From cb3753f286bea91659f8c52a357a73d3bca6beb4 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <d.kirillov@yadro.com>
Date: Fri, 11 Oct 2024 15:20:10 +0300
Subject: [PATCH] [#509] Add tests for custom credentials

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
---
 ...bearer_token_test.go => accessbox_test.go} |  25 ++-
 creds/tokens/credentials_test.go              | 157 +++++++++++----
 internal/frostfs/authmate_test.go             | 184 +++++++++++++++---
 3 files changed, 294 insertions(+), 72 deletions(-)
 rename creds/accessbox/{bearer_token_test.go => accessbox_test.go} (91%)

diff --git a/creds/accessbox/bearer_token_test.go b/creds/accessbox/accessbox_test.go
similarity index 91%
rename from creds/accessbox/bearer_token_test.go
rename to creds/accessbox/accessbox_test.go
index e00d8c63..27842a36 100644
--- a/creds/accessbox/bearer_token_test.go
+++ b/creds/accessbox/accessbox_test.go
@@ -224,14 +224,27 @@ func TestGetBox(t *testing.T) {
 
 	var tkn bearer.Token
 	gate := NewGateData(cred.PublicKey(), &tkn)
-
 	secret := []byte("secret")
-	accessBox, _, err := PackTokens([]*GateData{gate}, secret, false)
-	require.NoError(t, err)
 
-	box, err := accessBox.GetBox(cred, false)
-	require.NoError(t, err)
-	require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
+	t.Run("regular secret", func(t *testing.T) {
+		accessBox, secrets, err := PackTokens([]*GateData{gate}, secret, false)
+		require.NoError(t, err)
+		require.Equal(t, hex.EncodeToString(secret), secrets.SecretKey)
+
+		box, err := accessBox.GetBox(cred, false)
+		require.NoError(t, err)
+		require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
+	})
+
+	t.Run("custom secret", func(t *testing.T) {
+		accessBox, secrets, err := PackTokens([]*GateData{gate}, secret, true)
+		require.NoError(t, err)
+		require.Equal(t, string(secret), secrets.SecretKey)
+
+		box, err := accessBox.GetBox(cred, true)
+		require.NoError(t, err)
+		require.Equal(t, string(secret), box.Gate.SecretKey)
+	})
 }
 
 func TestAccessBox(t *testing.T) {
diff --git a/creds/tokens/credentials_test.go b/creds/tokens/credentials_test.go
index 9ac4b795..95935bef 100644
--- a/creds/tokens/credentials_test.go
+++ b/creds/tokens/credentials_test.go
@@ -16,27 +16,40 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap/zaptest"
 )
 
 type frostfsMock struct {
+	key     *keys.PrivateKey
 	objects map[string][]*object.Object
 	errors  map[string]error
 }
 
-func newFrostfsMock() *frostfsMock {
+func newFrostfsMock(key *keys.PrivateKey) *frostfsMock {
 	return &frostfsMock{
 		objects: map[string][]*object.Object{},
 		errors:  map[string]error{},
+		key:     key,
 	}
 }
 
+func (f *frostfsMock) ownerID() user.ID {
+	if f.key == nil {
+		return user.ID{}
+	}
+
+	var ownerID user.ID
+	user.IDFromKey(&ownerID, f.key.PrivateKey.PublicKey)
+	return ownerID
+}
+
 func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.ID, error) {
 	var obj object.Object
 	obj.SetPayload(prm.Payload)
-	obj.SetOwnerID(prm.Creator)
+	obj.SetOwnerID(f.ownerID())
 	obj.SetContainerID(prm.Container)
 
 	a := object.NewAttribute()
@@ -81,7 +94,7 @@ func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (
 
 	objects, ok := f.objects[prm.AccessKeyID]
 	if !ok {
-		return nil, errors.New("not found")
+		return nil, ErrCustomAccessKeyIDNotFound
 	}
 
 	return objects[len(objects)-1], nil
@@ -157,8 +170,9 @@ func TestGetBox(t *testing.T) {
 	}}
 
 	secret := []byte("secret")
-	accessBox, _, err := accessbox.PackTokens(gateData, secret, false)
+	accessBox, secrets, err := accessbox.PackTokens(gateData, secret, false)
 	require.NoError(t, err)
+	require.Equal(t, hex.EncodeToString(secret), secrets.SecretKey)
 	data, err := accessBox.Marshal()
 	require.NoError(t, err)
 
@@ -176,11 +190,7 @@ func TestGetBox(t *testing.T) {
 	}
 
 	t.Run("no removing check, accessbox from cache", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = time.Hour
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, time.Hour)
 
 		cnrID := cidtest.ID()
 		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
@@ -191,30 +201,26 @@ func TestGetBox(t *testing.T) {
 		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 
-		frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
+		creds.(*cred).frostFS.(*frostfsMock).errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
 		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 	})
 
 	t.Run("error while getting box from frostfs", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = 0
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, 0)
 
 		cnrID := cidtest.ID()
 		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
 		require.NoError(t, err)
 
 		accessKeyID := getAccessKeyID(addr)
-		frostfs.errors[accessKeyID] = errors.New("network error")
+		creds.(*cred).frostFS.(*frostfsMock).errors[accessKeyID] = errors.New("network error")
 		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 	})
 
 	t.Run("invalid key", func(t *testing.T) {
-		frostfs := newFrostfsMock()
+		frostfs := newFrostfsMock(key)
 
 		var obj object.Object
 		obj.SetPayload(data)
@@ -232,7 +238,7 @@ func TestGetBox(t *testing.T) {
 	})
 
 	t.Run("invalid payload", func(t *testing.T) {
-		frostfs := newFrostfsMock()
+		frostfs := newFrostfsMock(key)
 
 		var obj object.Object
 		obj.SetPayload([]byte("invalid"))
@@ -250,11 +256,7 @@ func TestGetBox(t *testing.T) {
 	})
 
 	t.Run("check attributes update", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = 0
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, 0)
 
 		cnrID := cidtest.ID()
 		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
@@ -280,11 +282,7 @@ func TestGetBox(t *testing.T) {
 	})
 
 	t.Run("check accessbox update", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = 0
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, 0)
 
 		cnrID := cidtest.ID()
 		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
@@ -321,20 +319,36 @@ func TestGetBox(t *testing.T) {
 		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 
-		cfg.Key = newKey
-		newCreds := New(cfg)
+		newCfg := Config{
+			FrostFS:     creds.(*cred).frostFS,
+			Key:         newKey,
+			CacheConfig: cfg.CacheConfig,
+		}
+		newCreds := New(newCfg)
 
 		box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 		require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
 	})
 
+	t.Run("check access key id uniqueness", func(t *testing.T) {
+		creds := newCreds(key, cfg, 0)
+
+		prm := CredentialsParam{
+			Container: cidtest.ID(),
+			AccessBox: accessBox,
+			Keys:      keys.PublicKeys{key.PublicKey()},
+		}
+
+		_, err = creds.Put(ctx, prm)
+		require.NoError(t, err)
+
+		_, err = creds.Put(ctx, prm)
+		require.NoError(t, err)
+	})
+
 	t.Run("empty keys", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = 0
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, 0)
 
 		cnrID := cidtest.ID()
 		_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox})
@@ -342,11 +356,7 @@ func TestGetBox(t *testing.T) {
 	})
 
 	t.Run("empty accessbox", func(t *testing.T) {
-		frostfs := newFrostfsMock()
-		cfg.FrostFS = frostfs
-		cfg.RemovingCheckAfterDurations = 0
-		cfg.Key = key
-		creds := New(cfg)
+		creds := newCreds(key, cfg, 0)
 
 		cnrID := cidtest.ID()
 		_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}})
@@ -354,6 +364,73 @@ func TestGetBox(t *testing.T) {
 	})
 }
 
+func TestBoxWithCustomAccessKeyID(t *testing.T) {
+	ctx := context.Background()
+	key, err := keys.NewPrivateKey()
+	require.NoError(t, err)
+
+	gateData := []*accessbox.GateData{{
+		BearerToken: &bearer.Token{},
+		GateKey:     key.PublicKey(),
+	}}
+
+	secret := []byte("secret")
+	accessBox, secrets, err := accessbox.PackTokens(gateData, secret, true)
+	require.NoError(t, err)
+	require.Equal(t, string(secret), secrets.SecretKey)
+
+	cfg := Config{
+		CacheConfig: &cache.Config{
+			Size:     10,
+			Lifetime: 24 * time.Hour,
+			Logger:   zaptest.NewLogger(t),
+		},
+	}
+
+	t.Run("check secret format", func(t *testing.T) {
+		creds := newCreds(key, cfg, 0)
+
+		prm := CredentialsParam{
+			Container:   cidtest.ID(),
+			AccessKeyID: "custom-access-key-id",
+			AccessBox:   accessBox,
+			Keys:        keys.PublicKeys{key.PublicKey()},
+		}
+
+		_, err = creds.Put(ctx, prm)
+		require.NoError(t, err)
+
+		box, _, err := creds.GetBox(ctx, prm.Container, prm.AccessKeyID)
+		require.NoError(t, err)
+		require.Equal(t, string(secret), box.Gate.SecretKey)
+	})
+
+	t.Run("check custom access key id uniqueness", func(t *testing.T) {
+		creds := newCreds(key, cfg, 0)
+
+		prm := CredentialsParam{
+			Container:   cidtest.ID(),
+			AccessKeyID: "custom-access-key-id",
+			AccessBox:   accessBox,
+			Keys:        keys.PublicKeys{key.PublicKey()},
+		}
+
+		_, err = creds.Put(ctx, prm)
+		require.NoError(t, err)
+
+		_, err = creds.Put(ctx, prm)
+		require.Error(t, err)
+	})
+}
+
+func newCreds(key *keys.PrivateKey, cfg Config, removingCheckDuration time.Duration) Credentials {
+	frostfs := newFrostfsMock(key)
+	cfg.FrostFS = frostfs
+	cfg.RemovingCheckAfterDurations = removingCheckDuration
+	cfg.Key = key
+	return New(cfg)
+}
+
 func getAccessKeyID(addr oid.Address) string {
 	return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
 }
diff --git a/internal/frostfs/authmate_test.go b/internal/frostfs/authmate_test.go
index 0f0f167e..c21b5879 100644
--- a/internal/frostfs/authmate_test.go
+++ b/internal/frostfs/authmate_test.go
@@ -2,23 +2,27 @@ package frostfs
 
 import (
 	"context"
+	"strconv"
 	"strings"
 	"testing"
 
+	objectv2 "git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/object"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/authmate"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap/zaptest"
 )
 
-func TestGetCredsObject(t *testing.T) {
+func TestCredsObject(t *testing.T) {
 	ctx, bktName, payload, newPayload := context.Background(), "bucket", []byte("payload"), []byte("new-payload")
 
 	key, err := keys.NewPrivateKey()
@@ -45,38 +49,166 @@ func TestGetCredsObject(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
-		Container: cnrID,
-		Payload:   payload,
+	t.Run("regular access key", func(t *testing.T) {
+		attr1 := object.NewAttribute()
+		attr1.SetKey("attr1")
+		attr1.SetValue("val1")
+
+		prm := tokens.PrmObjectCreate{
+			Container:        cnrID,
+			Filepath:         "regular-obj",
+			ExpirationEpoch:  10,
+			Payload:          payload,
+			CustomAttributes: []object.Attribute{*attr1},
+		}
+
+		objID, err := frostfs.CreateObject(ctx, prm)
+		require.NoError(t, err)
+
+		accessKeyID := cnrID.EncodeToString() + "0" + objID.EncodeToString()
+
+		obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: accessKeyID})
+		require.NoError(t, err)
+		assertParamsSet(t, prm, obj, userID)
+
+		t.Run("update existing", func(t *testing.T) {
+			attr2 := object.NewAttribute()
+			attr2.SetKey("attr2")
+			attr2.SetValue("val2")
+
+			prmNew := tokens.PrmObjectCreate{
+				Container:                cnrID,
+				Filepath:                 "regular-obj-new",
+				ExpirationEpoch:          11,
+				Payload:                  newPayload,
+				CustomAttributes:         []object.Attribute{*attr2},
+				NewVersionForAccessKeyID: accessKeyID,
+			}
+
+			_, err = frostfs.CreateObject(ctx, prmNew)
+			require.NoError(t, err)
+
+			obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: accessKeyID})
+			require.NoError(t, err)
+			assertParamsSet(t, prmNew, obj, userID)
+		})
+
+		t.Run("update not existing", func(t *testing.T) {
+			attr2 := object.NewAttribute()
+			attr2.SetKey("attr2")
+			attr2.SetValue("val2")
+
+			addr := oidtest.Address()
+			accessKeyIDNotExisting := getAccessKeyID(addr)
+
+			prmNew := tokens.PrmObjectCreate{
+				Container:                cnrID,
+				Filepath:                 "regular-obj-new",
+				ExpirationEpoch:          11,
+				Payload:                  newPayload,
+				CustomAttributes:         []object.Attribute{*attr2},
+				NewVersionForAccessKeyID: accessKeyIDNotExisting,
+			}
+
+			_, err = frostfs.CreateObject(ctx, prmNew)
+			require.NoError(t, err)
+
+			obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: accessKeyIDNotExisting})
+			require.NoError(t, err)
+			assertParamsSet(t, prmNew, obj, userID)
+		})
 	})
-	require.NoError(t, err)
 
-	var addr oid.Address
-	addr.SetContainer(cnrID)
-	addr.SetObject(objID)
+	t.Run("custom access key", func(t *testing.T) {
+		attr1 := object.NewAttribute()
+		attr1.SetKey("attr1")
+		attr1.SetValue("val1")
 
-	accessKeyID := getAccessKeyID(addr)
+		accessKeyID := "custom-access-key-id"
 
-	obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
-		Container:   cnrID,
-		AccessKeyID: accessKeyID,
+		prm := tokens.PrmObjectCreate{
+			Container:        cnrID,
+			Filepath:         "custom-obj",
+			ExpirationEpoch:  10,
+			Payload:          payload,
+			CustomAccessKey:  accessKeyID,
+			CustomAttributes: []object.Attribute{*attr1},
+		}
+
+		_, err = frostfs.CreateObject(ctx, prm)
+		require.NoError(t, err)
+
+		obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: accessKeyID})
+		require.NoError(t, err)
+		assertParamsSet(t, prm, obj, userID)
+
+		t.Run("update", func(t *testing.T) {
+			attr2 := object.NewAttribute()
+			attr2.SetKey("attr2")
+			attr2.SetValue("val2")
+
+			prmNew := tokens.PrmObjectCreate{
+				Container:                cnrID,
+				Filepath:                 "custom-obj-new",
+				ExpirationEpoch:          11,
+				Payload:                  newPayload,
+				CustomAttributes:         []object.Attribute{*attr2},
+				NewVersionForAccessKeyID: accessKeyID,
+			}
+
+			_, err = frostfs.CreateObject(ctx, prmNew)
+			require.NoError(t, err)
+
+			obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: accessKeyID})
+			require.NoError(t, err)
+			assertParamsSet(t, prmNew, obj, userID)
+		})
+
+		t.Run("update not existing", func(t *testing.T) {
+			accessKeyIDNotExisting := "unknown"
+
+			prmNew := tokens.PrmObjectCreate{
+				Container:                cnrID,
+				Payload:                  newPayload,
+				NewVersionForAccessKeyID: accessKeyIDNotExisting,
+			}
+
+			_, err = frostfs.CreateObject(ctx, prmNew)
+			require.Error(t, err)
+		})
 	})
-	require.NoError(t, err)
-	require.Equal(t, payload, obj.Payload())
+}
 
-	_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
-		Container:                cnrID,
-		Payload:                  newPayload,
-		NewVersionForAccessKeyID: accessKeyID,
-	})
-	require.NoError(t, err)
+func assertParamsSet(t *testing.T, prm tokens.PrmObjectCreate, obj *object.Object, userID user.ID) {
+	require.Equal(t, prm.Payload, obj.Payload())
+	require.True(t, userID.Equals(obj.OwnerID()), "owners not matched")
 
-	obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
-		Container:   cnrID,
-		AccessKeyID: getAccessKeyID(addr),
-	})
-	require.NoError(t, err)
-	require.Equal(t, newPayload, obj.Payload())
+	require.True(t, containerAttribute(obj.Attributes(), object.AttributeFilePath, prm.Filepath), "missing FilePath")
+	require.True(t, containerAttribute(obj.Attributes(), objectv2.SysAttributeExpEpoch, strconv.FormatUint(prm.ExpirationEpoch, 10)), "missing expiration epoch")
+
+	var crdtName string
+	if prm.CustomAccessKey != "" {
+		crdtName = prm.CustomAccessKey
+	} else if prm.NewVersionForAccessKeyID != "" {
+		crdtName = prm.NewVersionForAccessKeyID
+	}
+	if crdtName != "" {
+		require.Truef(t, containerAttribute(obj.Attributes(), accessBoxCRDTNameAttr, crdtName), "wrong crdt name '%s'", crdtName)
+	}
+
+	for _, attr := range prm.CustomAttributes {
+		require.True(t, containerAttribute(obj.Attributes(), attr.Key(), attr.Value()), "missing custom attribute")
+	}
+}
+
+func containerAttribute(attrs []object.Attribute, key, val string) bool {
+	for _, attr := range attrs {
+		if attr.Key() == key && attr.Value() == val {
+			return true
+		}
+	}
+
+	return false
 }
 
 func getAccessKeyID(addr oid.Address) string {