forked from TrueCloudLab/frostfs-sdk-go
252 lines
5.8 KiB
Go
252 lines
5.8 KiB
Go
package eacl
|
|
|
|
import (
|
|
"math/rand"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func checkAction(t *testing.T, expected Action, v *Validator, vu *ValidationUnit) {
|
|
action, ok := v.CalculateAction(vu)
|
|
require.True(t, ok)
|
|
require.Equal(t, expected, action)
|
|
}
|
|
|
|
func checkDefaultAction(t *testing.T, v *Validator, vu *ValidationUnit) {
|
|
action, ok := v.CalculateAction(vu)
|
|
require.False(t, ok)
|
|
require.Equal(t, ActionAllow, action)
|
|
}
|
|
|
|
func TestFilterMatch(t *testing.T) {
|
|
tgt := *NewTarget()
|
|
tgt.SetRole(RoleOthers)
|
|
|
|
t.Run("simple header match", func(t *testing.T) {
|
|
tb := NewTable()
|
|
|
|
r := newRecord(ActionDeny, OperationUnknown, tgt)
|
|
r.AddFilter(HeaderFromObject, MatchStringEqual, "a", "xxx")
|
|
tb.AddRecord(r)
|
|
|
|
r = newRecord(ActionDeny, OperationUnknown, tgt)
|
|
r.AddFilter(HeaderFromRequest, MatchStringNotEqual, "b", "yyy")
|
|
tb.AddRecord(r)
|
|
|
|
tb.AddRecord(newRecord(ActionAllow, OperationUnknown, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
hs := headers{}
|
|
vu.hdrSrc = &hs
|
|
|
|
checkAction(t, ActionAllow, v, vu)
|
|
|
|
hs.obj = makeHeaders("b", "yyy")
|
|
checkAction(t, ActionAllow, v, vu)
|
|
|
|
hs.obj = makeHeaders("a", "xxx")
|
|
checkAction(t, ActionDeny, v, vu)
|
|
|
|
hs.obj = nil
|
|
hs.req = makeHeaders("b", "yyy")
|
|
checkAction(t, ActionAllow, v, vu)
|
|
|
|
hs.req = makeHeaders("b", "abc")
|
|
checkAction(t, ActionDeny, v, vu)
|
|
})
|
|
|
|
t.Run("all filters must match", func(t *testing.T) {
|
|
tb := NewTable()
|
|
r := newRecord(ActionDeny, OperationUnknown, tgt)
|
|
r.AddFilter(HeaderFromObject, MatchStringEqual, "a", "xxx")
|
|
r.AddFilter(HeaderFromRequest, MatchStringEqual, "b", "yyy")
|
|
tb.AddRecord(r)
|
|
tb.AddRecord(newRecord(ActionAllow, OperationUnknown, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
hs := headers{}
|
|
vu.hdrSrc = &hs
|
|
|
|
hs.obj = makeHeaders("a", "xxx")
|
|
checkAction(t, ActionAllow, v, vu)
|
|
|
|
hs.req = makeHeaders("b", "yyy")
|
|
checkAction(t, ActionDeny, v, vu)
|
|
|
|
hs.obj = nil
|
|
checkAction(t, ActionAllow, v, vu)
|
|
})
|
|
|
|
t.Run("filters with unknown type are skipped", func(t *testing.T) {
|
|
tb := NewTable()
|
|
r := newRecord(ActionDeny, OperationUnknown, tgt)
|
|
r.AddFilter(HeaderTypeUnknown, MatchStringEqual, "a", "xxx")
|
|
tb.AddRecord(r)
|
|
|
|
r = newRecord(ActionDeny, OperationUnknown, tgt)
|
|
r.AddFilter(0xFF, MatchStringEqual, "b", "yyy")
|
|
tb.AddRecord(r)
|
|
|
|
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
hs := headers{}
|
|
vu.hdrSrc = &hs
|
|
|
|
checkDefaultAction(t, v, vu)
|
|
|
|
hs.obj = makeHeaders("a", "xxx")
|
|
checkDefaultAction(t, v, vu)
|
|
|
|
hs.obj = nil
|
|
hs.req = makeHeaders("b", "yyy")
|
|
checkDefaultAction(t, v, vu)
|
|
})
|
|
|
|
t.Run("filters with match function are skipped", func(t *testing.T) {
|
|
tb := NewTable()
|
|
r := newRecord(ActionAllow, OperationUnknown, tgt)
|
|
r.AddFilter(HeaderFromObject, 0xFF, "a", "xxx")
|
|
tb.AddRecord(r)
|
|
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
hs := headers{}
|
|
vu.hdrSrc = &hs
|
|
|
|
checkAction(t, ActionDeny, v, vu)
|
|
|
|
hs.obj = makeHeaders("a", "xxx")
|
|
checkAction(t, ActionDeny, v, vu)
|
|
})
|
|
}
|
|
|
|
func TestOperationMatch(t *testing.T) {
|
|
tgt := *NewTarget()
|
|
tgt.SetRole(RoleOthers)
|
|
|
|
t.Run("single operation", func(t *testing.T) {
|
|
tb := NewTable()
|
|
tb.AddRecord(newRecord(ActionDeny, OperationPut, tgt))
|
|
tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
|
|
vu.op = OperationPut
|
|
checkAction(t, ActionDeny, v, vu)
|
|
|
|
vu.op = OperationGet
|
|
checkAction(t, ActionAllow, v, vu)
|
|
})
|
|
|
|
t.Run("unknown operation", func(t *testing.T) {
|
|
tb := NewTable()
|
|
tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt))
|
|
tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt))
|
|
|
|
v := NewValidator()
|
|
vu := newValidationUnit(RoleOthers, nil, tb)
|
|
|
|
// TODO discuss if both next tests should result in DENY
|
|
vu.op = OperationPut
|
|
checkDefaultAction(t, v, vu)
|
|
|
|
vu.op = OperationGet
|
|
checkAction(t, ActionAllow, v, vu)
|
|
})
|
|
}
|
|
|
|
func TestTargetMatches(t *testing.T) {
|
|
pubs := makeKeys(t, 3)
|
|
|
|
tgt1 := NewTarget()
|
|
tgt1.SetBinaryKeys(pubs[0:2])
|
|
tgt1.SetRole(RoleUser)
|
|
|
|
tgt2 := NewTarget()
|
|
tgt2.SetRole(RoleOthers)
|
|
|
|
r := NewRecord()
|
|
r.SetTargets(*tgt1, *tgt2)
|
|
|
|
u := newValidationUnit(RoleUser, pubs[0], nil)
|
|
require.True(t, targetMatches(u, r))
|
|
|
|
u = newValidationUnit(RoleUser, pubs[2], nil)
|
|
require.False(t, targetMatches(u, r))
|
|
|
|
u = newValidationUnit(RoleUnknown, pubs[1], nil)
|
|
require.True(t, targetMatches(u, r))
|
|
|
|
u = newValidationUnit(RoleOthers, pubs[2], nil)
|
|
require.True(t, targetMatches(u, r))
|
|
|
|
u = newValidationUnit(RoleSystem, pubs[2], nil)
|
|
require.False(t, targetMatches(u, r))
|
|
}
|
|
|
|
func makeKeys(t *testing.T, n int) [][]byte {
|
|
pubs := make([][]byte, n)
|
|
for i := range pubs {
|
|
pubs[i] = make([]byte, 33)
|
|
pubs[i][0] = 0x02
|
|
|
|
_, err := rand.Read(pubs[i][1:])
|
|
require.NoError(t, err)
|
|
}
|
|
return pubs
|
|
}
|
|
|
|
type (
|
|
hdr struct {
|
|
key, value string
|
|
}
|
|
|
|
headers struct {
|
|
obj []Header
|
|
req []Header
|
|
}
|
|
)
|
|
|
|
func (h hdr) GetKey() string { return h.key }
|
|
func (h hdr) GetValue() string { return h.value }
|
|
|
|
func makeHeaders(kv ...string) []Header {
|
|
hs := make([]Header, len(kv)/2)
|
|
for i := 0; i < len(kv); i += 2 {
|
|
hs[i/2] = hdr{kv[i], kv[i+1]}
|
|
}
|
|
return hs
|
|
}
|
|
|
|
func (h headers) HeadersOfType(ht FilterHeaderType) ([]Header, bool) {
|
|
switch ht {
|
|
case HeaderFromRequest:
|
|
return h.req, true
|
|
case HeaderFromObject:
|
|
return h.obj, true
|
|
default:
|
|
return nil, false
|
|
}
|
|
}
|
|
|
|
func newRecord(a Action, op Operation, tgt ...Target) *Record {
|
|
r := NewRecord()
|
|
r.SetAction(a)
|
|
r.SetOperation(op)
|
|
r.SetTargets(tgt...)
|
|
return r
|
|
}
|
|
|
|
func newValidationUnit(role Role, key []byte, table *Table) *ValidationUnit {
|
|
return new(ValidationUnit).
|
|
WithRole(role).
|
|
WithSenderKey(key).
|
|
WithEACLTable(table)
|
|
}
|