From e5d66629057eb687f4995f27c5be06de3a57132b Mon Sep 17 00:00:00 2001 From: Elizaveta Chichindaeva Date: Thu, 17 Feb 2022 12:52:48 +0300 Subject: [PATCH] [#162] eACL: Create eACL with neofs-cli Signed-off-by: Elizaveta Chichindaeva --- robot/resources/lib/python/acl.py | 61 +++++------------- .../lib/robot/common_steps_acl_bearer.robot | 19 +++--- .../lib/robot/common_steps_acl_extended.robot | 25 ++++---- .../integration/acl/acl_bearer_allow.robot | 2 +- .../acl/acl_bearer_allow_storagegroup.robot | 4 +- .../integration/acl/acl_bearer_compound.robot | 6 +- .../acl/acl_bearer_filter_oid_equal.robot | 5 +- .../acl/acl_bearer_filter_oid_not_equal.robot | 8 +-- .../acl_bearer_filter_userheader_equal.robot | 4 +- ...l_bearer_filter_userheader_not_equal.robot | 4 +- .../acl/acl_bearer_inaccessible.robot | 2 +- ...l_bearer_request_filter_xheader_deny.robot | 2 +- ..._bearer_request_filter_xheader_equal.robot | 5 +- ...rer_request_filter_xheader_not_equal.robot | 5 +- .../acl/acl_extended_actions_other.robot | 2 +- .../acl/acl_extended_deny_replication.robot | 8 +-- .../acl/acl_extended_filters.robot | 63 ++++++++++--------- .../creation_epoch_filter.robot | 2 +- .../object_attributes/object_id_filter.robot | 57 ++++------------- .../payload_length_filter.robot | 2 +- robot/variables/eacl_object_filters.py | 6 +- robot/variables/eacl_tables.robot | 4 +- 22 files changed, 121 insertions(+), 175 deletions(-) diff --git a/robot/resources/lib/python/acl.py b/robot/resources/lib/python/acl.py index 038ef03..827fba2 100644 --- a/robot/resources/lib/python/acl.py +++ b/robot/resources/lib/python/acl.py @@ -67,6 +67,22 @@ def _encode_cid_for_eacl(cid: str) -> str: cid_base58 = base58.b58decode(cid) return base64.b64encode(cid_base58).decode("utf-8") +@keyword('Create eACL') +def create_eacl(cid: str, rules_list: list): + table = f"{os.getcwd()}/{ASSETS_DIR}/eacl_table_{str(uuid.uuid4())}.json" + rules = "" + for rule in rules_list: +# TODO: check if $Object: is still necessary for filtering in the newest releases + rules += f"--rule '{rule}' " + cmd = ( + f"{NEOFS_CLI_EXEC} acl extended create --cid {cid} " + f"{rules}--out {table}" + ) + logger.info(f"cmd: {cmd}") + _cmd_run(cmd) + + return table + @keyword('Form BearerToken File') def form_bearertoken_file(wif: str, cid: str, eacl_records: list) -> str: @@ -153,48 +169,3 @@ def sign_bearer_token(wif: str, eacl_rules_file: str): ) logger.info(f"cmd: {cmd}") _cmd_run(cmd) - - -@keyword('Form eACL JSON Common File') -def form_eacl_json_common_file(eacl_records: list) -> str: - # Input role can be Role (USER, SYSTEM, OTHERS) or public key. - eacl = {"records":[]} - file_path = f"{os.getcwd()}/{ASSETS_DIR}/{str(uuid.uuid4())}" - - for record in eacl_records: - op_data = dict() - - if Role(record['Role']): - op_data = { - "operation": record['Operation'], - "action": record['Access'], - "filters": [], - "targets": [ - { - "role": record['Role'] - } - ] - } - else: - op_data = { - "operation": record['Operation'], - "action": record['Access'], - "filters": [], - "targets": [ - { - "keys": [ record['Role'] ] - } - ] - } - - if 'Filters' in record.keys(): - op_data["filters"].append(record['Filters']) - - eacl["records"].append(op_data) - - logger.info(f"Got these extended ACL records: {eacl}") - - with open(file_path, 'w', encoding='utf-8') as eacl_file: - json.dump(eacl, eacl_file, ensure_ascii=False, indent=4) - - return file_path diff --git a/robot/resources/lib/robot/common_steps_acl_bearer.robot b/robot/resources/lib/robot/common_steps_acl_bearer.robot index dea4cb0..482f233 100644 --- a/robot/resources/lib/robot/common_steps_acl_bearer.robot +++ b/robot/resources/lib/robot/common_steps_acl_bearer.robot @@ -27,21 +27,22 @@ Generate file Prepare eACL Role rules + [Arguments] ${CID} Log Set eACL for different Role cases # eACL rules for all operations and similar permissions - @{Roles} = Create List OTHERS USER SYSTEM + @{Roles} = Create List others user system FOR ${role} IN @{Roles} - ${rule1} = Create Dictionary Operation=GET Access=DENY Role=${role} - ${rule2} = Create Dictionary Operation=HEAD Access=DENY Role=${role} - ${rule3} = Create Dictionary Operation=PUT Access=DENY Role=${role} - ${rule4} = Create Dictionary Operation=DELETE Access=DENY Role=${role} - ${rule5} = Create Dictionary Operation=SEARCH Access=DENY Role=${role} - ${rule6} = Create Dictionary Operation=GETRANGE Access=DENY Role=${role} - ${rule7} = Create Dictionary Operation=GETRANGEHASH Access=DENY Role=${role} + ${rule1} = Set Variable deny get ${role} + ${rule2} = Set Variable deny head ${role} + ${rule3} = Set Variable deny put ${role} + ${rule4} = Set Variable deny delete ${role} + ${rule5} = Set Variable deny search ${role} + ${rule6} = Set Variable deny getrange ${role} + ${rule7} = Set Variable deny getrangehash ${role} ${eACL_gen} = Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7} - ${EACL_FILE} = Form eACL JSON Common File ${eACL_gen} + ${EACL_FILE} = Create eACL ${CID} ${eACL_gen} Set Global Variable ${EACL_DENY_ALL_${role}} ${EACL_FILE} END [Return] gen_eacl_deny_all_${role} diff --git a/robot/resources/lib/robot/common_steps_acl_extended.robot b/robot/resources/lib/robot/common_steps_acl_extended.robot index 9a51b07..a968789 100644 --- a/robot/resources/lib/robot/common_steps_acl_extended.robot +++ b/robot/resources/lib/robot/common_steps_acl_extended.robot @@ -89,22 +89,22 @@ Check eACL Deny and Allow All Delete object ${KEY} ${CID} ${S_OID_USER} Compose eACL Custom - [Arguments] ${HEADER_DICT} ${MATCH_TYPE} ${FILTER} ${ACCESS} ${ROLE} + [Arguments] ${CID} ${HEADER_DICT} ${MATCH_TYPE} ${FILTER} ${ACCESS} ${ROLE} ${filter_value} = Get From dictionary ${HEADER_DICT}[header] ${EACL_OBJ_FILTERS}[${FILTER}] - ${filters} = Create Dictionary headerType=OBJECT matchType=${MATCH_TYPE} key=${FILTER} value=${filter_value} - ${rule_get}= Create Dictionary Operation=GET Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_head}= Create Dictionary Operation=HEAD Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_put}= Create Dictionary Operation=PUT Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_del}= Create Dictionary Operation=DELETE Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_search}= Create Dictionary Operation=SEARCH Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_range}= Create Dictionary Operation=GETRANGE Access=${ACCESS} Role=${ROLE} Filters=${filters} - ${rule_rangehash}= Create Dictionary Operation=GETRANGEHASH Access=${ACCESS} Role=${ROLE} Filters=${filters} + ${filters} = Set Variable obj:${FILTER}${MATCH_TYPE}${filter_value} + ${rule_get}= Set Variable ${ACCESS} get ${filters} ${ROLE} + ${rule_head}= Set Variable ${ACCESS} head ${filters} ${ROLE} + ${rule_put}= Set Variable ${ACCESS} put ${filters} ${ROLE} + ${rule_del}= Set Variable ${ACCESS} delete ${filters} ${ROLE} + ${rule_search}= Set Variable ${ACCESS} search ${filters} ${ROLE} + ${rule_range}= Set Variable ${ACCESS} getrange ${filters} ${ROLE} + ${rule_rangehash}= Set Variable ${ACCESS} getrangehash ${filters} ${ROLE} ${eACL_gen}= Create List ${rule_get} ${rule_head} ${rule_put} ${rule_del} ... ${rule_search} ${rule_range} ${rule_rangehash} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} [Return] ${EACL_CUSTOM} @@ -136,8 +136,9 @@ Check eACL Filters with MatchType String Equal Delete Object ${OTHER_KEY} ${CID} ${D_OID_USER} &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER} - ${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_EQUAL ${FILTER} DENY OTHERS + ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} = ${FILTER} deny others Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} + Sleep ${MORPH_BLOCK_TIME} IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}] Run Keyword And Expect Error ${EACL_ERR_MSG} @@ -185,7 +186,7 @@ Check eACL Filters with MatchType String Not Equal Get Range Hash ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} 0:256 &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID_USER} - ${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS + ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} deny others Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} IF 'GET' in ${VERB_FILTER_DEP}[${FILTER}] diff --git a/robot/testsuites/integration/acl/acl_bearer_allow.robot b/robot/testsuites/integration/acl/acl_bearer_allow.robot index 894b538..e8c7f02 100644 --- a/robot/testsuites/integration/acl/acl_bearer_allow.robot +++ b/robot/testsuites/integration/acl/acl_bearer_allow.robot @@ -25,7 +25,6 @@ BearerToken Operations [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -46,6 +45,7 @@ Check eACL Deny and Allow All Bearer [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} @{S_OBJ_H} = Create List ${S_OID_USER} diff --git a/robot/testsuites/integration/acl/acl_bearer_allow_storagegroup.robot b/robot/testsuites/integration/acl/acl_bearer_allow_storagegroup.robot index a80cf36..ea558c2 100644 --- a/robot/testsuites/integration/acl/acl_bearer_allow_storagegroup.robot +++ b/robot/testsuites/integration/acl/acl_bearer_allow_storagegroup.robot @@ -21,8 +21,7 @@ BearerToken Operations [Setup] Setup ${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules - + Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} Check eACL Deny and Allow All Bearer Simple ${USER_KEY} ${FILE_S} @@ -43,6 +42,7 @@ Check eACL Deny and Allow All Bearer ${CID} = Create Container Public ${USER_KEY} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} ${EMPTY} ${FILE_USR_HEADER} + Prepare eACL Role rules ${CID} # Storage group Operations (Put, List, Get, Delete) diff --git a/robot/testsuites/integration/acl/acl_bearer_compound.robot b/robot/testsuites/integration/acl/acl_bearer_compound.robot index 921e2f2..dbbb1e1 100644 --- a/robot/testsuites/integration/acl/acl_bearer_compound.robot +++ b/robot/testsuites/integration/acl/acl_bearer_compound.robot @@ -26,7 +26,6 @@ BearerToken Operations for Сompound Operations ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit ${_} ${_} ${OTHER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -58,8 +57,9 @@ Check Bearer Сompound Get [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} @@ -92,6 +92,7 @@ Check Bearer Сompound Delete [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} @@ -126,6 +127,7 @@ Check Bearer Сompound Get Range Hash [Arguments] ${KEY} ${DENY_GROUP} ${DENY_EACL} ${FILE_S} ${USER_KEY} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} Put object ${KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} diff --git a/robot/testsuites/integration/acl/acl_bearer_filter_oid_equal.robot b/robot/testsuites/integration/acl/acl_bearer_filter_oid_equal.robot index 8ac2cb8..7528436 100644 --- a/robot/testsuites/integration/acl/acl_bearer_filter_oid_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_filter_oid_equal.robot @@ -26,7 +26,7 @@ BearerToken Operations with Filter OID Equal ${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit ${WALLET_OTH} ${ADDR_OTH} ${OTHER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules + Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} Check eACL Deny and Allow All Bearer Filter OID Equal ${USER_KEY} ${FILE_S} @@ -46,10 +46,11 @@ Check eACL Deny and Allow All Bearer Filter OID Equal [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl diff --git a/robot/testsuites/integration/acl/acl_bearer_filter_oid_not_equal.robot b/robot/testsuites/integration/acl/acl_bearer_filter_oid_not_equal.robot index f2c1b1d..8922473 100644 --- a/robot/testsuites/integration/acl/acl_bearer_filter_oid_not_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_filter_oid_not_equal.robot @@ -24,7 +24,6 @@ BearerToken Operations with Filter OID NotEqual [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -44,10 +43,11 @@ Check eACL Deny and Allow All Bearer Filter OID NotEqual [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} Put object ${USER_KEY} ${FILE_S} ${CID} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl @@ -58,8 +58,8 @@ Check eACL Deny and Allow All Bearer Filter OID NotEqual Set eACL ${USER_KEY} ${CID} ${EACL_DENY_ALL_USER} - # The current ACL cache lifetime is 30 sec - Sleep ${NEOFS_CONTRACT_CACHE_TIMEOUT} + # The current ACL cache lifetime is 30 sec + Sleep ${NEOFS_CONTRACT_CACHE_TIMEOUT} ${filters}= Create Dictionary headerType=OBJECT matchType=STRING_NOT_EQUAL key=$Object:objectID value=${S_OID_USER_2} diff --git a/robot/testsuites/integration/acl/acl_bearer_filter_userheader_equal.robot b/robot/testsuites/integration/acl/acl_bearer_filter_userheader_equal.robot index 0b5fb17..335b661 100644 --- a/robot/testsuites/integration/acl/acl_bearer_filter_userheader_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_filter_userheader_equal.robot @@ -25,7 +25,6 @@ BearerToken Operations with Filter UserHeader Equal [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -42,10 +41,11 @@ BearerToken Operations with Filter UserHeader Equal Check eACL Deny and Allow All Bearer Filter UserHeader Equal [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl diff --git a/robot/testsuites/integration/acl/acl_bearer_filter_userheader_not_equal.robot b/robot/testsuites/integration/acl/acl_bearer_filter_userheader_not_equal.robot index 348078f..975f347 100644 --- a/robot/testsuites/integration/acl/acl_bearer_filter_userheader_not_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_filter_userheader_not_equal.robot @@ -25,7 +25,6 @@ BearerToken Operations Filter UserHeader NotEqual [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -43,10 +42,11 @@ Check eACL Deny and Allow All Bearer Filter UserHeader NotEqual [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} - @{S_OBJ_H} = Create List ${S_OID_USER_2} + @{S_OBJ_H} = Create List ${S_OID_USER_2} Put object ${USER_KEY} ${FILE_S} ${CID} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl diff --git a/robot/testsuites/integration/acl/acl_bearer_inaccessible.robot b/robot/testsuites/integration/acl/acl_bearer_inaccessible.robot index c663ed3..de3d411 100644 --- a/robot/testsuites/integration/acl/acl_bearer_inaccessible.robot +++ b/robot/testsuites/integration/acl/acl_bearer_inaccessible.robot @@ -20,7 +20,6 @@ BearerToken Operations for Inaccessible Container [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -38,6 +37,7 @@ Check Container Inaccessible and Allow All Bearer [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Inaccessible ${USER_KEY} + Prepare eACL Role rules ${CID} Run Keyword And Expect Error * ... Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${FILE_USR_HEADER} diff --git a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_deny.robot b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_deny.robot index fb7447d..4711a1a 100644 --- a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_deny.robot +++ b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_deny.robot @@ -25,7 +25,6 @@ BearerToken Operations [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -45,6 +44,7 @@ Check eACL Allow All Bearer Filter Requst Equal Deny [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} diff --git a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_equal.robot b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_equal.robot index f8df1fc..18bfce1 100644 --- a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_equal.robot @@ -25,7 +25,6 @@ BearerToken Operations with Filter Requst Equal [Setup] Setup ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -45,10 +44,11 @@ Check eACL Deny and Allow All Bearer Filter Requst Equal [Arguments] ${USER_KEY} ${FILE_S} ${CID} = Create Container Public ${USER_KEY} + Prepare eACL Role rules ${CID} ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} Put object ${USER_KEY} ${FILE_S} ${CID} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl @@ -71,6 +71,7 @@ Check eACL Deny and Allow All Bearer Filter Requst Equal ${rule6}= Create Dictionary Operation=GETRANGE Access=ALLOW Role=USER Filters=${filters} ${rule7}= Create Dictionary Operation=GETRANGEHASH Access=ALLOW Role=USER Filters=${filters} ${eACL_gen}= Create List ${rule1} ${rule2} ${rule3} ${rule4} ${rule5} ${rule6} ${rule7} + ${EACL_TOKEN} = Form BearerToken File ${USER_KEY} ${CID} ${eACL_gen} Run Keyword And Expect Error ${EACL_ERROR_MSG} diff --git a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_not_equal.robot b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_not_equal.robot index 599f2bc..668a4d1 100644 --- a/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_not_equal.robot +++ b/robot/testsuites/integration/acl/acl_bearer_request_filter_xheader_not_equal.robot @@ -24,8 +24,7 @@ BearerToken Operations with Filter Requst NotEqual [Setup] Setup - ${WALLET} ${ADDR} ${USER_KEY} = Prepare Wallet And Deposit - Prepare eACL Role rules + ${_} ${_} ${USER_KEY} = Prepare Wallet And Deposit Log Check Bearer token with simple object ${FILE_S} = Generate file ${SIMPLE_OBJ_SIZE} @@ -47,7 +46,7 @@ Check eACL Deny and Allow All Bearer Filter Requst NotEqual ${S_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER} ${S_OID_USER_2} = Put object ${USER_KEY} ${FILE_S} ${CID} ${D_OID_USER} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${USER_HEADER_DEL} - @{S_OBJ_H} = Create List ${S_OID_USER} + @{S_OBJ_H} = Create List ${S_OID_USER} Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_USER_HEADER} Get object ${USER_KEY} ${CID} ${S_OID_USER} ${EMPTY} local_file_eacl diff --git a/robot/testsuites/integration/acl/acl_extended_actions_other.robot b/robot/testsuites/integration/acl/acl_extended_actions_other.robot index 121d291..b3355b0 100644 --- a/robot/testsuites/integration/acl/acl_extended_actions_other.robot +++ b/robot/testsuites/integration/acl/acl_extended_actions_other.robot @@ -37,4 +37,4 @@ Extended ACL Operations Check eACL Deny and Allow All Other [Arguments] ${USER_KEY} ${OTHER_KEY} - Check eACL Deny and Allow All ${OTHER_KEY} ${EACL_DENY_ALL_OTHER} ${EACL_ALLOW_ALL_OTHER} ${USER_KEY} + Check eACL Deny and Allow All ${OTHER_KEY} ${EACL_DENY_ALL_OTHERS} ${EACL_ALLOW_ALL_OTHERS} ${USER_KEY} diff --git a/robot/testsuites/integration/acl/acl_extended_deny_replication.robot b/robot/testsuites/integration/acl/acl_extended_deny_replication.robot index d6184e3..e7301c5 100644 --- a/robot/testsuites/integration/acl/acl_extended_deny_replication.robot +++ b/robot/testsuites/integration/acl/acl_extended_deny_replication.robot @@ -30,8 +30,6 @@ eACL Deny Replication Operations ${NODE_NUM} ${NODE} ${WIF_STORAGE} = Get control endpoint with wif ${WALLET} ${ADDR} ${WIF_USER} = Prepare Wallet And Deposit - Prepare eACL Role rules - Log Check Replication with eACL deny - object should be replicated # https://github.com/nspcc-dev/neofs-node/issues/881 @@ -41,14 +39,16 @@ eACL Deny Replication Operations Wait Until Keyword Succeeds ${MORPH_BLOCK_TIME} ${CONTAINER_WAIT_INTERVAL} ... Container Existing ${WIF_USER} ${CID} - ${OID} = Put object ${WIF_USER} ${FILE} ${CID} ${EMPTY} ${FILE_USR_HEADER} + Prepare eACL Role rules ${CID} + + ${OID} = Put object ${WIF_USER} ${FILE} ${CID} Validate storage policy for object ${WIF_USER} ${EXPECTED_COPIES} ${CID} ${OID} Set eACL ${WIF_USER} ${CID} ${EACL_DENY_ALL_USER} Run Keyword And Expect Error * - ... Put object ${WIF_USER} ${FILE} ${CID} ${EMPTY} ${FILE_USR_HEADER} + ... Put object ${WIF_USER} ${FILE} ${CID} # Drop object to check replication Drop object ${NODE} ${WIF_STORAGE} ${CID} ${OID} diff --git a/robot/testsuites/integration/acl/acl_extended_filters.robot b/robot/testsuites/integration/acl/acl_extended_filters.robot index b2cf2a0..13d7185 100644 --- a/robot/testsuites/integration/acl/acl_extended_filters.robot +++ b/robot/testsuites/integration/acl/acl_extended_filters.robot @@ -16,6 +16,8 @@ Resource eacl_tables.robot ${PATH} = testfile &{USER_HEADER} = key1=1 key2=abc &{ANOTHER_HEADER} = key1=oth key2=oth +${ID_FILTER} = $Object:objectID +${CUSTOM_FILTER} = $Object:key1 *** Test cases *** Extended ACL Operations @@ -94,7 +96,7 @@ Check eACL MatchType String Equal Request Allow ${CID} = Create Container Public ${USER_KEY} ${S_OID_USER} = Put Object ${USER_KEY} ${FILE_S} ${CID} Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} - + Set eACL ${USER_KEY} ${CID} ${EACL_XHEADER_ALLOW_ALL} # The current ACL cache lifetime is 30 sec @@ -136,27 +138,27 @@ Check eACL MatchType String Equal Object Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} Log Set eACL for Deny GET operation with StringEqual Object ID + &{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_USER} - ${ID_value} = Get From dictionary ${HEADER_DICT} objectID - - ${filters} = Create Dictionary headerType=OBJECT matchType=STRING_EQUAL key=$Object:objectID value=${ID_value} - ${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} - ${eACL_gen} = Create List ${rule1} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} - - Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} + ${ID_value} = Get From dictionary ${HEADER_DICT} ${EACL_OBJ_FILTERS}[${ID_FILTER}] + + ${filters} = Set Variable obj:${ID_FILTER}=${ID_value} + ${rule1} = Set Variable deny get ${filters} others + ${eACL_gen} = Create List ${rule1} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} + Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error * - ... Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} + ... Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} Log Set eACL for Deny GET operation with StringEqual Object Extended User Header + ${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} - - ${filters} = Create Dictionary headerType=OBJECT matchType=STRING_EQUAL key=key1 value=1 - ${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} - ${eACL_gen} = Create List ${rule1} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} - + + ${filters} = Set Variable obj:${CUSTOM_FILTER}=1 + ${rule1} = Set Variable deny get ${filters} others + ${eACL_gen} = Create List ${rule1} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error * @@ -176,29 +178,30 @@ Check eACL MatchType String Not Equal Object Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${PATH} Log Set eACL for Deny GET operation with StringNotEqual Object ID + &{HEADER_DICT} = Head object ${USER_KEY} ${CID} ${S_OID_USER} - ${ID_value} = Get From Dictionary ${HEADER_DICT} objectID + ${ID_value} = Get From Dictionary ${HEADER_DICT} ${EACL_OBJ_FILTERS}[${ID_FILTER}] + + ${filters} = Set Variable obj:${ID_FILTER}!=${ID_value} + ${rule1} = Set Variable deny get ${filters} others + ${eACL_gen} = Create List ${rule1} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} - ${filters} = Create Dictionary headerType=OBJECT matchType=STRING_NOT_EQUAL key=$Object:objectID value=${ID_value} - ${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} - ${eACL_gen} = Create List ${rule1} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} - - Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} + Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error * ... Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${PATH} Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} Log Set eACL for Deny GET operation with StringEqual Object Extended User Header - ${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} + + ${S_OID_USER_OTH} = Put object ${USER_KEY} ${FILE_S} ${CID} user_headers=${ANOTHER_HEADER} + ${filters} = Set Variable obj:${CUSTOM_FILTER}!=1 + ${rule1} = Set Variable deny get ${filters} others + ${eACL_gen} = Create List ${rule1} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} - ${filters} = Create Dictionary headerType=OBJECT matchType=STRING_NOT_EQUAL key=key1 value=1 - ${rule1} = Create Dictionary Operation=GET Access=DENY Role=OTHERS Filters=${filters} - ${eACL_gen} = Create List ${rule1} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} - - Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} + Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error * ... Get object ${OTHER_KEY} ${CID} ${S_OID_USER_OTH} ${EMPTY} ${PATH} Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${PATH} diff --git a/robot/testsuites/integration/acl/object_attributes/creation_epoch_filter.robot b/robot/testsuites/integration/acl/object_attributes/creation_epoch_filter.robot index a38bd55..f6839c3 100644 --- a/robot/testsuites/integration/acl/object_attributes/creation_epoch_filter.robot +++ b/robot/testsuites/integration/acl/object_attributes/creation_epoch_filter.robot @@ -47,7 +47,7 @@ Check $Object:creationEpoch Filter with MatchType String Not Equal Get Object ${USER_KEY} ${CID} ${S_OID_NEW} ${EMPTY} local_file_eacl &{HEADER_DICT} = Head Object ${USER_KEY} ${CID} ${S_OID_NEW} - ${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS + ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} DENY OTHERS Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error ${EACL_ERR_MSG} diff --git a/robot/testsuites/integration/acl/object_attributes/object_id_filter.robot b/robot/testsuites/integration/acl/object_attributes/object_id_filter.robot index 3e92790..c98d402 100644 --- a/robot/testsuites/integration/acl/object_attributes/object_id_filter.robot +++ b/robot/testsuites/integration/acl/object_attributes/object_id_filter.robot @@ -40,6 +40,8 @@ Object ID Object Filter for Extended ACL Log Check two matchTypes applied Check eACL Filters, two matchTypes $Object:objectID + [Teardown] Teardown object_id + *** Keywords *** @@ -58,28 +60,12 @@ Check eACL Filters with MatchType String Equal with two contradicting filters Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} ${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}] - ${filters} = Create Dictionary - ... headerType=OBJECT - ... matchType=STRING_EQUAL - ... key=${FILTER} - ... value=${filter_value} - ${rule} = Create Dictionary - ... Operation=GET - ... Access=ALLOW - ... Role=OTHERS - ... Filters=${filters} - ${contradicting_filters} = Create Dictionary - ... headerType=OBJECT - ... matchType=STRING_EQUAL - ... key=$Object:payloadLength - ... value=${SIMPLE_OBJ_SIZE} - ${contradicting_rule} = Create Dictionary - ... Operation=GET - ... Access=DENY - ... Role=OTHERS - ... Filters=${contradicting_filters} + ${filters} = Set Variable obj:${FILTER}=${filter_value} + ${rule} = Set Variable allow get ${filters} others + ${contradicting_filters} = Set Variable obj:$Object:payloadLength=${SIMPLE_OBJ_SIZE} + ${contradicting_rule} = Set Variable deny get ${contradicting_filters} others ${eACL_gen} = Create List ${rule} ${contradicting_rule} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Get object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} @@ -101,34 +87,15 @@ Check eACL Filters, two matchTypes Get Object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH} ${filter_value} = Get From Dictionary ${HEADER_DICT_USER} ${EACL_OBJ_FILTERS}[${FILTER}] - ${noneq_filters} = Create Dictionary - ... headerType=OBJECT - ... matchType=STRING_NOT_EQUAL - ... key=${FILTER} - ... value=${filter_value} - ${rule_noneq_filter} = Create Dictionary - ... Operation=GET - ... Access=DENY - ... Role=OTHERS - ... Filters=${noneq_filters} - ${eq_filters} = Create Dictionary - ... headerType=OBJECT - ... matchType=STRING_EQUAL - ... key=${FILTER} - ... value=${filter_value} - ${rule_eq_filter} = Create Dictionary - ... Operation=GET - ... Access=DENY - ... Role=OTHERS - ... Filters=${eq_filters} + ${noneq_filters} = Set Variable obj:${FILTER}!=${filter_value} + ${rule_noneq_filter} = Set Variable deny get ${noneq_filters} others + ${eq_filters} = Set Variable obj:${FILTER}=${filter_value} + ${rule_eq_filter} = Set Variable deny get ${eq_filters} others ${eACL_gen} = Create List ${rule_noneq_filter} ${rule_eq_filter} - ${EACL_CUSTOM} = Form eACL JSON Common File ${eACL_gen} + ${EACL_CUSTOM} = Create eACL ${CID} ${eACL_gen} Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error * ... Get object ${OTHER_KEY} ${CID} ${S_OID_OTHER} ${EMPTY} ${OBJECT_PATH} Run Keyword And Expect Error * ... Get Object ${OTHER_KEY} ${CID} ${S_OID_USER} ${EMPTY} ${OBJECT_PATH} - - - [Teardown] Teardown object_id diff --git a/robot/testsuites/integration/acl/object_attributes/payload_length_filter.robot b/robot/testsuites/integration/acl/object_attributes/payload_length_filter.robot index 1603d82..78d14ae 100644 --- a/robot/testsuites/integration/acl/object_attributes/payload_length_filter.robot +++ b/robot/testsuites/integration/acl/object_attributes/payload_length_filter.robot @@ -47,7 +47,7 @@ Check $Object:payloadLength Filter with MatchType String Not Equal Head Object ${USER_KEY} ${CID} ${S_OID} &{HEADER_DICT} = Object Header Decoded ${USER_KEY} ${CID} ${S_OID} - ${EACL_CUSTOM} = Compose eACL Custom ${HEADER_DICT} STRING_NOT_EQUAL ${FILTER} DENY OTHERS + ${EACL_CUSTOM} = Compose eACL Custom ${CID} ${HEADER_DICT} != ${FILTER} DENY OTHERS Set eACL ${USER_KEY} ${CID} ${EACL_CUSTOM} Run Keyword And Expect Error ${EACL_ERR_MSG} diff --git a/robot/variables/eacl_object_filters.py b/robot/variables/eacl_object_filters.py index 5aec383..1fc9614 100644 --- a/robot/variables/eacl_object_filters.py +++ b/robot/variables/eacl_object_filters.py @@ -1,6 +1,6 @@ -EACL_OBJ_FILTERS = {'$Object:objectID': 'ID', - '$Object:containerID': 'CID', - '$Object:ownerID': 'OwnerID', +EACL_OBJ_FILTERS = {'$Object:objectID': 'objectID', + '$Object:containerID': 'containerID', + '$Object:ownerID': 'ownerID', '$Object:creationEpoch': 'creationEpoch', '$Object:payloadLength': 'payloadLength', '$Object:payloadHash': 'payloadHash', diff --git a/robot/variables/eacl_tables.robot b/robot/variables/eacl_tables.robot index c0b3547..2aef479 100644 --- a/robot/variables/eacl_tables.robot +++ b/robot/variables/eacl_tables.robot @@ -2,8 +2,8 @@ ${ACL_TEST_FILES} = robot/resources/files/eacl_tables -${EACL_DENY_ALL_OTHER} = ${ACL_TEST_FILES}/gen_eacl_deny_all_OTHERS -${EACL_ALLOW_ALL_OTHER} = ${ACL_TEST_FILES}/gen_eacl_allow_all_OTHERS +${EACL_DENY_ALL_OTHERS} = ${ACL_TEST_FILES}/gen_eacl_deny_all_OTHERS +${EACL_ALLOW_ALL_OTHERS} = ${ACL_TEST_FILES}/gen_eacl_allow_all_OTHERS ${EACL_DENY_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_deny_all_USER ${EACL_ALLOW_ALL_USER} = ${ACL_TEST_FILES}/gen_eacl_allow_all_USER