Kirill Sosnovskikh
b4d27260ef
Expandable suites: - TestApeContainer - TestApeBearer - TestApeLocalOverrideAllow - TestApeLocalOverrideDeny - TestObjectApiWithoutUser - TestObjectApiWithBearerToken Signed-off-by: Kirill Sosnovskikh <k.sosnovskikh@yadro.com>
313 lines
13 KiB
Python
313 lines
13 KiB
Python
import allure
|
|
import pytest
|
|
from frostfs_testlib import reporter
|
|
from frostfs_testlib.cli.frostfs_cli.cli import FrostfsCli
|
|
from frostfs_testlib.resources.error_patterns import OBJECT_ACCESS_DENIED
|
|
from frostfs_testlib.storage.dataclasses import ape
|
|
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
|
from frostfs_testlib.storage.grpc_operations.interfaces import GrpcClientWrapper
|
|
from frostfs_testlib.testing.cluster_test_base import ClusterTestBase
|
|
from frostfs_testlib.utils.file_utils import TestFile
|
|
|
|
from ....helpers.bearer_token import create_bearer_token
|
|
from ....helpers.container_access import (
|
|
ALL_OBJECT_OPERATIONS,
|
|
assert_access_to_container,
|
|
assert_full_access_to_container,
|
|
assert_no_access_to_container,
|
|
)
|
|
|
|
|
|
@pytest.mark.nightly
|
|
@pytest.mark.sanity
|
|
@pytest.mark.bearer
|
|
@pytest.mark.ape
|
|
@pytest.mark.parametrize("user_tag", ["ApeBearer"], indirect=True) # provide dedicated user with no APE side-policies
|
|
class TestApeBearer(ClusterTestBase):
|
|
# TODO: Without PATCH operation,
|
|
# since it requires specific permissions that do not apply when testing all operations at once
|
|
@allure.title("Operations with BearerToken (role={role}, obj_size={object_size})")
|
|
@pytest.mark.parametrize("role", [ape.Role.OWNER, ape.Role.OTHERS], indirect=True)
|
|
@pytest.mark.parametrize("objects", [4], indirect=True)
|
|
def test_bearer_token_operations(
|
|
self,
|
|
container: str,
|
|
objects: list[str],
|
|
frostfs_cli: FrostfsCli,
|
|
temp_directory: str,
|
|
test_wallet: WalletInfo,
|
|
role: ape.Role,
|
|
test_file: TestFile,
|
|
rpc_endpoint: str,
|
|
):
|
|
with reporter.step(f"Check {role} has full access to container without bearer token"):
|
|
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
|
|
|
with reporter.step(f"Deny all operations for everyone via APE"):
|
|
rule = ape.Rule(ape.Verb.DENY, ALL_OBJECT_OPERATIONS)
|
|
frostfs_cli.ape_manager.add(rpc_endpoint, rule.chain_id, target_name=container, target_type="container", rule=rule.as_string())
|
|
|
|
with reporter.step("Wait for one block"):
|
|
self.wait_for_blocks()
|
|
|
|
with reporter.step(f"Create bearer token with all operations allowed"):
|
|
bearer = create_bearer_token(
|
|
frostfs_cli,
|
|
temp_directory,
|
|
container,
|
|
rule=ape.Rule(ape.Verb.ALLOW, ALL_OBJECT_OPERATIONS),
|
|
endpoint=rpc_endpoint,
|
|
)
|
|
|
|
with reporter.step(f"Check {role} without token has no access to all operations with container"):
|
|
assert_no_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
|
|
|
with reporter.step(f"Check {role} with token has access to all operations with container"):
|
|
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer)
|
|
|
|
with reporter.step(f"Remove deny rule from APE"):
|
|
frostfs_cli.ape_manager.remove(rpc_endpoint, rule.chain_id, target_name=container, target_type="container")
|
|
|
|
with reporter.step("Wait for one block"):
|
|
self.wait_for_blocks()
|
|
|
|
with reporter.step(f"Check {role} without token has access to all operations with container"):
|
|
assert_full_access_to_container(test_wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
|
|
|
# ^
|
|
@allure.title("Patch operation with BearerToken (object_size={object_size})")
|
|
@pytest.mark.parametrize("objects", [1], indirect=True)
|
|
def test_patch_object_with_bearer_token(
|
|
self,
|
|
frostfs_cli: FrostfsCli,
|
|
grpc_client_with_other_wallet: GrpcClientWrapper,
|
|
container: str,
|
|
objects: list[str],
|
|
test_file: TestFile,
|
|
temp_directory: str,
|
|
):
|
|
oid = objects[0]
|
|
|
|
with reporter.step("Check if the patch is available with another wallet"):
|
|
patched_oid = grpc_client_with_other_wallet.object.patch(
|
|
container,
|
|
oid,
|
|
self.cluster.default_rpc_endpoint,
|
|
ranges=["100:300"],
|
|
payloads=[test_file],
|
|
new_attrs="allow-patch=true",
|
|
timeout="200s",
|
|
)
|
|
assert patched_oid != oid, "OID of patched object must be different from original one"
|
|
oid = patched_oid
|
|
|
|
rule = ape.Rule(ape.Verb.DENY, ape.ObjectOperations.PATCH)
|
|
|
|
with reporter.step("Deny PATCH operation for everyone via APE"):
|
|
frostfs_cli.ape_manager.add(
|
|
self.cluster.default_rpc_endpoint,
|
|
rule.chain_id,
|
|
target_name=container,
|
|
target_type="container",
|
|
rule=rule.as_string(),
|
|
)
|
|
|
|
with reporter.step("Wait for one block"):
|
|
self.wait_for_blocks(1)
|
|
|
|
with reporter.step("Check that patch is not allowed with another wallet"):
|
|
with pytest.raises(Exception, match=OBJECT_ACCESS_DENIED):
|
|
grpc_client_with_other_wallet.object.patch(
|
|
container,
|
|
oid,
|
|
self.cluster.default_rpc_endpoint,
|
|
ranges=["100:300"],
|
|
payloads=[test_file],
|
|
new_attrs="deny-patch=true",
|
|
timeout="200s",
|
|
)
|
|
|
|
with reporter.step("Create bearer token with all operations allowed"):
|
|
bearer = create_bearer_token(
|
|
frostfs_cli,
|
|
temp_directory,
|
|
container,
|
|
rule=ape.Rule(ape.Verb.ALLOW, ALL_OBJECT_OPERATIONS),
|
|
endpoint=self.cluster.default_rpc_endpoint,
|
|
)
|
|
|
|
with reporter.step("Check that patch is available with another wallet with BearerToken"):
|
|
patched_oid = grpc_client_with_other_wallet.object.patch(
|
|
container,
|
|
oid,
|
|
self.cluster.default_rpc_endpoint,
|
|
bearer=bearer,
|
|
ranges=["100:300"],
|
|
payloads=[test_file],
|
|
new_attrs="bearer-patch=true",
|
|
timeout="200s",
|
|
)
|
|
assert patched_oid != oid, "OID of patched object must be different from original one"
|
|
oid = patched_oid
|
|
|
|
with reporter.step(f"Remove deny rule from APE"):
|
|
frostfs_cli.ape_manager.remove(
|
|
self.cluster.default_rpc_endpoint,
|
|
rule.chain_id,
|
|
target_name=container,
|
|
target_type="container",
|
|
)
|
|
|
|
with reporter.step("Wait for one block"):
|
|
self.wait_for_blocks(1)
|
|
|
|
with reporter.step("Check if the patch is available with another wallet"):
|
|
patched_oid = grpc_client_with_other_wallet.object.patch(
|
|
container,
|
|
oid,
|
|
self.cluster.default_rpc_endpoint,
|
|
bearer=bearer,
|
|
ranges=["100:300"],
|
|
payloads=[test_file],
|
|
new_attrs="allow-patch-2=true",
|
|
timeout="200s",
|
|
)
|
|
assert patched_oid != oid, "OID of patched object must be different from original one"
|
|
oid = patched_oid
|
|
|
|
attrs = {"allow-patch", "bearer-patch", "allow-patch-2"}
|
|
|
|
with reporter.step("Ensure that all attributes match expected values"):
|
|
object_info: dict = grpc_client_with_other_wallet.object.head(container, oid, self.cluster.default_rpc_endpoint)
|
|
object_attrs: dict = object_info["header"]["attributes"]
|
|
assert attrs <= {k for k in object_attrs.keys()}, f"Received attributes do not match expected ones: {object_attrs}"
|
|
assert all(
|
|
v == "true" for k, v in object_attrs.items() if k in attrs
|
|
), f"Received attributes do not match expected ones: {object_attrs}"
|
|
|
|
@allure.title("BearerToken for compound operations (obj_size={object_size})")
|
|
@pytest.mark.parametrize("objects", [4], indirect=True)
|
|
def test_bearer_token_compound_operations(
|
|
self,
|
|
frostfs_cli: FrostfsCli,
|
|
temp_directory: str,
|
|
default_wallet: WalletInfo,
|
|
other_wallet: WalletInfo,
|
|
container: str,
|
|
objects: list[str],
|
|
rpc_endpoint: str,
|
|
test_file: TestFile,
|
|
):
|
|
"""
|
|
Bearer Token COMPLETLY overrides chains set for the specific target.
|
|
Thus, any restictions or permissions should be explicitly defined in BT.
|
|
"""
|
|
|
|
wallets_map = {
|
|
ape.Role.OWNER: default_wallet,
|
|
ape.Role.OTHERS: other_wallet,
|
|
}
|
|
|
|
access_map = {
|
|
ape.Role.OWNER: {
|
|
ape.ObjectOperations.PUT: True,
|
|
ape.ObjectOperations.GET: True,
|
|
ape.ObjectOperations.HEAD: True,
|
|
ape.ObjectOperations.GET_RANGE: True,
|
|
ape.ObjectOperations.GET_RANGE_HASH: True,
|
|
ape.ObjectOperations.SEARCH: True,
|
|
ape.ObjectOperations.DELETE: False,
|
|
},
|
|
ape.Role.OTHERS: {
|
|
ape.ObjectOperations.PUT: True,
|
|
ape.ObjectOperations.GET: True,
|
|
ape.ObjectOperations.HEAD: True,
|
|
ape.ObjectOperations.GET_RANGE: False,
|
|
ape.ObjectOperations.GET_RANGE_HASH: False,
|
|
ape.ObjectOperations.SEARCH: False,
|
|
ape.ObjectOperations.DELETE: True,
|
|
},
|
|
}
|
|
|
|
bt_access_map = {
|
|
ape.Role.OWNER: {
|
|
ape.ObjectOperations.PUT: True,
|
|
ape.ObjectOperations.GET: False,
|
|
ape.ObjectOperations.HEAD: True,
|
|
ape.ObjectOperations.GET_RANGE: True,
|
|
ape.ObjectOperations.GET_RANGE_HASH: False,
|
|
ape.ObjectOperations.SEARCH: False,
|
|
ape.ObjectOperations.DELETE: True,
|
|
},
|
|
# Bearer Token COMPLETLY overrides chains set for the specific target.
|
|
# Thus, any restictions or permissions should be explicitly defined in BT.
|
|
ape.Role.OTHERS: {
|
|
ape.ObjectOperations.PUT: False,
|
|
ape.ObjectOperations.GET: False,
|
|
ape.ObjectOperations.HEAD: False,
|
|
ape.ObjectOperations.GET_RANGE: False,
|
|
ape.ObjectOperations.GET_RANGE_HASH: False,
|
|
ape.ObjectOperations.SEARCH: False,
|
|
ape.ObjectOperations.DELETE: False,
|
|
},
|
|
}
|
|
|
|
# Operations that we will deny for each role via APE
|
|
deny_map = {
|
|
ape.Role.OWNER: [ape.ObjectOperations.DELETE],
|
|
ape.Role.OTHERS: [
|
|
ape.ObjectOperations.SEARCH,
|
|
ape.ObjectOperations.GET_RANGE_HASH,
|
|
ape.ObjectOperations.GET_RANGE,
|
|
],
|
|
}
|
|
|
|
# Operations that we will allow for each role with bearer token
|
|
bearer_map = {
|
|
ape.Role.OWNER: [
|
|
ape.ObjectOperations.PUT,
|
|
ape.ObjectOperations.HEAD,
|
|
ape.ObjectOperations.GET_RANGE,
|
|
# Delete also requires PUT (to make tombstone) and HEAD (to get simple objects header)
|
|
ape.ObjectOperations.DELETE,
|
|
],
|
|
ape.Role.OTHERS: [
|
|
ape.ObjectOperations.GET,
|
|
ape.ObjectOperations.GET_RANGE,
|
|
ape.ObjectOperations.GET_RANGE_HASH,
|
|
],
|
|
}
|
|
|
|
conditions_map = {
|
|
ape.Role.OWNER: ape.Condition.by_role(ape.Role.OWNER),
|
|
ape.Role.OTHERS: ape.Condition.by_role(ape.Role.OTHERS),
|
|
}
|
|
|
|
verb_map = {ape.Role.OWNER: ape.Verb.ALLOW, ape.Role.OTHERS: ape.Verb.DENY}
|
|
|
|
for role, operations in deny_map.items():
|
|
with reporter.step(f"Add APE deny rule for {role}"):
|
|
rule = ape.Rule(ape.Verb.DENY, operations, conditions_map[role])
|
|
frostfs_cli.ape_manager.add(
|
|
rpc_endpoint, rule.chain_id, target_name=container, target_type="container", rule=rule.as_string()
|
|
)
|
|
|
|
with reporter.step("Wait for one block"):
|
|
self.wait_for_blocks()
|
|
|
|
for role, wallet in wallets_map.items():
|
|
with reporter.step(f"Assert access to container without bearer token for {role}"):
|
|
assert_access_to_container(access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster)
|
|
|
|
bearer_tokens = {}
|
|
for role in wallets_map.keys():
|
|
with reporter.step(f"Create bearer token for {role}"):
|
|
rule = ape.Rule(verb_map[role], bearer_map[role], conditions_map[role])
|
|
bt = create_bearer_token(frostfs_cli, temp_directory, container, rule, rpc_endpoint)
|
|
bearer_tokens[role] = bt
|
|
|
|
for role, wallet in wallets_map.items():
|
|
with reporter.step(f"Assert access to container with bearer token for {role}"):
|
|
assert_access_to_container(
|
|
bt_access_map[role], wallet, container, objects.pop(), test_file, self.shell, self.cluster, bearer_tokens[role]
|
|
)
|