diff --git a/api/auth/center_test.go b/api/auth/center_test.go index 8066dc8..c8c8261 100644 --- a/api/auth/center_test.go +++ b/api/auth/center_test.go @@ -19,6 +19,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens" frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" + cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test" @@ -28,11 +29,23 @@ import ( "go.uber.org/zap/zaptest" ) +type centerSettingsMock struct { + accessBoxContainer *cid.ID +} + +func (c *centerSettingsMock) AccessBoxContainer() (cid.ID, bool) { + if c.accessBoxContainer == nil { + return cid.ID{}, false + } + return *c.accessBoxContainer, true +} + func TestAuthHeaderParse(t *testing.T) { defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f" center := &Center{ - reg: NewRegexpMatcher(AuthorizationFieldRegexp), + reg: NewRegexpMatcher(AuthorizationFieldRegexp), + settings: ¢erSettingsMock{}, } for _, tc := range []struct { @@ -57,11 +70,6 @@ func TestAuthHeaderParse(t *testing.T) { err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed), expected: nil, }, - { - header: strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"), - err: errors.GetAPIError(errors.ErrInvalidAccessKeyID), - expected: nil, - }, } { authHeader, err := center.parseAuthHeader(tc.header) require.ErrorIs(t, err, tc.err, tc.header) 
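Review bot: `centerSettingsMock` is only ever built as the zero value in this hunk, so `AccessBoxContainer()` always returns `false` and the configured-container path of `Center` is never exercised. The same zero-value mock is passed to `New(...)` in `TestAuthenticate` and `TestHTTPPostAuthenticate` and set in `TestCheckSign`. A later hunk in this file also drops the `oidcid` case that expected `ErrInvalidAccessKeyID`, and `TestAuthHeaderGetAddress` is removed, so nothing visible here pins how a malformed or unresolvable access key ID is rejected any more. Consider adding a case with a container set, e.g. `settings: &centerSettingsMock{accessBoxContainer: &cnrID}`, and a negative case for an access key ID that is neither a valid address nor present in that container (the expected error is not visible in this diff). The body of `TestAuthHeaderParse` continues outside the hunk.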
@@ -69,43 +77,6 @@ func TestAuthHeaderParse(t *testing.T) { } } -func TestAuthHeaderGetAddress(t *testing.T) { - defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID) - - for _, tc := range []struct { - authHeader *AuthHeader - err error - }{ - { - authHeader: &AuthHeader{ - AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB", - }, - err: nil, - }, - { - authHeader: &AuthHeader{ - AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB", - }, - err: defaulErr, - }, - { - authHeader: &AuthHeader{ - AccessKeyID: "oid0cid", - }, - err: defaulErr, - }, - { - authHeader: &AuthHeader{ - AccessKeyID: "oidcid", - }, - err: defaulErr, - }, - } { - _, err := getAddress(tc.authHeader.AccessKeyID) - require.ErrorIs(t, err, tc.err, tc.authHeader.AccessKeyID) - } -} - func TestSignature(t *testing.T) { secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872" strToSign := "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" @@ -171,17 +142,17 @@ func TestCheckFormatContentSHA256(t *testing.T) { } type frostFSMock struct { - objects map[oid.Address]*object.Object + objects map[string]*object.Object } func newFrostFSMock() *frostFSMock { return &frostFSMock{ - objects: map[oid.Address]*object.Object{}, + objects: map[string]*object.Object{}, } } -func (f *frostFSMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) { - obj, ok := f.objects[address] +func (f *frostFSMock) GetCredsObject(_ context.Context, prm tokens.PrmGetCredsObject) (*object.Object, error) { + obj, ok := f.objects[prm.AccessKeyID] if !ok { return nil, fmt.Errorf("not found") } 
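Review bot: `frostFSMock.GetCredsObject` looks objects up by `prm.AccessKeyID` alone and never reads the container carried in `prm`, so a caller that sends a credential lookup to the wrong container would still pass these tests. `credentialsMock.GetBox` in api/auth/presign_test.go discards its `cid.ID` argument, and `frostfsMock.GetCredsObject` in creds/tokens/credentials_test.go has the same gap. Keying the map on container plus access key ID would close it, e.g. `obj, ok := f.objects[prm.Container.EncodeToString()+"/"+prm.AccessKeyID]`, with the test setup storing under the same key. The function body continues outside the hunk.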
@@ -208,7 +179,7 @@ func TestAuthenticate(t *testing.T) { GateKey: key.PublicKey(), }} - accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret")) + accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false) require.NoError(t, err) data, err := accessBox.Marshal() require.NoError(t, err) @@ -219,10 +190,10 @@ func TestAuthenticate(t *testing.T) { obj.SetContainerID(addr.Container()) obj.SetID(addr.Object()) - frostfs := newFrostFSMock() - frostfs.objects[addr] = &obj + accessKeyID := getAccessKeyID(addr) - accessKeyID := addr.Container().String() + "0" + addr.Object().String() + frostfs := newFrostFSMock() + frostfs.objects[accessKeyID] = &obj awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "") defaultSigner := v4.NewSigner(awsCreds) @@ -413,7 +384,7 @@ func TestAuthenticate(t *testing.T) { } { t.Run(tc.name, func(t *testing.T) { creds := tokens.New(bigConfig) - cntr := New(creds, tc.prefixes) + cntr := New(creds, tc.prefixes, ¢erSettingsMock{}) box, err := cntr.Authenticate(tc.request) if tc.err { @@ -455,7 +426,7 @@ func TestHTTPPostAuthenticate(t *testing.T) { GateKey: key.PublicKey(), }} - accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret")) + accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false) require.NoError(t, err) data, err := accessBox.Marshal() require.NoError(t, err) @@ -466,10 +437,11 @@ func TestHTTPPostAuthenticate(t *testing.T) { obj.SetContainerID(addr.Container()) obj.SetID(addr.Object()) - frostfs := newFrostFSMock() - frostfs.objects[addr] = &obj + accessKeyID := getAccessKeyID(addr) + + frostfs := newFrostFSMock() + frostfs.objects[accessKeyID] = &obj - accessKeyID := addr.Container().String() + "0" + addr.Object().String() invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String() timeToSign := time.Now() 
@@ -590,7 +562,7 @@ func TestHTTPPostAuthenticate(t *testing.T) { } { t.Run(tc.name, func(t *testing.T) { creds := tokens.New(bigConfig) - cntr := New(creds, tc.prefixes) + cntr := New(creds, tc.prefixes, ¢erSettingsMock{}) box, err := cntr.Authenticate(tc.request) if tc.err { @@ -633,3 +605,7 @@ func getRequestWithMultipartForm(t *testing.T, policy, creds, date, sign, fieldN return req } + +func getAccessKeyID(addr oid.Address) string { + return strings.ReplaceAll(addr.EncodeToString(), "/", "0") +} diff --git a/api/auth/presign_test.go b/api/auth/presign_test.go index 8efca52..f669b1b 100644 --- a/api/auth/presign_test.go +++ b/api/auth/presign_test.go @@ -29,11 +29,11 @@ func newTokensFrostfsMock() *credentialsMock { } func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) { - m.boxes[addr.String()] = box + m.boxes[getAccessKeyID(addr)] = box } -func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox.Box, []object.Attribute, error) { - box, ok := m.boxes[addr.String()] +func (m credentialsMock) GetBox(_ context.Context, _ cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) { + box, ok := m.boxes[accessKeyID] if !ok { return nil, nil, &apistatus.ObjectNotFound{} } @@ -41,11 +41,11 @@ func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox return box, nil, nil } -func (m credentialsMock) Put(context.Context, cid.ID, tokens.CredentialsParam) (oid.Address, error) { +func (m credentialsMock) Put(context.Context, tokens.CredentialsParam) (oid.Address, error) { return oid.Address{}, nil } -func (m credentialsMock) Update(context.Context, oid.Address, tokens.CredentialsParam) (oid.Address, error) { +func (m credentialsMock) Update(context.Context, tokens.CredentialsParam) (oid.Address, error) { return oid.Address{}, nil } 
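Review bot: `getAccessKeyID` is added here and repeated verbatim in api/cache/cache_test.go, creds/tokens/credentials_test.go and internal/frostfs/authmate_test.go. The mock in creds/tokens/credentials_test.go also derives the same string a second way, as `prm.Container.EncodeToString() + "0" + objID.EncodeToString()`. If the access key ID encoding changes, these copies can drift from the production derivation while the auth tests keep passing against a stale format. At minimum give the helper a doc comment stating the format, e.g. `// getAccessKeyID renders addr as "<container>0<object>", the default access key ID form.`. Calling an exported production helper would be better if one exists, which is not visible in this diff.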
@@ -84,9 +84,10 @@ func TestCheckSign(t *testing.T) { mock.addBox(accessKeyAddr, expBox) c := &Center{ - cli: mock, - reg: NewRegexpMatcher(AuthorizationFieldRegexp), - postReg: NewRegexpMatcher(postPolicyCredentialRegexp), + cli: mock, + reg: NewRegexpMatcher(AuthorizationFieldRegexp), + postReg: NewRegexpMatcher(postPolicyCredentialRegexp), + settings: ¢erSettingsMock{}, } box, err := c.Authenticate(req) require.NoError(t, err) diff --git a/api/cache/cache_test.go b/api/cache/cache_test.go index 31aceba..a6a9464 100644 --- a/api/cache/cache_test.go +++ b/api/cache/cache_test.go @@ -1,6 +1,7 @@ package cache import ( + "strings" "testing" "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client" @@ -8,6 +9,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox" cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" + oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test" "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neo-go/pkg/util" @@ -24,16 +26,18 @@ func TestAccessBoxCacheType(t *testing.T) { box := &accessbox.Box{} var attrs []object.Attribute - err := cache.Put(addr, box, attrs) + accessKeyID := getAccessKeyID(addr) + + err := cache.Put(accessKeyID, box, attrs) require.NoError(t, err) - val := cache.Get(addr) + val := cache.Get(accessKeyID) require.Equal(t, box, val.Box) require.Equal(t, attrs, val.Attributes) require.Equal(t, 0, observedLog.Len()) - err = cache.cache.Set(addr, "tmp") + err = cache.cache.Set(accessKeyID, "tmp") require.NoError(t, err) - assertInvalidCacheEntry(t, cache.Get(addr), observedLog) + assertInvalidCacheEntry(t, cache.Get(accessKeyID), observedLog) } func TestBucketsCacheType(t *testing.T) { 
@@ -230,3 +234,7 @@ func getObservedLogger() (*zap.Logger, *observer.ObservedLogs) { loggerCore, observedLog := observer.New(zap.WarnLevel) return zap.New(loggerCore), observedLog } + +func getAccessKeyID(addr oid.Address) string { + return strings.ReplaceAll(addr.EncodeToString(), "/", "0") +} diff --git a/creds/accessbox/bearer_token_test.go b/creds/accessbox/bearer_token_test.go index b6ee0e0..e00d8c6 100644 --- a/creds/accessbox/bearer_token_test.go +++ b/creds/accessbox/bearer_token_test.go @@ -61,7 +61,7 @@ func TestBearerTokenInAccessBox(t *testing.T) { require.NoError(t, tkn.Sign(sec.PrivateKey)) gate := NewGateData(cred.PublicKey(), &tkn) - box, _, err = PackTokens([]*GateData{gate}, nil) + box, _, err = PackTokens([]*GateData{gate}, nil, false) require.NoError(t, err) data, err := box.Marshal() @@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) { err = box2.Unmarshal(data) require.NoError(t, err) - tkns, err := box2.GetTokens(cred) + tkns, err := box2.GetTokens(cred, false) require.NoError(t, err) assertBearerToken(t, tkn, *tkns.BearerToken) @@ -96,7 +96,7 @@ func TestSessionTokenInAccessBox(t *testing.T) { var newTkn bearer.Token gate := NewGateData(cred.PublicKey(), &newTkn) gate.SessionTokens = []*session.Container{tkn} - box, _, err = PackTokens([]*GateData{gate}, nil) + box, _, err = PackTokens([]*GateData{gate}, nil, false) require.NoError(t, err) data, err := box.Marshal() @@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) { err = box2.Unmarshal(data) require.NoError(t, err) - tkns, err := box2.GetTokens(cred) + tkns, err := box2.GetTokens(cred, false) require.NoError(t, err) require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens) 
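Review bot: Every call in creds/accessbox/bearer_token_test.go passes a bare `false` as the new last argument of `PackTokens`, `GetTokens` and `GetBox`, in these hunks and in the remaining hunks of the file. The behaviour selected by `true` therefore has no coverage in this test file, and the literal gives a reader no hint of what is being switched. The flag's meaning is not visible in this diff. If it changes how the secret key is packed or read, add a round-trip subtest with `true` on both sides, plus a mismatch case (packed with one value, read with the other) asserting the defined outcome. A named local at the call sites, for instance `const custom = false` with the name matched to the real parameter, would also make the calls self-describing.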
@@ -136,11 +136,11 @@ func TestAccessboxMultipleKeys(t *testing.T) { } } - box, _, err = PackTokens(gates, nil) + box, _, err = PackTokens(gates, nil, false) require.NoError(t, err) for i, k := range privateKeys { - tkns, err := box.GetTokens(k) + tkns, err := box.GetTokens(k, false) require.NoError(t, err, "key #%d: %s failed", i, k) assertBearerToken(t, tkn, *tkns.BearerToken) } @@ -165,10 +165,10 @@ func TestUnknownKey(t *testing.T) { require.NoError(t, tkn.Sign(sec.PrivateKey)) gate := NewGateData(cred.PublicKey(), &tkn) - box, _, err = PackTokens([]*GateData{gate}, nil) + box, _, err = PackTokens([]*GateData{gate}, nil, false) require.NoError(t, err) - _, err = box.GetTokens(wrongCred) + _, err = box.GetTokens(wrongCred, false) require.Error(t, err) } @@ -226,10 +226,10 @@ func TestGetBox(t *testing.T) { gate := NewGateData(cred.PublicKey(), &tkn) secret := []byte("secret") - accessBox, _, err := PackTokens([]*GateData{gate}, secret) + accessBox, _, err := PackTokens([]*GateData{gate}, secret, false) require.NoError(t, err) - box, err := accessBox.GetBox(cred) + box, err := accessBox.GetBox(cred, false) require.NoError(t, err) require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey) } @@ -241,17 +241,17 @@ func TestAccessBox(t *testing.T) { var tkn bearer.Token gate := NewGateData(cred.PublicKey(), &tkn) - accessBox, _, err := PackTokens([]*GateData{gate}, nil) + accessBox, _, err := PackTokens([]*GateData{gate}, nil, false) require.NoError(t, err) t.Run("invalid owner", func(t *testing.T) { randomKey, err := keys.NewPrivateKey() require.NoError(t, err) - _, err = accessBox.GetTokens(randomKey) + _, err = accessBox.GetTokens(randomKey, false) require.Error(t, err) - _, err = accessBox.GetBox(randomKey) + _, err = accessBox.GetBox(randomKey, false) require.Error(t, err) }) 
@@ -281,17 +281,17 @@ func TestAccessBox(t *testing.T) { _, err = accessBox.GetPlacementPolicy() require.Error(t, err) - _, err = accessBox.GetBox(cred) + _, err = accessBox.GetBox(cred, false) require.Error(t, err) }) t.Run("empty seed key", func(t *testing.T) { accessBox.SeedKey = nil - _, err = accessBox.GetTokens(cred) + _, err = accessBox.GetTokens(cred, false) require.Error(t, err) - _, err = accessBox.GetBox(cred) + _, err = accessBox.GetBox(cred, false) require.Error(t, err) }) @@ -300,7 +300,7 @@ func TestAccessBox(t *testing.T) { BearerToken: &tkn, GateKey: &keys.PublicKey{}, } - _, _, err = PackTokens([]*GateData{gate}, nil) + _, _, err = PackTokens([]*GateData{gate}, nil, false) require.Error(t, err) }) } diff --git a/creds/tokens/credentials_test.go b/creds/tokens/credentials_test.go index 3524045..9ac4b79 100644 --- a/creds/tokens/credentials_test.go +++ b/creds/tokens/credentials_test.go @@ -4,6 +4,7 @@ import ( "context" "encoding/hex" "errors" + "strings" "testing" "time" @@ -21,14 +22,14 @@ import ( ) type frostfsMock struct { - objects map[oid.Address][]*object.Object - errors map[oid.Address]error + objects map[string][]*object.Object + errors map[string]error } func newFrostfsMock() *frostfsMock { return &frostfsMock{ - objects: map[oid.Address][]*object.Object{}, - errors: map[oid.Address]error{}, + objects: map[string][]*object.Object{}, + errors: map[string]error{}, } } 
@@ -44,19 +45,15 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid. prm.CustomAttributes = append(prm.CustomAttributes, *a) obj.SetAttributes(prm.CustomAttributes...) - if prm.NewVersionFor != nil { - var addr oid.Address - addr.SetObject(*prm.NewVersionFor) - addr.SetContainer(prm.Container) - - _, ok := f.objects[addr] + if prm.NewVersionForAccessKeyID != "" { + _, ok := f.objects[prm.NewVersionForAccessKeyID] if !ok { return oid.ID{}, errors.New("not found") } objID := oidtest.ID() obj.SetID(objID) - f.objects[addr] = append(f.objects[addr], &obj) + f.objects[prm.NewVersionForAccessKeyID] = append(f.objects[prm.NewVersionForAccessKeyID], &obj) return objID, nil } @@ -64,20 +61,25 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid. objID := oidtest.ID() obj.SetID(objID) + accessKeyID := prm.CustomAccessKey + if accessKeyID == "" { + accessKeyID = prm.Container.EncodeToString() + "0" + objID.EncodeToString() + } + var addr oid.Address addr.SetObject(objID) addr.SetContainer(prm.Container) - f.objects[addr] = []*object.Object{&obj} + f.objects[accessKeyID] = []*object.Object{&obj} return objID, nil } -func (f *frostfsMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) { - if err := f.errors[address]; err != nil { +func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (*object.Object, error) { + if err := f.errors[prm.AccessKeyID]; err != nil { return nil, err } - objects, ok := f.objects[address] + objects, ok := f.objects[prm.AccessKeyID] if !ok { return nil, errors.New("not found") } @@ -100,7 +102,7 @@ func TestRemovingAccessBox(t *testing.T) { sk, err := hex.DecodeString(secretKey) require.NoError(t, err) - accessBox, _, err := accessbox.PackTokens(gateData, sk) + accessBox, _, err := accessbox.PackTokens(gateData, sk, false) require.NoError(t, err) data, err := accessBox.Marshal() require.NoError(t, err) 
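Review bot: In `frostfsMock.CreateObject` the local `addr` is still populated but is no longer read now that the map is keyed by `accessKeyID`. The lines `var addr oid.Address`, `addr.SetObject(objID)` and `addr.SetContainer(prm.Container)` can be deleted. The new `prm.CustomAccessKey` branch is not reached by any test visible in this diff, so storing a credential under a caller-chosen access key ID and reading it back is untested. A subtest that creates an object with a custom key and fetches it through `GetBox` with that key would cover it. `CreateObject` starts outside the hunk.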
@@ -111,9 +113,11 @@ func TestRemovingAccessBox(t *testing.T) { obj.SetID(addr.Object()) obj.SetContainerID(addr.Container()) + accessKeyID := getAccessKeyID(addr) + frostfs := &frostfsMock{ - objects: map[oid.Address][]*object.Object{addr: {&obj}}, - errors: map[oid.Address]error{}, + objects: map[string][]*object.Object{accessKeyID: {&obj}}, + errors: map[string]error{}, } cfg := Config{ @@ -129,15 +133,15 @@ func TestRemovingAccessBox(t *testing.T) { creds := New(cfg) - _, _, err = creds.GetBox(ctx, addr) + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) - frostfs.errors[addr] = errors.New("network error") - _, _, err = creds.GetBox(ctx, addr) + frostfs.errors[accessKeyID] = errors.New("network error") + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) - frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{} - _, _, err = creds.GetBox(ctx, addr) + frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{} + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.Error(t, err) } @@ -153,7 +157,7 @@ func TestGetBox(t *testing.T) { }} secret := []byte("secret") - accessBox, _, err := accessbox.PackTokens(gateData, secret) + accessBox, _, err := accessbox.PackTokens(gateData, secret, false) require.NoError(t, err) data, err := accessBox.Marshal() require.NoError(t, err) 
@@ -179,14 +183,16 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) + addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) require.NoError(t, err) - _, _, err = creds.GetBox(ctx, addr) + accessKeyID := getAccessKeyID(addr) + + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) - frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{} - _, _, err = creds.GetBox(ctx, addr) + frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{} + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) }) @@ -198,11 +204,12 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) + addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) require.NoError(t, err) - frostfs.errors[addr] = errors.New("network error") - _, _, err = creds.GetBox(ctx, addr) + accessKeyID := getAccessKeyID(addr) + frostfs.errors[accessKeyID] = errors.New("network error") + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.Error(t, err) }) @@ -212,14 +219,15 @@ func TestGetBox(t *testing.T) { var obj object.Object obj.SetPayload(data) addr := oidtest.Address() - frostfs.objects[addr] = []*object.Object{&obj} + accessKeyID := getAccessKeyID(addr) + frostfs.objects[accessKeyID] = []*object.Object{&obj} cfg.FrostFS = frostfs cfg.RemovingCheckAfterDurations = 0 cfg.Key = &keys.PrivateKey{} creds := New(cfg) - _, _, err = creds.GetBox(ctx, addr) + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.Error(t, err) }) 
@@ -229,14 +237,15 @@ func TestGetBox(t *testing.T) { var obj object.Object obj.SetPayload([]byte("invalid")) addr := oidtest.Address() - frostfs.objects[addr] = []*object.Object{&obj} + accessKeyID := getAccessKeyID(addr) + frostfs.objects[accessKeyID] = []*object.Object{&obj} cfg.FrostFS = frostfs cfg.RemovingCheckAfterDurations = 0 cfg.Key = key creds := New(cfg) - _, _, err = creds.GetBox(ctx, addr) + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.Error(t, err) }) @@ -248,16 +257,24 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) + addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) require.NoError(t, err) - _, boxAttrs, err := creds.GetBox(ctx, addr) + accessKeyID := getAccessKeyID(addr) + _, boxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) - _, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox, CustomAttributes: attrs}) + prm := CredentialsParam{ + Container: addr.Container(), + AccessKeyID: accessKeyID, + Keys: keys.PublicKeys{key.PublicKey()}, + AccessBox: accessBox, + CustomAttributes: attrs, + } + _, err = creds.Update(ctx, prm) require.NoError(t, err) - _, newBoxAttrs, err := creds.GetBox(ctx, addr) + _, newBoxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs)) }) 
@@ -270,10 +287,12 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) + addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) require.NoError(t, err) - box, _, err := creds.GetBox(ctx, addr) + accessKeyID := getAccessKeyID(addr) + + box, _, err := creds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey) @@ -286,19 +305,26 @@ func TestGetBox(t *testing.T) { }} newSecret := []byte("new-secret") - newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret) + newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret, false) require.NoError(t, err) - _, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{newKey.PublicKey()}, AccessBox: newAccessBox}) + prm := CredentialsParam{ + Container: addr.Container(), + AccessKeyID: accessKeyID, + Keys: keys.PublicKeys{newKey.PublicKey()}, + AccessBox: newAccessBox, + } + + _, err = creds.Update(ctx, prm) require.NoError(t, err) - _, _, err = creds.GetBox(ctx, addr) + _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID) require.Error(t, err) cfg.Key = newKey newCreds := New(cfg) - box, _, err = newCreds.GetBox(ctx, addr) + box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID) require.NoError(t, err) require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey) }) @@ -311,7 +337,7 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - _, err = creds.Put(ctx, cnrID, CredentialsParam{AccessBox: accessBox}) + _, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox}) require.ErrorIs(t, err, ErrEmptyPublicKeys) }) 
@@ -323,7 +349,11 @@ func TestGetBox(t *testing.T) { creds := New(cfg) cnrID := cidtest.ID() - _, err = creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}}) + _, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}}) require.ErrorIs(t, err, ErrEmptyBearerToken) }) } + +func getAccessKeyID(addr oid.Address) string { + return strings.ReplaceAll(addr.EncodeToString(), "/", "0") +} diff --git a/internal/frostfs/authmate_test.go b/internal/frostfs/authmate_test.go index 74ef98c..0f0f167 100644 --- a/internal/frostfs/authmate_test.go +++ b/internal/frostfs/authmate_test.go @@ -2,6 +2,7 @@ package frostfs import ( "context" + "strings" "testing" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer" 
@@ -38,34 +39,46 @@ func TestGetCredsObject(t *testing.T) { frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t)) - cid, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{ + cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{ FriendlyName: bktName, Owner: userID, }) require.NoError(t, err) objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{ - Container: cid, + Container: cnrID, Payload: payload, }) require.NoError(t, err) var addr oid.Address - addr.SetContainer(cid) + addr.SetContainer(cnrID) addr.SetObject(objID) - obj, err := frostfs.GetCredsObject(ctx, addr) + accessKeyID := getAccessKeyID(addr) + + obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{ + Container: cnrID, + AccessKeyID: accessKeyID, + }) require.NoError(t, err) require.Equal(t, payload, obj.Payload()) _, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{ - Container: cid, - Payload: newPayload, - NewVersionFor: &objID, + Container: cnrID, + Payload: newPayload, + NewVersionForAccessKeyID: accessKeyID, }) require.NoError(t, err) - obj, err = frostfs.GetCredsObject(ctx, addr) + obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{ + Container: cnrID, + AccessKeyID: getAccessKeyID(addr), + }) require.NoError(t, err) require.Equal(t, newPayload, obj.Payload()) } + +func getAccessKeyID(addr oid.Address) string { + return strings.ReplaceAll(addr.EncodeToString(), "/", "0") +}