[#509] Fix tests

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

api/auth/center_test.go

@@ -19,6 +19,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
 	frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
+	cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
@@ -28,11 +29,23 @@ import (
 	"go.uber.org/zap/zaptest"
 )
 
+type centerSettingsMock struct {
+	accessBoxContainer *cid.ID
+}
+
+func (c *centerSettingsMock) AccessBoxContainer() (cid.ID, bool) {
+	if c.accessBoxContainer == nil {
+		return cid.ID{}, false
+	}
+	return *c.accessBoxContainer, true
+}
+
 func TestAuthHeaderParse(t *testing.T) {
 	defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"
 
 	center := &Center{
 		reg:      NewRegexpMatcher(AuthorizationFieldRegexp),
+		settings: &centerSettingsMock{},
 	}
 
 	for _, tc := range []struct {
@@ -57,11 +70,6 @@ func TestAuthHeaderParse(t *testing.T) {
 			err:      errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
 			expected: nil,
 		},
-		{
-			header:   strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),
-			err:      errors.GetAPIError(errors.ErrInvalidAccessKeyID),
-			expected: nil,
-		},
 	} {
 		authHeader, err := center.parseAuthHeader(tc.header)
 		require.ErrorIs(t, err, tc.err, tc.header)
@@ -69,43 +77,6 @@ func TestAuthHeaderParse(t *testing.T) {
 	}
 }
 
-func TestAuthHeaderGetAddress(t *testing.T) {
-	defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)
-
-	for _, tc := range []struct {
-		authHeader *AuthHeader
-		err        error
-	}{
-		{
-			authHeader: &AuthHeader{
-				AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
-			},
-			err: nil,
-		},
-		{
-			authHeader: &AuthHeader{
-				AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
-			},
-			err: defaulErr,
-		},
-		{
-			authHeader: &AuthHeader{
-				AccessKeyID: "oid0cid",
-			},
-			err: defaulErr,
-		},
-		{
-			authHeader: &AuthHeader{
-				AccessKeyID: "oidcid",
-			},
-			err: defaulErr,
-		},
-	} {
-		_, err := getAddress(tc.authHeader.AccessKeyID)
-		require.ErrorIs(t, err, tc.err, tc.authHeader.AccessKeyID)
-	}
-}
-
 func TestSignature(t *testing.T) {
 	secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
 	strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="
@@ -171,17 +142,17 @@ func TestCheckFormatContentSHA256(t *testing.T) {
 }
 
 type frostFSMock struct {
-	objects map[oid.Address]*object.Object
+	objects map[string]*object.Object
 }
 
 func newFrostFSMock() *frostFSMock {
 	return &frostFSMock{
-		objects: map[oid.Address]*object.Object{},
+		objects: map[string]*object.Object{},
 	}
 }
 
-func (f *frostFSMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
+func (f *frostFSMock) GetCredsObject(_ context.Context, prm tokens.PrmGetCredsObject) (*object.Object, error) {
-	obj, ok := f.objects[address]
+	obj, ok := f.objects[prm.AccessKeyID]
 	if !ok {
 		return nil, fmt.Errorf("not found")
 	}
@@ -208,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
 		GateKey:     key.PublicKey(),
 	}}
 
-	accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
+	accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
 	require.NoError(t, err)
 	data, err := accessBox.Marshal()
 	require.NoError(t, err)
@@ -219,10 +190,10 @@ func TestAuthenticate(t *testing.T) {
 	obj.SetContainerID(addr.Container())
 	obj.SetID(addr.Object())
 
-	frostfs := newFrostFSMock()
+	accessKeyID := getAccessKeyID(addr)
-	frostfs.objects[addr] = &obj
 
-	accessKeyID := addr.Container().String() + "0" + addr.Object().String()
+	frostfs := newFrostFSMock()
+	frostfs.objects[accessKeyID] = &obj
 
 	awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "")
 	defaultSigner := v4.NewSigner(awsCreds)
@@ -413,7 +384,7 @@ func TestAuthenticate(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			creds := tokens.New(bigConfig)
-			cntr := New(creds, tc.prefixes)
+			cntr := New(creds, tc.prefixes, &centerSettingsMock{})
 			box, err := cntr.Authenticate(tc.request)
 
 			if tc.err {
@@ -455,7 +426,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
 		GateKey:     key.PublicKey(),
 	}}
 
-	accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
+	accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
 	require.NoError(t, err)
 	data, err := accessBox.Marshal()
 	require.NoError(t, err)
@@ -466,10 +437,11 @@ func TestHTTPPostAuthenticate(t *testing.T) {
 	obj.SetContainerID(addr.Container())
 	obj.SetID(addr.Object())
 
-	frostfs := newFrostFSMock()
+	accessKeyID := getAccessKeyID(addr)
-	frostfs.objects[addr] = &obj
+
+	frostfs := newFrostFSMock()
+	frostfs.objects[accessKeyID] = &obj
 
-	accessKeyID := addr.Container().String() + "0" + addr.Object().String()
 	invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String()
 
 	timeToSign := time.Now()
@@ -590,7 +562,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			creds := tokens.New(bigConfig)
-			cntr := New(creds, tc.prefixes)
+			cntr := New(creds, tc.prefixes, &centerSettingsMock{})
 			box, err := cntr.Authenticate(tc.request)
 
 			if tc.err {
@@ -633,3 +605,7 @@ func getRequestWithMultipartForm(t *testing.T, policy, creds, date, sign, fieldN
 
 	return req
 }
+
+func getAccessKeyID(addr oid.Address) string {
+	return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
+}

api/auth/presign_test.go

@@ -29,11 +29,11 @@ func newTokensFrostfsMock() *credentialsMock {
 }
 
 func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) {
-	m.boxes[addr.String()] = box
+	m.boxes[getAccessKeyID(addr)] = box
 }
 
-func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox.Box, []object.Attribute, error) {
+func (m credentialsMock) GetBox(_ context.Context, _ cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
-	box, ok := m.boxes[addr.String()]
+	box, ok := m.boxes[accessKeyID]
 	if !ok {
 		return nil, nil, &apistatus.ObjectNotFound{}
 	}
@@ -41,11 +41,11 @@ func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox
 	return box, nil, nil
 }
 
-func (m credentialsMock) Put(context.Context, cid.ID, tokens.CredentialsParam) (oid.Address, error) {
+func (m credentialsMock) Put(context.Context, tokens.CredentialsParam) (oid.Address, error) {
 	return oid.Address{}, nil
 }
 
-func (m credentialsMock) Update(context.Context, oid.Address, tokens.CredentialsParam) (oid.Address, error) {
+func (m credentialsMock) Update(context.Context, tokens.CredentialsParam) (oid.Address, error) {
 	return oid.Address{}, nil
 }
 
@@ -87,6 +87,7 @@ func TestCheckSign(t *testing.T) {
 		cli:      mock,
 		reg:      NewRegexpMatcher(AuthorizationFieldRegexp),
 		postReg:  NewRegexpMatcher(postPolicyCredentialRegexp),
+		settings: &centerSettingsMock{},
 	}
 	box, err := c.Authenticate(req)
 	require.NoError(t, err)

api/cache/cache_test.go

@@ -1,6 +1,7 @@
 package cache
 
 import (
+	"strings"
 	"testing"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
@@ -8,6 +9,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
+	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 	"github.com/nspcc-dev/neo-go/pkg/util"
@@ -24,16 +26,18 @@ func TestAccessBoxCacheType(t *testing.T) {
 	box := &accessbox.Box{}
 	var attrs []object.Attribute
 
-	err := cache.Put(addr, box, attrs)
+	accessKeyID := getAccessKeyID(addr)
+
+	err := cache.Put(accessKeyID, box, attrs)
 	require.NoError(t, err)
-	val := cache.Get(addr)
+	val := cache.Get(accessKeyID)
 	require.Equal(t, box, val.Box)
 	require.Equal(t, attrs, val.Attributes)
 	require.Equal(t, 0, observedLog.Len())
 
-	err = cache.cache.Set(addr, "tmp")
+	err = cache.cache.Set(accessKeyID, "tmp")
 	require.NoError(t, err)
-	assertInvalidCacheEntry(t, cache.Get(addr), observedLog)
+	assertInvalidCacheEntry(t, cache.Get(accessKeyID), observedLog)
 }
 
 func TestBucketsCacheType(t *testing.T) {
@@ -230,3 +234,7 @@ func getObservedLogger() (*zap.Logger, *observer.ObservedLogs) {
 	loggerCore, observedLog := observer.New(zap.WarnLevel)
 	return zap.New(loggerCore), observedLog
 }
+
+func getAccessKeyID(addr oid.Address) string {
+	return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
+}

creds/accessbox/bearer_token_test.go

@@ -61,7 +61,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
 	require.NoError(t, tkn.Sign(sec.PrivateKey))
 
 	gate := NewGateData(cred.PublicKey(), &tkn)
-	box, _, err = PackTokens([]*GateData{gate}, nil)
+	box, _, err = PackTokens([]*GateData{gate}, nil, false)
 	require.NoError(t, err)
 
 	data, err := box.Marshal()
@@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
 	err = box2.Unmarshal(data)
 	require.NoError(t, err)
 
-	tkns, err := box2.GetTokens(cred)
+	tkns, err := box2.GetTokens(cred, false)
 	require.NoError(t, err)
 
 	assertBearerToken(t, tkn, *tkns.BearerToken)
@@ -96,7 +96,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
 	var newTkn bearer.Token
 	gate := NewGateData(cred.PublicKey(), &newTkn)
 	gate.SessionTokens = []*session.Container{tkn}
-	box, _, err = PackTokens([]*GateData{gate}, nil)
+	box, _, err = PackTokens([]*GateData{gate}, nil, false)
 	require.NoError(t, err)
 
 	data, err := box.Marshal()
@@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
 	err = box2.Unmarshal(data)
 	require.NoError(t, err)
 
-	tkns, err := box2.GetTokens(cred)
+	tkns, err := box2.GetTokens(cred, false)
 	require.NoError(t, err)
 
 	require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
@@ -136,11 +136,11 @@ func TestAccessboxMultipleKeys(t *testing.T) {
 		}
 	}
 
-	box, _, err = PackTokens(gates, nil)
+	box, _, err = PackTokens(gates, nil, false)
 	require.NoError(t, err)
 
 	for i, k := range privateKeys {
-		tkns, err := box.GetTokens(k)
+		tkns, err := box.GetTokens(k, false)
 		require.NoError(t, err, "key #%d: %s failed", i, k)
 		assertBearerToken(t, tkn, *tkns.BearerToken)
 	}
@@ -165,10 +165,10 @@ func TestUnknownKey(t *testing.T) {
 	require.NoError(t, tkn.Sign(sec.PrivateKey))
 
 	gate := NewGateData(cred.PublicKey(), &tkn)
-	box, _, err = PackTokens([]*GateData{gate}, nil)
+	box, _, err = PackTokens([]*GateData{gate}, nil, false)
 	require.NoError(t, err)
 
-	_, err = box.GetTokens(wrongCred)
+	_, err = box.GetTokens(wrongCred, false)
 	require.Error(t, err)
 }
 
@@ -226,10 +226,10 @@ func TestGetBox(t *testing.T) {
 	gate := NewGateData(cred.PublicKey(), &tkn)
 
 	secret := []byte("secret")
-	accessBox, _, err := PackTokens([]*GateData{gate}, secret)
+	accessBox, _, err := PackTokens([]*GateData{gate}, secret, false)
 	require.NoError(t, err)
 
-	box, err := accessBox.GetBox(cred)
+	box, err := accessBox.GetBox(cred, false)
 	require.NoError(t, err)
 	require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
 }
@@ -241,17 +241,17 @@ func TestAccessBox(t *testing.T) {
 	var tkn bearer.Token
 	gate := NewGateData(cred.PublicKey(), &tkn)
 
-	accessBox, _, err := PackTokens([]*GateData{gate}, nil)
+	accessBox, _, err := PackTokens([]*GateData{gate}, nil, false)
 	require.NoError(t, err)
 
 	t.Run("invalid owner", func(t *testing.T) {
 		randomKey, err := keys.NewPrivateKey()
 		require.NoError(t, err)
 
-		_, err = accessBox.GetTokens(randomKey)
+		_, err = accessBox.GetTokens(randomKey, false)
 		require.Error(t, err)
 
-		_, err = accessBox.GetBox(randomKey)
+		_, err = accessBox.GetBox(randomKey, false)
 		require.Error(t, err)
 	})
 
@@ -281,17 +281,17 @@ func TestAccessBox(t *testing.T) {
 		_, err = accessBox.GetPlacementPolicy()
 		require.Error(t, err)
 
-		_, err = accessBox.GetBox(cred)
+		_, err = accessBox.GetBox(cred, false)
 		require.Error(t, err)
 	})
 
 	t.Run("empty seed key", func(t *testing.T) {
 		accessBox.SeedKey = nil
 
-		_, err = accessBox.GetTokens(cred)
+		_, err = accessBox.GetTokens(cred, false)
 		require.Error(t, err)
 
-		_, err = accessBox.GetBox(cred)
+		_, err = accessBox.GetBox(cred, false)
 		require.Error(t, err)
 	})
 
@@ -300,7 +300,7 @@ func TestAccessBox(t *testing.T) {
 			BearerToken: &tkn,
 			GateKey:     &keys.PublicKey{},
 		}
-		_, _, err = PackTokens([]*GateData{gate}, nil)
+		_, _, err = PackTokens([]*GateData{gate}, nil, false)
 		require.Error(t, err)
 	})
 }

creds/tokens/credentials_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/hex"
 	"errors"
+	"strings"
 	"testing"
 	"time"
 
@@ -21,14 +22,14 @@ import (
 )
 
 type frostfsMock struct {
-	objects map[oid.Address][]*object.Object
+	objects map[string][]*object.Object
-	errors  map[oid.Address]error
+	errors  map[string]error
 }
 
 func newFrostfsMock() *frostfsMock {
 	return &frostfsMock{
-		objects: map[oid.Address][]*object.Object{},
+		objects: map[string][]*object.Object{},
-		errors:  map[oid.Address]error{},
+		errors:  map[string]error{},
 	}
 }
 
@@ -44,19 +45,15 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
 	prm.CustomAttributes = append(prm.CustomAttributes, *a)
 	obj.SetAttributes(prm.CustomAttributes...)
 
-	if prm.NewVersionFor != nil {
+	if prm.NewVersionForAccessKeyID != "" {
-		var addr oid.Address
+		_, ok := f.objects[prm.NewVersionForAccessKeyID]
-		addr.SetObject(*prm.NewVersionFor)
-		addr.SetContainer(prm.Container)
-
-		_, ok := f.objects[addr]
 		if !ok {
 			return oid.ID{}, errors.New("not found")
 		}
 
 		objID := oidtest.ID()
 		obj.SetID(objID)
-		f.objects[addr] = append(f.objects[addr], &obj)
+		f.objects[prm.NewVersionForAccessKeyID] = append(f.objects[prm.NewVersionForAccessKeyID], &obj)
 
 		return objID, nil
 	}
@@ -64,20 +61,25 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
 	objID := oidtest.ID()
 	obj.SetID(objID)
 
+	accessKeyID := prm.CustomAccessKey
+	if accessKeyID == "" {
+		accessKeyID = prm.Container.EncodeToString() + "0" + objID.EncodeToString()
+	}
+
 	var addr oid.Address
 	addr.SetObject(objID)
 	addr.SetContainer(prm.Container)
-	f.objects[addr] = []*object.Object{&obj}
+	f.objects[accessKeyID] = []*object.Object{&obj}
 
 	return objID, nil
 }
 
-func (f *frostfsMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
+func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (*object.Object, error) {
-	if err := f.errors[address]; err != nil {
+	if err := f.errors[prm.AccessKeyID]; err != nil {
 		return nil, err
 	}
 
-	objects, ok := f.objects[address]
+	objects, ok := f.objects[prm.AccessKeyID]
 	if !ok {
 		return nil, errors.New("not found")
 	}
@@ -100,7 +102,7 @@ func TestRemovingAccessBox(t *testing.T) {
 	sk, err := hex.DecodeString(secretKey)
 	require.NoError(t, err)
 
-	accessBox, _, err := accessbox.PackTokens(gateData, sk)
+	accessBox, _, err := accessbox.PackTokens(gateData, sk, false)
 	require.NoError(t, err)
 	data, err := accessBox.Marshal()
 	require.NoError(t, err)
@@ -111,9 +113,11 @@ func TestRemovingAccessBox(t *testing.T) {
 	obj.SetID(addr.Object())
 	obj.SetContainerID(addr.Container())
 
+	accessKeyID := getAccessKeyID(addr)
+
 	frostfs := &frostfsMock{
-		objects: map[oid.Address][]*object.Object{addr: {&obj}},
+		objects: map[string][]*object.Object{accessKeyID: {&obj}},
-		errors:  map[oid.Address]error{},
+		errors:  map[string]error{},
 	}
 
 	cfg := Config{
@@ -129,15 +133,15 @@ func TestRemovingAccessBox(t *testing.T) {
 
 	creds := New(cfg)
 
-	_, _, err = creds.GetBox(ctx, addr)
+	_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 	require.NoError(t, err)
 
-	frostfs.errors[addr] = errors.New("network error")
+	frostfs.errors[accessKeyID] = errors.New("network error")
-	_, _, err = creds.GetBox(ctx, addr)
+	_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 	require.NoError(t, err)
 
-	frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
+	frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
-	_, _, err = creds.GetBox(ctx, addr)
+	_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 	require.Error(t, err)
 }
 
@@ -153,7 +157,7 @@ func TestGetBox(t *testing.T) {
 	}}
 
 	secret := []byte("secret")
-	accessBox, _, err := accessbox.PackTokens(gateData, secret)
+	accessBox, _, err := accessbox.PackTokens(gateData, secret, false)
 	require.NoError(t, err)
 	data, err := accessBox.Marshal()
 	require.NoError(t, err)
@@ -179,14 +183,16 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
+		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
 		require.NoError(t, err)
 
-		_, _, err = creds.GetBox(ctx, addr)
+		accessKeyID := getAccessKeyID(addr)
+
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 
-		frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
+		frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
-		_, _, err = creds.GetBox(ctx, addr)
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 	})
 
@@ -198,11 +204,12 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
+		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
 		require.NoError(t, err)
 
-		frostfs.errors[addr] = errors.New("network error")
+		accessKeyID := getAccessKeyID(addr)
-		_, _, err = creds.GetBox(ctx, addr)
+		frostfs.errors[accessKeyID] = errors.New("network error")
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 	})
 
@@ -212,14 +219,15 @@ func TestGetBox(t *testing.T) {
 		var obj object.Object
 		obj.SetPayload(data)
 		addr := oidtest.Address()
-		frostfs.objects[addr] = []*object.Object{&obj}
+		accessKeyID := getAccessKeyID(addr)
+		frostfs.objects[accessKeyID] = []*object.Object{&obj}
 
 		cfg.FrostFS = frostfs
 		cfg.RemovingCheckAfterDurations = 0
 		cfg.Key = &keys.PrivateKey{}
 		creds := New(cfg)
 
-		_, _, err = creds.GetBox(ctx, addr)
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 	})
 
@@ -229,14 +237,15 @@ func TestGetBox(t *testing.T) {
 		var obj object.Object
 		obj.SetPayload([]byte("invalid"))
 		addr := oidtest.Address()
-		frostfs.objects[addr] = []*object.Object{&obj}
+		accessKeyID := getAccessKeyID(addr)
+		frostfs.objects[accessKeyID] = []*object.Object{&obj}
 
 		cfg.FrostFS = frostfs
 		cfg.RemovingCheckAfterDurations = 0
 		cfg.Key = key
 		creds := New(cfg)
 
-		_, _, err = creds.GetBox(ctx, addr)
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 	})
 
@@ -248,16 +257,24 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
+		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
 		require.NoError(t, err)
 
-		_, boxAttrs, err := creds.GetBox(ctx, addr)
+		accessKeyID := getAccessKeyID(addr)
+		_, boxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 
-		_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox, CustomAttributes: attrs})
+		prm := CredentialsParam{
+			Container:        addr.Container(),
+			AccessKeyID:      accessKeyID,
+			Keys:             keys.PublicKeys{key.PublicKey()},
+			AccessBox:        accessBox,
+			CustomAttributes: attrs,
+		}
+		_, err = creds.Update(ctx, prm)
 		require.NoError(t, err)
 
-		_, newBoxAttrs, err := creds.GetBox(ctx, addr)
+		_, newBoxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 		require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs))
 	})
@@ -270,10 +287,12 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
+		addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
 		require.NoError(t, err)
 
-		box, _, err := creds.GetBox(ctx, addr)
+		accessKeyID := getAccessKeyID(addr)
+
+		box, _, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 		require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
 
@@ -286,19 +305,26 @@ func TestGetBox(t *testing.T) {
 		}}
 
 		newSecret := []byte("new-secret")
-		newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret)
+		newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret, false)
 		require.NoError(t, err)
 
-		_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{newKey.PublicKey()}, AccessBox: newAccessBox})
+		prm := CredentialsParam{
+			Container:   addr.Container(),
+			AccessKeyID: accessKeyID,
+			Keys:        keys.PublicKeys{newKey.PublicKey()},
+			AccessBox:   newAccessBox,
+		}
+
+		_, err = creds.Update(ctx, prm)
 		require.NoError(t, err)
 
-		_, _, err = creds.GetBox(ctx, addr)
+		_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.Error(t, err)
 
 		cfg.Key = newKey
 		newCreds := New(cfg)
 
-		box, _, err = newCreds.GetBox(ctx, addr)
+		box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID)
 		require.NoError(t, err)
 		require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
 	})
@@ -311,7 +337,7 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		_, err = creds.Put(ctx, cnrID, CredentialsParam{AccessBox: accessBox})
+		_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox})
 		require.ErrorIs(t, err, ErrEmptyPublicKeys)
 	})
 
@@ -323,7 +349,11 @@ func TestGetBox(t *testing.T) {
 		creds := New(cfg)
 
 		cnrID := cidtest.ID()
-		_, err = creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}})
+		_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}})
 		require.ErrorIs(t, err, ErrEmptyBearerToken)
 	})
 }
+
+func getAccessKeyID(addr oid.Address) string {
+	return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
+}

internal/frostfs/authmate_test.go

@@ -2,6 +2,7 @@ package frostfs
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
@@ -38,34 +39,46 @@ func TestGetCredsObject(t *testing.T) {
 
 	frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t))
 
-	cid, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
+	cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
 		FriendlyName: bktName,
 		Owner:        userID,
 	})
 	require.NoError(t, err)
 
 	objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
-		Container: cid,
+		Container: cnrID,
 		Payload:   payload,
 	})
 	require.NoError(t, err)
 
 	var addr oid.Address
-	addr.SetContainer(cid)
+	addr.SetContainer(cnrID)
 	addr.SetObject(objID)
 
-	obj, err := frostfs.GetCredsObject(ctx, addr)
+	accessKeyID := getAccessKeyID(addr)
+
+	obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
+		Container:   cnrID,
+		AccessKeyID: accessKeyID,
+	})
 	require.NoError(t, err)
 	require.Equal(t, payload, obj.Payload())
 
 	_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
-		Container:     cid,
+		Container:                cnrID,
 		Payload:                  newPayload,
-		NewVersionFor: &objID,
+		NewVersionForAccessKeyID: accessKeyID,
 	})
 	require.NoError(t, err)
 
-	obj, err = frostfs.GetCredsObject(ctx, addr)
+	obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
+		Container:   cnrID,
+		AccessKeyID: getAccessKeyID(addr),
+	})
 	require.NoError(t, err)
 	require.Equal(t, newPayload, obj.Payload())
 }
+
+func getAccessKeyID(addr oid.Address) string {
+	return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
+}