forked from TrueCloudLab/frostfs-s3-gw
parent
b78e55e101
commit
81209e308c
6 changed files with 169 additions and 141 deletions
|
@ -19,6 +19,7 @@ import (
|
|||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
|
||||
frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
|
||||
|
@ -28,11 +29,23 @@ import (
|
|||
"go.uber.org/zap/zaptest"
|
||||
)
|
||||
|
||||
type centerSettingsMock struct {
|
||||
accessBoxContainer *cid.ID
|
||||
}
|
||||
|
||||
func (c *centerSettingsMock) AccessBoxContainer() (cid.ID, bool) {
|
||||
if c.accessBoxContainer == nil {
|
||||
return cid.ID{}, false
|
||||
}
|
||||
return *c.accessBoxContainer, true
|
||||
}
|
||||
|
||||
func TestAuthHeaderParse(t *testing.T) {
|
||||
defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"
|
||||
|
||||
center := &Center{
|
||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||
settings: ¢erSettingsMock{},
|
||||
}
|
||||
|
||||
for _, tc := range []struct {
|
||||
|
@ -57,11 +70,6 @@ func TestAuthHeaderParse(t *testing.T) {
|
|||
err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
|
||||
expected: nil,
|
||||
},
|
||||
{
|
||||
header: strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),
|
||||
err: errors.GetAPIError(errors.ErrInvalidAccessKeyID),
|
||||
expected: nil,
|
||||
},
|
||||
} {
|
||||
authHeader, err := center.parseAuthHeader(tc.header)
|
||||
require.ErrorIs(t, err, tc.err, tc.header)
|
||||
|
@ -69,43 +77,6 @@ func TestAuthHeaderParse(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestAuthHeaderGetAddress(t *testing.T) {
|
||||
defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)
|
||||
|
||||
for _, tc := range []struct {
|
||||
authHeader *AuthHeader
|
||||
err error
|
||||
}{
|
||||
{
|
||||
authHeader: &AuthHeader{
|
||||
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
|
||||
},
|
||||
err: nil,
|
||||
},
|
||||
{
|
||||
authHeader: &AuthHeader{
|
||||
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
|
||||
},
|
||||
err: defaulErr,
|
||||
},
|
||||
{
|
||||
authHeader: &AuthHeader{
|
||||
AccessKeyID: "oid0cid",
|
||||
},
|
||||
err: defaulErr,
|
||||
},
|
||||
{
|
||||
authHeader: &AuthHeader{
|
||||
AccessKeyID: "oidcid",
|
||||
},
|
||||
err: defaulErr,
|
||||
},
|
||||
} {
|
||||
_, err := getAddress(tc.authHeader.AccessKeyID)
|
||||
require.ErrorIs(t, err, tc.err, tc.authHeader.AccessKeyID)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSignature(t *testing.T) {
|
||||
secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
|
||||
strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="
|
||||
|
@ -171,17 +142,17 @@ func TestCheckFormatContentSHA256(t *testing.T) {
|
|||
}
|
||||
|
||||
type frostFSMock struct {
|
||||
objects map[oid.Address]*object.Object
|
||||
objects map[string]*object.Object
|
||||
}
|
||||
|
||||
func newFrostFSMock() *frostFSMock {
|
||||
return &frostFSMock{
|
||||
objects: map[oid.Address]*object.Object{},
|
||||
objects: map[string]*object.Object{},
|
||||
}
|
||||
}
|
||||
|
||||
func (f *frostFSMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
|
||||
obj, ok := f.objects[address]
|
||||
func (f *frostFSMock) GetCredsObject(_ context.Context, prm tokens.PrmGetCredsObject) (*object.Object, error) {
|
||||
obj, ok := f.objects[prm.AccessKeyID]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("not found")
|
||||
}
|
||||
|
@ -208,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
|
|||
GateKey: key.PublicKey(),
|
||||
}}
|
||||
|
||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
|
||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
|
||||
require.NoError(t, err)
|
||||
data, err := accessBox.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
@ -219,10 +190,10 @@ func TestAuthenticate(t *testing.T) {
|
|||
obj.SetContainerID(addr.Container())
|
||||
obj.SetID(addr.Object())
|
||||
|
||||
frostfs := newFrostFSMock()
|
||||
frostfs.objects[addr] = &obj
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
accessKeyID := addr.Container().String() + "0" + addr.Object().String()
|
||||
frostfs := newFrostFSMock()
|
||||
frostfs.objects[accessKeyID] = &obj
|
||||
|
||||
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "")
|
||||
defaultSigner := v4.NewSigner(awsCreds)
|
||||
|
@ -413,7 +384,7 @@ func TestAuthenticate(t *testing.T) {
|
|||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
creds := tokens.New(bigConfig)
|
||||
cntr := New(creds, tc.prefixes)
|
||||
cntr := New(creds, tc.prefixes, ¢erSettingsMock{})
|
||||
box, err := cntr.Authenticate(tc.request)
|
||||
|
||||
if tc.err {
|
||||
|
@ -455,7 +426,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
|||
GateKey: key.PublicKey(),
|
||||
}}
|
||||
|
||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
|
||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
|
||||
require.NoError(t, err)
|
||||
data, err := accessBox.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
@ -466,10 +437,11 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
|||
obj.SetContainerID(addr.Container())
|
||||
obj.SetID(addr.Object())
|
||||
|
||||
frostfs := newFrostFSMock()
|
||||
frostfs.objects[addr] = &obj
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
frostfs := newFrostFSMock()
|
||||
frostfs.objects[accessKeyID] = &obj
|
||||
|
||||
accessKeyID := addr.Container().String() + "0" + addr.Object().String()
|
||||
invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String()
|
||||
|
||||
timeToSign := time.Now()
|
||||
|
@ -590,7 +562,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
|||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
creds := tokens.New(bigConfig)
|
||||
cntr := New(creds, tc.prefixes)
|
||||
cntr := New(creds, tc.prefixes, ¢erSettingsMock{})
|
||||
box, err := cntr.Authenticate(tc.request)
|
||||
|
||||
if tc.err {
|
||||
|
@ -633,3 +605,7 @@ func getRequestWithMultipartForm(t *testing.T, policy, creds, date, sign, fieldN
|
|||
|
||||
return req
|
||||
}
|
||||
|
||||
func getAccessKeyID(addr oid.Address) string {
|
||||
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||
}
|
||||
|
|
|
@ -29,11 +29,11 @@ func newTokensFrostfsMock() *credentialsMock {
|
|||
}
|
||||
|
||||
func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) {
|
||||
m.boxes[addr.String()] = box
|
||||
m.boxes[getAccessKeyID(addr)] = box
|
||||
}
|
||||
|
||||
func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox.Box, []object.Attribute, error) {
|
||||
box, ok := m.boxes[addr.String()]
|
||||
func (m credentialsMock) GetBox(_ context.Context, _ cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
|
||||
box, ok := m.boxes[accessKeyID]
|
||||
if !ok {
|
||||
return nil, nil, &apistatus.ObjectNotFound{}
|
||||
}
|
||||
|
@ -41,11 +41,11 @@ func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox
|
|||
return box, nil, nil
|
||||
}
|
||||
|
||||
func (m credentialsMock) Put(context.Context, cid.ID, tokens.CredentialsParam) (oid.Address, error) {
|
||||
func (m credentialsMock) Put(context.Context, tokens.CredentialsParam) (oid.Address, error) {
|
||||
return oid.Address{}, nil
|
||||
}
|
||||
|
||||
func (m credentialsMock) Update(context.Context, oid.Address, tokens.CredentialsParam) (oid.Address, error) {
|
||||
func (m credentialsMock) Update(context.Context, tokens.CredentialsParam) (oid.Address, error) {
|
||||
return oid.Address{}, nil
|
||||
}
|
||||
|
||||
|
@ -84,9 +84,10 @@ func TestCheckSign(t *testing.T) {
|
|||
mock.addBox(accessKeyAddr, expBox)
|
||||
|
||||
c := &Center{
|
||||
cli: mock,
|
||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||
postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
|
||||
cli: mock,
|
||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||
postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
|
||||
settings: ¢erSettingsMock{},
|
||||
}
|
||||
box, err := c.Authenticate(req)
|
||||
require.NoError(t, err)
|
||||
|
|
16
api/cache/cache_test.go
vendored
16
api/cache/cache_test.go
vendored
|
@ -1,6 +1,7 @@
|
|||
package cache
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
|
||||
|
@ -8,6 +9,7 @@ import (
|
|||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
|
||||
cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||
"github.com/nspcc-dev/neo-go/pkg/util"
|
||||
|
@ -24,16 +26,18 @@ func TestAccessBoxCacheType(t *testing.T) {
|
|||
box := &accessbox.Box{}
|
||||
var attrs []object.Attribute
|
||||
|
||||
err := cache.Put(addr, box, attrs)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
err := cache.Put(accessKeyID, box, attrs)
|
||||
require.NoError(t, err)
|
||||
val := cache.Get(addr)
|
||||
val := cache.Get(accessKeyID)
|
||||
require.Equal(t, box, val.Box)
|
||||
require.Equal(t, attrs, val.Attributes)
|
||||
require.Equal(t, 0, observedLog.Len())
|
||||
|
||||
err = cache.cache.Set(addr, "tmp")
|
||||
err = cache.cache.Set(accessKeyID, "tmp")
|
||||
require.NoError(t, err)
|
||||
assertInvalidCacheEntry(t, cache.Get(addr), observedLog)
|
||||
assertInvalidCacheEntry(t, cache.Get(accessKeyID), observedLog)
|
||||
}
|
||||
|
||||
func TestBucketsCacheType(t *testing.T) {
|
||||
|
@ -230,3 +234,7 @@ func getObservedLogger() (*zap.Logger, *observer.ObservedLogs) {
|
|||
loggerCore, observedLog := observer.New(zap.WarnLevel)
|
||||
return zap.New(loggerCore), observedLog
|
||||
}
|
||||
|
||||
func getAccessKeyID(addr oid.Address) string {
|
||||
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||
}
|
||||
|
|
|
@ -61,7 +61,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
|
|||
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
||||
|
||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
data, err := box.Marshal()
|
||||
|
@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
|
|||
err = box2.Unmarshal(data)
|
||||
require.NoError(t, err)
|
||||
|
||||
tkns, err := box2.GetTokens(cred)
|
||||
tkns, err := box2.GetTokens(cred, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
assertBearerToken(t, tkn, *tkns.BearerToken)
|
||||
|
@ -96,7 +96,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
|
|||
var newTkn bearer.Token
|
||||
gate := NewGateData(cred.PublicKey(), &newTkn)
|
||||
gate.SessionTokens = []*session.Container{tkn}
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
data, err := box.Marshal()
|
||||
|
@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
|
|||
err = box2.Unmarshal(data)
|
||||
require.NoError(t, err)
|
||||
|
||||
tkns, err := box2.GetTokens(cred)
|
||||
tkns, err := box2.GetTokens(cred, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
|
||||
|
@ -136,11 +136,11 @@ func TestAccessboxMultipleKeys(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
box, _, err = PackTokens(gates, nil)
|
||||
box, _, err = PackTokens(gates, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
for i, k := range privateKeys {
|
||||
tkns, err := box.GetTokens(k)
|
||||
tkns, err := box.GetTokens(k, false)
|
||||
require.NoError(t, err, "key #%d: %s failed", i, k)
|
||||
assertBearerToken(t, tkn, *tkns.BearerToken)
|
||||
}
|
||||
|
@ -165,10 +165,10 @@ func TestUnknownKey(t *testing.T) {
|
|||
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
||||
|
||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
||||
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = box.GetTokens(wrongCred)
|
||||
_, err = box.GetTokens(wrongCred, false)
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
|
@ -226,10 +226,10 @@ func TestGetBox(t *testing.T) {
|
|||
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||
|
||||
secret := []byte("secret")
|
||||
accessBox, _, err := PackTokens([]*GateData{gate}, secret)
|
||||
accessBox, _, err := PackTokens([]*GateData{gate}, secret, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
box, err := accessBox.GetBox(cred)
|
||||
box, err := accessBox.GetBox(cred, false)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
||||
}
|
||||
|
@ -241,17 +241,17 @@ func TestAccessBox(t *testing.T) {
|
|||
var tkn bearer.Token
|
||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||
|
||||
accessBox, _, err := PackTokens([]*GateData{gate}, nil)
|
||||
accessBox, _, err := PackTokens([]*GateData{gate}, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("invalid owner", func(t *testing.T) {
|
||||
randomKey, err := keys.NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = accessBox.GetTokens(randomKey)
|
||||
_, err = accessBox.GetTokens(randomKey, false)
|
||||
require.Error(t, err)
|
||||
|
||||
_, err = accessBox.GetBox(randomKey)
|
||||
_, err = accessBox.GetBox(randomKey, false)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
|
@ -281,17 +281,17 @@ func TestAccessBox(t *testing.T) {
|
|||
_, err = accessBox.GetPlacementPolicy()
|
||||
require.Error(t, err)
|
||||
|
||||
_, err = accessBox.GetBox(cred)
|
||||
_, err = accessBox.GetBox(cred, false)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
t.Run("empty seed key", func(t *testing.T) {
|
||||
accessBox.SeedKey = nil
|
||||
|
||||
_, err = accessBox.GetTokens(cred)
|
||||
_, err = accessBox.GetTokens(cred, false)
|
||||
require.Error(t, err)
|
||||
|
||||
_, err = accessBox.GetBox(cred)
|
||||
_, err = accessBox.GetBox(cred, false)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
|
@ -300,7 +300,7 @@ func TestAccessBox(t *testing.T) {
|
|||
BearerToken: &tkn,
|
||||
GateKey: &keys.PublicKey{},
|
||||
}
|
||||
_, _, err = PackTokens([]*GateData{gate}, nil)
|
||||
_, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||
require.Error(t, err)
|
||||
})
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"context"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
|
@ -21,14 +22,14 @@ import (
|
|||
)
|
||||
|
||||
type frostfsMock struct {
|
||||
objects map[oid.Address][]*object.Object
|
||||
errors map[oid.Address]error
|
||||
objects map[string][]*object.Object
|
||||
errors map[string]error
|
||||
}
|
||||
|
||||
func newFrostfsMock() *frostfsMock {
|
||||
return &frostfsMock{
|
||||
objects: map[oid.Address][]*object.Object{},
|
||||
errors: map[oid.Address]error{},
|
||||
objects: map[string][]*object.Object{},
|
||||
errors: map[string]error{},
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -44,19 +45,15 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
|
|||
prm.CustomAttributes = append(prm.CustomAttributes, *a)
|
||||
obj.SetAttributes(prm.CustomAttributes...)
|
||||
|
||||
if prm.NewVersionFor != nil {
|
||||
var addr oid.Address
|
||||
addr.SetObject(*prm.NewVersionFor)
|
||||
addr.SetContainer(prm.Container)
|
||||
|
||||
_, ok := f.objects[addr]
|
||||
if prm.NewVersionForAccessKeyID != "" {
|
||||
_, ok := f.objects[prm.NewVersionForAccessKeyID]
|
||||
if !ok {
|
||||
return oid.ID{}, errors.New("not found")
|
||||
}
|
||||
|
||||
objID := oidtest.ID()
|
||||
obj.SetID(objID)
|
||||
f.objects[addr] = append(f.objects[addr], &obj)
|
||||
f.objects[prm.NewVersionForAccessKeyID] = append(f.objects[prm.NewVersionForAccessKeyID], &obj)
|
||||
|
||||
return objID, nil
|
||||
}
|
||||
|
@ -64,20 +61,25 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
|
|||
objID := oidtest.ID()
|
||||
obj.SetID(objID)
|
||||
|
||||
accessKeyID := prm.CustomAccessKey
|
||||
if accessKeyID == "" {
|
||||
accessKeyID = prm.Container.EncodeToString() + "0" + objID.EncodeToString()
|
||||
}
|
||||
|
||||
var addr oid.Address
|
||||
addr.SetObject(objID)
|
||||
addr.SetContainer(prm.Container)
|
||||
f.objects[addr] = []*object.Object{&obj}
|
||||
f.objects[accessKeyID] = []*object.Object{&obj}
|
||||
|
||||
return objID, nil
|
||||
}
|
||||
|
||||
func (f *frostfsMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
|
||||
if err := f.errors[address]; err != nil {
|
||||
func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (*object.Object, error) {
|
||||
if err := f.errors[prm.AccessKeyID]; err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
objects, ok := f.objects[address]
|
||||
objects, ok := f.objects[prm.AccessKeyID]
|
||||
if !ok {
|
||||
return nil, errors.New("not found")
|
||||
}
|
||||
|
@ -100,7 +102,7 @@ func TestRemovingAccessBox(t *testing.T) {
|
|||
sk, err := hex.DecodeString(secretKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
accessBox, _, err := accessbox.PackTokens(gateData, sk)
|
||||
accessBox, _, err := accessbox.PackTokens(gateData, sk, false)
|
||||
require.NoError(t, err)
|
||||
data, err := accessBox.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
@ -111,9 +113,11 @@ func TestRemovingAccessBox(t *testing.T) {
|
|||
obj.SetID(addr.Object())
|
||||
obj.SetContainerID(addr.Container())
|
||||
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
frostfs := &frostfsMock{
|
||||
objects: map[oid.Address][]*object.Object{addr: {&obj}},
|
||||
errors: map[oid.Address]error{},
|
||||
objects: map[string][]*object.Object{accessKeyID: {&obj}},
|
||||
errors: map[string]error{},
|
||||
}
|
||||
|
||||
cfg := Config{
|
||||
|
@ -129,15 +133,15 @@ func TestRemovingAccessBox(t *testing.T) {
|
|||
|
||||
creds := New(cfg)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
|
||||
frostfs.errors[addr] = errors.New("network error")
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
frostfs.errors[accessKeyID] = errors.New("network error")
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
|
||||
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
|
@ -153,7 +157,7 @@ func TestGetBox(t *testing.T) {
|
|||
}}
|
||||
|
||||
secret := []byte("secret")
|
||||
accessBox, _, err := accessbox.PackTokens(gateData, secret)
|
||||
accessBox, _, err := accessbox.PackTokens(gateData, secret, false)
|
||||
require.NoError(t, err)
|
||||
data, err := accessBox.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
@ -179,14 +183,16 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
require.NoError(t, err)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
|
||||
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
|
@ -198,11 +204,12 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
require.NoError(t, err)
|
||||
|
||||
frostfs.errors[addr] = errors.New("network error")
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
frostfs.errors[accessKeyID] = errors.New("network error")
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
|
@ -212,14 +219,15 @@ func TestGetBox(t *testing.T) {
|
|||
var obj object.Object
|
||||
obj.SetPayload(data)
|
||||
addr := oidtest.Address()
|
||||
frostfs.objects[addr] = []*object.Object{&obj}
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
frostfs.objects[accessKeyID] = []*object.Object{&obj}
|
||||
|
||||
cfg.FrostFS = frostfs
|
||||
cfg.RemovingCheckAfterDurations = 0
|
||||
cfg.Key = &keys.PrivateKey{}
|
||||
creds := New(cfg)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
|
@ -229,14 +237,15 @@ func TestGetBox(t *testing.T) {
|
|||
var obj object.Object
|
||||
obj.SetPayload([]byte("invalid"))
|
||||
addr := oidtest.Address()
|
||||
frostfs.objects[addr] = []*object.Object{&obj}
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
frostfs.objects[accessKeyID] = []*object.Object{&obj}
|
||||
|
||||
cfg.FrostFS = frostfs
|
||||
cfg.RemovingCheckAfterDurations = 0
|
||||
cfg.Key = key
|
||||
creds := New(cfg)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
|
@ -248,16 +257,24 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
require.NoError(t, err)
|
||||
|
||||
_, boxAttrs, err := creds.GetBox(ctx, addr)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
_, boxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox, CustomAttributes: attrs})
|
||||
prm := CredentialsParam{
|
||||
Container: addr.Container(),
|
||||
AccessKeyID: accessKeyID,
|
||||
Keys: keys.PublicKeys{key.PublicKey()},
|
||||
AccessBox: accessBox,
|
||||
CustomAttributes: attrs,
|
||||
}
|
||||
_, err = creds.Update(ctx, prm)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, newBoxAttrs, err := creds.GetBox(ctx, addr)
|
||||
_, newBoxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs))
|
||||
})
|
||||
|
@ -270,10 +287,12 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||
require.NoError(t, err)
|
||||
|
||||
box, _, err := creds.GetBox(ctx, addr)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
box, _, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
||||
|
||||
|
@ -286,19 +305,26 @@ func TestGetBox(t *testing.T) {
|
|||
}}
|
||||
|
||||
newSecret := []byte("new-secret")
|
||||
newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret)
|
||||
newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{newKey.PublicKey()}, AccessBox: newAccessBox})
|
||||
prm := CredentialsParam{
|
||||
Container: addr.Container(),
|
||||
AccessKeyID: accessKeyID,
|
||||
Keys: keys.PublicKeys{newKey.PublicKey()},
|
||||
AccessBox: newAccessBox,
|
||||
}
|
||||
|
||||
_, err = creds.Update(ctx, prm)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, _, err = creds.GetBox(ctx, addr)
|
||||
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.Error(t, err)
|
||||
|
||||
cfg.Key = newKey
|
||||
newCreds := New(cfg)
|
||||
|
||||
box, _, err = newCreds.GetBox(ctx, addr)
|
||||
box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
|
||||
})
|
||||
|
@ -311,7 +337,7 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
_, err = creds.Put(ctx, cnrID, CredentialsParam{AccessBox: accessBox})
|
||||
_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox})
|
||||
require.ErrorIs(t, err, ErrEmptyPublicKeys)
|
||||
})
|
||||
|
||||
|
@ -323,7 +349,11 @@ func TestGetBox(t *testing.T) {
|
|||
creds := New(cfg)
|
||||
|
||||
cnrID := cidtest.ID()
|
||||
_, err = creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}})
|
||||
_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}})
|
||||
require.ErrorIs(t, err, ErrEmptyBearerToken)
|
||||
})
|
||||
}
|
||||
|
||||
func getAccessKeyID(addr oid.Address) string {
|
||||
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@ package frostfs
|
|||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
|
||||
|
@ -38,34 +39,46 @@ func TestGetCredsObject(t *testing.T) {
|
|||
|
||||
frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t))
|
||||
|
||||
cid, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
|
||||
cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
|
||||
FriendlyName: bktName,
|
||||
Owner: userID,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
||||
Container: cid,
|
||||
Container: cnrID,
|
||||
Payload: payload,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
var addr oid.Address
|
||||
addr.SetContainer(cid)
|
||||
addr.SetContainer(cnrID)
|
||||
addr.SetObject(objID)
|
||||
|
||||
obj, err := frostfs.GetCredsObject(ctx, addr)
|
||||
accessKeyID := getAccessKeyID(addr)
|
||||
|
||||
obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
|
||||
Container: cnrID,
|
||||
AccessKeyID: accessKeyID,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, payload, obj.Payload())
|
||||
|
||||
_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
||||
Container: cid,
|
||||
Payload: newPayload,
|
||||
NewVersionFor: &objID,
|
||||
Container: cnrID,
|
||||
Payload: newPayload,
|
||||
NewVersionForAccessKeyID: accessKeyID,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
obj, err = frostfs.GetCredsObject(ctx, addr)
|
||||
obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
|
||||
Container: cnrID,
|
||||
AccessKeyID: getAccessKeyID(addr),
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, newPayload, obj.Payload())
|
||||
}
|
||||
|
||||
func getAccessKeyID(addr oid.Address) string {
|
||||
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue