Change s3-auth function #40
2 changed files with 37 additions and 37 deletions
|
@ -8,17 +8,20 @@ from typing import Optional
|
|||
|
||||
from dateutil.parser import parse
|
||||
|
||||
from frostfs_testlib.cli import FrostfsAuthmate
|
||||
from frostfs_testlib.reporter import get_reporter
|
||||
from frostfs_testlib.resources.cli import FROSTFS_AUTHMATE_EXEC
|
||||
from frostfs_testlib.resources.common import CREDENTIALS_CREATE_TIMEOUT
|
||||
from frostfs_testlib.s3 import S3ClientWrapper, VersioningStatus
|
||||
from frostfs_testlib.shell import Shell
|
||||
from frostfs_testlib.shell import CommandOptions, InteractiveInput, Shell
|
||||
from frostfs_testlib.shell.interfaces import SshCredentials
|
||||
from frostfs_testlib.steps.cli.container import (
|
||||
search_container_by_name,
|
||||
search_nodes_with_container,
|
||||
)
|
||||
from frostfs_testlib.storage.cluster import Cluster, ClusterNode
|
||||
from frostfs_testlib.storage.dataclasses.frostfs_services import S3Gate
|
||||
from frostfs_testlib.storage.dataclasses.wallet import WalletInfo
|
||||
from frostfs_testlib.utils.cli_utils import _run_with_passwd
|
||||
|
||||
reporter = get_reporter()
|
||||
|
@ -183,48 +186,45 @@ def assert_s3_acl(acl_grants: list, permitted_users: str):
|
|||
|
||||
@reporter.step_deco("Init S3 Credentials")
|
||||
def init_s3_credentials(
|
||||
wallet_path: str,
|
||||
wallet: WalletInfo,
|
||||
shell: Shell,
|
||||
cluster: Cluster,
|
||||
s3_bearer_rules_file: str,
|
||||
policy: Optional[dict] = None,
|
||||
s3gates: Optional[list[S3Gate]] = None,
|
||||
):
|
||||
gate_public_keys = []
|
||||
bucket = str(uuid.uuid4())
|
||||
|
||||
s3gate_node = cluster.services(S3Gate)[0]
|
||||
gate_public_key = s3gate_node.get_wallet_public_key()
|
||||
cmd = (
|
||||
f"{FROSTFS_AUTHMATE_EXEC} --debug --with-log --timeout {CREDENTIALS_CREATE_TIMEOUT} "
|
||||
f"issue-secret --wallet {wallet_path} --gate-public-key={gate_public_key} "
|
||||
f"--peer {cluster.default_rpc_endpoint} --container-friendly-name {bucket} "
|
||||
f"--bearer-rules {s3_bearer_rules_file}"
|
||||
if not s3gates:
|
||||
s3gates = [cluster.s3_gates[0]]
|
||||
for s3gate in s3gates:
|
||||
gate_public_keys.append(s3gate.get_wallet_public_key())
|
||||
frostfs_authmate_exec: FrostfsAuthmate = FrostfsAuthmate(shell, FROSTFS_AUTHMATE_EXEC)
|
||||
issue_secret_output = frostfs_authmate_exec.secret.issue(
|
||||
wallet=wallet.path,
|
||||
peer=cluster.default_rpc_endpoint,
|
||||
bearer_rules=s3_bearer_rules_file,
|
||||
gate_public_key=gate_public_keys,
|
||||
wallet_password=wallet.password,
|
||||
container_policy=policy,
|
||||
container_friendly_name=bucket,
|
||||
).stdout
|
||||
aws_access_key_id = str(
|
||||
re.search(r"access_key_id.*:\s.(?P<aws_access_key_id>\w*)", issue_secret_output).group(
|
||||
"aws_access_key_id"
|
||||
)
|
||||
)
|
||||
if policy:
|
||||
cmd += f" --container-policy {policy}'"
|
||||
logger.info(f"Executing command: {cmd}")
|
||||
|
||||
try:
|
||||
output = _run_with_passwd(cmd)
|
||||
logger.info(f"Command completed with output: {output}")
|
||||
|
||||
# output contains some debug info and then several JSON structures, so we find each
|
||||
# JSON structure by curly brackets (naive approach, but works while JSON is not nested)
|
||||
# and then we take JSON containing secret_access_key
|
||||
json_blocks = re.findall(r"\{.*?\}", output, re.DOTALL)
|
||||
for json_block in json_blocks:
|
||||
try:
|
||||
parsed_json_block = json.loads(json_block)
|
||||
if "secret_access_key" in parsed_json_block:
|
||||
return (
|
||||
parsed_json_block["container_id"],
|
||||
parsed_json_block["access_key_id"],
|
||||
parsed_json_block["secret_access_key"],
|
||||
)
|
||||
except json.JSONDecodeError:
|
||||
raise AssertionError(f"Could not parse info from output\n{output}")
|
||||
raise AssertionError(f"Could not find AWS credentials in output:\n{output}")
|
||||
|
||||
except Exception as exc:
|
||||
raise RuntimeError(f"Failed to init s3 credentials because of error\n{exc}") from exc
|
||||
aws_secret_access_key = str(
|
||||
re.search(
|
||||
r"secret_access_key.*:\s.(?P<aws_secret_access_key>\w*)", issue_secret_output
|
||||
).group("aws_secret_access_key")
|
||||
)
|
||||
cid = str(
|
||||
re.search(r"container_id.*:\s.(?P<container_id>\w*)", issue_secret_output).group(
|
||||
"container_id"
|
||||
)
|
||||
)
|
||||
return cid, aws_access_key_id, aws_secret_access_key
|
||||
|
||||
|
||||
@reporter.step_deco("Delete bucket with all objects")
|
||||
|
|
Loading…
Reference in a new issue