forked from TrueCloudLab/frostfs-testcases
109 lines
6.2 KiB
Python
109 lines
6.2 KiB
Python
|
import allure
|
||
|
|
import pytest
|
||
|
|
|
||
|
|
from python_keywords.acl import (EACLAccess, EACLOperation, EACLRole, EACLRule, create_eacl, form_bearertoken_file,
|
||
|
|
set_eacl, wait_for_cache_expired)
|
||
|
|
from python_keywords.container_access import (check_custom_access_to_container, check_full_access_to_container,
|
||
|
|
check_no_access_to_container)
|
||
|
|
|
||
|
|
|
||
|
|
@pytest.mark.sanity
|
||
|
|
@pytest.mark.acl
|
||
|
|
@pytest.mark.acl_bearer
|
||
|
|
class TestACLBearer:
|
||
|
|
@pytest.mark.parametrize('role', [EACLRole.USER, EACLRole.OTHERS])
|
||
|
|
def test_bearer_token_operations(self, wallets, eacl_container_with_objects, role):
|
||
|
|
allure.dynamic.title(f"Testcase to validate NeoFS operations with {role.value} BearerToken")
|
||
|
|
cid, objects_oids, file_path = eacl_container_with_objects
|
||
|
|
user_wallet = wallets.get_wallet()
|
||
|
|
deny_wallet = wallets.get_wallet(role)
|
||
|
|
|
||
|
|
with allure.step(f'Check {role.value} has full access to container without bearer token'):
|
||
|
|
check_full_access_to_container(deny_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
wallet_config=deny_wallet.config_path)
|
||
|
|
|
||
|
|
with allure.step(f'Set deny all operations for {role.value} via eACL'):
|
||
|
|
eacl = [EACLRule(access=EACLAccess.DENY, role=role, operation=op) for op in EACLOperation]
|
||
|
|
eacl_file = create_eacl(cid, eacl)
|
||
|
|
set_eacl(user_wallet.wallet_path, cid, eacl_file)
|
||
|
|
wait_for_cache_expired()
|
||
|
|
|
||
|
|
with allure.step(f'Create bearer token for {role.value} with all operations allowed'):
|
||
|
|
bearer_token = form_bearertoken_file(user_wallet.wallet_path, cid, [
|
||
|
|
EACLRule(operation=op, access=EACLAccess.ALLOW, role=role)
|
||
|
|
for op in EACLOperation])
|
||
|
|
|
||
|
|
with allure.step(f'Check {role.value} without token has no access to all operations with container'):
|
||
|
|
check_no_access_to_container(
|
||
|
|
deny_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
wallet_config=deny_wallet.config_path)
|
||
|
|
|
||
|
|
with allure.step(f'Check {role.value} with token has access to all operations with container'):
|
||
|
|
check_full_access_to_container(deny_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
bearer=bearer_token, wallet_config=deny_wallet.config_path)
|
||
|
|
|
||
|
|
with allure.step(f'Set allow all operations for {role.value} via eACL'):
|
||
|
|
eacl = [EACLRule(access=EACLAccess.ALLOW, role=role, operation=op) for op in EACLOperation]
|
||
|
|
eacl_file = create_eacl(cid, eacl)
|
||
|
|
set_eacl(user_wallet.wallet_path, cid, eacl_file)
|
||
|
|
wait_for_cache_expired()
|
||
|
|
|
||
|
|
with allure.step(f'Check {role.value} without token has access to all operations with container'):
|
||
|
|
check_full_access_to_container(deny_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
wallet_config=deny_wallet.config_path)
|
||
|
|
|
||
|
|
@allure.title('BearerToken Operations for compound Operations')
|
||
|
|
def test_bearer_token_compound_operations(self, wallets, eacl_container_with_objects):
|
||
|
|
cid, objects_oids, file_path = eacl_container_with_objects
|
||
|
|
user_wallet = wallets.get_wallet()
|
||
|
|
other_wallet = wallets.get_wallet(role=EACLRole.OTHERS)
|
||
|
|
|
||
|
|
# Operations that we will deny for each role via eACL
|
||
|
|
deny_map = {
|
||
|
|
EACLRole.USER: [EACLOperation.DELETE],
|
||
|
|
EACLRole.OTHERS: [EACLOperation.GET, EACLOperation.PUT, EACLOperation.GET_RANGE]
|
||
|
|
}
|
||
|
|
|
||
|
|
# Operations that we will allow for each role with bearer token
|
||
|
|
bearer_map = {
|
||
|
|
EACLRole.USER: [EACLOperation.DELETE, EACLOperation.PUT, EACLOperation.GET_RANGE],
|
||
|
|
EACLRole.OTHERS: [EACLOperation.GET, EACLOperation.GET_RANGE],
|
||
|
|
}
|
||
|
|
|
||
|
|
deny_map_with_bearer = {
|
||
|
|
EACLRole.USER: [op for op in deny_map[EACLRole.USER] if op not in bearer_map[EACLRole.USER]],
|
||
|
|
EACLRole.OTHERS: [op for op in deny_map[EACLRole.OTHERS] if op not in bearer_map[EACLRole.OTHERS]],
|
||
|
|
}
|
||
|
|
|
||
|
|
eacl_deny = []
|
||
|
|
for role, operations in deny_map.items():
|
||
|
|
eacl_deny += [EACLRule(access=EACLAccess.DENY, role=role, operation=op) for op in operations]
|
||
|
|
set_eacl(user_wallet.wallet_path, cid, eacl_table_path=create_eacl(cid, eacl_deny))
|
||
|
|
wait_for_cache_expired()
|
||
|
|
|
||
|
|
with allure.step('Check rule consistency without bearer'):
|
||
|
|
check_custom_access_to_container(user_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
deny_operations=deny_map[EACLRole.USER],
|
||
|
|
wallet_config=user_wallet.config_path)
|
||
|
|
check_custom_access_to_container(other_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
deny_operations=deny_map[EACLRole.OTHERS],
|
||
|
|
wallet_config=other_wallet.config_path)
|
||
|
|
|
||
|
|
with allure.step('Check rule consistency with bearer'):
|
||
|
|
bearer_token_user = form_bearertoken_file(user_wallet.wallet_path, cid, [
|
||
|
|
EACLRule(operation=op, access=EACLAccess.ALLOW, role=EACLRole.USER)
|
||
|
|
for op in bearer_map[EACLRole.USER]])
|
||
|
|
|
||
|
|
bearer_token_other = form_bearertoken_file(user_wallet.wallet_path, cid, [
|
||
|
|
EACLRule(operation=op, access=EACLAccess.ALLOW, role=EACLRole.OTHERS)
|
||
|
|
for op in bearer_map[EACLRole.OTHERS]])
|
||
|
|
|
||
|
|
check_custom_access_to_container(user_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
deny_operations=deny_map_with_bearer[EACLRole.USER],
|
||
|
|
bearer=bearer_token_user,
|
||
|
|
wallet_config=user_wallet.config_path)
|
||
|
|
check_custom_access_to_container(other_wallet.wallet_path, cid, objects_oids.pop(), file_path,
|
||
|
|
deny_operations=deny_map_with_bearer[EACLRole.OTHERS],
|
||
|
|
bearer=bearer_token_other,
|
||
|
|
wallet_config=other_wallet.config_path)
|