From 3c26f892ac633f6ab7ca174bf0320fd75192b005 Mon Sep 17 00:00:00 2001 From: Kirill Sosnovskikh Date: Tue, 10 Dec 2024 11:46:09 +0300 Subject: [PATCH] [#353] Extend testsuites for PATCH method Expandable suites: - TestApeContainer - TestApeBearer - TestApeLocalOverrideAllow - TestApeLocalOverrideDeny - TestObjectApiWithoutUser - TestObjectApiWithBearerToken Signed-off-by: Kirill Sosnovskikh --- pytest_tests/helpers/container_access.py | 5 +- .../testsuites/access/ape/test_ape.py | 202 ++++++++++++++++-- .../testsuites/access/ape/test_bearer.py | 135 +++++++++++- pytest_tests/testsuites/access/conftest.py | 38 +++- .../ape/test_ape_local_object_allow.py | 109 +++++++--- .../ape/test_ape_local_object_deny.py | 195 ++++++++++------- .../object/test_object_api_bearer.py | 34 ++- .../object/test_object_without_user.py | 119 +++++++---- 8 files changed, 656 insertions(+), 181 deletions(-) diff --git a/pytest_tests/helpers/container_access.py b/pytest_tests/helpers/container_access.py index 59194d5c..ec0828a9 100644 --- a/pytest_tests/helpers/container_access.py +++ b/pytest_tests/helpers/container_access.py @@ -20,7 +20,10 @@ ALL_OBJECT_OPERATIONS = ape.ObjectOperations.get_all() FULL_ACCESS = {op: True for op in ALL_OBJECT_OPERATIONS} NO_ACCESS = {op: False for op in ALL_OBJECT_OPERATIONS} -RO_ACCESS = {op: True if op not in [ape.ObjectOperations.PUT, ape.ObjectOperations.DELETE] else False for op in ALL_OBJECT_OPERATIONS} +RO_ACCESS = { + op: True if op not in [ape.ObjectOperations.PUT, ape.ObjectOperations.DELETE, ape.ObjectOperations.PATCH] else False + for op in ALL_OBJECT_OPERATIONS +} def assert_access_to_container( diff --git a/pytest_tests/testsuites/access/ape/test_ape.py b/pytest_tests/testsuites/access/ape/test_ape.py index cb0b7409..a500f601 100644 --- a/pytest_tests/testsuites/access/ape/test_ape.py +++ b/pytest_tests/testsuites/access/ape/test_ape.py @@ -2,10 +2,12 @@ import allure import pytest from frostfs_testlib import reporter from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli +from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED from frostfs_testlib.steps.cli.object import put_object_to_random_node from frostfs_testlib.steps.node_management import drop_object from frostfs_testlib.storage.dataclasses import ape from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.utils import wallet_utils from frostfs_testlib.utils.failover_utils import wait_object_replication @@ -33,9 +35,12 @@ def allowed_wallet(default_wallet: WalletInfo, other_wallet: WalletInfo, role: a @pytest.mark.nightly @pytest.mark.ape class TestApeContainer(ClusterTestBase): + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @pytest.mark.sanity @allure.title("Deny operations via APE by role (role={role}, obj_size={object_size})") @pytest.mark.parametrize("role", [ape.Role.OWNER, ape.Role.OTHERS], indirect=True) + @pytest.mark.parametrize("objects", [4], indirect=True) def test_deny_operations_via_ape_by_role( self, denied_wallet: WalletInfo, @@ -44,7 +49,7 @@ class TestApeContainer(ClusterTestBase): container: str, objects: list[str], role: ape.Role, - file_path: TestFile, + test_file: TestFile, rpc_endpoint: str, ): with reporter.step(f"Deny all operations for {role} via APE"): @@ -58,10 +63,10 @@ class TestApeContainer(ClusterTestBase): with reporter.step(f"Assert denied role have no access to public container"): # access checks will try to remove object, so we use .pop() to ensure we have object before deletion - assert_no_access_to_container(denied_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_no_access_to_container(denied_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step(f"Assert allowed role have full access to public container"): - assert_full_access_to_container(allowed_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(allowed_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step(f"Remove deny rule from APE"): frostfs_cli.ape_manager.remove(rpc_endpoint, deny_rule.chain_id, target_name=container, target_type="container") @@ -70,12 +75,15 @@ class TestApeContainer(ClusterTestBase): self.wait_for_blocks() with reporter.step("Assert allowed role have full access to public container"): - assert_full_access_to_container(allowed_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(allowed_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step("Assert denied role have full access to public container"): - assert_full_access_to_container(denied_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(denied_wallet, container, objects.pop(), test_file, self.shell, self.cluster) + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @allure.title("Deny operations for others via APE excluding single pubkey (obj_size={object_size})") + @pytest.mark.parametrize("objects", [2], indirect=True) def test_deny_opeartions_excluding_pubkey( self, frostfs_cli: FrostfsCli, @@ -85,7 +93,7 @@ class TestApeContainer(ClusterTestBase): container: str, objects: list[str], rpc_endpoint: str, - file_path: TestFile, + test_file: TestFile, ): with reporter.step("Add deny APE rules for others except single wallet"): rule_conditions = [ @@ -103,13 +111,13 @@ class TestApeContainer(ClusterTestBase): with reporter.step("Assert others have no access to public container"): # access checks will try to remove object, so we use .pop() to ensure we have object before deletion - assert_no_access_to_container(other_wallet, container, objects[0], file_path, self.shell, self.cluster) + assert_no_access_to_container(other_wallet, container, objects[0], test_file, self.shell, self.cluster) with reporter.step("Assert owner have full access to public container"): - assert_full_access_to_container(default_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(default_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step("Assert allowed wallet have full access to public container"): - assert_full_access_to_container(other_wallet_2, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(other_wallet_2, container, objects.pop(), test_file, self.shell, self.cluster) @allure.title("Replication works with APE deny rules on OWNER and OTHERS (obj_size={object_size})") @pytest.mark.parametrize( @@ -123,10 +131,10 @@ class TestApeContainer(ClusterTestBase): frostfs_cli: FrostfsCli, container: str, rpc_endpoint: str, - file_path: TestFile, + test_file: TestFile, ): with reporter.step("Put object to container"): - oid = put_object_to_random_node(default_wallet, file_path, container, self.shell, self.cluster) + oid = put_object_to_random_node(default_wallet, test_file, container, self.shell, self.cluster) with reporter.step("Wait for object replication after upload"): wait_object_replication(container, oid, len(self.cluster.cluster_nodes), self.shell, self.cluster.storage_nodes) @@ -151,10 +159,13 @@ class TestApeContainer(ClusterTestBase): with reporter.step("Wait for dropped object to be replicated"): wait_object_replication(container, oid, len(self.cluster.storage_nodes), self.shell, self.cluster.storage_nodes) + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @allure.title("Deny operations via APE by role (role=ir, obj_size={object_size})") @pytest.mark.parametrize("container_request", [OWNER_ALLOW_ALL], indirect=True) + @pytest.mark.parametrize("objects", [3], indirect=True) def test_deny_operations_via_ape_by_role_ir( - self, frostfs_cli: FrostfsCli, ir_wallet: WalletInfo, container: str, objects: list[str], rpc_endpoint: str, file_path: TestFile + self, frostfs_cli: FrostfsCli, ir_wallet: WalletInfo, container: str, objects: list[str], rpc_endpoint: str, test_file: TestFile ): default_ir_access = { ape.ObjectOperations.PUT: False, @@ -163,11 +174,12 @@ class TestApeContainer(ClusterTestBase): ape.ObjectOperations.GET_RANGE: True, ape.ObjectOperations.GET_RANGE_HASH: True, ape.ObjectOperations.SEARCH: True, + ape.ObjectOperations.PATCH: False, ape.ObjectOperations.DELETE: False, } with reporter.step("Assert IR wallet access in default state"): - assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster) + assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step("Add deny APE rule with deny all operations for IR role"): rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS, [ape.Condition.by_role(ape.Role.IR.value)]) @@ -177,7 +189,7 @@ class TestApeContainer(ClusterTestBase): self.wait_for_blocks() with reporter.step("Assert IR wallet ignores APE rules"): - assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster) + assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step("Remove APE rule"): frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container") @@ -186,10 +198,13 @@ class TestApeContainer(ClusterTestBase): self.wait_for_blocks() with reporter.step("Assert IR wallet access is restored"): - assert_access_to_container(default_ir_access, ir_wallet, container, objects[0], file_path, self.shell, self.cluster) + assert_access_to_container(default_ir_access, ir_wallet, container, objects.pop(), test_file, self.shell, self.cluster) + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @allure.title("Deny operations via APE by role (role=container, obj_size={object_size})") @pytest.mark.parametrize("container_request", [OWNER_ALLOW_ALL], indirect=True) + @pytest.mark.parametrize("objects", [3], indirect=True) def test_deny_operations_via_ape_by_role_container( self, frostfs_cli: FrostfsCli, @@ -197,7 +212,7 @@ class TestApeContainer(ClusterTestBase): container: str, objects: list[str], rpc_endpoint: str, - file_path: TestFile, + test_file: TestFile, ): access_matrix = { ape.ObjectOperations.PUT: True, @@ -206,11 +221,12 @@ class TestApeContainer(ClusterTestBase): ape.ObjectOperations.GET_RANGE: True, ape.ObjectOperations.GET_RANGE_HASH: True, ape.ObjectOperations.SEARCH: True, + ape.ObjectOperations.PATCH: True, ape.ObjectOperations.DELETE: True, } with reporter.step("Assert CONTAINER wallet access in default state"): - assert_access_to_container(access_matrix, container_node_wallet, container, objects[0], file_path, self.shell, self.cluster) + assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster) rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS, ape.Condition.by_role(ape.Role.CONTAINER.value)) @@ -221,7 +237,7 @@ class TestApeContainer(ClusterTestBase): self.wait_for_blocks() with reporter.step("Assert CONTAINER wallet ignores APE rule"): - assert_access_to_container(access_matrix, container_node_wallet, container, objects[1], file_path, self.shell, self.cluster) + assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step("Remove APE rule"): frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container") @@ -230,4 +246,152 @@ class TestApeContainer(ClusterTestBase): self.wait_for_blocks() with reporter.step("Assert CONTAINER wallet access after rule was removed"): - assert_access_to_container(access_matrix, container_node_wallet, container, objects[2], file_path, self.shell, self.cluster) + assert_access_to_container(access_matrix, container_node_wallet, container, objects.pop(), test_file, self.shell, self.cluster) + + # ^ + @allure.title("Deny PATCH operation via APE (object_size={object_size})") + @pytest.mark.parametrize("objects", [1], indirect=True) + def test_patch_object_with_deny_rule( + self, + frostfs_cli: FrostfsCli, + grpc_client: GrpcClientWrapper, + grpc_client_with_other_wallet: GrpcClientWrapper, + grpc_client_with_container_wallet: GrpcClientWrapper, + grpc_client_with_ir_wallet: GrpcClientWrapper, + container: str, + objects: list[str], + test_file: TestFile, + ): + patch_params = { + "cid": container, + "oid": objects[0], + "endpoint": self.cluster.default_rpc_endpoint, + "ranges": ["300:200"], + "payloads": [test_file], + "new_attrs": "owner=true", + "timeout": "200s", + } + + with reporter.step("Check that PATCH is available with owner wallet"): + patched_oid = grpc_client.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with another wallet"): + patch_params["ranges"] = ["100:50"] + patch_params["new_attrs"] = "other=true" + + patched_oid = grpc_client_with_other_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with container wallet"): + patch_params["ranges"] = ["600:0"] + patch_params["new_attrs"] = "container=true" + + patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with ir wallet"): + patch_params["ranges"] = ["0:1000"] + patch_params["new_attrs"] = "ir=true" + + patched_oid = grpc_client_with_ir_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PATCH) + with reporter.step("Add APE rule with deny PATCH operation"): + frostfs_cli.ape_manager.add( + self.cluster.default_rpc_endpoint, + rule.chain_id, + target_name=container, + target_type="container", + rule=rule.as_string(), + ) + + with reporter.step("Wait for one block"): + self.wait_for_blocks(1) + + with reporter.step("Check that PATCH is not allowed with owner wallet"): + patch_params["ranges"] = ["300:200"] + patch_params["new_attrs"] = "owner_2=false" + + with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED): + grpc_client.object.patch(**patch_params) + + with reporter.step("Check that PATCH is not allowed with another wallet"): + patch_params["ranges"] = ["100:50"] + patch_params["new_attrs"] = "other_2=false" + + with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED): + grpc_client_with_other_wallet.object.patch(**patch_params) + + with reporter.step("Check that PATCH is allowed with container wallet as rule is ignored"): + patch_params["ranges"] = ["600:0"] + patch_params["new_attrs"] = "container_2=true" + + patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is not allowed with ir waller"): + patch_params["ranges"] = ["0:1000"] + patch_params["new_attrs"] = "ir_2=true" + + with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED): + grpc_client_with_ir_wallet.object.patch(**patch_params) + + with reporter.step("Remove APE rule"): + frostfs_cli.ape_manager.remove( + self.cluster.default_rpc_endpoint, + rule.chain_id, + target_name=container, + target_type="container", + ) + + with reporter.step("Wait for one block"): + self.wait_for_blocks(1) + + with reporter.step("Check that PATCH is available with owner wallet"): + patch_params["ranges"] = ["300:200"] + patch_params["new_attrs"] = "owner_3=true" + + patched_oid = grpc_client.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with another wallet"): + patch_params["ranges"] = ["100:50"] + patch_params["new_attrs"] = "other_3=true" + + patched_oid = grpc_client_with_other_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with container wallet"): + patch_params["ranges"] = ["600:0"] + patch_params["new_attrs"] = "container_3=true" + + patched_oid = grpc_client_with_container_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + with reporter.step("Check that PATCH is available with ir wallet"): + patch_params["ranges"] = ["0:1000"] + patch_params["new_attrs"] = "ir_3=true" + + patched_oid = grpc_client_with_ir_wallet.object.patch(**patch_params) + assert patched_oid != patch_params["oid"], "OID of patched object must be different from original one" + patch_params["oid"] = patched_oid + + attrs = {"owner", "other", "container", "ir", "container_2", "owner_3", "other_3", "container_3", "ir_3"} + + with reporter.step("Ensure that all attributes match expected values"): + object_info: dict = grpc_client.object.head(container, patch_params["oid"], self.cluster.default_rpc_endpoint) + object_attrs: dict = object_info["header"]["attributes"] + assert attrs <= {k for k in object_attrs.keys()}, f"Received attributes do not match expected ones: {object_attrs}" + assert all( + v == "true" for k, v in object_attrs.items() if k in attrs + ), f"Received attributes do not match expected ones: {object_attrs}" diff --git a/pytest_tests/testsuites/access/ape/test_bearer.py b/pytest_tests/testsuites/access/ape/test_bearer.py index 0e2284aa..57c72484 100644 --- a/pytest_tests/testsuites/access/ape/test_bearer.py +++ b/pytest_tests/testsuites/access/ape/test_bearer.py @@ -2,8 +2,10 @@ import allure import pytest from frostfs_testlib import reporter from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli +from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED from frostfs_testlib.storage.dataclasses import ape from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.utils.file_utils import TestFile @@ -22,8 +24,11 @@ from ....helpers.container_access import ( @pytest.mark.ape @pytest.mark.parametrize("user_tag", ["ApeBearer"], indirect=True) # provide dedicated user with no APE side-policies class TestApeBearer(ClusterTestBase): + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @allure.title("Operations with BearerToken (role={role}, obj_size={object_size})") @pytest.mark.parametrize("role", [ape.Role.OWNER, ape.Role.OTHERS], indirect=True) + @pytest.mark.parametrize("objects", [4], indirect=True) def test_bearer_token_operations( self, container: str, @@ -32,11 +37,11 @@ class TestApeBearer(ClusterTestBase): temp_directory: str, test_wallet: WalletInfo, role: ape.Role, - file_path: TestFile, + test_file: TestFile, rpc_endpoint: str, ): with reporter.step(f"Check {role} has full access to container without bearer token"): - assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step(f"Deny all operations for everyone via APE"): rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS) @@ -55,10 +60,10 @@ class TestApeBearer(ClusterTestBase): ) with reporter.step(f"Check {role} without token has no access to all operations with container"): - assert_no_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_no_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster) with reporter.step(f"Check {role} with token has access to all operations with container"): - assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster, bearer) + assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer) with reporter.step(f"Remove deny rule from APE"): frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container") @@ -67,9 +72,121 @@ class TestApeBearer(ClusterTestBase): self.wait_for_blocks() with reporter.step(f"Check {role} without token has access to all operations with container"): - assert_full_access_to_container(test_wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster) + + # ^ + @allure.title("Patch operation with BearerToken (object_size={object_size})") + @pytest.mark.parametrize("objects", [1], indirect=True) + def test_patch_object_with_bearer_token( + self, + frostfs_cli: FrostfsCli, + grpc_client_with_other_wallet: GrpcClientWrapper, + container: str, + objects: list[str], + test_file: TestFile, + temp_directory: str, + ): + oid = objects[0] + + with reporter.step("Check if the patch is available with another wallet"): + patched_oid = grpc_client_with_other_wallet.object.patch( + container, + oid, + self.cluster.default_rpc_endpoint, + ranges=["100:300"], + payloads=[test_file], + new_attrs="allow-patch=true", + timeout="200s", + ) + assert patched_oid != oid, "OID of patched object must be different from original one" + oid = patched_oid + + rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PATCH) + + with reporter.step("Deny PATCH operation for everyone via APE"): + frostfs_cli.ape_manager.add( + self.cluster.default_rpc_endpoint, + rule.chain_id, + target_name=container, + target_type="container", + rule=rule.as_string(), + ) + + with reporter.step("Wait for one block"): + self.wait_for_blocks(1) + + with reporter.step("Check that patch is not allowed with another wallet"): + with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED): + grpc_client_with_other_wallet.object.patch( + container, + oid, + self.cluster.default_rpc_endpoint, + ranges=["100:300"], + payloads=[test_file], + new_attrs="deny-patch=true", + timeout="200s", + ) + + with reporter.step("Create bearer token with all operations allowed"): + bearer = create_bearer_token( + frostfs_cli, + temp_directory, + container, + rule=ape.Rule(ape.Verb.ALLOW, ALL_OBJECT_OPERATIONS), + endpoint=self.cluster.default_rpc_endpoint, + ) + + with reporter.step("Check that patch is available with another wallet with BearerToken"): + patched_oid = grpc_client_with_other_wallet.object.patch( + container, + oid, + self.cluster.default_rpc_endpoint, + bearer=bearer, + ranges=["100:300"], + payloads=[test_file], + new_attrs="bearer-patch=true", + timeout="200s", + ) + assert patched_oid != oid, "OID of patched object must be different from original one" + oid = patched_oid + + with reporter.step(f"Remove deny rule from APE"): + frostfs_cli.ape_manager.remove( + self.cluster.default_rpc_endpoint, + rule.chain_id, + target_name=container, + target_type="container", + ) + + with reporter.step("Wait for one block"): + self.wait_for_blocks(1) + + with reporter.step("Check if the patch is available with another wallet"): + patched_oid = grpc_client_with_other_wallet.object.patch( + container, + oid, + self.cluster.default_rpc_endpoint, + bearer=bearer, + ranges=["100:300"], + payloads=[test_file], + new_attrs="allow-patch-2=true", + timeout="200s", + ) + assert patched_oid != oid, "OID of patched object must be different from original one" + oid = patched_oid + + attrs = {"allow-patch", "bearer-patch", "allow-patch-2"} + + with reporter.step("Ensure that all attributes match expected values"): + object_info: dict = grpc_client_with_other_wallet.object.head(container, oid, self.cluster.default_rpc_endpoint) + object_attrs: dict = object_info["header"]["attributes"] + assert attrs <= {k for k in object_attrs.keys()}, f"Received attributes do not match expected ones: {object_attrs}" + assert all( + v == "true" for k, v in object_attrs.items() if k in attrs + ), f"Received attributes do not match expected ones: {object_attrs}" @allure.title("BearerToken for compound operations (obj_size={object_size})") + @pytest.mark.parametrize("objects", [4], indirect=True) def test_bearer_token_compound_operations( self, frostfs_cli: FrostfsCli, @@ -79,7 +196,7 @@ class TestApeBearer(ClusterTestBase): container: str, objects: list[str], rpc_endpoint: str, - file_path: TestFile, + test_file: TestFile, ): """ Bearer Token COMPLETLY overrides chains set for the specific target. @@ -151,7 +268,7 @@ class TestApeBearer(ClusterTestBase): ape.ObjectOperations.PUT, ape.ObjectOperations.HEAD, ape.ObjectOperations.GET_RANGE, - # Delete also requires PUT (to make tobstone) and HEAD (to get simple objects header) + # Delete also requires PUT (to make tombstone) and HEAD (to get simple objects header) ape.ObjectOperations.DELETE, ], ape.Role.OTHERS: [ @@ -180,7 +297,7 @@ class TestApeBearer(ClusterTestBase): for role, wallet in wallets_map.items(): with reporter.step(f"Assert access to container without bearer token for {role}"): - assert_access_to_container(access_map[role], wallet, container, objects.pop(), file_path, self.shell, self.cluster) + assert_access_to_container(access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster) bearer_tokens = {} for role in wallets_map.keys(): @@ -192,5 +309,5 @@ class TestApeBearer(ClusterTestBase): for role, wallet in wallets_map.items(): with reporter.step(f"Assert access to container with bearer token for {role}"): assert_access_to_container( - bt_access_map[role], wallet, container, objects.pop(), file_path, self.shell, self.cluster, bearer_tokens[role] + bt_access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer_tokens[role] ) diff --git a/pytest_tests/testsuites/access/conftest.py b/pytest_tests/testsuites/access/conftest.py index 6d03faa3..14c2b7ae 100644 --- a/pytest_tests/testsuites/access/conftest.py +++ b/pytest_tests/testsuites/access/conftest.py @@ -2,16 +2,18 @@ import json import pytest from frostfs_testlib import reporter +from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli +from frostfs_testlib.resources.cli import FROSTFS_CLI_EXEC from frostfs_testlib.shell import Shell from frostfs_testlib.steps.cli.container import search_nodes_with_container from frostfs_testlib.steps.cli.object import put_object_to_random_node from frostfs_testlib.storage.cluster import Cluster, ClusterNode from frostfs_testlib.storage.dataclasses import ape from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.storage.grpc_operations.client_wrappers import CliClientWrapper +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.parallel import parallel -OBJECT_COUNT = 5 - @pytest.fixture(scope="session") def ir_wallet(cluster: Cluster) -> WalletInfo: @@ -40,13 +42,22 @@ def test_wallet(default_wallet: WalletInfo, other_wallet: WalletInfo, role: ape. return role_to_wallet_map[role] -@pytest.fixture -def objects(container: str, default_wallet: WalletInfo, client_shell: Shell, cluster: Cluster, file_path: str): +@pytest.fixture(scope="function", params=[5]) +def objects( + container: str, + default_wallet: WalletInfo, + client_shell: Shell, + cluster: Cluster, + test_file: str, + request: pytest.FixtureRequest, +): + object_count = request.param + with reporter.step("Add test objects to container"): put_results = parallel( - [put_object_to_random_node] * OBJECT_COUNT, + [put_object_to_random_node] * object_count, wallet=default_wallet, - path=file_path, + path=test_file, cid=container, shell=client_shell, cluster=cluster, @@ -70,3 +81,18 @@ def container_nodes(default_wallet: WalletInfo, container: str, client_shell: Sh @pytest.fixture def container_node_wallet(container_nodes: list[ClusterNode]) -> WalletInfo: return WalletInfo.from_node(container_nodes[0].storage_node) + + +@pytest.fixture +def grpc_client_with_container_wallet(client_shell: Shell, container_node_wallet: WalletInfo) -> GrpcClientWrapper: + return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, container_node_wallet.config_path)) + + +@pytest.fixture(scope="session") +def grpc_client_with_other_wallet(client_shell: Shell, other_wallet: WalletInfo) -> GrpcClientWrapper: + return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, other_wallet.config_path)) + + +@pytest.fixture(scope="session") +def grpc_client_with_ir_wallet(client_shell: Shell, ir_wallet: WalletInfo) -> GrpcClientWrapper: + return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, ir_wallet.config_path)) diff --git a/pytest_tests/testsuites/ape/test_ape_local_object_allow.py b/pytest_tests/testsuites/ape/test_ape_local_object_allow.py index 7bd9b471..d968e301 100644 --- a/pytest_tests/testsuites/ape/test_ape_local_object_allow.py +++ b/pytest_tests/testsuites/ape/test_ape_local_object_allow.py @@ -3,12 +3,10 @@ import pytest from frostfs_testlib import reporter from frostfs_testlib.cli import FrostfsCli from frostfs_testlib.resources.error_patterns import NO_RULE_FOUND_OBJECT -from frostfs_testlib.steps.cli.object import delete_object, get_object, get_range, get_range_hash, head_object, put_object, search_object -from frostfs_testlib.storage.dataclasses.object_size import ObjectSize -from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.testing.test_control import expect_not_raises -from frostfs_testlib.utils.file_utils import generate_file +from frostfs_testlib.utils.file_utils import TestFile from ...helpers.container_request import ContainerRequest @@ -25,8 +23,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to GetObject in root tenant") def test_local_override_allow_to_get_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, object_id: str, ): @@ -41,11 +39,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check get object in container on the first node, expected allow"): with expect_not_raises(): - get_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.get(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check get object in container on the second node, epxected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - get_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.get(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -56,15 +54,14 @@ class TestApeLocalOverrideAllow(ClusterTestBase): ) @allure.title("LocalOverride: Allow to PutObject in root tenant") + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_allow_to_put_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -76,11 +73,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check put object in container on the first node, expected allow"): with expect_not_raises(): - put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) - with reporter.step("Check get object in container on the second node, epxected access denied error"): + with reporter.step("Check put object in container on the second node, epxected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.put(test_file, container, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -93,8 +90,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to HeadObject in root tenant") def test_local_override_allow_to_head_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, object_id: str, ): @@ -109,11 +106,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check head object in container on the first node, expected allow"): with expect_not_raises(): - head_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.head(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check head object in container on the second node, expected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - head_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.head(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -126,8 +123,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to SearchObject in root tenant") def test_local_override_allow_to_search_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, ): with reporter.step("Create local override on first node"): @@ -141,11 +138,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check search object in container on the first node, expected allow"): with expect_not_raises(): - search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check search object from container on the second node, expected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -158,8 +155,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to RangeObject in root tenant") def test_local_override_allow_to_range_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, object_id: str, ): @@ -174,11 +171,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check get range object in container on the first node, expected allow"): with expect_not_raises(): - get_range(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.range(container, object_id, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint()) - with reporter.step("Check range object in container on the second node. expected access denied error"): + with reporter.step("Check get range object in container on the second node, expected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - get_range(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.range(container, object_id, "0:10", self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -191,8 +188,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to HashObject in root tenant") def test_local_override_allow_to_hash_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, object_id: str, ): @@ -207,11 +204,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check get range hash object in container on the first node, expected allow"): with expect_not_raises(): - get_range_hash(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, object_id, range="0:10") with reporter.step("Check get range hash object in container on the second node, expected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - get_range_hash(default_wallet, container, object_id, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.hash(self.cluster.storage_nodes[1].get_rpc_endpoint(), container, object_id, range="0:10") with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -224,8 +221,8 @@ class TestApeLocalOverrideAllow(ClusterTestBase): @allure.title("LocalOverride: Allow to DeleteObject in root tenant") def test_local_override_allow_to_delete_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, object_id: str, ): @@ -240,11 +237,11 @@ class TestApeLocalOverrideAllow(ClusterTestBase): with reporter.step("Check delete object from container on the second node, expected access denied error"): with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): - delete_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.delete(container, object_id, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Check delete object in container on the first node, expected allow"): with expect_not_raises(): - delete_object(default_wallet, container, object_id, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.delete(container, object_id, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -253,3 +250,55 @@ class TestApeLocalOverrideAllow(ClusterTestBase): target_name=container, chain_id="allowDeleteObject", ) + + @allure.title("LocalOverride: Allow to PatchObject in root tenant") + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) + def test_local_override_allow_to_patch_object_root( + self, + frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, + container: str, + object_id: str, + test_file: TestFile, + ): + with reporter.step("Create local override on first node"): + frostfs_cli_on_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=container, + chain_id="allowPatchObject", + rule=f"allow Object.Patch *", + ) + + with reporter.step("Check patch object in container on the second node, epxected access denied error"): + with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT): + grpc_client.object.patch( + container, + object_id, + self.cluster.storage_nodes[1].get_rpc_endpoint(), + ranges=["500:300"], + payloads=[test_file], + new_attrs="patched=false", + timeout="200s", + ) + + with reporter.step("Check patch object in container on the first node, expected allow"): + with expect_not_raises(): + patched_oid = grpc_client.object.patch( + container, + object_id, + self.cluster.storage_nodes[0].get_rpc_endpoint(), + ranges=["100:200"], + payloads=[test_file], + new_attrs="patched=true", + timeout="200s", + ) + assert patched_oid != object_id, "OID of patched object must be different from original one" + + with reporter.step("Delete a rule"): + frostfs_cli_on_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=container, + chain_id="allowPatchObject", + ) diff --git a/pytest_tests/testsuites/ape/test_ape_local_object_deny.py b/pytest_tests/testsuites/ape/test_ape_local_object_deny.py index 70131cd5..a554e5bd 100644 --- a/pytest_tests/testsuites/ape/test_ape_local_object_deny.py +++ b/pytest_tests/testsuites/ape/test_ape_local_object_deny.py @@ -1,20 +1,15 @@ import allure import pytest +from frostfs_testlib import reporter from frostfs_testlib.cli import FrostfsCli -from frostfs_testlib.reporter import get_reporter -from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED, RULE_ACCESS_DENIED_OBJECT -from frostfs_testlib.steps.cli.object import delete_object, get_object, get_range, get_range_hash, head_object, put_object, search_object -from frostfs_testlib.storage.dataclasses.ape import Operations -from frostfs_testlib.storage.dataclasses.object_size import ObjectSize -from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.resources.error_patterns import RULE_ACCESS_DENIED_OBJECT +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.testing.test_control import expect_not_raises -from frostfs_testlib.utils.file_utils import generate_file +from frostfs_testlib.utils.file_utils import TestFile from ...helpers.container_request import APE_EVERYONE_ALLOW_ALL, ContainerRequest -reporter = get_reporter() - REP2 = ContainerRequest("REP 2", ape_rules=APE_EVERYONE_ALLOW_ALL, short_name="REP2_allow_all_ape") @@ -25,15 +20,14 @@ REP2 = ContainerRequest("REP 2", ape_rules=APE_EVERYONE_ALLOW_ALL, short_name="R class TestApeLocalOverrideDeny(ClusterTestBase): @allure.title("LocalOverride: Deny to GetObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_get_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -44,15 +38,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Put object in container on the first node"): - oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check get object from container on the first node, expected access denied error"): with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): - get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.get(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check get object from container on the second node, expected allow"): with expect_not_raises(): - get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.get(container, oid, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -64,19 +58,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check get object in container on the first node, expected allow"): with expect_not_raises(): - get_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.get(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint()) @allure.title("LocalOverride: Deny to PutObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_put_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -87,14 +80,12 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Check put object from container on the first node, expected access denied error"): - with pytest.raises(RuntimeError, match=OBJECT_ACCESS_DENIED): - put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): + grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check put object from container on the second node, expected allow"): with expect_not_raises(): - put_object( - default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint(), copies_number=3 - ) + grpc_client.object.put(test_file, container, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -106,19 +97,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check get object in container on the first node, expected allow"): with expect_not_raises(): - put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) @allure.title("LocalOverride: Deny to HeadObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_head_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -129,15 +119,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Put object in container on the first node"): - oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check head object from container on the first node, expected access denied error"): with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): - head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.head(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check head object from container on the second node, expected allow"): with expect_not_raises(): - head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.head(container, oid, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -149,14 +139,14 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check head object in container on the first node, expected allow"): with expect_not_raises(): - head_object(default_wallet, container, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.head(container, oid, self.cluster.storage_nodes[0].get_rpc_endpoint()) @allure.title("LocalOverride: Deny to SearchObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) def test_local_override_deny_to_search_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, container: str, ): with reporter.step("Create local override on first node"): @@ -169,12 +159,12 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Check search object from container on the first node, expected access denied error"): - with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.SEARCH_OBJECT)): - search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): + grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check search object from container on the second node, expected allow"): with expect_not_raises(): - search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -186,19 +176,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check search object in container on the first node, expected allow"): with expect_not_raises(): - search_object(default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint()) @allure.title("LocalOverride: Deny to RangeObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_range_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -209,15 +198,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Put object in container on the first node"): - oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check range object from container on the first node, expected access denied error"): - with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.RANGE_OBJECT)): - get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): + grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check get range object from container on the second node, expected allow"): with expect_not_raises(): - get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -229,19 +218,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check get range object in container on the first node, expected allow"): with expect_not_raises(): - get_range(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.range(container, oid, "0:10", self.cluster.storage_nodes[0].get_rpc_endpoint()) @allure.title("LocalOverride: Deny to HashObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_hash_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -252,15 +240,15 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Put object in container on the first node"): - oid = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check get range hash object from container on the first node, expected access denied error"): - with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT.format(operation=Operations.HASH_OBJECT)): - get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): + grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, oid, range="0:10") with reporter.step("Check get range hash object from container on the second node, expected allow"): with expect_not_raises(): - get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.hash(self.cluster.storage_nodes[1].get_rpc_endpoint(), container, oid, range="0:10") with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -272,19 +260,18 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check get range hash object in container on the first node, expected allow"): with expect_not_raises(): - get_range_hash(default_wallet, container, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.hash(self.cluster.storage_nodes[0].get_rpc_endpoint(), container, oid, range="0:10") @allure.title("LocalOverride: Deny to DeleteObject in root tenant") @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) def test_local_override_deny_to_delete_object_root( self, - default_wallet: WalletInfo, frostfs_cli_on_first_node: FrostfsCli, - simple_object_size: ObjectSize, + grpc_client: GrpcClientWrapper, container: str, + test_file: TestFile, ): - test_file = generate_file(simple_object_size.value) - with reporter.step("Create local override on first node"): frostfs_cli_on_first_node.control.add_rule( endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), @@ -295,30 +282,26 @@ class TestApeLocalOverrideDeny(ClusterTestBase): ) with reporter.step("Put objects in container on the first node"): - oid_1 = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) - oid_2 = put_object(default_wallet, test_file, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid_1 = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) + oid_2 = grpc_client.object.put(test_file, container, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Search object in container on the first node"): - search_object_in_container_1 = search_object( - default_wallet, container, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint() - ) + search_object_in_container_1 = grpc_client.object.search(container, self.cluster.storage_nodes[0].get_rpc_endpoint()) assert oid_1 in search_object_in_container_1, f"Object {oid_1} was not found" assert oid_2 in search_object_in_container_1, f"Object {oid_2} was not found" with reporter.step("Search object from container on the second node"): - search_object_in_container_2 = search_object( - default_wallet, container, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint() - ) + search_object_in_container_2 = grpc_client.object.search(container, self.cluster.storage_nodes[1].get_rpc_endpoint()) assert oid_1 in search_object_in_container_2, f"Object {oid_1} was not found" assert oid_2 in search_object_in_container_2, f"Object {oid_2} was not found" with reporter.step("Check delete object from container on the first node, expected access denied error"): with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): - delete_object(default_wallet, container, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.delete(container, oid_1, self.cluster.storage_nodes[0].get_rpc_endpoint()) with reporter.step("Check delete object from container on the second node, expected allow"): with expect_not_raises(): - delete_object(default_wallet, container, oid_2, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint()) + grpc_client.object.delete(container, oid_2, self.cluster.storage_nodes[1].get_rpc_endpoint()) with reporter.step("Delete a rule"): frostfs_cli_on_first_node.control.remove_rule( @@ -330,4 +313,70 @@ class TestApeLocalOverrideDeny(ClusterTestBase): with reporter.step("Check delete object in container on the first node, expected allow"): with expect_not_raises(): - delete_object(default_wallet, container, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint()) + grpc_client.object.delete(container, oid_1, self.cluster.storage_nodes[0].get_rpc_endpoint()) + + @allure.title("LocalOverride: Deny to PatchObject in root tenant") + @pytest.mark.parametrize("container_request", [REP2], indirect=True) + @pytest.mark.parametrize("object_size", ["simple"], indirect=True) + def test_local_override_deny_to_patch_object_root( + self, + frostfs_cli_on_first_node: FrostfsCli, + grpc_client: GrpcClientWrapper, + test_file: TestFile, + container: str, + object_id: str, + ): + with reporter.step("Create local override on first node"): + frostfs_cli_on_first_node.control.add_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=container, + chain_id="denyPatchObject", + rule=f"deny Object.Patch /{container}/*", + ) + + with reporter.step("Check patch object from container on the first node, expected access denied error"): + with pytest.raises(RuntimeError, match=RULE_ACCESS_DENIED_OBJECT): + grpc_client.object.patch( + container, + object_id, + self.cluster.storage_nodes[0].get_rpc_endpoint(), + ranges=["0:350"], + payloads=[test_file], + new_attrs="patched_by_first_node=false", + timeout="200s", + ) + + with reporter.step("Check patch object from container on the second node, expected allow"): + with expect_not_raises(): + patched_oid_1 = grpc_client.object.patch( + container, + object_id, + self.cluster.storage_nodes[1].get_rpc_endpoint(), + ranges=["200:400"], + payloads=[test_file], + new_attrs="patched_by_second_node=true", + timeout="200s", + ) + assert patched_oid_1 != object_id, "OID of patched object must be different from original one" + + with reporter.step("Delete a rule"): + frostfs_cli_on_first_node.control.remove_rule( + endpoint=self.cluster.storage_nodes[0].get_control_endpoint(), + target_type="container", + target_name=container, + chain_id="denyPatchObject", + ) + + with reporter.step("Check patch object in container on the first node, expected allow"): + with expect_not_raises(): + patched_oid_2 = grpc_client.object.patch( + container, + patched_oid_1, + self.cluster.storage_nodes[0].get_rpc_endpoint(), + ranges=["600:0"], + payloads=[test_file], + new_attrs="patched_by_first_node=true", + timeout="200s", + ) + assert patched_oid_1 != patched_oid_2, "OID of patched object must be different from original one" diff --git a/pytest_tests/testsuites/object/test_object_api_bearer.py b/pytest_tests/testsuites/object/test_object_api_bearer.py index be679c2c..030195e5 100644 --- a/pytest_tests/testsuites/object/test_object_api_bearer.py +++ b/pytest_tests/testsuites/object/test_object_api_bearer.py @@ -2,6 +2,7 @@ import allure import pytest from frostfs_testlib import reporter from frostfs_testlib.cli import FrostfsCli +from frostfs_testlib.resources.cli import FROSTFS_CLI_EXEC from frostfs_testlib.shell import Shell from frostfs_testlib.steps.cli.container import ( REP_2_FOR_3_NODES_PLACEMENT_RULE, @@ -15,6 +16,8 @@ from frostfs_testlib.storage.cluster import Cluster from frostfs_testlib.storage.dataclasses import ape from frostfs_testlib.storage.dataclasses.object_size import ObjectSize from frostfs_testlib.storage.dataclasses.wallet import WalletInfo +from frostfs_testlib.storage.grpc_operations.client_wrappers import CliClientWrapper +from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.testing.test_control import expect_not_raises from pytest import FixtureRequest @@ -46,6 +49,11 @@ def bearer_token(frostfs_cli: FrostfsCli, temp_directory: str, user_container: S return create_bearer_token(frostfs_cli, temp_directory, user_container.get_id(), rule, cluster.default_rpc_endpoint) +@pytest.fixture(scope="session") +def grpc_client_with_other_wallet(client_shell: Shell, other_wallet: WalletInfo) -> GrpcClientWrapper: + return CliClientWrapper(FrostfsCli(client_shell, FROSTFS_CLI_EXEC, other_wallet.config_path)) + + @pytest.fixture() def storage_objects( user_container: StorageContainer, @@ -126,6 +134,8 @@ class TestObjectApiWithBearerToken(ClusterTestBase): bearer_token, ) + # TODO: Without PATCH operation, + # since it requires specific permissions that do not apply when testing all operations at once @allure.title("Wildcard APE rule contains all permissions (obj_size={object_size})") def test_ape_wildcard_contains_all_rules( self, @@ -134,5 +144,27 @@ class TestObjectApiWithBearerToken(ClusterTestBase): bearer_token: str, ): obj = storage_objects.pop() - with reporter.step(f"Assert all operations available with object"): + with reporter.step("Assert all operations available with object"): assert_full_access_to_container(other_wallet, obj.cid, obj.oid, obj.file_path, self.shell, self.cluster, bearer_token) + + # ^ + @allure.title("Wildcard APE rule contains PATCH permission (obj_size={object_size})") + def test_ape_wildcard_contains_patch_rule( + self, + grpc_client_with_other_wallet: GrpcClientWrapper, + storage_objects: list[StorageObjectInfo], + bearer_token: str, + ): + obj = storage_objects.pop() + with reporter.step("Verify patch is available"): + patched_oid = grpc_client_with_other_wallet.object.patch( + obj.cid, + obj.oid, + self.cluster.default_rpc_endpoint, + ranges=["99:88"], + payloads=[obj.file_path], + new_attrs="test-attribute=100", + bearer=bearer_token, + timeout="200s", + ) + assert patched_oid != obj.oid, "OID of patched object must be different from original one" diff --git a/pytest_tests/testsuites/object/test_object_without_user.py b/pytest_tests/testsuites/object/test_object_without_user.py index 9ee9b245..5c3903d9 100644 --- a/pytest_tests/testsuites/object/test_object_without_user.py +++ b/pytest_tests/testsuites/object/test_object_without_user.py @@ -1,5 +1,6 @@ import logging import re +from typing import Literal import allure import pytest @@ -8,6 +9,7 @@ from frostfs_testlib.cli import FrostfsCli from frostfs_testlib.resources.cli import CLI_DEFAULT_TIMEOUT, FROSTFS_CLI_EXEC from frostfs_testlib.resources.error_patterns import OBJECT_IS_LOCKED from frostfs_testlib.shell import Shell +from frostfs_testlib.shell.interfaces import CommandResult from frostfs_testlib.storage.dataclasses.wallet import WalletInfo from frostfs_testlib.testing.cluster_test_base import ClusterTestBase from frostfs_testlib.testing.test_control import expect_not_raises @@ -16,20 +18,24 @@ from frostfs_testlib.utils.file_utils import TestFile, get_file_hash logger = logging.getLogger("NeoLogger") +def parse_oid(response: CommandResult, response_type: Literal["tombstone", "patch"] = None) -> str: + if response_type == "tombstone": + id_str = response.stdout.split("\n")[1] + oid = id_str.split(":")[1] + return oid.strip() + + if response_type == "patch": + return response.stdout.split(":")[1].strip() + + id_str = response.stdout.strip().split("\n")[-2] + oid = id_str.split(":")[1] + return oid.strip() + + @pytest.mark.nightly @pytest.mark.grpc_api @pytest.mark.grpc_without_user class TestObjectApiWithoutUser(ClusterTestBase): - def _parse_oid(self, stdout: str) -> str: - id_str = stdout.strip().split("\n")[-2] - oid = id_str.split(":")[1] - return oid.strip() - - def _parse_tombstone_oid(self, stdout: str) -> str: - id_str = stdout.split("\n")[1] - tombstone = id_str.split(":")[1] - return tombstone.strip() - @pytest.fixture(scope="class") def cli_without_wallet(self, client_shell: Shell) -> FrostfsCli: return FrostfsCli(client_shell, FROSTFS_CLI_EXEC) @@ -86,7 +92,7 @@ class TestObjectApiWithoutUser(ClusterTestBase): cli_without_wallet.container.search_node(rpc_endpoint, container, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT) @allure.title("Put object into public container by native API with generate private key (obj_size={object_size})") - def test_put_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_put_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object put` into container with public ACL and flag `--generate-key`. """ @@ -96,13 +102,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("List objects with generate key"): result = cli_without_wallet.container.list_objects(rpc_endpoint, container, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT) @@ -112,24 +118,24 @@ class TestObjectApiWithoutUser(ClusterTestBase): assert oid in objects, objects @allure.title("Get public container object by native API with generate private key (obj_size={object_size})") - def test_get_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_get_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object get` for container with public ACL and flag `--generate-key`. """ - expected_hash = get_file_hash(file_path) + expected_hash = get_file_hash(test_file) with reporter.step("Put object with generate key"): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Get object with generate key"): with expect_not_raises(): @@ -137,19 +143,19 @@ class TestObjectApiWithoutUser(ClusterTestBase): rpc_endpoint, container, oid, - file=file_path, + file=test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - downloaded_hash = get_file_hash(file_path) + downloaded_hash = get_file_hash(test_file) with reporter.step("Validate downloaded file"): assert expected_hash == downloaded_hash @allure.title("Head public container object by native API with generate private key (obj_size={object_size})") - def test_head_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_head_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object head` for container with public ACL and flag `--generate-key`. """ @@ -158,20 +164,20 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Head object with generate key"): with expect_not_raises(): cli_without_wallet.object.head(rpc_endpoint, container, oid, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT) @allure.title("Delete public container object by native API with generate private key (obj_size={object_size})") - def test_delete_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_delete_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object delete` for container with public ACL and flag `--generate key`. """ @@ -180,19 +186,19 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Delete object with generate key"): with expect_not_raises(): result = cli_without_wallet.object.delete(rpc_endpoint, container, oid, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT) - oid = self._parse_tombstone_oid(result.stdout) + oid = parse_oid(result, response_type="tombstone") with reporter.step("Head object with generate key"): result = cli_without_wallet.object.head( @@ -207,8 +213,37 @@ class TestObjectApiWithoutUser(ClusterTestBase): object_type = re.search(r"(?<=type: )tombstone", result.stdout, re.IGNORECASE).group() assert object_type == "TOMBSTONE", object_type + @allure.title("Patch object in public container with generate private key (obj_size={object_size})") + def test_patch_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): + with reporter.step("Put object with generate key"): + result = cli_without_wallet.object.put( + rpc_endpoint, + container, + test_file, + generate_key=True, + no_progress=True, + timeout=CLI_DEFAULT_TIMEOUT, + ) + + oid = parse_oid(result) + + with reporter.step("Patch object with generate key"): + with expect_not_raises(): + result = cli_without_wallet.object.patch( + rpc_endpoint, + container, + oid, + ["0:500"], + [test_file], + generate_key=True, + timeout=CLI_DEFAULT_TIMEOUT, + ) + + patched_oid = parse_oid(result, response_type="patch") + assert oid != patched_oid, "Patched object must have new object id" + @allure.title("Lock public container object by native API with generate private key (obj_size={object_size})") - def test_lock_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_lock_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object lock` for container with public ACL and flag `--generate-key`. Attempt to delete the locked object. @@ -218,13 +253,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Lock object with generate key"): with expect_not_raises(): @@ -248,7 +283,7 @@ class TestObjectApiWithoutUser(ClusterTestBase): ) @allure.title("Search public container objects by native API with generate private key (obj_size={object_size})") - def test_search_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_search_object_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object search` for container with public ACL and flag `--generate-key`. """ @@ -257,13 +292,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Object search with generate key"): with expect_not_raises(): @@ -274,7 +309,7 @@ class TestObjectApiWithoutUser(ClusterTestBase): assert oid in object_ids @allure.title("Get range of public container object by native API with generate private key (obj_size={object_size})") - def test_range_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_range_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object range` for container with public ACL and `--generate-key`. """ @@ -283,13 +318,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Get range of object with generate key"): with expect_not_raises(): @@ -298,13 +333,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): container, oid, "0:10", - file=file_path, + file=test_file, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT, ) @allure.title("Get hash of public container object by native API with generate private key (obj_size={object_size})") - def test_hash_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_hash_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object hash` for container with public ACL and `--generate-key`. """ @@ -313,13 +348,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, generate_key=True, no_progress=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Get range hash of object with generate key"): with expect_not_raises(): @@ -333,7 +368,7 @@ class TestObjectApiWithoutUser(ClusterTestBase): ) @allure.title("Get public container object nodes by native API with generate private key (obj_size={object_size})") - def test_nodes_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, file_path: TestFile, rpc_endpoint: str): + def test_nodes_with_generate_key(self, cli_without_wallet: FrostfsCli, container: str, test_file: TestFile, rpc_endpoint: str): """ Validate `object nodes` for container with public ACL and `--generate-key`. """ @@ -342,13 +377,13 @@ class TestObjectApiWithoutUser(ClusterTestBase): result = cli_without_wallet.object.put( rpc_endpoint, container, - file_path, + test_file, no_progress=True, generate_key=True, timeout=CLI_DEFAULT_TIMEOUT, ) - oid = self._parse_oid(result.stdout) + oid = parse_oid(result) with reporter.step("Configure frostfs-cli for alive remote node"): alive_node = self.cluster.cluster_nodes[0]