frostfs-s3-gw/api/auth/center_test.go

package auth

import (
	"strings"
	"testing"
	"time"

	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
	"github.com/stretchr/testify/require"
)

func TestAuthHeaderParse(t *testing.T) {
	defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"

	center := &Center{
		reg: NewRegexpMatcher(authorizationFieldRegexp),
	}

	for _, tc := range []struct {
		header   string
		err      error
		expected *AuthHeader
	}{
		{
			header: defaultHeader,
			err:    nil,
			expected: &AuthHeader{
				AccessKeyID:  "oid0cid",
				Service:      "s3",
				Region:       "us-east-1",
				SignatureV4:  "2811ccb9e242f41426738fb1f",
				SignedFields: []string{"host", "x-amz-content-sha256", "x-amz-date"},
				Date:         "20210809",
			},
		},
		{
			header:   strings.ReplaceAll(defaultHeader, "Signature=2811ccb9e242f41426738fb1f", ""),
			err:      errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
			expected: nil,
		},
		{
			header:   strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),
			err:      errors.GetAPIError(errors.ErrInvalidAccessKeyID),
			expected: nil,
		},
	} {
		authHeader, err := center.parseAuthHeader(tc.header)
		require.Equal(t, tc.err, err, tc.header)
		require.Equal(t, tc.expected, authHeader, tc.header)
	}
}

func TestAuthHeaderGetAddress(t *testing.T) {
	defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)

	for _, tc := range []struct {
		authHeader *AuthHeader
		err        error
	}{
		{
			authHeader: &AuthHeader{
				AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
			},
			err: nil,
		},
		{
			authHeader: &AuthHeader{
				AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
			},
			err: defaulErr,
		},
		{
			authHeader: &AuthHeader{
				AccessKeyID: "oid0cid",
			},
			err: defaulErr,
		},
		{
			authHeader: &AuthHeader{
				AccessKeyID: "oidcid",
			},
			err: defaulErr,
		},
	} {
		_, err := tc.authHeader.getAddress()
		require.Equal(t, tc.err, err, tc.authHeader.AccessKeyID)
	}
}

func TestSignature(t *testing.T) {
	secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
	strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="

	signTime, err := time.Parse("20060102T150405Z", "20151229T000000Z")
	if err != nil {
		panic(err)
	}

	signature := signStr(secret, "s3", "us-east-1", signTime, strToSign)
	require.Equal(t, "dfbe886241d9e369cf4b329ca0f15eb27306c97aa1022cc0bb5a914c4ef87634", signature)
}

func TestCheckFormatContentSHA256(t *testing.T) {
	defaultErr := errors.GetAPIError(errors.ErrContentSHA256Mismatch)

	for _, tc := range []struct {
		name  string
		hash  string
		error error
	}{
		{
			name:  "invalid hash format: length and character",
			hash:  "invalid-hash",
			error: defaultErr,
		},
		{
			name:  "invalid hash format: length (63 characters)",
			hash:  "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f7",
			error: defaultErr,
		},
		{
			name:  "invalid hash format: character",
			hash:  "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f7s",
			error: defaultErr,
		},
		{
			name:  "unsigned payload",
			hash:  "UNSIGNED-PAYLOAD",
			error: nil,
		},
		{
			name:  "no hash",
			hash:  "",
			error: nil,
		},
		{
			name:  "correct hash format",
			hash:  "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f73",
			error: nil,
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			err := checkFormatHashContentSHA256(tc.hash)
			require.Equal(t, tc.error, err)
		})
	}
}
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`package auth`

			`import (`
			`"strings"`
			`"testing"`
[#190] Add POST object Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-30 19:44:53 +00:00			`"time"`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00
Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 14:38:08 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`"github.com/stretchr/testify/require"`
			`)`

			`func TestAuthHeaderParse(t *testing.T) {`
			`defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"`

[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00			`center := &Center{`
[#672] Fix handling X-Amz-Copy-Source header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-08-24 13:12:05 +00:00			`reg: NewRegexpMatcher(authorizationFieldRegexp),`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`}`

			`for _, tc := range []struct {`
			`header string`
			`err error`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`expected *AuthHeader`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`}{`
			`{`
			`header: defaultHeader,`
			`err: nil,`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`expected: &AuthHeader{`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`AccessKeyID: "oid0cid",`
			`Service: "s3",`
			`Region: "us-east-1",`
			`SignatureV4: "2811ccb9e242f41426738fb1f",`
			`SignedFields: []string{"host", "x-amz-content-sha256", "x-amz-date"},`
			`Date: "20210809",`
			`},`
			`},`
			`{`
			`header: strings.ReplaceAll(defaultHeader, "Signature=2811ccb9e242f41426738fb1f", ""),`
			`err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),`
			`expected: nil,`
			`},`
			`{`
			`header: strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),`
			`err: errors.GetAPIError(errors.ErrInvalidAccessKeyID),`
			`expected: nil,`
			`},`
			`} {`
			`authHeader, err := center.parseAuthHeader(tc.header)`
			`require.Equal(t, tc.err, err, tc.header)`
			`require.Equal(t, tc.expected, authHeader, tc.header)`
			`}`
			`}`

			`func TestAuthHeaderGetAddress(t *testing.T) {`
			`defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)`

			`for _, tc := range []struct {`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`authHeader *AuthHeader`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`err error`
			`}{`
			`{`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`authHeader: &AuthHeader{`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",`
			`},`
			`err: nil,`
			`},`
			`{`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`authHeader: &AuthHeader{`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",`
			`},`
			`err: defaulErr,`
			`},`
			`{`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`authHeader: &AuthHeader{`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`AccessKeyID: "oid0cid",`
			`},`
			`err: defaulErr,`
			`},`
			`{`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`authHeader: &AuthHeader{`
[#199] Add fine-grained handle auth header Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 09:35:42 +00:00			`AccessKeyID: "oidcid",`
			`},`
			`err: defaulErr,`
			`},`
			`} {`
			`_, err := tc.authHeader.getAddress()`
			`require.Equal(t, tc.err, err, tc.authHeader.AccessKeyID)`
			`}`
			`}`
[#190] Add POST object Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-30 19:44:53 +00:00
			`func TestSignature(t *testing.T) {`
			`secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"`
			strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="

			`signTime, err := time.Parse("20060102T150405Z", "20151229T000000Z")`
			`if err != nil {`
			`panic(err)`
			`}`

			`signature := signStr(secret, "s3", "us-east-1", signTime, strToSign)`
			`require.Equal(t, "dfbe886241d9e369cf4b329ca0f15eb27306c97aa1022cc0bb5a914c4ef87634", signature)`
			`}`
[#218] Add check content sha256 header The X-Amz-Content-Sha256 header check is done only for unencrypted payload. Signed-off-by: Roman Loginov <r.loginov@yadro.com> 2023-11-13 08:01:47 +00:00
			`func TestCheckFormatContentSHA256(t *testing.T) {`
			`defaultErr := errors.GetAPIError(errors.ErrContentSHA256Mismatch)`

			`for _, tc := range []struct {`
			`name string`
			`hash string`
			`error error`
			`}{`
			`{`
			`name: "invalid hash format: length and character",`
			`hash: "invalid-hash",`
			`error: defaultErr,`
			`},`
			`{`
			`name: "invalid hash format: length (63 characters)",`
			`hash: "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f7",`
			`error: defaultErr,`
			`},`
			`{`
			`name: "invalid hash format: character",`
			`hash: "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f7s",`
			`error: defaultErr,`
			`},`
			`{`
			`name: "unsigned payload",`
			`hash: "UNSIGNED-PAYLOAD",`
			`error: nil,`
			`},`
			`{`
			`name: "no hash",`
			`hash: "",`
			`error: nil,`
			`},`
			`{`
			`name: "correct hash format",`
			`hash: "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f73",`
			`error: nil,`
			`},`
			`} {`
			`t.Run(tc.name, func(t *testing.T) {`
			`err := checkFormatHashContentSHA256(tc.hash)`
			`require.Equal(t, tc.error, err)`
			`})`
			`}`
			`}`