frostfs-sdk-go/eacl/validator_test.go

253 lines
5.8 KiB
Go
Raw Normal View History

package eacl
import (
"crypto/rand"
"testing"
"github.com/stretchr/testify/require"
)
func checkAction(t *testing.T, expected Action, v *Validator, vu *ValidationUnit) {
action, ok := v.CalculateAction(vu)
require.True(t, ok)
require.Equal(t, expected, action)
}
func checkDefaultAction(t *testing.T, v *Validator, vu *ValidationUnit) {
action, ok := v.CalculateAction(vu)
require.False(t, ok)
require.Equal(t, ActionAllow, action)
}
func TestFilterMatch(t *testing.T) {
tgt := *NewTarget()
tgt.SetRole(RoleOthers)
t.Run("simple header match", func(t *testing.T) {
tb := NewTable()
r := newRecord(ActionDeny, OperationUnknown, tgt)
r.AddFilter(HeaderFromObject, MatchStringEqual, "a", "xxx")
tb.AddRecord(r)
r = newRecord(ActionDeny, OperationUnknown, tgt)
r.AddFilter(HeaderFromRequest, MatchStringNotEqual, "b", "yyy")
tb.AddRecord(r)
tb.AddRecord(newRecord(ActionAllow, OperationUnknown, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
hs := headers{}
vu.hdrSrc = &hs
checkAction(t, ActionAllow, v, vu)
hs.obj = makeHeaders("b", "yyy")
checkAction(t, ActionAllow, v, vu)
hs.obj = makeHeaders("a", "xxx")
checkAction(t, ActionDeny, v, vu)
hs.obj = nil
hs.req = makeHeaders("b", "yyy")
checkAction(t, ActionAllow, v, vu)
hs.req = makeHeaders("b", "abc")
checkAction(t, ActionDeny, v, vu)
})
t.Run("all filters must match", func(t *testing.T) {
tb := NewTable()
r := newRecord(ActionDeny, OperationUnknown, tgt)
r.AddFilter(HeaderFromObject, MatchStringEqual, "a", "xxx")
r.AddFilter(HeaderFromRequest, MatchStringEqual, "b", "yyy")
tb.AddRecord(r)
tb.AddRecord(newRecord(ActionAllow, OperationUnknown, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
hs := headers{}
vu.hdrSrc = &hs
hs.obj = makeHeaders("a", "xxx")
checkAction(t, ActionAllow, v, vu)
hs.req = makeHeaders("b", "yyy")
checkAction(t, ActionDeny, v, vu)
hs.obj = nil
checkAction(t, ActionAllow, v, vu)
})
t.Run("filters with unknown type are skipped", func(t *testing.T) {
tb := NewTable()
r := newRecord(ActionDeny, OperationUnknown, tgt)
r.AddFilter(HeaderTypeUnknown, MatchStringEqual, "a", "xxx")
tb.AddRecord(r)
r = newRecord(ActionDeny, OperationUnknown, tgt)
r.AddFilter(0xFF, MatchStringEqual, "b", "yyy")
tb.AddRecord(r)
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
hs := headers{}
vu.hdrSrc = &hs
checkDefaultAction(t, v, vu)
hs.obj = makeHeaders("a", "xxx")
checkDefaultAction(t, v, vu)
hs.obj = nil
hs.req = makeHeaders("b", "yyy")
checkDefaultAction(t, v, vu)
})
t.Run("filters with match function are skipped", func(t *testing.T) {
tb := NewTable()
r := newRecord(ActionAllow, OperationUnknown, tgt)
r.AddFilter(HeaderFromObject, 0xFF, "a", "xxx")
tb.AddRecord(r)
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
hs := headers{}
vu.hdrSrc = &hs
checkAction(t, ActionDeny, v, vu)
hs.obj = makeHeaders("a", "xxx")
checkAction(t, ActionDeny, v, vu)
})
}
func TestOperationMatch(t *testing.T) {
tgt := *NewTarget()
tgt.SetRole(RoleOthers)
t.Run("single operation", func(t *testing.T) {
tb := NewTable()
tb.AddRecord(newRecord(ActionDeny, OperationPut, tgt))
tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
vu.op = OperationPut
checkAction(t, ActionDeny, v, vu)
vu.op = OperationGet
checkAction(t, ActionAllow, v, vu)
})
t.Run("unknown operation", func(t *testing.T) {
tb := NewTable()
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt))
v := NewValidator()
vu := newValidationUnit(RoleOthers, nil, tb)
// TODO discuss if both next tests should result in DENY
vu.op = OperationPut
checkDefaultAction(t, v, vu)
vu.op = OperationGet
checkAction(t, ActionAllow, v, vu)
})
}
func TestTargetMatches(t *testing.T) {
pubs := makeKeys(t, 3)
tgt1 := NewTarget()
tgt1.SetBinaryKeys(pubs[0:2])
tgt1.SetRole(RoleUser)
tgt2 := NewTarget()
tgt2.SetRole(RoleOthers)
r := NewRecord()
r.SetTargets(*tgt1, *tgt2)
u := newValidationUnit(RoleUser, pubs[0], nil)
require.True(t, targetMatches(u, r))
u = newValidationUnit(RoleUser, pubs[2], nil)
require.False(t, targetMatches(u, r))
u = newValidationUnit(RoleUnknown, pubs[1], nil)
require.True(t, targetMatches(u, r))
u = newValidationUnit(RoleOthers, pubs[2], nil)
require.True(t, targetMatches(u, r))
u = newValidationUnit(RoleSystem, pubs[2], nil)
require.False(t, targetMatches(u, r))
}
func makeKeys(t *testing.T, n int) [][]byte {
pubs := make([][]byte, n)
for i := range pubs {
pubs[i] = make([]byte, 33)
pubs[i][0] = 0x02
_, err := rand.Read(pubs[i][1:])
require.NoError(t, err)
}
return pubs
}
type (
hdr struct {
key, value string
}
headers struct {
obj []Header
req []Header
}
)
func (h hdr) Key() string { return h.key }
func (h hdr) Value() string { return h.value }
func makeHeaders(kv ...string) []Header {
hs := make([]Header, len(kv)/2)
for i := 0; i < len(kv); i += 2 {
hs[i/2] = hdr{kv[i], kv[i+1]}
}
return hs
}
func (h headers) HeadersOfType(ht FilterHeaderType) ([]Header, bool) {
switch ht {
case HeaderFromRequest:
return h.req, true
case HeaderFromObject:
return h.obj, true
default:
return nil, false
}
}
func newRecord(a Action, op Operation, tgt ...Target) *Record {
r := NewRecord()
r.SetAction(a)
r.SetOperation(op)
r.SetTargets(tgt...)
return r
}
func newValidationUnit(role Role, key []byte, table *Table) *ValidationUnit {
return new(ValidationUnit).
WithRole(role).
WithSenderKey(key).
WithEACLTable(table)
}