2023-07-19 14:18:55 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2023-11-30 08:25:05 +00:00
|
|
|
"encoding/xml"
|
2023-07-19 14:18:55 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
|
|
|
"net/url"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2023-11-30 08:25:05 +00:00
|
|
|
apiErrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
|
|
|
|
s3middleware "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
|
2023-07-19 14:18:55 +00:00
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/metrics"
|
2023-11-30 08:25:05 +00:00
|
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
|
|
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine/inmemory"
|
2023-07-19 14:18:55 +00:00
|
|
|
"github.com/go-chi/chi/v5"
|
|
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"go.uber.org/zap/zaptest"
|
|
|
|
)
|
|
|
|
|
2023-11-30 08:25:05 +00:00
|
|
|
type routerMock struct {
|
2023-12-05 12:49:13 +00:00
|
|
|
router *chi.Mux
|
|
|
|
cfg Config
|
|
|
|
middlewareSettings *middlewareSettingsMock
|
2023-12-08 07:44:13 +00:00
|
|
|
policyChecker engine.LocalOverrideEngine
|
2023-11-30 08:25:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (m *routerMock) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
m.router.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
func prepareRouter(t *testing.T) *routerMock {
|
2023-12-05 12:49:13 +00:00
|
|
|
middlewareSettings := &middlewareSettingsMock{}
|
2023-12-08 07:44:13 +00:00
|
|
|
policyChecker := inmemory.NewInMemoryLocalOverrides()
|
2023-12-05 12:49:13 +00:00
|
|
|
|
2023-11-30 08:25:05 +00:00
|
|
|
cfg := Config{
|
|
|
|
Throttle: middleware.ThrottleOpts{
|
|
|
|
Limit: 10,
|
|
|
|
BacklogTimeout: 30 * time.Second,
|
|
|
|
},
|
|
|
|
Handler: &handlerMock{t: t},
|
|
|
|
Center: ¢erMock{},
|
|
|
|
Log: zaptest.NewLogger(t),
|
|
|
|
Metrics: &metrics.AppMetrics{},
|
2023-12-05 12:49:13 +00:00
|
|
|
MiddlewareSettings: middlewareSettings,
|
2023-12-08 07:44:13 +00:00
|
|
|
PolicyChecker: policyChecker,
|
2023-11-30 08:25:05 +00:00
|
|
|
}
|
|
|
|
return &routerMock{
|
2023-12-05 12:49:13 +00:00
|
|
|
router: NewRouter(cfg),
|
|
|
|
cfg: cfg,
|
|
|
|
middlewareSettings: middlewareSettings,
|
2023-12-08 07:44:13 +00:00
|
|
|
policyChecker: policyChecker,
|
2023-11-30 08:25:05 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-07-19 14:18:55 +00:00
|
|
|
func TestRouterUploadPart(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
r := httptest.NewRequest(http.MethodPut, "/dkirillov/fix-object", nil)
|
|
|
|
query := make(url.Values)
|
|
|
|
query.Set("uploadId", "some-id")
|
|
|
|
query.Set("partNumber", "1")
|
|
|
|
r.URL.RawQuery = query.Encode()
|
|
|
|
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, "UploadPart", resp.Method)
|
|
|
|
}
|
|
|
|
|
2023-07-20 09:08:45 +00:00
|
|
|
func TestRouterListMultipartUploads(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
r := httptest.NewRequest(http.MethodGet, "/test-bucket", nil)
|
|
|
|
query := make(url.Values)
|
|
|
|
query.Set("uploads", "")
|
|
|
|
r.URL.RawQuery = query.Encode()
|
|
|
|
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, "ListMultipartUploads", resp.Method)
|
|
|
|
}
|
|
|
|
|
2023-07-19 14:18:55 +00:00
|
|
|
func TestRouterObjectWithSlashes(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
|
|
|
|
bktName, objName := "dkirillov", "/fix/object"
|
|
|
|
target := fmt.Sprintf("/%s/%s", bktName, objName)
|
|
|
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
r := httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, "PutObject", resp.Method)
|
|
|
|
require.Equal(t, objName, resp.ReqInfo.ObjectName)
|
|
|
|
}
|
|
|
|
|
2023-08-17 08:54:11 +00:00
|
|
|
func TestRouterObjectEscaping(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
|
|
|
|
bktName := "dkirillov"
|
|
|
|
|
|
|
|
for _, tc := range []struct {
|
|
|
|
name string
|
|
|
|
expectedObjName string
|
|
|
|
objName string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "simple",
|
|
|
|
expectedObjName: "object",
|
|
|
|
objName: "object",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "with slashes",
|
|
|
|
expectedObjName: "fix/object",
|
|
|
|
objName: "fix/object",
|
|
|
|
},
|
|
|
|
{
|
2023-10-27 14:56:51 +00:00
|
|
|
name: "with slash escaped",
|
|
|
|
expectedObjName: "/foo/bar",
|
|
|
|
objName: "/foo%2fbar",
|
2023-08-17 08:54:11 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "with percentage escaped",
|
|
|
|
expectedObjName: "fix/object%ac",
|
|
|
|
objName: "fix/object%25ac",
|
|
|
|
},
|
2023-10-27 14:56:51 +00:00
|
|
|
{
|
|
|
|
name: "with awful mint name",
|
|
|
|
expectedObjName: "äöüex ®©µÄÆÐÕæŒƕƩDž 01000000 0x40 \u0040 amȡȹɆple&0a!-_.*'()&$@=;:+,?<>.pdf",
|
|
|
|
objName: "%C3%A4%C3%B6%C3%BCex%20%C2%AE%C2%A9%C2%B5%C3%84%C3%86%C3%90%C3%95%C3%A6%C5%92%C6%95%C6%A9%C7%85%2001000000%200x40%20%40%20am%C8%A1%C8%B9%C9%86ple%260a%21-_.%2A%27%28%29%26%24%40%3D%3B%3A%2B%2C%3F%3C%3E.pdf",
|
|
|
|
},
|
2023-08-17 08:54:11 +00:00
|
|
|
} {
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
|
|
target := fmt.Sprintf("/%s/%s", bktName, tc.objName)
|
|
|
|
|
|
|
|
w := httptest.NewRecorder()
|
|
|
|
r := httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, "PutObject", resp.Method)
|
|
|
|
require.Equal(t, tc.expectedObjName, resp.ReqInfo.ObjectName)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-11-30 08:25:05 +00:00
|
|
|
func TestPolicyChecker(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
namespace := "custom-ns"
|
|
|
|
bktName, objName := "bucket", "object"
|
|
|
|
target := fmt.Sprintf("/%s/%s", bktName, objName)
|
|
|
|
|
|
|
|
ruleChain := &chain.Chain{
|
|
|
|
ID: "id",
|
|
|
|
Rules: []chain.Rule{{
|
|
|
|
Status: chain.AccessDenied,
|
|
|
|
Actions: chain.Actions{Names: []string{"*"}},
|
|
|
|
Resources: chain.Resources{Names: []string{bktName + "/*"}},
|
|
|
|
}},
|
2023-07-19 14:18:55 +00:00
|
|
|
}
|
2023-11-30 08:25:05 +00:00
|
|
|
|
2023-12-08 07:44:13 +00:00
|
|
|
_, _, err := chiRouter.policyChecker.MorphRuleChainStorage().AddMorphRuleChain(chain.S3, engine.NamespaceTarget(namespace), ruleChain)
|
2023-11-30 08:25:05 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// check we can access 'bucket' in default namespace
|
|
|
|
w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
|
|
|
|
|
|
|
|
// check we can access 'other-bucket' in custom namespace
|
|
|
|
w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/other-bucket/object", nil)
|
|
|
|
r.Header.Set(FrostfsNamespaceHeader, namespace)
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp = readResponse(t, w)
|
|
|
|
require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
|
|
|
|
|
|
|
|
// check we cannot access 'bucket' in custom namespace
|
|
|
|
w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
r.Header.Set(FrostfsNamespaceHeader, namespace)
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
assertAPIError(t, w, apiErrors.ErrAccessDenied)
|
2023-07-19 14:18:55 +00:00
|
|
|
}
|
|
|
|
|
2023-12-05 12:49:13 +00:00
|
|
|
func TestDefaultBehaviorPolicyChecker(t *testing.T) {
|
|
|
|
chiRouter := prepareRouter(t)
|
|
|
|
bktName, objName := "bucket", "object"
|
|
|
|
target := fmt.Sprintf("/%s/%s", bktName, objName)
|
|
|
|
|
|
|
|
// check we can access bucket if rules not found
|
|
|
|
w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
resp := readResponse(t, w)
|
|
|
|
require.Equal(t, s3middleware.PutObjectOperation, resp.Method)
|
|
|
|
|
|
|
|
// check we cannot access if rules not found when settings is enabled
|
|
|
|
chiRouter.middlewareSettings.denyByDefault = true
|
|
|
|
w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, target, nil)
|
|
|
|
chiRouter.ServeHTTP(w, r)
|
|
|
|
assertAPIError(t, w, apiErrors.ErrAccessDenied)
|
|
|
|
}
|
|
|
|
|
2023-07-19 14:18:55 +00:00
|
|
|
func readResponse(t *testing.T, w *httptest.ResponseRecorder) handlerResult {
|
|
|
|
var res handlerResult
|
|
|
|
|
|
|
|
resData, err := io.ReadAll(w.Result().Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
err = json.Unmarshal(resData, &res)
|
|
|
|
require.NoErrorf(t, err, "actual body: '%s'", string(resData))
|
|
|
|
return res
|
|
|
|
}
|
2023-11-30 08:25:05 +00:00
|
|
|
|
|
|
|
func assertAPIError(t *testing.T, w *httptest.ResponseRecorder, expectedErrorCode apiErrors.ErrorCode) {
|
|
|
|
actualErrorResponse := &s3middleware.ErrorResponse{}
|
|
|
|
err := xml.NewDecoder(w.Result().Body).Decode(actualErrorResponse)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
expectedError := apiErrors.GetAPIError(expectedErrorCode)
|
|
|
|
|
|
|
|
require.Equal(t, expectedError.HTTPStatusCode, w.Code)
|
|
|
|
require.Equal(t, expectedError.Code, actualErrorResponse.Code)
|
|
|
|
|
|
|
|
if expectedError.ErrCode != apiErrors.ErrInternalError {
|
|
|
|
require.Contains(t, actualErrorResponse.Message, expectedError.Description)
|
|
|
|
}
|
|
|
|
}
|