[#334] add allow local ape tests

2024-12-04 01:46:31 +03:00 · 2024-12-04 01:46:31 +03:00 · 662f6e73a7
commit 662f6e73a7
parent cec6aa7c0c
1 changed files with 324 additions and 0 deletions
--- a/pytest_tests/testsuites/ape/test_ape.py
+++ b/pytest_tests/testsuites/ape/test_ape.py
@ -112,6 +112,54 @@ def remove_rule_ape_in_morph(cluster: Cluster) -> None:
        parallel(morph_on_node, cluster.cluster_nodes, id_chains_for_remove)


+def pre_create_container_object_cli(
+    default_user: User,
+    remote_frostfs_cli_first_node: FrostfsCli,
+    frostfs_cli: FrostfsCli,
+    simple_object_size: ObjectSize,
+    shell: Shell,
+    cluster: Cluster,
+):
+
+    test_file = generate_file(simple_object_size.value)
+
+    with reporter.step("Create a container on the first node"):
+        cid = (
+            frostfs_cli.container.create(
+                rpc_endpoint=cluster.storage_nodes[0].get_rpc_endpoint(),
+                policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK",
+                name="dcl1",
+                await_mode=True,
+                basic_acl="0",
+            )
+            .stdout.split(" ")[1]
+            .strip()
+            .split("\n")[0]
+        )
+
+    with reporter.step("Create a namespace rule for the first node"):
+        remote_frostfs_cli_first_node.control.add_rule(
+            endpoint=cluster.storage_nodes[0].get_control_endpoint(),
+            target_type="container",
+            target_name=f"{cid}",
+            chain_id="allowPutObject",
+            rule=f"allow Object.Put *",
+        )
+
+    with reporter.step("Put objects in container on the first node"):
+        oid = put_object(default_user.wallet, test_file, cid, shell, cluster.storage_nodes[0].get_rpc_endpoint())
+
+    with reporter.step("Create a namespace rule for the first node"):
+        remote_frostfs_cli_first_node.control.remove_rule(
+            endpoint=cluster.storage_nodes[0].get_control_endpoint(),
+            target_type="container",
+            target_name=f"{cid}",
+            chain_id="allowPutObject",
+        )
+
+    return cid, oid
+
+
 def pre_create_container_object_adm(
    default_user: User,
    remote_frostfs_adm_first_node: FrostfsAdm,
@ -1646,3 +1694,279 @@ class TestApeLocalOverride(ClusterTestBase):
        with reporter.step("Check delete object in container on the first node"):
            with expect_not_raises():
                delete_object(default_user.wallet, cid, oid_1, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+    @allure.title("LocalOverride: Allow to GetObject in root tenant")
+    def test_local_override_allow_to_get_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowGetObject",
+                rule=f"allow Object.Get *",
+            )
+
+        with reporter.step("Check get object in container on the first node"):
+            with expect_not_raises():
+                get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("[NEGATIVE] Check get object in container on the second node"):
+            with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.GET_OBJECT.value)):
+                get_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowGetObject",
+            )
+
+    @allure.title("LocalOverride: Allow to PutObject in root tenant")
+    def test_local_override_allow_to_put_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+        test_file = generate_file(simple_object_size.value)
+
+        with reporter.step("Create a container on the first node"):
+            cid = (
+                frostfs_cli.container.create(
+                    rpc_endpoint=self.cluster.storage_nodes[0].get_rpc_endpoint(),
+                    policy="REP 1 IN MOW CBF 1 SELECT 1 FROM MSK AS MOW FILTER SubDivCode EQ MOW AS MSK",
+                    name="dcl1",
+                    await_mode=True,
+                    basic_acl="0",
+                )
+                .stdout.split(" ")[1]
+                .strip()
+                .split("\n")[0]
+            )
+
+        with reporter.step("Create a namespace rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowPutObject",
+                rule=f"allow Object.Put *",
+            )
+
+            with reporter.step("Check put object in container on the first node"):
+                with expect_not_raises():
+                    put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+            with reporter.step("[NEGATIVE] Check get object in container on the second node"):
+                with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.PUT_OBJECT.value)):
+                    put_object(default_user.wallet, test_file, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+            with reporter.step("Delete a rule"):
+                remote_frostfs_cli_first_node.control.remove_rule(
+                    endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                    target_type="container",
+                    target_name=f"{cid}",
+                    chain_id="allowPutObject",
+                )
+
+    @allure.title("LocalOverride: Allow to HeadObject in root tenant")
+    def test_local_override_allow_to_head_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowHeadObject",
+                rule=f"allow Object.Head *",
+            )
+
+        with reporter.step("Check head object in container on the first node"):
+            with expect_not_raises():
+                head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("[NEGATIVE] Check head object in container on the second node"):
+            with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HEAD_OBJECT.value)):
+                head_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowHeadObject",
+            )
+
+    @allure.title("LocalOverride: Allow to SearchObject in root tenant")
+    def test_local_override_allow_to_search_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowSearchObject",
+                rule=f"allow Object.Search *",
+            )
+
+        with reporter.step("Check search object in container on the first node"):
+            with expect_not_raises():
+                search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("[NEGATIVE] Check search object from container on the second node"):
+            with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.SEARCH_OBJECT.value)):
+                search_object(default_user.wallet, cid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowSearchObject",
+            )
+
+    @allure.title("LocalOverride: Allow to RangeObject in root tenant")
+    def test_local_override_allow_to_range_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowRangeObject",
+                rule=f"allow Object.Range *",
+            )
+
+        with reporter.step("Check get range object in container on the first node"):
+            with expect_not_raises():
+                get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("[NEGATIVE] Check range object in container on the second node"):
+            with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.RANGE_OBJECT.value)):
+                get_range(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowRangeObject",
+            )
+
+    @allure.title("LocalOverride: Allow to HashObject in root tenant")
+    def test_local_override_allow_to_hash_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowHashObject",
+                rule=f"allow Object.Hash *",
+            )
+
+        with reporter.step("Check get range hash object in container on the first node"):
+            with expect_not_raises():
+                get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("[NEGATIVE] Check get range hash object in container on the second node"):
+            with pytest.raises(RuntimeError, match=NO_RULE_FOUND_OBJECT.format(operation=Operations.HASH_OBJECT.value)):
+                get_range_hash(default_user.wallet, cid, oid, "0:10", self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowHashObject",
+            )
+
+    @allure.title("LocalOverride: Allow to DeleteObject in root tenant")
+    def test_local_override_allow_to_delete_object_root(
+        self,
+        default_user: User,
+        remote_frostfs_cli_first_node: FrostfsCli,
+        frostfs_cli: FrostfsCli,
+        simple_object_size: ObjectSize,
+    ):
+
+        cid, oid = pre_create_container_object_cli(
+            default_user, remote_frostfs_cli_first_node, frostfs_cli, simple_object_size, self.shell, self.cluster
+        )
+
+        with reporter.step("Create a container rule for the first node"):
+            remote_frostfs_cli_first_node.control.add_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowDeleteObject",
+                rule=f"allow Object.Head Object.Delete *",
+            )
+
+        with reporter.step("[NEGATIVE] Check delete object from container on the second node"):
+            with pytest.raises(RuntimeError, match=OBJECT_ACCESS_DENIED):
+                delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[1].get_rpc_endpoint())
+
+        with reporter.step("Check delete object in container on the first node"):
+            with expect_not_raises():
+                delete_object(default_user.wallet, cid, oid, self.shell, self.cluster.storage_nodes[0].get_rpc_endpoint())
+
+        with reporter.step("Delete a rule"):
+            remote_frostfs_cli_first_node.control.remove_rule(
+                endpoint=self.cluster.storage_nodes[0].get_control_endpoint(),
+                target_type="container",
+                target_name=f"{cid}",
+                chain_id="allowDeleteObject",
+            )