[#162] eACL: Create eACL with neofs-cli

Signed-off-by: Elizaveta Chichindaeva <elizaveta@nspcc.ru>
Elizaveta Chichindaeva 2022-02-17 12:52:48 +03:00
parent d66ae5b7fc
commit e5d6662905
22 changed files with 121 additions and 175 deletions


@ -67,6 +67,22 @@ def _encode_cid_for_eacl(cid: str) -> str:
cid_base58 = base58.b58decode(cid) cid_base58 = base58.b58decode(cid)
return base64.b64encode(cid_base58).decode("utf-8") return base64.b64encode(cid_base58).decode("utf-8")
@keyword('Create eACL')
def create_eacl(cid: str, rules_list: list):
table = f"{os.getcwd()}/{ASSETS_DIR}/eacl_table_{str(uuid.uuid4())}.json"
rules = ""
for rule in rules_list:
# TODO: check if $Object: is still necessary for filtering in the newest releases
rules += f"--rule '{rule}' "
cmd = (
f"{NEOFS_CLI_EXEC} acl extended create --cid {cid} "
f"{rules}--out {table}"
)
logger.info(f"cmd: {cmd}")
_cmd_run(cmd)
return table
@keyword('Form BearerToken File') @keyword('Form BearerToken File')
def form_bearertoken_file(wif: str, cid: str, eacl_records: list) -> str: def form_bearertoken_file(wif: str, cid: str, eacl_records: list) -> str:
@ -153,48 +169,3 @@ def sign_bearer_token(wif: str, eacl_rules_file: str):
) )
logger.info(f"cmd: {cmd}") logger.info(f"cmd: {cmd}")
_cmd_run(cmd) _cmd_run(cmd)
@keyword('Form eACL JSON Common File')
def form_eacl_json_common_file(eacl_records: list) -> str:
# Input role can be Role (USER, SYSTEM, OTHERS) or public key.
eacl = {"records":[]}
file_path = f"{os.getcwd()}/{ASSETS_DIR}/{str(uuid.uuid4())}"
for record in eacl_records:
op_data = dict()
if Role(record['Role']):
op_data = {
"operation": record['Operation'],
"action": record['Access'],
"filters": [],
"targets": [
{
"role": record['Role']
}
]
}
else:
op_data = {
"operation": record['Operation'],
"action": record['Access'],
"filters": [],
"targets": [
{
"keys": [ record['Role'] ]
}
]
}
if 'Filters' in record.keys():
op_data["filters"].append(record['Filters'])
eacl["records"].append(op_data)
logger.info(f"Got these extended ACL records: {eacl}")
with open(file_path, 'w', encoding='utf-8') as eacl_file:
json.dump(eacl, eacl_file, ensure_ascii=False, indent=4)
return file_path
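Review bot: In the new `create_eacl` (first hunk of this section) each rule and the container ID are pasted into the command string as `--rule '{rule}'` and `--cid {cid}`, so a rule containing a single quote or a shell metacharacter ends the quoting and changes the command, assuming `_cmd_run` passes the string to a shell (its body is outside the hunk). The rule strings now embed object header values read back from the node, so the quoting should not rely on those values being benign. I would quote every argument instead, `rules += f"--rule {shlex.quote(rule)} "` and `--cid {shlex.quote(cid)}`, which also keeps `$Object:...` filter keys from being expanded; this needs `import shlex` in the import block, which is not visible here. The function also has no docstring and no `-> str` return annotation, unlike `form_bearertoken_file` right below it.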


@ -27,21 +27,22 @@ Generate file
Prepare eACL Role rules Prepare eACL Role rules
[Arguments] ${CID}
Log Set eACL for different Role cases Log Set eACL for different Role cases
# eACL rules for all operations and similar permissions # eACL rules for all operations and similar permissions
@{Roles} = Create List OTHERS USER SYSTEM @{Roles} = Create List others user system
FOR ${role} IN @{Roles} FOR ${role} IN @{Roles}
${rule1} = Create Dictionary Operation=GET Access=DENY Role=${role} ${rule1} = Set Variable deny get ${role}
${rule2} = Create Dictionary Operation=HEAD Access=DENY Role=${role} ${rule2} = Set Variable deny head ${role}
${rule3} = Create Dictionary Operation=PUT Access=DENY Role=${role} ${rule3} = Set Variable deny put ${role}
${rule4} = Create Dictionary Operation=DELETE Access=DENY Role=${role} ${rule4} = Set Variable deny delete ${role}
${rule5} = Create Dictionary Operation=SEARCH Access=DENY Role=${role} ${rule5} = Set Variable deny search ${role}
${rule6} = Create Dictionary Operation=GETRANGE Access=DENY Role=${role} ${rule6} = Set Variable deny getrange ${role}
${rule7} = Create Dictionary Operation=GETRANGEHASH Access=DENY Role=${role} ${rule7} = Set Variable deny getrangehash ${role}
${eACL_gen} = Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7} ${eACL_gen} = Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7}
${EACL_FILE} = Form eACL JSON Common File ${eACL_gen} ${EACL_FILE} = Create eACL ${CID} ${eACL_gen}
Set Global Variable ${EACL_DENY_ALL_${role}} ${EACL_FILE} Set Global Variable ${EACL_DENY_ALL_${role}} ${EACL_FILE}
END END
[Return] gen_eacl_deny_all_${role} [Return] gen_eacl_deny_all_${role}
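Review bot: `Prepare eACL Role rules` now generates each table for one `${CID}` but still publishes the path with `Set Global Variable ${EACL_DENY_ALL_${role}}`, so a table built for one container stays visible to every later test and suite. If the generated table is bound to the container passed via `--cid` (not visible here), a test that skips the keyword or calls it for a different container can apply a stale table without noticing. I would narrow the scope, e.g. `Set Test Variable ${EACL_DENY_ALL_${role}} ${EACL_FILE}`, or return the paths to the caller. The trailing `[Return] gen_eacl_deny_all_${role}` also no longer matches the `eacl_table_<uuid>.json` name that `Create eACL` produces and is evaluated after `END`, so it only reflects the last role.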


@ -89,22 +89,22 @@ Check eACL Deny and Allow All
Delete object ${KEY} ${CID} ${S_OID_USER} Delete object ${KEY} ${CID} ${S_OID_USER}
Compose eACL Custom Compose eACL Custom
[Arguments] ${HEADER_DICT} ${MATCH_TYPE} ${FILTER} ${ACCESS} ${ROLE} [Arguments] ${CID} ${HEADER_DICT} ${MATCH_TYPE} ${FILTER} ${ACCESS} ${ROLE}
${filter_value} = Get From dictionary ${HEADER_DICT}[header] ${EACL_OBJ_FILTERS}[${FILTER}] ${filter_value} = Get From dictionary ${HEADER_DICT}[header] ${EACL_OBJ_FILTERS}[${FILTER}]
${filters} = Create Dictionary headerType=OBJECT matchType=${MATCH_TYPE} key=${FILTER} value=${filter_value} ${filters} = Set Variable obj:${FILTER}${MATCH_TYPE}${filter_value}
${rule_get}= Create Dictionary Operation=GET Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_get}= Set Variable ${ACCESS} get ${filters} ${ROLE}
${rule_head}= Create Dictionary Operation=HEAD Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_head}= Set Variable ${ACCESS} head ${filters} ${ROLE}
${rule_put}= Create Dictionary Operation=PUT Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_put}= Set Variable ${ACCESS} put ${filters} ${ROLE}
${rule_del}= Create Dictionary Operation=DELETE Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_del}= Set Variable ${ACCESS} delete ${filters} ${ROLE}
${rule_search}= Create Dictionary Operation=SEARCH Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_search}= Set Variable ${ACCESS} search ${filters} ${ROLE}
${rule_range}= Create Dictionary Operation=GETRANGE Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_range}= Set Variable ${ACCESS} getrange ${filters} ${ROLE}
${rule_rangehash}= Create Dictionary Operation=GETRANGEHASH Access=${ACCESS} Role=${ROLE} Filters=${filters} ${rule_rangehash}= Set Variable ${ACCESS} getrangehash ${filters} ${ROLE}
${eACL_gen}= Create List ${rule_get} ${rule_head} ${rule_put} ${rule_del} ${eACL_gen}= Create List ${rule_get} ${rule_head} ${rule_put} ${rule_del}
... ${rule_search} ${rule_range} ${rule_rangehash} ... ${rule_search} ${rule_range} ${rule_rangehash}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
[Return] ${EACL_CUSTOM} [Return] ${EACL_CUSTOM}
@ -136,8 +136,9 @@ Check eACL Filters with MatchType String Equal
Delete Object ${OTHER_KEY} ${CID} ${D_OID_USER} Delete Object ${OTHER_KEY} ${CID} ${D_OID_USER}
&{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER} &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER}
${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_EQUAL ${FILTER} DENY OTHERS ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} = ${FILTER} deny others
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Sleep ${MORPH_BLOCK_TIME}
IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}] IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}]
Run Keyword And Expect Error ${EACL_ERR_MSG} Run Keyword And Expect Error ${EACL_ERR_MSG}
@ -185,7 +186,7 @@ Check eACL Filters with MatchType String Not Equal
Get Range Hash ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} 0:256 Get Range Hash ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} 0:256
&{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER} &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER}
${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} deny others
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}] IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}]
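Review bot: `Sleep ${MORPH_BLOCK_TIME}` is added after `Set eACL` only in `Check eACL Filters with MatchType String Equal`; in the visible lines of `Check eACL Filters with MatchType String Not Equal` the checks still start immediately after `Set eACL`. If the wait is needed for the new table to take effect, the denial checks in the second keyword can run against the previous ACL and fail or pass for the wrong reason. I would add the same `Sleep ${MORPH_BLOCK_TIME}` line there, or move the wait into `Set eACL` itself so every caller gets it. Both keyword bodies continue outside their hunks, so a later wait cannot be ruled out from here.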


@ -25,7 +25,6 @@ BearerToken Operations
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -46,6 +45,7 @@ Check eACL Deny and Allow All Bearer
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}
@{S_OBJ_H} = Create List ${S_OID_USER} @{S_OBJ_H} = Create List ${S_OID_USER}


@ -21,7 +21,6 @@ BearerToken Operations
[Setup] Setup [Setup] Setup
${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit ${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -43,6 +42,7 @@ Check eACL Deny and Allow All Bearer
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} ${EMPTY} ${FILE_USR_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} ${EMPTY} ${FILE_USR_HEADER}
Prepare eACL Role rules ${CID}
# Storage group Operations (Put, List, Get, Delete) # Storage group Operations (Put, List, Get, Delete)


@ -26,7 +26,6 @@ BearerToken Operations for Сompound Operations
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
${_} ${_} ${OTHER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${OTHER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -58,6 +57,7 @@ Check Bearer Сompound Get
[Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
@{S_OBJ_H} = Create List ${S_OID_USER} @{S_OBJ_H} = Create List ${S_OID_USER}
@ -92,6 +92,7 @@ Check Bearer Сompound Delete
[Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID}
Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}
@ -126,6 +127,7 @@ Check Bearer Сompound Get Range Hash
[Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}


@ -26,7 +26,7 @@ BearerToken Operations with Filter OID Equal
${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit ${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit
${WALLET_OTH} ${ADDR_OTH} ${OTHER_KEY} = Prepare Wallet And Deposit ${WALLET_OTH} ${ADDR_OTH} ${OTHER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
Check eACL Deny and Allow All Bearer Filter OID Equal ${USER_KEY} ${FILE_S} Check eACL Deny and Allow All Bearer Filter OID Equal ${USER_KEY} ${FILE_S}
@ -46,6 +46,7 @@ Check eACL Deny and Allow All Bearer Filter OID Equal
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}


@ -24,7 +24,6 @@ BearerToken Operations with Filter OID NotEqual
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -44,6 +43,7 @@ Check eACL Deny and Allow All Bearer Filter OID NotEqual
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID}


@ -25,7 +25,6 @@ BearerToken Operations with Filter UserHeader Equal
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -42,6 +41,7 @@ BearerToken Operations with Filter UserHeader Equal
Check eACL Deny and Allow All Bearer Filter UserHeader Equal Check eACL Deny and Allow All Bearer Filter UserHeader Equal
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}


@ -25,7 +25,6 @@ BearerToken Operations Filter UserHeader NotEqual
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -43,6 +42,7 @@ Check eACL Deny and Allow All Bearer Filter UserHeader NotEqual
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}


@ -20,7 +20,6 @@ BearerToken Operations for Inaccessible Container
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -38,6 +37,7 @@ Check Container Inaccessible and Allow All Bearer
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Inaccessible ${USER_KEY} ${CID} = Create Container Inaccessible ${USER_KEY}
Prepare eACL Role rules ${CID}
Run Keyword And Expect Error * Run Keyword And Expect Error *
... Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${FILE_USR_HEADER} ... Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${FILE_USR_HEADER}


@ -25,7 +25,6 @@ BearerToken Operations
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -45,6 +44,7 @@ Check eACL Allow All Bearer Filter Requst Equal Deny
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}


@ -25,7 +25,6 @@ BearerToken Operations with Filter Requst Equal
[Setup] Setup [Setup] Setup
${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}
@ -45,6 +44,7 @@ Check eACL Deny and Allow All Bearer Filter Requst Equal
[Arguments] ${USER_KEY} ${FILE_S} [Arguments] ${USER_KEY} ${FILE_S}
${CID} = Create Container Public ${USER_KEY} ${CID} = Create Container Public ${USER_KEY}
Prepare eACL Role rules ${CID}
${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER}
${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID}
${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL}
@ -71,6 +71,7 @@ Check eACL Deny and Allow All Bearer Filter Requst Equal
${rule6}= Create Dictionary Operation=GETRANGE Access=ALLOW Role=USER Filters=${filters} ${rule6}= Create Dictionary Operation=GETRANGE Access=ALLOW Role=USER Filters=${filters}
${rule7}= Create Dictionary Operation=GETRANGEHASH Access=ALLOW Role=USER Filters=${filters} ${rule7}= Create Dictionary Operation=GETRANGEHASH Access=ALLOW Role=USER Filters=${filters}
${eACL_gen}= Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7} ${eACL_gen}= Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7}
${EACL_TOKEN} = Form BearerToken File ${USER_KEY} ${CID} ${eACL_gen} ${EACL_TOKEN} = Form BearerToken File ${USER_KEY} ${CID} ${eACL_gen}
Run Keyword And Expect Error ${EACL_ERROR_MSG} Run Keyword And Expect Error ${EACL_ERROR_MSG}


@ -24,8 +24,7 @@ BearerToken Operations with Filter Requst NotEqual
[Setup] Setup [Setup] Setup
${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Bearer token with simple object Log Check Bearer token with simple object
${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE}


@ -37,4 +37,4 @@ Extended ACL Operations
Check eACL Deny and Allow All Other Check eACL Deny and Allow All Other
[Arguments] ${USER_KEY} ${OTHER_KEY} [Arguments] ${USER_KEY} ${OTHER_KEY}
Check eACL Deny and Allow All ${OTHER_KEY} ${EACL_DENY_ALL_OTHER} ${EACL_ALLOW_ALL_OTHER} ${USER_KEY} Check eACL Deny and Allow All ${OTHER_KEY} ${EACL_DENY_ALL_OTHERS} ${EACL_ALLOW_ALL_OTHERS} ${USER_KEY}


@ -30,8 +30,6 @@ eACL Deny Replication Operations
${NODE_NUM} ${NODE} ${WIF_STORAGE} = Get control endpoint with wif ${NODE_NUM} ${NODE} ${WIF_STORAGE} = Get control endpoint with wif
${WALLET} ${ADDR} ${WIF_USER} = Prepare Wallet And Deposit ${WALLET} ${ADDR} ${WIF_USER} = Prepare Wallet And Deposit
Prepare eACL Role rules
Log Check Replication with eACL deny - object should be replicated Log Check Replication with eACL deny - object should be replicated
# https://github.com/nspcc-dev/neofs-node/issues/881 # https://github.com/nspcc-dev/neofs-node/issues/881
@ -41,14 +39,16 @@ eACL Deny Replication Operations
Wait Until Keyword Succeeds ${MORPH_BLOCK_TIME} ${CONTAINER_WAIT_INTERVAL} Wait Until Keyword Succeeds ${MORPH_BLOCK_TIME} ${CONTAINER_WAIT_INTERVAL}
... Container Existing ${WIF_USER} ${CID} ... Container Existing ${WIF_USER} ${CID}
${OID} = Put object ${WIF_USER} ${FILE} ${CID} ${EMPTY} ${FILE_USR_HEADER} Prepare eACL Role rules ${CID}
${OID} = Put object ${WIF_USER} ${FILE} ${CID}
Validate storage policy for object ${WIF_USER} ${EXPECTED_COPIES} ${CID} ${OID} Validate storage policy for object ${WIF_USER} ${EXPECTED_COPIES} ${CID} ${OID}
Set eACL ${WIF_USER} ${CID} ${EACL_DENY_ALL_USER} Set eACL ${WIF_USER} ${CID} ${EACL_DENY_ALL_USER}
Run Keyword And Expect Error * Run Keyword And Expect Error *
... Put object ${WIF_USER} ${FILE} ${CID} ${EMPTY} ${FILE_USR_HEADER} ... Put object ${WIF_USER} ${FILE} ${CID}
# Drop object to check replication # Drop object to check replication
Drop object ${NODE} ${WIF_STORAGE} ${CID} ${OID} Drop object ${NODE} ${WIF_STORAGE} ${CID} ${OID}


@ -16,6 +16,8 @@ Resource eacl_tables.robot
${PATH} = testfile ${PATH} = testfile
&{USER_HEADER} = key1=1 key2=abc &{USER_HEADER} = key1=1 key2=abc
&{ANOTHER_HEADER} = key1=oth key2=oth &{ANOTHER_HEADER} = key1=oth key2=oth
${ID_FILTER} = $Object:objectID
${CUSTOM_FILTER} = $Object:key1
*** Test cases *** *** Test cases ***
Extended ACL Operations Extended ACL Operations
@ -136,27 +138,27 @@ Check eACL MatchType String Equal Object
Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH}
Log Set eACL for Deny GET operation with StringEqual Object ID Log Set eACL for Deny GET operation with StringEqual Object ID
&{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_USER} &{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_USER}
${ID_value} = Get From dictionary ${HEADER_DICT} objectID ${ID_value} = Get From dictionary ${HEADER_DICT} ${EACL_OBJ_FILTERS}[${ID_FILTER}]
${filters} = Create Dictionary headerType=OBJECT matchType=STRING_EQUAL key=$Object:objectID value=${ID_value} ${filters} = Set Variable obj:${ID_FILTER}=${ID_value}
${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} ${rule1} = Set Variable deny get ${filters} others
${eACL_gen} = Create List ${rule1} ${eACL_gen} = Create List ${rule1}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error * Run Keyword And Expect Error *
... Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} ... Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH}
Log Set eACL for Deny GET operation with StringEqual Object Extended User Header Log Set eACL for Deny GET operation with StringEqual Object Extended User Header
${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} ${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}
${filters} = Create Dictionary headerType=OBJECT matchType=STRING_EQUAL key=key1 value=1 ${filters} = Set Variable obj:${CUSTOM_FILTER}=1
${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} ${rule1} = Set Variable deny get ${filters} others
${eACL_gen} = Create List ${rule1} ${eACL_gen} = Create List ${rule1}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error * Run Keyword And Expect Error *
@ -176,13 +178,14 @@ Check eACL MatchType String Not Equal Object
Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${PATH} Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${PATH}
Log Set eACL for Deny GET operation with StringNotEqual Object ID Log Set eACL for Deny GET operation with StringNotEqual Object ID
&{HEADER_DICT} = Head object ${USER_KEY} ${CID} ${S_OID_USER}
${ID_value} = Get From Dictionary ${HEADER_DICT} objectID
${filters} = Create Dictionary headerType=OBJECT matchType=STRING_NOT_EQUAL key=$Object:objectID value=${ID_value} &{HEADER_DICT} = Head object ${USER_KEY} ${CID} ${S_OID_USER}
${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} ${ID_value} = Get From Dictionary ${HEADER_DICT} ${EACL_OBJ_FILTERS}[${ID_FILTER}]
${filters} = Set Variable obj:${ID_FILTER}!=${ID_value}
${rule1} = Set Variable deny get ${filters} others
${eACL_gen} = Create List ${rule1} ${eACL_gen} = Create List ${rule1}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error * Run Keyword And Expect Error *
@ -191,12 +194,12 @@ Check eACL MatchType String Not Equal Object
Log Set eACL for Deny GET operation with StringEqual Object Extended User Header Log Set eACL for Deny GET operation with StringEqual Object Extended User Header
${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}
${filters} = Create Dictionary headerType=OBJECT matchType=STRING_NOT_EQUAL key=key1 value=1 ${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER}
${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} ${filters} = Set Variable obj:${CUSTOM_FILTER}!=1
${rule1} = Set Variable deny get ${filters} others
${eACL_gen} = Create List ${rule1} ${eACL_gen} = Create List ${rule1}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error * Run Keyword And Expect Error *


@ -47,7 +47,7 @@ Check $Object:creationEpoch Filter with MatchType String Not Equal
Get Object ${USER_KEY} ${CID} ${S_OID_NEW} ${EMPTY} local_file_eacl Get Object ${USER_KEY} ${CID} ${S_OID_NEW} ${EMPTY} local_file_eacl
&{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_NEW} &{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_NEW}
${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} DENY OTHERS
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error ${EACL_ERR_MSG} Run Keyword And Expect Error ${EACL_ERR_MSG}
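Review bot: The updated call still passes `DENY OTHERS` in upper case, while the other `Compose eACL Custom` callers in this commit pass `deny others` and `Prepare eACL Role rules` switched its roles to lower case. `Compose eACL Custom` now pastes `${ACCESS}` and `${ROLE}` directly into the rule text (`${ACCESS} get ${filters} ${ROLE}`), so the casing reaches neofs-cli unchanged; whether its rule parser accepts upper case is not visible here. I would write `!= ${FILTER} deny others` so an access-control test cannot fail on rule parsing instead of on the ACL check. The `$Object:payloadLength` section further down has the same call and needs the same change.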


@ -40,6 +40,8 @@ Object ID Object Filter for Extended ACL
Log Check two matchTypes applied Log Check two matchTypes applied
Check eACL Filters, two matchTypes $Object:objectID Check eACL Filters, two matchTypes $Object:objectID
[Teardown] Teardown object_id
*** Keywords *** *** Keywords ***
@ -58,28 +60,12 @@ Check eACL Filters with MatchType String Equal with two contradicting filters
Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH}
${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}] ${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}]
${filters} = Create Dictionary ${filters} = Set Variable obj:${FILTER}=${filter_value}
... headerType=OBJECT ${rule} = Set Variable allow get ${filters} others
... matchType=STRING_EQUAL ${contradicting_filters} = Set Variable obj:$Object:payloadLength=${SIMPLE_OBJ_SIZE}
... key=${FILTER} ${contradicting_rule} = Set Variable deny get ${contradicting_filters} others
... value=${filter_value}
${rule} = Create Dictionary
... Operation=GET
... Access=ALLOW
... Role=OTHERS
... Filters=${filters}
${contradicting_filters} = Create Dictionary
... headerType=OBJECT
... matchType=STRING_EQUAL
... key=$Object:payloadLength
... value=${SIMPLE_OBJ_SIZE}
${contradicting_rule} = Create Dictionary
... Operation=GET
... Access=DENY
... Role=OTHERS
... Filters=${contradicting_filters}
${eACL_gen} = Create List ${rule} ${contradicting_rule} ${eACL_gen} = Create List ${rule} ${contradicting_rule}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH}
@ -101,34 +87,15 @@ Check eACL Filters, two matchTypes
Get Object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH} Get Object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH}
${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}] ${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}]
${noneq_filters} = Create Dictionary ${noneq_filters} = Set Variable obj:${FILTER}!=${filter_value}
... headerType=OBJECT ${rule_noneq_filter} = Set Variable deny get ${noneq_filters} others
... matchType=STRING_NOT_EQUAL ${eq_filters} = Set Variable obj:${FILTER}=${filter_value}
... key=${FILTER} ${rule_eq_filter} = Set Variable deny get ${eq_filters} others
... value=${filter_value}
${rule_noneq_filter} = Create Dictionary
... Operation=GET
... Access=DENY
... Role=OTHERS
... Filters=${noneq_filters}
${eq_filters} = Create Dictionary
... headerType=OBJECT
... matchType=STRING_EQUAL
... key=${FILTER}
... value=${filter_value}
${rule_eq_filter} = Create Dictionary
... Operation=GET
... Access=DENY
... Role=OTHERS
... Filters=${eq_filters}
${eACL_gen} = Create List ${rule_noneq_filter} ${rule_eq_filter} ${eACL_gen} = Create List ${rule_noneq_filter} ${rule_eq_filter}
${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen}
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error * Run Keyword And Expect Error *
... Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH} ... Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH}
Run Keyword And Expect Error * Run Keyword And Expect Error *
... Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} ... Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH}
[Teardown] Teardown object_id


@ -47,7 +47,7 @@ Check $Object:payloadLength Filter with MatchType String Not Equal
Head Object ${USER_KEY} ${CID} ${S_OID} Head Object ${USER_KEY} ${CID} ${S_OID}
&{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID} &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID}
${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} DENY OTHERS
Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM}
Run Keyword And Expect Error ${EACL_ERR_MSG} Run Keyword And Expect Error ${EACL_ERR_MSG}


@ -1,6 +1,6 @@
EACL_OBJ_FILTERS = {'$Object:objectID': 'ID', EACL_OBJ_FILTERS = {'$Object:objectID': 'objectID',
'$Object:containerID': 'CID', '$Object:containerID': 'containerID',
'$Object:ownerID': 'OwnerID', '$Object:ownerID': 'ownerID',
'$Object:creationEpoch': 'creationEpoch', '$Object:creationEpoch': 'creationEpoch',
'$Object:payloadLength': 'payloadLength', '$Object:payloadLength': 'payloadLength',
'$Object:payloadHash': 'payloadHash', '$Object:payloadHash': 'payloadHash',


@ -2,8 +2,8 @@
${ACL_TEST_FILES} = robot/resources/files/eacl_tables ${ACL_TEST_FILES} = robot/resources/files/eacl_tables
${EACL_DENY_ALL_OTHER} = ${ACL_TEST_FILES}/gen_eacl_deny_all_OTHERS ${EACL_DENY_ALL_OTHERS} = ${ACL_TEST_FILES}/gen_eacl_deny_all_OTHERS
${EACL_ALLOW_ALL_OTHER} = ${ACL_TEST_FILES}/gen_eacl_allow_all_OTHERS ${EACL_ALLOW_ALL_OTHERS} = ${ACL_TEST_FILES}/gen_eacl_allow_all_OTHERS
${EACL_DENY_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_deny_all_USER ${EACL_DENY_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_deny_all_USER
${EACL_ALLOW_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_allow_all_USER ${EACL_ALLOW_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_allow_all_USER