parent
b78e55e101
commit
81209e308c
6 changed files with 169 additions and 141 deletions
|
@ -19,6 +19,7 @@ import (
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/tokens"
|
||||||
frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
|
frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
||||||
|
cid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id"
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
|
||||||
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
|
||||||
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
|
oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
|
||||||
|
@ -28,11 +29,23 @@ import (
|
||||||
"go.uber.org/zap/zaptest"
|
"go.uber.org/zap/zaptest"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type centerSettingsMock struct {
|
||||||
|
accessBoxContainer *cid.ID
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *centerSettingsMock) AccessBoxContainer() (cid.ID, bool) {
|
||||||
|
if c.accessBoxContainer == nil {
|
||||||
|
return cid.ID{}, false
|
||||||
|
}
|
||||||
|
return *c.accessBoxContainer, true
|
||||||
|
}
|
||||||
|
|
||||||
func TestAuthHeaderParse(t *testing.T) {
|
func TestAuthHeaderParse(t *testing.T) {
|
||||||
defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"
|
defaultHeader := "AWS4-HMAC-SHA256 Credential=oid0cid/20210809/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=2811ccb9e242f41426738fb1f"
|
||||||
|
|
||||||
center := &Center{
|
center := &Center{
|
||||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||||
|
settings: ¢erSettingsMock{},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range []struct {
|
for _, tc := range []struct {
|
||||||
|
@ -57,11 +70,6 @@ func TestAuthHeaderParse(t *testing.T) {
|
||||||
err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
|
err: errors.GetAPIError(errors.ErrAuthorizationHeaderMalformed),
|
||||||
expected: nil,
|
expected: nil,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
header: strings.ReplaceAll(defaultHeader, "oid0cid", "oidcid"),
|
|
||||||
err: errors.GetAPIError(errors.ErrInvalidAccessKeyID),
|
|
||||||
expected: nil,
|
|
||||||
},
|
|
||||||
} {
|
} {
|
||||||
authHeader, err := center.parseAuthHeader(tc.header)
|
authHeader, err := center.parseAuthHeader(tc.header)
|
||||||
require.ErrorIs(t, err, tc.err, tc.header)
|
require.ErrorIs(t, err, tc.err, tc.header)
|
||||||
|
@ -69,43 +77,6 @@ func TestAuthHeaderParse(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestAuthHeaderGetAddress(t *testing.T) {
|
|
||||||
defaulErr := errors.GetAPIError(errors.ErrInvalidAccessKeyID)
|
|
||||||
|
|
||||||
for _, tc := range []struct {
|
|
||||||
authHeader *AuthHeader
|
|
||||||
err error
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
authHeader: &AuthHeader{
|
|
||||||
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJM0HrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
|
|
||||||
},
|
|
||||||
err: nil,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
authHeader: &AuthHeader{
|
|
||||||
AccessKeyID: "vWqF8cMDRbJcvnPLALoQGnABPPhw8NyYMcGsfDPfZJMHrgjonN8CgFvCZ3kh9BUXw4W2tJ5E7EAGhueSF122HB",
|
|
||||||
},
|
|
||||||
err: defaulErr,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
authHeader: &AuthHeader{
|
|
||||||
AccessKeyID: "oid0cid",
|
|
||||||
},
|
|
||||||
err: defaulErr,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
authHeader: &AuthHeader{
|
|
||||||
AccessKeyID: "oidcid",
|
|
||||||
},
|
|
||||||
err: defaulErr,
|
|
||||||
},
|
|
||||||
} {
|
|
||||||
_, err := getAddress(tc.authHeader.AccessKeyID)
|
|
||||||
require.ErrorIs(t, err, tc.err, tc.authHeader.AccessKeyID)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestSignature(t *testing.T) {
|
func TestSignature(t *testing.T) {
|
||||||
secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
|
secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
|
||||||
strToSign := "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"
|
strToSign := "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"
|
||||||
|
@ -171,17 +142,17 @@ func TestCheckFormatContentSHA256(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
type frostFSMock struct {
|
type frostFSMock struct {
|
||||||
objects map[oid.Address]*object.Object
|
objects map[string]*object.Object
|
||||||
}
|
}
|
||||||
|
|
||||||
func newFrostFSMock() *frostFSMock {
|
func newFrostFSMock() *frostFSMock {
|
||||||
return &frostFSMock{
|
return &frostFSMock{
|
||||||
objects: map[oid.Address]*object.Object{},
|
objects: map[string]*object.Object{},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *frostFSMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
|
func (f *frostFSMock) GetCredsObject(_ context.Context, prm tokens.PrmGetCredsObject) (*object.Object, error) {
|
||||||
obj, ok := f.objects[address]
|
obj, ok := f.objects[prm.AccessKeyID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("not found")
|
return nil, fmt.Errorf("not found")
|
||||||
}
|
}
|
||||||
|
@ -208,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
|
||||||
GateKey: key.PublicKey(),
|
GateKey: key.PublicKey(),
|
||||||
}}
|
}}
|
||||||
|
|
||||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
|
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
data, err := accessBox.Marshal()
|
data, err := accessBox.Marshal()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -219,10 +190,10 @@ func TestAuthenticate(t *testing.T) {
|
||||||
obj.SetContainerID(addr.Container())
|
obj.SetContainerID(addr.Container())
|
||||||
obj.SetID(addr.Object())
|
obj.SetID(addr.Object())
|
||||||
|
|
||||||
frostfs := newFrostFSMock()
|
accessKeyID := getAccessKeyID(addr)
|
||||||
frostfs.objects[addr] = &obj
|
|
||||||
|
|
||||||
accessKeyID := addr.Container().String() + "0" + addr.Object().String()
|
frostfs := newFrostFSMock()
|
||||||
|
frostfs.objects[accessKeyID] = &obj
|
||||||
|
|
||||||
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "")
|
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret.SecretKey, "")
|
||||||
defaultSigner := v4.NewSigner(awsCreds)
|
defaultSigner := v4.NewSigner(awsCreds)
|
||||||
|
@ -413,7 +384,7 @@ func TestAuthenticate(t *testing.T) {
|
||||||
} {
|
} {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
creds := tokens.New(bigConfig)
|
creds := tokens.New(bigConfig)
|
||||||
cntr := New(creds, tc.prefixes)
|
cntr := New(creds, tc.prefixes, ¢erSettingsMock{})
|
||||||
box, err := cntr.Authenticate(tc.request)
|
box, err := cntr.Authenticate(tc.request)
|
||||||
|
|
||||||
if tc.err {
|
if tc.err {
|
||||||
|
@ -455,7 +426,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
||||||
GateKey: key.PublicKey(),
|
GateKey: key.PublicKey(),
|
||||||
}}
|
}}
|
||||||
|
|
||||||
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"))
|
accessBox, secret, err := accessbox.PackTokens(gateData, []byte("secret"), false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
data, err := accessBox.Marshal()
|
data, err := accessBox.Marshal()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -466,10 +437,11 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
||||||
obj.SetContainerID(addr.Container())
|
obj.SetContainerID(addr.Container())
|
||||||
obj.SetID(addr.Object())
|
obj.SetID(addr.Object())
|
||||||
|
|
||||||
frostfs := newFrostFSMock()
|
accessKeyID := getAccessKeyID(addr)
|
||||||
frostfs.objects[addr] = &obj
|
|
||||||
|
frostfs := newFrostFSMock()
|
||||||
|
frostfs.objects[accessKeyID] = &obj
|
||||||
|
|
||||||
accessKeyID := addr.Container().String() + "0" + addr.Object().String()
|
|
||||||
invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String()
|
invalidAccessKeyID := oidtest.Address().String() + "0" + oidtest.Address().Object().String()
|
||||||
|
|
||||||
timeToSign := time.Now()
|
timeToSign := time.Now()
|
||||||
|
@ -590,7 +562,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
|
||||||
} {
|
} {
|
||||||
t.Run(tc.name, func(t *testing.T) {
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
creds := tokens.New(bigConfig)
|
creds := tokens.New(bigConfig)
|
||||||
cntr := New(creds, tc.prefixes)
|
cntr := New(creds, tc.prefixes, ¢erSettingsMock{})
|
||||||
box, err := cntr.Authenticate(tc.request)
|
box, err := cntr.Authenticate(tc.request)
|
||||||
|
|
||||||
if tc.err {
|
if tc.err {
|
||||||
|
@ -633,3 +605,7 @@ func getRequestWithMultipartForm(t *testing.T, policy, creds, date, sign, fieldN
|
||||||
|
|
||||||
return req
|
return req
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getAccessKeyID(addr oid.Address) string {
|
||||||
|
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||||
|
}
|
||||||
|
|
|
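Review bot: The settings mock added at the top of this file is only ever built as `&centerSettingsMock{}` in the visible hunks, so `AccessBoxContainer()` always returns `false` and the branch that supplies a configured container is never exercised. The commit also removes the only visible negative checks on access key format (the `oidcid` case in `TestAuthHeaderParse` and the whole of `TestAuthHeaderGetAddress`) without a replacement. Access key IDs now appear to be treated as opaque strings, so I would add a `TestAuthenticate` case built with `&centerSettingsMock{accessBoxContainer: &cnrID}` and a custom key, plus one asserting that an unknown key is still rejected. Most of `TestAuthenticate` lies outside these hunks, so such cases may already exist there.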
@ -29,11 +29,11 @@ func newTokensFrostfsMock() *credentialsMock {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) {
|
func (m credentialsMock) addBox(addr oid.Address, box *accessbox.Box) {
|
||||||
m.boxes[addr.String()] = box
|
m.boxes[getAccessKeyID(addr)] = box
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox.Box, []object.Attribute, error) {
|
func (m credentialsMock) GetBox(_ context.Context, _ cid.ID, accessKeyID string) (*accessbox.Box, []object.Attribute, error) {
|
||||||
box, ok := m.boxes[addr.String()]
|
box, ok := m.boxes[accessKeyID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, nil, &apistatus.ObjectNotFound{}
|
return nil, nil, &apistatus.ObjectNotFound{}
|
||||||
}
|
}
|
||||||
|
@ -41,11 +41,11 @@ func (m credentialsMock) GetBox(_ context.Context, addr oid.Address) (*accessbox
|
||||||
return box, nil, nil
|
return box, nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m credentialsMock) Put(context.Context, cid.ID, tokens.CredentialsParam) (oid.Address, error) {
|
func (m credentialsMock) Put(context.Context, tokens.CredentialsParam) (oid.Address, error) {
|
||||||
return oid.Address{}, nil
|
return oid.Address{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m credentialsMock) Update(context.Context, oid.Address, tokens.CredentialsParam) (oid.Address, error) {
|
func (m credentialsMock) Update(context.Context, tokens.CredentialsParam) (oid.Address, error) {
|
||||||
return oid.Address{}, nil
|
return oid.Address{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -84,9 +84,10 @@ func TestCheckSign(t *testing.T) {
|
||||||
mock.addBox(accessKeyAddr, expBox)
|
mock.addBox(accessKeyAddr, expBox)
|
||||||
|
|
||||||
c := &Center{
|
c := &Center{
|
||||||
cli: mock,
|
cli: mock,
|
||||||
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
reg: NewRegexpMatcher(AuthorizationFieldRegexp),
|
||||||
postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
|
postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
|
||||||
|
settings: ¢erSettingsMock{},
|
||||||
}
|
}
|
||||||
box, err := c.Authenticate(req)
|
box, err := c.Authenticate(req)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
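Review bot: `credentialsMock.GetBox` now discards its container argument (`_ cid.ID`) and looks the box up by `accessKeyID` alone, so `TestCheckSign` would still pass if `Authenticate` handed the wrong container to the credentials client. That container presumably decides where the access box is read from, so the mock should check it, for example by keying `boxes` on `cnrID.EncodeToString() + "/" + accessKeyID` or by recording the value and asserting it in the test. `getAccessKeyID`, used in `addBox`, is not defined in these hunks; a short comment naming the test file that provides it would help the next reader.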
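--- a/api/cache/cache_test.go
+++ b/api/cache/cache_test.go
@@ -1,6 +1,7 @@
 package cache
 
 import (
+"strings"
 "testing"
 
 "git.frostfs.info/TrueCloudLab/frostfs-contract/frostfsid/client"
@@ -8,6 +9,7 @@ import (
 "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 cidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/container/id/test"
 "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
+oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
 oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 "github.com/nspcc-dev/neo-go/pkg/crypto/keys"
 "github.com/nspcc-dev/neo-go/pkg/util"
@@ -24,16 +26,18 @@ func TestAccessBoxCacheType(t *testing.T) {
 box := &accessbox.Box{}
 var attrs []object.Attribute
 
-err := cache.Put(addr, box, attrs)
+accessKeyID := getAccessKeyID(addr)
+
+err := cache.Put(accessKeyID, box, attrs)
 require.NoError(t, err)
-val := cache.Get(addr)
+val := cache.Get(accessKeyID)
 require.Equal(t, box, val.Box)
 require.Equal(t, attrs, val.Attributes)
 require.Equal(t, 0, observedLog.Len())
 
-err = cache.cache.Set(addr, "tmp")
+err = cache.cache.Set(accessKeyID, "tmp")
 require.NoError(t, err)
-assertInvalidCacheEntry(t, cache.Get(addr), observedLog)
+assertInvalidCacheEntry(t, cache.Get(accessKeyID), observedLog)
 }
 
 func TestBucketsCacheType(t *testing.T) {
@@ -230,3 +234,7 @@ func getObservedLogger() (*zap.Logger, *observer.ObservedLogs) {
 loggerCore, observedLog := observer.New(zap.WarnLevel)
 return zap.New(loggerCore), observedLog
 }
+
+func getAccessKeyID(addr oid.Address) string {
+return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
+}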
@ -61,7 +61,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
|
||||||
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
||||||
|
|
||||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
data, err := box.Marshal()
|
data, err := box.Marshal()
|
||||||
|
@ -70,7 +70,7 @@ func TestBearerTokenInAccessBox(t *testing.T) {
|
||||||
err = box2.Unmarshal(data)
|
err = box2.Unmarshal(data)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
tkns, err := box2.GetTokens(cred)
|
tkns, err := box2.GetTokens(cred, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
assertBearerToken(t, tkn, *tkns.BearerToken)
|
assertBearerToken(t, tkn, *tkns.BearerToken)
|
||||||
|
@ -96,7 +96,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
|
||||||
var newTkn bearer.Token
|
var newTkn bearer.Token
|
||||||
gate := NewGateData(cred.PublicKey(), &newTkn)
|
gate := NewGateData(cred.PublicKey(), &newTkn)
|
||||||
gate.SessionTokens = []*session.Container{tkn}
|
gate.SessionTokens = []*session.Container{tkn}
|
||||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
data, err := box.Marshal()
|
data, err := box.Marshal()
|
||||||
|
@ -105,7 +105,7 @@ func TestSessionTokenInAccessBox(t *testing.T) {
|
||||||
err = box2.Unmarshal(data)
|
err = box2.Unmarshal(data)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
tkns, err := box2.GetTokens(cred)
|
tkns, err := box2.GetTokens(cred, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
|
require.Equal(t, []*session.Container{tkn}, tkns.SessionTokens)
|
||||||
|
@ -136,11 +136,11 @@ func TestAccessboxMultipleKeys(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
box, _, err = PackTokens(gates, nil)
|
box, _, err = PackTokens(gates, nil, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
for i, k := range privateKeys {
|
for i, k := range privateKeys {
|
||||||
tkns, err := box.GetTokens(k)
|
tkns, err := box.GetTokens(k, false)
|
||||||
require.NoError(t, err, "key #%d: %s failed", i, k)
|
require.NoError(t, err, "key #%d: %s failed", i, k)
|
||||||
assertBearerToken(t, tkn, *tkns.BearerToken)
|
assertBearerToken(t, tkn, *tkns.BearerToken)
|
||||||
}
|
}
|
||||||
|
@ -165,10 +165,10 @@ func TestUnknownKey(t *testing.T) {
|
||||||
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
require.NoError(t, tkn.Sign(sec.PrivateKey))
|
||||||
|
|
||||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||||
box, _, err = PackTokens([]*GateData{gate}, nil)
|
box, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = box.GetTokens(wrongCred)
|
_, err = box.GetTokens(wrongCred, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -226,10 +226,10 @@ func TestGetBox(t *testing.T) {
|
||||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||||
|
|
||||||
secret := []byte("secret")
|
secret := []byte("secret")
|
||||||
accessBox, _, err := PackTokens([]*GateData{gate}, secret)
|
accessBox, _, err := PackTokens([]*GateData{gate}, secret, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
box, err := accessBox.GetBox(cred)
|
box, err := accessBox.GetBox(cred, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
||||||
}
|
}
|
||||||
|
@ -241,17 +241,17 @@ func TestAccessBox(t *testing.T) {
|
||||||
var tkn bearer.Token
|
var tkn bearer.Token
|
||||||
gate := NewGateData(cred.PublicKey(), &tkn)
|
gate := NewGateData(cred.PublicKey(), &tkn)
|
||||||
|
|
||||||
accessBox, _, err := PackTokens([]*GateData{gate}, nil)
|
accessBox, _, err := PackTokens([]*GateData{gate}, nil, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
t.Run("invalid owner", func(t *testing.T) {
|
t.Run("invalid owner", func(t *testing.T) {
|
||||||
randomKey, err := keys.NewPrivateKey()
|
randomKey, err := keys.NewPrivateKey()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = accessBox.GetTokens(randomKey)
|
_, err = accessBox.GetTokens(randomKey, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
|
|
||||||
_, err = accessBox.GetBox(randomKey)
|
_, err = accessBox.GetBox(randomKey, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -281,17 +281,17 @@ func TestAccessBox(t *testing.T) {
|
||||||
_, err = accessBox.GetPlacementPolicy()
|
_, err = accessBox.GetPlacementPolicy()
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
|
|
||||||
_, err = accessBox.GetBox(cred)
|
_, err = accessBox.GetBox(cred, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("empty seed key", func(t *testing.T) {
|
t.Run("empty seed key", func(t *testing.T) {
|
||||||
accessBox.SeedKey = nil
|
accessBox.SeedKey = nil
|
||||||
|
|
||||||
_, err = accessBox.GetTokens(cred)
|
_, err = accessBox.GetTokens(cred, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
|
|
||||||
_, err = accessBox.GetBox(cred)
|
_, err = accessBox.GetBox(cred, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -300,7 +300,7 @@ func TestAccessBox(t *testing.T) {
|
||||||
BearerToken: &tkn,
|
BearerToken: &tkn,
|
||||||
GateKey: &keys.PublicKey{},
|
GateKey: &keys.PublicKey{},
|
||||||
}
|
}
|
||||||
_, _, err = PackTokens([]*GateData{gate}, nil)
|
_, _, err = PackTokens([]*GateData{gate}, nil, false)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
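Review bot: Every call site in this file passes a literal `false` for the new trailing argument of `PackTokens`, `GetTokens` and `GetBox`, so the `true` path has no coverage here and the bare boolean does not tell a reader which mode is selected. The flag appears to take part in packing and unpacking the secret material, so I would add a round-trip test with `true` on both sides and a mismatch test (pack with `true`, unpack with `false`, and the reverse) that requires an error. A named local constant in place of the literal would also make the intent readable at each call; the parameter's real name is not visible in these hunks.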
@ -4,6 +4,7 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -21,14 +22,14 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type frostfsMock struct {
|
type frostfsMock struct {
|
||||||
objects map[oid.Address][]*object.Object
|
objects map[string][]*object.Object
|
||||||
errors map[oid.Address]error
|
errors map[string]error
|
||||||
}
|
}
|
||||||
|
|
||||||
func newFrostfsMock() *frostfsMock {
|
func newFrostfsMock() *frostfsMock {
|
||||||
return &frostfsMock{
|
return &frostfsMock{
|
||||||
objects: map[oid.Address][]*object.Object{},
|
objects: map[string][]*object.Object{},
|
||||||
errors: map[oid.Address]error{},
|
errors: map[string]error{},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -44,19 +45,15 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
|
||||||
prm.CustomAttributes = append(prm.CustomAttributes, *a)
|
prm.CustomAttributes = append(prm.CustomAttributes, *a)
|
||||||
obj.SetAttributes(prm.CustomAttributes...)
|
obj.SetAttributes(prm.CustomAttributes...)
|
||||||
|
|
||||||
if prm.NewVersionFor != nil {
|
if prm.NewVersionForAccessKeyID != "" {
|
||||||
var addr oid.Address
|
_, ok := f.objects[prm.NewVersionForAccessKeyID]
|
||||||
addr.SetObject(*prm.NewVersionFor)
|
|
||||||
addr.SetContainer(prm.Container)
|
|
||||||
|
|
||||||
_, ok := f.objects[addr]
|
|
||||||
if !ok {
|
if !ok {
|
||||||
return oid.ID{}, errors.New("not found")
|
return oid.ID{}, errors.New("not found")
|
||||||
}
|
}
|
||||||
|
|
||||||
objID := oidtest.ID()
|
objID := oidtest.ID()
|
||||||
obj.SetID(objID)
|
obj.SetID(objID)
|
||||||
f.objects[addr] = append(f.objects[addr], &obj)
|
f.objects[prm.NewVersionForAccessKeyID] = append(f.objects[prm.NewVersionForAccessKeyID], &obj)
|
||||||
|
|
||||||
return objID, nil
|
return objID, nil
|
||||||
}
|
}
|
||||||
|
@ -64,20 +61,25 @@ func (f *frostfsMock) CreateObject(_ context.Context, prm PrmObjectCreate) (oid.
|
||||||
objID := oidtest.ID()
|
objID := oidtest.ID()
|
||||||
obj.SetID(objID)
|
obj.SetID(objID)
|
||||||
|
|
||||||
|
accessKeyID := prm.CustomAccessKey
|
||||||
|
if accessKeyID == "" {
|
||||||
|
accessKeyID = prm.Container.EncodeToString() + "0" + objID.EncodeToString()
|
||||||
|
}
|
||||||
|
|
||||||
var addr oid.Address
|
var addr oid.Address
|
||||||
addr.SetObject(objID)
|
addr.SetObject(objID)
|
||||||
addr.SetContainer(prm.Container)
|
addr.SetContainer(prm.Container)
|
||||||
f.objects[addr] = []*object.Object{&obj}
|
f.objects[accessKeyID] = []*object.Object{&obj}
|
||||||
|
|
||||||
return objID, nil
|
return objID, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *frostfsMock) GetCredsObject(_ context.Context, address oid.Address) (*object.Object, error) {
|
func (f *frostfsMock) GetCredsObject(_ context.Context, prm PrmGetCredsObject) (*object.Object, error) {
|
||||||
if err := f.errors[address]; err != nil {
|
if err := f.errors[prm.AccessKeyID]; err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
objects, ok := f.objects[address]
|
objects, ok := f.objects[prm.AccessKeyID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, errors.New("not found")
|
return nil, errors.New("not found")
|
||||||
}
|
}
|
||||||
|
@ -100,7 +102,7 @@ func TestRemovingAccessBox(t *testing.T) {
|
||||||
sk, err := hex.DecodeString(secretKey)
|
sk, err := hex.DecodeString(secretKey)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
accessBox, _, err := accessbox.PackTokens(gateData, sk)
|
accessBox, _, err := accessbox.PackTokens(gateData, sk, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
data, err := accessBox.Marshal()
|
data, err := accessBox.Marshal()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -111,9 +113,11 @@ func TestRemovingAccessBox(t *testing.T) {
|
||||||
obj.SetID(addr.Object())
|
obj.SetID(addr.Object())
|
||||||
obj.SetContainerID(addr.Container())
|
obj.SetContainerID(addr.Container())
|
||||||
|
|
||||||
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
|
||||||
frostfs := &frostfsMock{
|
frostfs := &frostfsMock{
|
||||||
objects: map[oid.Address][]*object.Object{addr: {&obj}},
|
objects: map[string][]*object.Object{accessKeyID: {&obj}},
|
||||||
errors: map[oid.Address]error{},
|
errors: map[string]error{},
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg := Config{
|
cfg := Config{
|
||||||
|
@ -129,15 +133,15 @@ func TestRemovingAccessBox(t *testing.T) {
|
||||||
|
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
frostfs.errors[addr] = errors.New("network error")
|
frostfs.errors[accessKeyID] = errors.New("network error")
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
|
frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -153,7 +157,7 @@ func TestGetBox(t *testing.T) {
|
||||||
}}
|
}}
|
||||||
|
|
||||||
secret := []byte("secret")
|
secret := []byte("secret")
|
||||||
accessBox, _, err := accessbox.PackTokens(gateData, secret)
|
accessBox, _, err := accessbox.PackTokens(gateData, secret, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
data, err := accessBox.Marshal()
|
data, err := accessBox.Marshal()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -179,14 +183,16 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
|
||||||
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
frostfs.errors[addr] = &apistatus.ObjectAlreadyRemoved{}
|
frostfs.errors[accessKeyID] = &apistatus.ObjectAlreadyRemoved{}
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -198,11 +204,12 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
frostfs.errors[addr] = errors.New("network error")
|
accessKeyID := getAccessKeyID(addr)
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
frostfs.errors[accessKeyID] = errors.New("network error")
|
||||||
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -212,14 +219,15 @@ func TestGetBox(t *testing.T) {
|
||||||
var obj object.Object
|
var obj object.Object
|
||||||
obj.SetPayload(data)
|
obj.SetPayload(data)
|
||||||
addr := oidtest.Address()
|
addr := oidtest.Address()
|
||||||
frostfs.objects[addr] = []*object.Object{&obj}
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
frostfs.objects[accessKeyID] = []*object.Object{&obj}
|
||||||
|
|
||||||
cfg.FrostFS = frostfs
|
cfg.FrostFS = frostfs
|
||||||
cfg.RemovingCheckAfterDurations = 0
|
cfg.RemovingCheckAfterDurations = 0
|
||||||
cfg.Key = &keys.PrivateKey{}
|
cfg.Key = &keys.PrivateKey{}
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -229,14 +237,15 @@ func TestGetBox(t *testing.T) {
|
||||||
var obj object.Object
|
var obj object.Object
|
||||||
obj.SetPayload([]byte("invalid"))
|
obj.SetPayload([]byte("invalid"))
|
||||||
addr := oidtest.Address()
|
addr := oidtest.Address()
|
||||||
frostfs.objects[addr] = []*object.Object{&obj}
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
frostfs.objects[accessKeyID] = []*object.Object{&obj}
|
||||||
|
|
||||||
cfg.FrostFS = frostfs
|
cfg.FrostFS = frostfs
|
||||||
cfg.RemovingCheckAfterDurations = 0
|
cfg.RemovingCheckAfterDurations = 0
|
||||||
cfg.Key = key
|
cfg.Key = key
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -248,16 +257,24 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, boxAttrs, err := creds.GetBox(ctx, addr)
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
_, boxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox, CustomAttributes: attrs})
|
prm := CredentialsParam{
|
||||||
|
Container: addr.Container(),
|
||||||
|
AccessKeyID: accessKeyID,
|
||||||
|
Keys: keys.PublicKeys{key.PublicKey()},
|
||||||
|
AccessBox: accessBox,
|
||||||
|
CustomAttributes: attrs,
|
||||||
|
}
|
||||||
|
_, err = creds.Update(ctx, prm)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, newBoxAttrs, err := creds.GetBox(ctx, addr)
|
_, newBoxAttrs, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs))
|
require.Equal(t, len(boxAttrs)+1, len(newBoxAttrs))
|
||||||
})
|
})
|
||||||
|
@ -270,10 +287,12 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
addr, err := creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
addr, err := creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}, AccessBox: accessBox})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
box, _, err := creds.GetBox(ctx, addr)
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
|
||||||
|
box, _, err := creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
require.Equal(t, hex.EncodeToString(secret), box.Gate.SecretKey)
|
||||||
|
|
||||||
|
@ -286,19 +305,26 @@ func TestGetBox(t *testing.T) {
|
||||||
}}
|
}}
|
||||||
|
|
||||||
newSecret := []byte("new-secret")
|
newSecret := []byte("new-secret")
|
||||||
newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret)
|
newAccessBox, _, err := accessbox.PackTokens(newGateData, newSecret, false)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = creds.Update(ctx, addr, CredentialsParam{Keys: keys.PublicKeys{newKey.PublicKey()}, AccessBox: newAccessBox})
|
prm := CredentialsParam{
|
||||||
|
Container: addr.Container(),
|
||||||
|
AccessKeyID: accessKeyID,
|
||||||
|
Keys: keys.PublicKeys{newKey.PublicKey()},
|
||||||
|
AccessBox: newAccessBox,
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = creds.Update(ctx, prm)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, _, err = creds.GetBox(ctx, addr)
|
_, _, err = creds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
|
|
||||||
cfg.Key = newKey
|
cfg.Key = newKey
|
||||||
newCreds := New(cfg)
|
newCreds := New(cfg)
|
||||||
|
|
||||||
box, _, err = newCreds.GetBox(ctx, addr)
|
box, _, err = newCreds.GetBox(ctx, addr.Container(), accessKeyID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
|
require.Equal(t, hex.EncodeToString(newSecret), box.Gate.SecretKey)
|
||||||
})
|
})
|
||||||
|
@ -311,7 +337,7 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
_, err = creds.Put(ctx, cnrID, CredentialsParam{AccessBox: accessBox})
|
_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, AccessBox: accessBox})
|
||||||
require.ErrorIs(t, err, ErrEmptyPublicKeys)
|
require.ErrorIs(t, err, ErrEmptyPublicKeys)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -323,7 +349,11 @@ func TestGetBox(t *testing.T) {
|
||||||
creds := New(cfg)
|
creds := New(cfg)
|
||||||
|
|
||||||
cnrID := cidtest.ID()
|
cnrID := cidtest.ID()
|
||||||
_, err = creds.Put(ctx, cnrID, CredentialsParam{Keys: keys.PublicKeys{key.PublicKey()}})
|
_, err = creds.Put(ctx, CredentialsParam{Container: cnrID, Keys: keys.PublicKeys{key.PublicKey()}})
|
||||||
require.ErrorIs(t, err, ErrEmptyBearerToken)
|
require.ErrorIs(t, err, ErrEmptyBearerToken)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getAccessKeyID(addr oid.Address) string {
|
||||||
|
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||||
|
}
|
||||||
|
|
|
@ -2,6 +2,7 @@ package frostfs
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
|
||||||
|
@ -38,34 +39,46 @@ func TestGetCredsObject(t *testing.T) {
|
||||||
|
|
||||||
frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t))
|
frostfs := NewAuthmateFrostFS(layer.NewTestFrostFS(key), zaptest.NewLogger(t))
|
||||||
|
|
||||||
cid, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
|
cnrID, err := frostfs.CreateContainer(ctx, authmate.PrmContainerCreate{
|
||||||
FriendlyName: bktName,
|
FriendlyName: bktName,
|
||||||
Owner: userID,
|
Owner: userID,
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
objID, err := frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
||||||
Container: cid,
|
Container: cnrID,
|
||||||
Payload: payload,
|
Payload: payload,
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
var addr oid.Address
|
var addr oid.Address
|
||||||
addr.SetContainer(cid)
|
addr.SetContainer(cnrID)
|
||||||
addr.SetObject(objID)
|
addr.SetObject(objID)
|
||||||
|
|
||||||
obj, err := frostfs.GetCredsObject(ctx, addr)
|
accessKeyID := getAccessKeyID(addr)
|
||||||
|
|
||||||
|
obj, err := frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
|
||||||
|
Container: cnrID,
|
||||||
|
AccessKeyID: accessKeyID,
|
||||||
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, payload, obj.Payload())
|
require.Equal(t, payload, obj.Payload())
|
||||||
|
|
||||||
_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
_, err = frostfs.CreateObject(ctx, tokens.PrmObjectCreate{
|
||||||
Container: cid,
|
Container: cnrID,
|
||||||
Payload: newPayload,
|
Payload: newPayload,
|
||||||
NewVersionFor: &objID,
|
NewVersionForAccessKeyID: accessKeyID,
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
obj, err = frostfs.GetCredsObject(ctx, addr)
|
obj, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{
|
||||||
|
Container: cnrID,
|
||||||
|
AccessKeyID: getAccessKeyID(addr),
|
||||||
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, newPayload, obj.Payload())
|
require.Equal(t, newPayload, obj.Payload())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getAccessKeyID(addr oid.Address) string {
|
||||||
|
return strings.ReplaceAll(addr.EncodeToString(), "/", "0")
|
||||||
|
}
|
||||||
|
|
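Review bot: TestGetCredsObject only looks credentials up with an access key ID derived from an object it has just stored, so the new container-plus-ID lookup is never exercised with an ID that matches nothing. A negative case would pin that an unknown ID fails instead of resolving to some other object: `_, err = frostfs.GetCredsObject(ctx, tokens.PrmGetCredsObject{Container: cnrID, AccessKeyID: "unknown"})` followed by `require.Error(t, err)`. The lookup implementation is not shown in this section, so confirm that it returns an error for that input. The second lookup could reuse the `accessKeyID` local rather than calling `getAccessKeyID(addr)` again, and the helper, which appears identically in the other test file on this page, would benefit from a comment such as `// getAccessKeyID returns addr's string form with "/" replaced by "0", the access key ID used in these tests.` The test function begins before the hunk, so its setup is outside what is reviewed here.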