[#509] Fix tests

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-10-11 11:32:36 +03:00
parent 07c8923614
commit 4e73270b81
6 changed files with 169 additions and 141 deletions

View file

@ -19,6 +19,7 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors" frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test" oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
@ -28,11 +29,23 @@ import (
"go.uber.org/zap/zaptest" "go.uber.org/zap/zaptest"
) )
type centerSettingsMock struct {
accessBoxContainer *cid.ID
}
func (c *centerSettingsMock) AccessBoxContainer() (cid.ID, bool) {
if c.accessBoxContainer == nil {
return cid.ID{}, false
}
return *c.accessBoxContainer, true
}
func TestAuthHeaderParse(t *testing.T) { func TestAuthHeaderParse(t *testing.T) {
defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f" defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"
center := &Center{ center := &Center{
reg: NewRegexpMatcher(AuthorizationFieldRegexp), reg: NewRegexpMatcher(AuthorizationFieldRegexp),
settings: &centerSettingsMock{},
} }
for _, tc := range []struct { for _, tc := range []struct {
@ -57,11 +70,6 @@ func TestAuthHeaderParse(t *testing.T) {
err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed), err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
expected: nil, expected: nil,
}, },
{
header: strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),
err: errors.GetAPIError(errors.ErrInvalidAccessKeyID),
expected: nil,
},
} { } {
authHeader, err := center.parseAuthHeader(tc.header) authHeader, err := center.parseAuthHeader(tc.header)
require.ErrorIs(t, err, tc.err, tc.header) require.ErrorIs(t, err, tc.err, tc.header)
@ -69,43 +77,6 @@ func TestAuthHeaderParse(t *testing.T) {
} }
} }
func TestAuthHeaderGetAddress(t *testing.T) {
defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)
for _, tc := range []struct {
authHeader *AuthHeader
err error
}{
{
authHeader: &AuthHeader{
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
},
err: nil,
},
{
authHeader: &AuthHeader{
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
},
err: defaulErr,
},
{
authHeader: &AuthHeader{
AccessKeyID: "oid0cid",
},
err: defaulErr,
},
{
authHeader: &AuthHeader{
AccessKeyID: "oidcid",
},
err: defaulErr,
},
} {
_, err := getAddress(tc.authHeader.AccessKeyID)
require.ErrorIs(t, err, tc.err, tc.authHeader.AccessKeyID)
}
}
func TestSignature(t *testing.T) { func TestSignature(t *testing.T) {
secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872" secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ==" strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="
@ -171,17 +142,17 @@ func TestCheckFormatContentSHA256(t *testing.T) {
} }
type frostFSMock struct { type frostFSMock struct {
objects map[oid.Address]*object.Object objects map[string]*object.Object
} }
func newFrostFSMock() *frostFSMock { func newFrostFSMock() *frostFSMock {
return &frostFSMock{ return &frostFSMock{
objects: map[oid.Address]*object.Object{}, objects: map[string]*object.Object{},
} }
} }
func (f *frostFSMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) { func (f *frostFSMock) GetCredsObject(_ context.Context, prm tokens.PrmGetCredsObject) (*object.Object, error) {
obj, ok := f.objects[address] obj, ok := f.objects[prm.AccessKeyID]
if !ok { if !ok {
return nil, fmt.Errorf("not found") return nil, fmt.Errorf("not found")
} }
@ -208,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
GateKey: key.PublicKey(), GateKey: key.PublicKey(),
}} }}
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret")) accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
require.NoError(t, err) require.NoError(t, err)
data, err := accessBox.Marshal() data, err := accessBox.Marshal()
require.NoError(t, err) require.NoError(t, err)
@ -219,10 +190,10 @@ func TestAuthenticate(t *testing.T) {
obj.SetContainerID(addr.Container()) obj.SetContainerID(addr.Container())
obj.SetID(addr.Object()) obj.SetID(addr.Object())
frostfs := newFrostFSMock() accessKeyID := getAccessKeyID(addr)
frostfs.objects[addr] = &obj
accessKeyID := addr.Container().String() + "0" + addr.Object().String() frostfs := newFrostFSMock()
frostfs.objects[accessKeyID] = &obj
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "") awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "")
defaultSigner := v4.NewSigner(awsCreds) defaultSigner := v4.NewSigner(awsCreds)
@ -413,7 +384,7 @@ func TestAuthenticate(t *testing.T) {
} { } {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
creds := tokens.New(bigConfig) creds := tokens.New(bigConfig)
cntr := New(creds, tc.prefixes) cntr := New(creds, tc.prefixes, &centerSettingsMock{})
box, err := cntr.Authenticate(tc.request) box, err := cntr.Authenticate(tc.request)
if tc.err { if tc.err {
@ -455,7 +426,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
GateKey: key.PublicKey(), GateKey: key.PublicKey(),
}} }}
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret")) accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
require.NoError(t, err) require.NoError(t, err)
data, err := accessBox.Marshal() data, err := accessBox.Marshal()
require.NoError(t, err) require.NoError(t, err)
@ -466,10 +437,11 @@ func TestHTTPPostAuthenticate(t *testing.T) {
obj.SetContainerID(addr.Container()) obj.SetContainerID(addr.Container())
obj.SetID(addr.Object()) obj.SetID(addr.Object())
frostfs := newFrostFSMock() accessKeyID := getAccessKeyID(addr)
frostfs.objects[addr] = &obj
frostfs := newFrostFSMock()
frostfs.objects[accessKeyID] = &obj
accessKeyID := addr.Container().String() + "0" + addr.Object().String()
invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String() invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String()
timeToSign := time.Now() timeToSign := time.Now()
@ -590,7 +562,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
} { } {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
creds := tokens.New(bigConfig) creds := tokens.New(bigConfig)
cntr := New(creds, tc.prefixes) cntr := New(creds, tc.prefixes, &centerSettingsMock{})
box, err := cntr.Authenticate(tc.request) box, err := cntr.Authenticate(tc.request)
if tc.err { if tc.err {
@ -633,3 +605,7 @@ func getRequestWithMultipartForm(t *testing.T, policy, creds, date, sign, fieldN
return req return req
} }
func getAccessKeyID(addr oid.Address) string {
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
}

View file

@ -29,11 +29,11 @@ func newTokensFrostfsMock() *credentialsMock {
} }
func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) { func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) {
m.boxes[addr.String()] = box m.boxes[getAccessKeyID(addr)] = box
} }
func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox.Box, []object.Attribute, error) { func (m credentialsMock) GetBox(_ context.Context, _ cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
box, ok := m.boxes[addr.String()] box, ok := m.boxes[accessKeyID]
if !ok { if !ok {
return nil, nil, &apistatus.ObjectNotFound{} return nil, nil, &apistatus.ObjectNotFound{}
} }
@ -41,11 +41,11 @@ func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox
return box, nil, nil return box, nil, nil
} }
func (m credentialsMock) Put(context.Context, cid.ID, tokens.CredentialsParam) (oid.Address, error) { func (m credentialsMock) Put(context.Context, tokens.CredentialsParam) (oid.Address, error) {
return oid.Address{}, nil return oid.Address{}, nil
} }
func (m credentialsMock) Update(context.Context, oid.Address, tokens.CredentialsParam) (oid.Address, error) { func (m credentialsMock) Update(context.Context, tokens.CredentialsParam) (oid.Address, error) {
return oid.Address{}, nil return oid.Address{}, nil
} }
@ -84,9 +84,10 @@ func TestCheckSign(t *testing.T) {
mock.addBox(accessKeyAddr, expBox) mock.addBox(accessKeyAddr, expBox)
c := &Center{ c := &Center{
cli: mock, cli: mock,
reg: NewRegexpMatcher(AuthorizationFieldRegexp), reg: NewRegexpMatcher(AuthorizationFieldRegexp),
postReg: NewRegexpMatcher(postPolicyCredentialRegexp), postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
settings: &centerSettingsMock{},
} }
box, err := c.Authenticate(req) box, err := c.Authenticate(req)
require.NoError(t, err) require.NoError(t, err)

View file

@ -1,6 +1,7 @@
package cache package cache
import ( import (
"strings"
"testing" "testing"
"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client" "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
@ -8,6 +9,7 @@ import (
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test" cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object" "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test" oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
"github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neo-go/pkg/util" "github.com/nspcc-dev/neo-go/pkg/util"
@ -24,16 +26,18 @@ func TestAccessBoxCacheType(t *testing.T) {
box := &accessbox.Box{} box := &accessbox.Box{}
var attrs []object.Attribute var attrs []object.Attribute
err := cache.Put(addr, box, attrs) accessKeyID := getAccessKeyID(addr)
err := cache.Put(accessKeyID, box, attrs)
require.NoError(t, err) require.NoError(t, err)
val := cache.Get(addr) val := cache.Get(accessKeyID)
require.Equal(t, box, val.Box) require.Equal(t, box, val.Box)
require.Equal(t, attrs, val.Attributes) require.Equal(t, attrs, val.Attributes)
require.Equal(t, 0, observedLog.Len()) require.Equal(t, 0, observedLog.Len())
err = cache.cache.Set(addr, "tmp") err = cache.cache.Set(accessKeyID, "tmp")
require.NoError(t, err) require.NoError(t, err)
assertInvalidCacheEntry(t, cache.Get(addr), observedLog) assertInvalidCacheEntry(t, cache.Get(accessKeyID), observedLog)
} }
func TestBucketsCacheType(t *testing.T) { func TestBucketsCacheType(t *testing.T) {
@ -230,3 +234,7 @@ func getObservedLogger() (*zap.Logger, *observer.ObservedLogs) {
loggerCore, observedLog := observer.New(zap.WarnLevel) loggerCore, observedLog := observer.New(zap.WarnLevel)
return zap.New(loggerCore), observedLog return zap.New(loggerCore), observedLog
} }
func getAccessKeyID(addr oid.Address) string {
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
}

View file

@ -61,7 +61,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
require.NoError(t, tkn.Sign(sec.PrivateKey)) require.NoError(t, tkn.Sign(sec.PrivateKey))
gate := NewGateData(cred.PublicKey(), &tkn) gate := NewGateData(cred.PublicKey(), &tkn)
box, _, err = PackTokens([]*GateData{gate}, nil) box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err) require.NoError(t, err)
data, err := box.Marshal() data, err := box.Marshal()
@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
err = box2.Unmarshal(data) err = box2.Unmarshal(data)
require.NoError(t, err) require.NoError(t, err)
tkns, err := box2.GetTokens(cred) tkns, err := box2.GetTokens(cred, false)
require.NoError(t, err) require.NoError(t, err)
assertBearerToken(t, tkn, *tkns.BearerToken) assertBearerToken(t, tkn, *tkns.BearerToken)
@ -96,7 +96,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
var newTkn bearer.Token var newTkn bearer.Token
gate := NewGateData(cred.PublicKey(), &newTkn) gate := NewGateData(cred.PublicKey(), &newTkn)
gate.SessionTokens = []*session.Container{tkn} gate.SessionTokens = []*session.Container{tkn}
box, _, err = PackTokens([]*GateData{gate}, nil) box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err) require.NoError(t, err)
data, err := box.Marshal() data, err := box.Marshal()
@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
err = box2.Unmarshal(data) err = box2.Unmarshal(data)
require.NoError(t, err) require.NoError(t, err)
tkns, err := box2.GetTokens(cred) tkns, err := box2.GetTokens(cred, false)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens) require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
@ -136,11 +136,11 @@ func TestAccessboxMultipleKeys(t *testing.T) {
} }
} }
box, _, err = PackTokens(gates, nil) box, _, err = PackTokens(gates, nil, false)
require.NoError(t, err) require.NoError(t, err)
for i, k := range privateKeys { for i, k := range privateKeys {
tkns, err := box.GetTokens(k) tkns, err := box.GetTokens(k, false)
require.NoError(t, err, "key #%d: %s failed", i, k) require.NoError(t, err, "key #%d: %s failed", i, k)
assertBearerToken(t, tkn, *tkns.BearerToken) assertBearerToken(t, tkn, *tkns.BearerToken)
} }
@ -165,10 +165,10 @@ func TestUnknownKey(t *testing.T) {
require.NoError(t, tkn.Sign(sec.PrivateKey)) require.NoError(t, tkn.Sign(sec.PrivateKey))
gate := NewGateData(cred.PublicKey(), &tkn) gate := NewGateData(cred.PublicKey(), &tkn)
box, _, err = PackTokens([]*GateData{gate}, nil) box, _, err = PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err) require.NoError(t, err)
_, err = box.GetTokens(wrongCred) _, err = box.GetTokens(wrongCred, false)
require.Error(t, err) require.Error(t, err)
} }
@ -226,10 +226,10 @@ func TestGetBox(t *testing.T) {
gate := NewGateData(cred.PublicKey(), &tkn) gate := NewGateData(cred.PublicKey(), &tkn)
secret := []byte("secret") secret := []byte("secret")
accessBox, _, err := PackTokens([]*GateData{gate}, secret) accessBox, _, err := PackTokens([]*GateData{gate}, secret, false)
require.NoError(t, err) require.NoError(t, err)
box, err := accessBox.GetBox(cred) box, err := accessBox.GetBox(cred, false)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey) require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
} }
@ -241,17 +241,17 @@ func TestAccessBox(t *testing.T) {
var tkn bearer.Token var tkn bearer.Token
gate := NewGateData(cred.PublicKey(), &tkn) gate := NewGateData(cred.PublicKey(), &tkn)
accessBox, _, err := PackTokens([]*GateData{gate}, nil) accessBox, _, err := PackTokens([]*GateData{gate}, nil, false)
require.NoError(t, err) require.NoError(t, err)
t.Run("invalid owner", func(t *testing.T) { t.Run("invalid owner", func(t *testing.T) {
randomKey, err := keys.NewPrivateKey() randomKey, err := keys.NewPrivateKey()
require.NoError(t, err) require.NoError(t, err)
_, err = accessBox.GetTokens(randomKey) _, err = accessBox.GetTokens(randomKey, false)
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(randomKey) _, err = accessBox.GetBox(randomKey, false)
require.Error(t, err) require.Error(t, err)
}) })
@ -281,17 +281,17 @@ func TestAccessBox(t *testing.T) {
_, err = accessBox.GetPlacementPolicy() _, err = accessBox.GetPlacementPolicy()
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(cred) _, err = accessBox.GetBox(cred, false)
require.Error(t, err) require.Error(t, err)
}) })
t.Run("empty seed key", func(t *testing.T) { t.Run("empty seed key", func(t *testing.T) {
accessBox.SeedKey = nil accessBox.SeedKey = nil
_, err = accessBox.GetTokens(cred) _, err = accessBox.GetTokens(cred, false)
require.Error(t, err) require.Error(t, err)
_, err = accessBox.GetBox(cred) _, err = accessBox.GetBox(cred, false)
require.Error(t, err) require.Error(t, err)
}) })
@ -300,7 +300,7 @@ func TestAccessBox(t *testing.T) {
BearerToken: &tkn, BearerToken: &tkn,
GateKey: &keys.PublicKey{}, GateKey: &keys.PublicKey{},
} }
_, _, err = PackTokens([]*GateData{gate}, nil) _, _, err = PackTokens([]*GateData{gate}, nil, false)
require.Error(t, err) require.Error(t, err)
}) })
} }

View file

@ -4,6 +4,7 @@ import (
"context" "context"
"encoding/hex" "encoding/hex"
"errors" "errors"
"strings"
"testing" "testing"
"time" "time"
@ -21,14 +22,14 @@ import (
) )
type frostfsMock struct { type frostfsMock struct {
objects map[oid.Address][]*object.Object objects map[string][]*object.Object
errors map[oid.Address]error errors map[string]error
} }
func newFrostfsMock() *frostfsMock { func newFrostfsMock() *frostfsMock {
return &frostfsMock{ return &frostfsMock{
objects: map[oid.Address][]*object.Object{}, objects: map[string][]*object.Object{},
errors: map[oid.Address]error{}, errors: map[string]error{},
} }
} }
@ -44,19 +45,15 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
prm.CustomAttributes = append(prm.CustomAttributes, *a) prm.CustomAttributes = append(prm.CustomAttributes, *a)
obj.SetAttributes(prm.CustomAttributes...) obj.SetAttributes(prm.CustomAttributes...)
if prm.NewVersionFor != nil { if prm.NewVersionForAccessKeyID != "" {
var addr oid.Address _, ok := f.objects[prm.NewVersionForAccessKeyID]
addr.SetObject(*prm.NewVersionFor)
addr.SetContainer(prm.Container)
_, ok := f.objects[addr]
if !ok { if !ok {
return oid.ID{}, errors.New("not found") return oid.ID{}, errors.New("not found")
} }
objID := oidtest.ID() objID := oidtest.ID()
obj.SetID(objID) obj.SetID(objID)
f.objects[addr] = append(f.objects[addr], &obj) f.objects[prm.NewVersionForAccessKeyID] = append(f.objects[prm.NewVersionForAccessKeyID], &obj)
return objID, nil return objID, nil
} }
@ -64,20 +61,25 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
objID := oidtest.ID() objID := oidtest.ID()
obj.SetID(objID) obj.SetID(objID)
accessKeyID := prm.CustomAccessKey
if accessKeyID == "" {
accessKeyID = prm.Container.EncodeToString() + "0" + objID.EncodeToString()
}
var addr oid.Address var addr oid.Address
addr.SetObject(objID) addr.SetObject(objID)
addr.SetContainer(prm.Container) addr.SetContainer(prm.Container)
f.objects[addr] = []*object.Object{&obj} f.objects[accessKeyID] = []*object.Object{&obj}
return objID, nil return objID, nil
} }
func (f *frostfsMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) { func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (*object.Object, error) {
if err := f.errors[address]; err != nil { if err := f.errors[prm.AccessKeyID]; err != nil {
return nil, err return nil, err
} }
objects, ok := f.objects[address] objects, ok := f.objects[prm.AccessKeyID]
if !ok { if !ok {
return nil, errors.New("not found") return nil, errors.New("not found")
} }
@ -100,7 +102,7 @@ func TestRemovingAccessBox(t *testing.T) {
sk, err := hex.DecodeString(secretKey) sk, err := hex.DecodeString(secretKey)
require.NoError(t, err) require.NoError(t, err)
accessBox, _, err := accessbox.PackTokens(gateData, sk) accessBox, _, err := accessbox.PackTokens(gateData, sk, false)
require.NoError(t, err) require.NoError(t, err)
data, err := accessBox.Marshal() data, err := accessBox.Marshal()
require.NoError(t, err) require.NoError(t, err)
@ -111,9 +113,11 @@ func TestRemovingAccessBox(t *testing.T) {
obj.SetID(addr.Object()) obj.SetID(addr.Object())
obj.SetContainerID(addr.Container()) obj.SetContainerID(addr.Container())
accessKeyID := getAccessKeyID(addr)
frostfs := &frostfsMock{ frostfs := &frostfsMock{
objects: map[oid.Address][]*object.Object{addr: {&obj}}, objects: map[string][]*object.Object{accessKeyID: {&obj}},
errors: map[oid.Address]error{}, errors: map[string]error{},
} }
cfg := Config{ cfg := Config{
@ -129,15 +133,15 @@ func TestRemovingAccessBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
frostfs.errors[addr] = errors.New("network error") frostfs.errors[accessKeyID] = errors.New("network error")
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{} frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.Error(t, err) require.Error(t, err)
} }
@ -153,7 +157,7 @@ func TestGetBox(t *testing.T) {
}} }}
secret := []byte("secret") secret := []byte("secret")
accessBox, _, err := accessbox.PackTokens(gateData, secret) accessBox, _, err := accessbox.PackTokens(gateData, secret, false)
require.NoError(t, err) require.NoError(t, err)
data, err := accessBox.Marshal() data, err := accessBox.Marshal()
require.NoError(t, err) require.NoError(t, err)
@ -179,14 +183,16 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
require.NoError(t, err) require.NoError(t, err)
_, _, err = creds.GetBox(ctx, addr) accessKeyID := getAccessKeyID(addr)
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{} frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
}) })
@ -198,11 +204,12 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
require.NoError(t, err) require.NoError(t, err)
frostfs.errors[addr] = errors.New("network error") accessKeyID := getAccessKeyID(addr)
_, _, err = creds.GetBox(ctx, addr) frostfs.errors[accessKeyID] = errors.New("network error")
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.Error(t, err) require.Error(t, err)
}) })
@ -212,14 +219,15 @@ func TestGetBox(t *testing.T) {
var obj object.Object var obj object.Object
obj.SetPayload(data) obj.SetPayload(data)
addr := oidtest.Address() addr := oidtest.Address()
frostfs.objects[addr] = []*object.Object{&obj} accessKeyID := getAccessKeyID(addr)
frostfs.objects[accessKeyID] = []*object.Object{&obj}
cfg.FrostFS = frostfs cfg.FrostFS = frostfs
cfg.RemovingCheckAfterDurations = 0 cfg.RemovingCheckAfterDurations = 0
cfg.Key = &keys.PrivateKey{} cfg.Key = &keys.PrivateKey{}
creds := New(cfg) creds := New(cfg)
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.Error(t, err) require.Error(t, err)
}) })
@ -229,14 +237,15 @@ func TestGetBox(t *testing.T) {
var obj object.Object var obj object.Object
obj.SetPayload([]byte("invalid")) obj.SetPayload([]byte("invalid"))
addr := oidtest.Address() addr := oidtest.Address()
frostfs.objects[addr] = []*object.Object{&obj} accessKeyID := getAccessKeyID(addr)
frostfs.objects[accessKeyID] = []*object.Object{&obj}
cfg.FrostFS = frostfs cfg.FrostFS = frostfs
cfg.RemovingCheckAfterDurations = 0 cfg.RemovingCheckAfterDurations = 0
cfg.Key = key cfg.Key = key
creds := New(cfg) creds := New(cfg)
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.Error(t, err) require.Error(t, err)
}) })
@ -248,16 +257,24 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
require.NoError(t, err) require.NoError(t, err)
_, boxAttrs, err := creds.GetBox(ctx, addr) accessKeyID := getAccessKeyID(addr)
_, boxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox, CustomAttributes: attrs}) prm := CredentialsParam{
Container: addr.Container(),
AccessKeyID: accessKeyID,
Keys: keys.PublicKeys{key.PublicKey()},
AccessBox: accessBox,
CustomAttributes: attrs,
}
_, err = creds.Update(ctx, prm)
require.NoError(t, err) require.NoError(t, err)
_, newBoxAttrs, err := creds.GetBox(ctx, addr) _, newBoxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs)) require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs))
}) })
@ -270,10 +287,12 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox}) addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
require.NoError(t, err) require.NoError(t, err)
box, _, err := creds.GetBox(ctx, addr) accessKeyID := getAccessKeyID(addr)
box, _, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey) require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
@ -286,19 +305,26 @@ func TestGetBox(t *testing.T) {
}} }}
newSecret := []byte("new-secret") newSecret := []byte("new-secret")
newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret) newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret, false)
require.NoError(t, err) require.NoError(t, err)
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{newKey.PublicKey()}, AccessBox: newAccessBox}) prm := CredentialsParam{
Container: addr.Container(),
AccessKeyID: accessKeyID,
Keys: keys.PublicKeys{newKey.PublicKey()},
AccessBox: newAccessBox,
}
_, err = creds.Update(ctx, prm)
require.NoError(t, err) require.NoError(t, err)
_, _, err = creds.GetBox(ctx, addr) _, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
require.Error(t, err) require.Error(t, err)
cfg.Key = newKey cfg.Key = newKey
newCreds := New(cfg) newCreds := New(cfg)
box, _, err = newCreds.GetBox(ctx, addr) box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey) require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
}) })
@ -311,7 +337,7 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
_, err = creds.Put(ctx, cnrID, CredentialsParam{AccessBox: accessBox}) _, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox})
require.ErrorIs(t, err, ErrEmptyPublicKeys) require.ErrorIs(t, err, ErrEmptyPublicKeys)
}) })
@ -323,7 +349,11 @@ func TestGetBox(t *testing.T) {
creds := New(cfg) creds := New(cfg)
cnrID := cidtest.ID() cnrID := cidtest.ID()
_, err = creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}}) _, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}})
require.ErrorIs(t, err, ErrEmptyBearerToken) require.ErrorIs(t, err, ErrEmptyBearerToken)
}) })
} }
func getAccessKeyID(addr oid.Address) string {
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
}

View file

@ -2,6 +2,7 @@ package frostfs
import ( import (
"context" "context"
"strings"
"testing" "testing"
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
@ -38,34 +39,46 @@ func TestGetCredsObject(t *testing.T) {
frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t)) frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t))
cid, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{ cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
FriendlyName: bktName, FriendlyName: bktName,
Owner: userID, Owner: userID,
}) })
require.NoError(t, err) require.NoError(t, err)
objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{ objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
Container: cid, Container: cnrID,
Payload: payload, Payload: payload,
}) })
require.NoError(t, err) require.NoError(t, err)
var addr oid.Address var addr oid.Address
addr.SetContainer(cid) addr.SetContainer(cnrID)
addr.SetObject(objID) addr.SetObject(objID)
obj, err := frostfs.GetCredsObject(ctx, addr) accessKeyID := getAccessKeyID(addr)
obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
Container: cnrID,
AccessKeyID: accessKeyID,
})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, payload, obj.Payload()) require.Equal(t, payload, obj.Payload())
_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{ _, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
Container: cid, Container: cnrID,
Payload: newPayload, Payload: newPayload,
NewVersionFor: &objID, NewVersionForAccessKeyID: accessKeyID,
}) })
require.NoError(t, err) require.NoError(t, err)
obj, err = frostfs.GetCredsObject(ctx, addr) obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
Container: cnrID,
AccessKeyID: getAccessKeyID(addr),
})
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, newPayload, obj.Payload()) require.Equal(t, newPayload, obj.Payload())
} }
func getAccessKeyID(addr oid.Address) string {
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
}