[#271] Migrate eACL tests to APE

Signed-off-by: a.berezin <a.berezin@yadro.com>

pytest_tests/testsuites/object/test_object_api_bearer.py

@@ -1,9 +1,9 @@
 import allure
 import pytest
 from frostfs_testlib import reporter
-from frostfs_testlib.resources.wellknown_acl import EACL_PUBLIC_READ_WRITE
+from frostfs_testlib.cli import FrostfsCli
+from frostfs_testlib.resources.wellknown_acl import PUBLIC_ACL
 from frostfs_testlib.shell import Shell
-from frostfs_testlib.steps.acl import form_bearertoken_file
 from frostfs_testlib.steps.cli.container import (
     REP_2_FOR_3_NODES_PLACEMENT_RULE,
     SINGLE_PLACEMENT_RULE,
@@ -12,68 +12,50 @@ from frostfs_testlib.steps.cli.container import (
     create_container,
 )
 from frostfs_testlib.steps.cli.object import delete_object, get_object
-from frostfs_testlib.steps.epoch import get_epoch
 from frostfs_testlib.steps.storage_object import StorageObjectInfo
 from frostfs_testlib.storage.cluster import Cluster
-from frostfs_testlib.storage.dataclasses.acl import EACLAccess, EACLOperation, EACLRole, EACLRule
+from frostfs_testlib.storage.dataclasses import ape
 from frostfs_testlib.storage.dataclasses.object_size import ObjectSize
 from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
 from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
 from frostfs_testlib.testing.test_control import expect_not_raises
 from pytest import FixtureRequest
 
-
-@pytest.fixture(scope="module")
-@allure.title("Create bearer token for OTHERS with all operations allowed for all containers")
-def bearer_token_file_all_allow(default_wallet: WalletInfo, client_shell: Shell, cluster: Cluster) -> str:
-    bearer = form_bearertoken_file(
-        default_wallet,
-        "",
-        [EACLRule(operation=op, access=EACLAccess.ALLOW, role=EACLRole.OTHERS) for op in EACLOperation],
-        shell=client_shell,
-        endpoint=cluster.default_rpc_endpoint,
-    )
-
-    return bearer
+from pytest_tests.helpers.bearer_token import create_bearer_token
+from pytest_tests.helpers.container_access import assert_full_access_to_container
 
 
-@pytest.fixture(scope="module")
+@pytest.fixture(scope="session")
 @allure.title("Create user container for bearer token usage")
-def user_container(
-    default_wallet: WalletInfo, client_shell: Shell, cluster: Cluster, request: FixtureRequest
-) -> StorageContainer:
-    container_id = create_container(
-        default_wallet,
-        shell=client_shell,
-        rule=request.param,
-        basic_acl=EACL_PUBLIC_READ_WRITE,
-        endpoint=cluster.default_rpc_endpoint,
-    )
+def user_container(default_wallet: WalletInfo, client_shell: Shell, cluster: Cluster, request: FixtureRequest) -> StorageContainer:
+    rule = request.param if "param" in request.__dict__ else SINGLE_PLACEMENT_RULE
+    container_id = create_container(default_wallet, client_shell, cluster.default_rpc_endpoint, rule, PUBLIC_ACL)
+
     # Deliberately using s3gate wallet here to test bearer token
-    s3gate = cluster.s3_gates[0]
-    return StorageContainer(
-        StorageContainerInfo(container_id, WalletInfo.from_node(s3gate)),
-        client_shell,
-        cluster,
-    )
+    s3_gate_wallet = WalletInfo.from_node(cluster.s3_gates[0])
+    return StorageContainer(StorageContainerInfo(container_id, s3_gate_wallet), client_shell, cluster)
+
+
+@pytest.fixture(scope="session")
+@allure.title("Create bearer token with allowed put for container")
+def bearer_token(frostfs_cli: FrostfsCli, temp_directory: str, user_container: StorageContainer, cluster: Cluster) -> str:
+    rule = ape.Rule(ape.Verb.ALLOW, ape.ObjectOperations.WILDCARD_ALL)
+    return create_bearer_token(frostfs_cli, temp_directory, user_container.get_id(), rule, cluster.default_rpc_endpoint)
 
 
 @pytest.fixture()
 def storage_objects(
     user_container: StorageContainer,
-    bearer_token_file_all_allow: str,
+    bearer_token: str,
     object_size: ObjectSize,
-    client_shell: Shell,
     cluster: Cluster,
 ) -> list[StorageObjectInfo]:
-    epoch = get_epoch(client_shell, cluster)
     storage_objects: list[StorageObjectInfo] = []
     for node in cluster.storage_nodes:
         storage_objects.append(
             user_container.generate_object(
                 object_size.value,
-                epoch + 3,
-                bearer_token=bearer_token_file_all_allow,
+                bearer_token=bearer_token,
                 endpoint=node.get_rpc_endpoint(),
             )
         )
@@ -82,6 +64,7 @@ def storage_objects(
 
 @pytest.mark.smoke
 @pytest.mark.bearer
+@pytest.mark.ape
 class TestObjectApiWithBearerToken(ClusterTestBase):
     @allure.title("Object can be deleted from any node using s3gate wallet with bearer token (obj_size={object_size})")
     @pytest.mark.parametrize(
@@ -92,10 +75,10 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
     def test_delete_object_with_s3_wallet_bearer(
         self,
         storage_objects: list[StorageObjectInfo],
-        bearer_token_file_all_allow: str,
+        bearer_token: str,
     ):
         s3_gate_wallet = WalletInfo.from_node(self.cluster.s3_gates[0])
-        with reporter.step("Try to delete each object from first storage node"):
+        with reporter.step("Delete each object from first storage node"):
             for storage_object in storage_objects:
                 with expect_not_raises():
                     delete_object(
@@ -104,7 +87,7 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
                         storage_object.oid,
                         self.shell,
                         endpoint=self.cluster.default_rpc_endpoint,
-                        bearer=bearer_token_file_all_allow,
+                        bearer=bearer_token,
                     )
 
     @allure.title("Object can be fetched from any node using s3gate wallet with bearer token (obj_size={object_size})")
@@ -117,16 +100,17 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
         self,
         user_container: StorageContainer,
         object_size: ObjectSize,
-        bearer_token_file_all_allow: str,
+        bearer_token: str,
     ):
         s3_gate_wallet = WalletInfo.from_node(self.cluster.s3_gates[0])
-        with reporter.step("Put one object to container"):
-            epoch = self.get_epoch()
+        with reporter.step("Put object to container"):
             storage_object = user_container.generate_object(
-                object_size.value, epoch + 3, bearer_token=bearer_token_file_all_allow
+                object_size.value,
+                bearer_token=bearer_token,
+                endpoint=self.cluster.default_rpc_endpoint,
             )
 
-        with reporter.step("Try to fetch object from each storage node"):
+        with reporter.step("Get object from each storage node"):
             for node in self.cluster.storage_nodes:
                 with expect_not_raises():
                     get_object(
@@ -134,6 +118,17 @@ class TestObjectApiWithBearerToken(ClusterTestBase):
                         storage_object.cid,
                         storage_object.oid,
                         self.shell,
-                        endpoint=node.get_rpc_endpoint(),
-                        bearer=bearer_token_file_all_allow,
+                        node.get_rpc_endpoint(),
+                        bearer_token,
                     )
+
+    @allure.title("Wildcard APE rule contains all permissions (obj_size={object_size})")
+    def test_ape_wildcard_contains_all_rules(
+        self,
+        other_wallet: WalletInfo,
+        storage_objects: list[StorageObjectInfo],
+        bearer_token: str,
+    ):
+        obj = storage_objects.pop()
+        with reporter.step(f"Assert all operations available with object"):
+            assert_full_access_to_container(other_wallet, obj.cid, obj.oid, obj.file_path, self.shell, self.cluster, bearer_token)