forked from TrueCloudLab/frostfs-sdk-go
447 lines
9.4 KiB
Go
447 lines
9.4 KiB
Go
package bearer_test
|
|
|
|
import (
|
|
"bytes"
|
|
"math/rand"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/acl"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/api/refs"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
|
bearertest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer/test"
|
|
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
|
|
frostfscrypto "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto"
|
|
frostfsecdsa "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/crypto/ecdsa"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
|
|
eacltest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl/test"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
|
|
usertest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user/test"
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// compares binary representations of two eacl.Table instances.
|
|
func isEqualEACLTables(t1, t2 eacl.Table) bool {
|
|
d1, err := t1.Marshal()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
d2, err := t2.Marshal()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return bytes.Equal(d1, d2)
|
|
}
|
|
|
|
func TestToken_SetEACLTable(t *testing.T) {
|
|
var val bearer.Token
|
|
var m acl.BearerToken
|
|
filled := bearertest.Token()
|
|
|
|
val.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 := filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
require.Zero(t, val2.EACLTable())
|
|
|
|
val2 = filled
|
|
|
|
jd, err := val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
require.Zero(t, val2.EACLTable())
|
|
|
|
// set value
|
|
|
|
eaclTable := *eacltest.Table()
|
|
|
|
val.SetEACLTable(eaclTable)
|
|
require.True(t, isEqualEACLTables(eaclTable, val.EACLTable()))
|
|
|
|
val.WriteToV2(&m)
|
|
eaclTableV2 := eaclTable.ToV2()
|
|
require.Equal(t, eaclTableV2, m.GetBody().GetEACL())
|
|
|
|
val2 = filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
require.True(t, isEqualEACLTables(eaclTable, val.EACLTable()))
|
|
|
|
val2 = filled
|
|
|
|
jd, err = val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
require.True(t, isEqualEACLTables(eaclTable, val.EACLTable()))
|
|
}
|
|
|
|
func TestToken_SetAPEOverrides(t *testing.T) {
|
|
var val bearer.Token
|
|
var m acl.BearerToken
|
|
filled := bearertest.Token()
|
|
|
|
val.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 := filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
require.Zero(t, val2.APEOverride())
|
|
|
|
val2 = filled
|
|
|
|
jd, err := val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
require.Zero(t, val2.APEOverride())
|
|
|
|
// set value
|
|
|
|
tApe := bearertest.APEOverride()
|
|
|
|
val.SetAPEOverride(tApe)
|
|
require.Equal(t, tApe, val.APEOverride())
|
|
|
|
val.WriteToV2(&m)
|
|
require.NotNil(t, m.GetBody().GetAPEOverride())
|
|
require.True(t, tokenAPEOverridesEqual(tApe.ToV2(), m.GetBody().GetAPEOverride()))
|
|
|
|
val2 = filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
apeOverride := val2.APEOverride()
|
|
require.True(t, tokenAPEOverridesEqual(tApe.ToV2(), apeOverride.ToV2()))
|
|
|
|
val2 = filled
|
|
|
|
jd, err = val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
apeOverride = val.APEOverride()
|
|
require.True(t, tokenAPEOverridesEqual(tApe.ToV2(), apeOverride.ToV2()))
|
|
}
|
|
|
|
func tokenAPEOverridesEqual(lhs, rhs *acl.APEOverride) bool {
|
|
return reflect.DeepEqual(lhs, rhs)
|
|
}
|
|
|
|
func TestToken_ForUser(t *testing.T) {
|
|
var val bearer.Token
|
|
var m acl.BearerToken
|
|
filled := bearertest.Token()
|
|
|
|
val.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 := filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 = filled
|
|
|
|
jd, err := val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
// set value
|
|
usr := usertest.ID()
|
|
|
|
var usrV2 refs.OwnerID
|
|
usr.WriteToV2(&usrV2)
|
|
|
|
val.ForUser(usr)
|
|
|
|
val.WriteToV2(&m)
|
|
require.Equal(t, usrV2, *m.GetBody().GetOwnerID())
|
|
|
|
val2 = filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Equal(t, usrV2, *m.GetBody().GetOwnerID())
|
|
|
|
val2 = filled
|
|
|
|
jd, err = val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Equal(t, usrV2, *m.GetBody().GetOwnerID())
|
|
}
|
|
|
|
func testLifetimeClaim(t *testing.T, setter func(*bearer.Token, uint64), getter func(*acl.BearerToken) uint64) {
|
|
var val bearer.Token
|
|
var m acl.BearerToken
|
|
filled := bearertest.Token()
|
|
|
|
val.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 := filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
val2 = filled
|
|
|
|
jd, err := val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Zero(t, m.GetBody())
|
|
|
|
// set value
|
|
exp := rand.Uint64()
|
|
|
|
setter(&val, exp)
|
|
|
|
val.WriteToV2(&m)
|
|
require.Equal(t, exp, getter(&m))
|
|
|
|
val2 = filled
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Equal(t, exp, getter(&m))
|
|
|
|
val2 = filled
|
|
|
|
jd, err = val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
|
|
val2.WriteToV2(&m)
|
|
require.Equal(t, exp, getter(&m))
|
|
}
|
|
|
|
func TestToken_SetLifetime(t *testing.T) {
|
|
t.Run("iat", func(t *testing.T) {
|
|
testLifetimeClaim(t, (*bearer.Token).SetIat, func(token *acl.BearerToken) uint64 {
|
|
return token.GetBody().GetLifetime().GetIat()
|
|
})
|
|
})
|
|
|
|
t.Run("nbf", func(t *testing.T) {
|
|
testLifetimeClaim(t, (*bearer.Token).SetNbf, func(token *acl.BearerToken) uint64 {
|
|
return token.GetBody().GetLifetime().GetNbf()
|
|
})
|
|
})
|
|
|
|
t.Run("exp", func(t *testing.T) {
|
|
testLifetimeClaim(t, (*bearer.Token).SetExp, func(token *acl.BearerToken) uint64 {
|
|
return token.GetBody().GetLifetime().GetExp()
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestToken_InvalidAt(t *testing.T) {
|
|
var val bearer.Token
|
|
|
|
require.True(t, val.InvalidAt(0))
|
|
require.True(t, val.InvalidAt(1))
|
|
|
|
val.SetIat(1)
|
|
val.SetNbf(2)
|
|
val.SetExp(4)
|
|
|
|
require.True(t, val.InvalidAt(0))
|
|
require.True(t, val.InvalidAt(1))
|
|
require.False(t, val.InvalidAt(2))
|
|
require.False(t, val.InvalidAt(3))
|
|
require.False(t, val.InvalidAt(4))
|
|
require.True(t, val.InvalidAt(5))
|
|
}
|
|
|
|
func TestToken_AssertContainer(t *testing.T) {
|
|
var val bearer.Token
|
|
cnr := cidtest.ID()
|
|
|
|
require.True(t, val.AssertContainer(cnr))
|
|
|
|
eaclTable := *eacltest.Table()
|
|
|
|
eaclTable.SetCID(cidtest.ID())
|
|
val.SetEACLTable(eaclTable)
|
|
require.False(t, val.AssertContainer(cnr))
|
|
|
|
eaclTable.SetCID(cnr)
|
|
val.SetEACLTable(eaclTable)
|
|
require.True(t, val.AssertContainer(cnr))
|
|
}
|
|
|
|
func TestToken_AssertUser(t *testing.T) {
|
|
var val bearer.Token
|
|
usr := usertest.ID()
|
|
|
|
require.True(t, val.AssertUser(usr))
|
|
|
|
val.ForUser(usertest.ID())
|
|
require.False(t, val.AssertUser(usr))
|
|
|
|
val.ForUser(usr)
|
|
require.True(t, val.AssertUser(usr))
|
|
}
|
|
|
|
func TestToken_Sign(t *testing.T) {
|
|
var val bearer.Token
|
|
|
|
require.False(t, val.VerifySignature())
|
|
|
|
k, err := keys.NewPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
key := k.PrivateKey
|
|
val = bearertest.Token()
|
|
|
|
require.NoError(t, val.Sign(key))
|
|
|
|
require.True(t, val.VerifySignature())
|
|
|
|
var m acl.BearerToken
|
|
val.WriteToV2(&m)
|
|
|
|
require.NotZero(t, m.GetSignature().GetKey())
|
|
require.NotZero(t, m.GetSignature().GetSign())
|
|
|
|
val2 := bearertest.Token()
|
|
|
|
require.NoError(t, val2.Unmarshal(val.Marshal()))
|
|
require.True(t, val2.VerifySignature())
|
|
|
|
jd, err := val.MarshalJSON()
|
|
require.NoError(t, err)
|
|
|
|
val2 = bearertest.Token()
|
|
require.NoError(t, val2.UnmarshalJSON(jd))
|
|
require.True(t, val2.VerifySignature())
|
|
}
|
|
|
|
func TestToken_ReadFromV2(t *testing.T) {
|
|
var val bearer.Token
|
|
var m acl.BearerToken
|
|
|
|
require.Error(t, val.ReadFromV2(m))
|
|
|
|
var body acl.BearerTokenBody
|
|
m.SetBody(&body)
|
|
|
|
require.Error(t, val.ReadFromV2(m))
|
|
|
|
eaclTable := eacltest.Table().ToV2()
|
|
body.SetEACL(eaclTable)
|
|
|
|
require.Error(t, val.ReadFromV2(m))
|
|
|
|
var lifetime acl.TokenLifetime
|
|
body.SetLifetime(&lifetime)
|
|
|
|
require.Error(t, val.ReadFromV2(m))
|
|
|
|
const iat, nbf, exp = 1, 2, 3
|
|
lifetime.SetIat(iat)
|
|
lifetime.SetNbf(nbf)
|
|
lifetime.SetExp(exp)
|
|
|
|
body.SetLifetime(&lifetime)
|
|
|
|
require.Error(t, val.ReadFromV2(m))
|
|
|
|
var sig refs.Signature
|
|
m.SetSignature(&sig)
|
|
|
|
require.NoError(t, val.ReadFromV2(m))
|
|
|
|
body.SetEACL(nil)
|
|
body.SetImpersonate(true)
|
|
require.NoError(t, val.ReadFromV2(m))
|
|
|
|
var m2 acl.BearerToken
|
|
|
|
val.WriteToV2(&m2)
|
|
require.Equal(t, m, m2)
|
|
|
|
usr, usr2 := usertest.ID(), usertest.ID()
|
|
|
|
require.True(t, val.AssertUser(usr))
|
|
require.True(t, val.AssertUser(usr2))
|
|
|
|
var usrV2 refs.OwnerID
|
|
usr.WriteToV2(&usrV2)
|
|
|
|
body.SetOwnerID(&usrV2)
|
|
|
|
require.NoError(t, val.ReadFromV2(m))
|
|
|
|
val.WriteToV2(&m2)
|
|
require.Equal(t, m, m2)
|
|
|
|
require.True(t, val.AssertUser(usr))
|
|
require.False(t, val.AssertUser(usr2))
|
|
|
|
k, err := keys.NewPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
signer := frostfsecdsa.Signer(k.PrivateKey)
|
|
|
|
var s frostfscrypto.Signature
|
|
|
|
require.NoError(t, s.Calculate(signer, body.StableMarshal(nil)))
|
|
|
|
s.WriteToV2(&sig)
|
|
|
|
require.NoError(t, val.ReadFromV2(m))
|
|
require.True(t, val.VerifySignature())
|
|
require.Equal(t, sig.GetKey(), val.SigningKeyBytes())
|
|
}
|
|
|
|
func TestResolveIssuer(t *testing.T) {
|
|
k, err := keys.NewPrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
var val bearer.Token
|
|
|
|
require.Zero(t, bearer.ResolveIssuer(val))
|
|
|
|
var m acl.BearerToken
|
|
|
|
var sig refs.Signature
|
|
sig.SetKey([]byte("invalid key"))
|
|
|
|
m.SetSignature(&sig)
|
|
|
|
require.NoError(t, val.Unmarshal(m.StableMarshal(nil)))
|
|
|
|
require.Zero(t, bearer.ResolveIssuer(val))
|
|
|
|
require.NoError(t, val.Sign(k.PrivateKey))
|
|
|
|
var usr user.ID
|
|
user.IDFromKey(&usr, k.PrivateKey.PublicKey)
|
|
|
|
require.Equal(t, usr, bearer.ResolveIssuer(val))
|
|
}
|