forked from TrueCloudLab/frostfs-node
117 lines
2.5 KiB
Go
117 lines
2.5 KiB
Go
|
package acl
|
||
|
|
||
|
import (
|
||
|
"math/bits"
|
||
|
"testing"
|
||
|
|
||
|
"github.com/nspcc-dev/neofs-api-go/acl"
|
||
|
"github.com/nspcc-dev/neofs-api-go/object"
|
||
|
"github.com/stretchr/testify/require"
|
||
|
)
|
||
|
|
||
|
func TestBasicACLChecker(t *testing.T) {
|
||
|
reqs := []object.RequestType{
|
||
|
object.RequestGet,
|
||
|
object.RequestHead,
|
||
|
object.RequestPut,
|
||
|
object.RequestDelete,
|
||
|
object.RequestSearch,
|
||
|
object.RequestRange,
|
||
|
object.RequestRangeHash,
|
||
|
}
|
||
|
|
||
|
targets := []acl.Target{
|
||
|
acl.Target_Others,
|
||
|
acl.Target_System,
|
||
|
acl.Target_User,
|
||
|
}
|
||
|
|
||
|
checker := new(BasicACLChecker)
|
||
|
|
||
|
t.Run("verb permissions", func(t *testing.T) {
|
||
|
mask := uint32(1)
|
||
|
|
||
|
for i := range reqs {
|
||
|
res, err := checker.Bearer(mask, reqs[i])
|
||
|
require.NoError(t, err)
|
||
|
require.True(t, res)
|
||
|
|
||
|
mask = bits.Reverse32(mask)
|
||
|
res, err = checker.Bearer(mask, reqs[i])
|
||
|
require.NoError(t, err)
|
||
|
require.False(t, res)
|
||
|
|
||
|
mask = bits.Reverse32(mask)
|
||
|
|
||
|
for j := range targets {
|
||
|
mask <<= 1
|
||
|
res, err = checker.Action(mask, reqs[i], targets[j])
|
||
|
require.NoError(t, err)
|
||
|
require.True(t, res)
|
||
|
|
||
|
mask = bits.Reverse32(mask)
|
||
|
res, err = checker.Action(mask, reqs[i], targets[j])
|
||
|
require.NoError(t, err)
|
||
|
require.False(t, res)
|
||
|
|
||
|
mask = bits.Reverse32(mask)
|
||
|
}
|
||
|
mask <<= 1
|
||
|
}
|
||
|
})
|
||
|
|
||
|
t.Run("unknown verb", func(t *testing.T) {
|
||
|
mask := uint32(1)
|
||
|
_, err := checker.Bearer(mask, -1)
|
||
|
require.Error(t, err)
|
||
|
|
||
|
mask = 2
|
||
|
_, err = checker.Action(mask, -1, acl.Target_Others)
|
||
|
require.Error(t, err)
|
||
|
})
|
||
|
|
||
|
t.Run("unknown action", func(t *testing.T) {
|
||
|
mask := uint32(2)
|
||
|
_, err := checker.Action(mask, object.RequestGet, -1)
|
||
|
require.Error(t, err)
|
||
|
})
|
||
|
|
||
|
t.Run("extended acl permission", func(t *testing.T) {
|
||
|
// set F-bit
|
||
|
mask := uint32(0) | aclFinalBit
|
||
|
require.False(t, checker.Extended(mask))
|
||
|
|
||
|
// unset F-bit
|
||
|
mask = bits.Reverse32(mask)
|
||
|
require.True(t, checker.Extended(mask))
|
||
|
})
|
||
|
|
||
|
t.Run("sticky bit permission", func(t *testing.T) {
|
||
|
mask := uint32(0x20000000)
|
||
|
require.True(t, checker.Sticky(mask))
|
||
|
|
||
|
mask = bits.Reverse32(mask)
|
||
|
require.False(t, checker.Sticky(mask))
|
||
|
})
|
||
|
}
|
||
|
|
||
|
// todo: add tests like in basic acl checker
|
||
|
func TestNeoFSMaskedBasicACLChecker(t *testing.T) {
|
||
|
const orFilter = 0x04040444 // this OR filter will be used in neofs-node
|
||
|
checker := NewMaskedBasicACLChecker(orFilter, DefaultAndFilter)
|
||
|
|
||
|
reqs := []object.RequestType{
|
||
|
object.RequestGet,
|
||
|
object.RequestHead,
|
||
|
object.RequestPut,
|
||
|
object.RequestSearch,
|
||
|
object.RequestRangeHash,
|
||
|
}
|
||
|
|
||
|
for i := range reqs {
|
||
|
res, err := checker.Action(0, reqs[i], acl.Target_System)
|
||
|
require.NoError(t, err)
|
||
|
require.True(t, res)
|
||
|
}
|
||
|
}
|