Skip to content

Commit

Permalink
session_token: Add negative tests #579
Browse files Browse the repository at this point in the history
Added negative tests that verify that the container can be removed or set
container EACL only by trusted party proved by the container owner via
session token.

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
  • Loading branch information
vvarg229 committed Aug 1, 2023
1 parent 9ef2370 commit 9b40c79
Show file tree
Hide file tree
Showing 3 changed files with 168 additions and 0 deletions.
1 change: 1 addition & 0 deletions pytest_tests/helpers/grpc_responses.py
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
INVALID_LENGTH_SPECIFIER = "invalid '{range}' range length specifier"

NOT_CONTAINER_OWNER = "provided account differs with the container owner"
NOT_SESSION_CONTAINER_OWNER = "session issuer differs with the container owner"
TIMED_OUT = "timed out after \\d+ seconds"

def error_matches_status(error: Exception, status_pattern: str) -> bool:
Expand Down
8 changes: 8 additions & 0 deletions pytest_tests/testsuites/session_token/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,11 @@ def stranger_wallet(wallet_factory: WalletFactory) -> WalletFile:
Returns stranger wallet which should fail to obtain data
"""
return wallet_factory.create_wallet()


@pytest.fixture(scope="module")
def scammer_wallet(wallet_factory: WalletFactory) -> WalletFile:
"""
Returns stranger wallet which should fail to obtain data
"""
return wallet_factory.create_wallet()
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
import logging

import allure
import pytest
from file_helper import generate_file
from grpc_responses import TIMED_OUT, NOT_SESSION_CONTAINER_OWNER
from neofs_testlib.shell import Shell
from python_keywords.acl import (
EACLAccess,
Expand Down Expand Up @@ -38,6 +41,15 @@ def static_sessions(
"""
Returns dict with static session token file paths for all verbs with default lifetime
"""
return self.static_session_token(owner_wallet, user_wallet, client_shell, temp_directory)

def static_session_token(
self,
owner_wallet: WalletFile,
user_wallet: WalletFile,
client_shell: Shell,
temp_directory: str,
) -> dict[ContainerVerb, str]:
return {
verb: get_container_signed_token(
owner_wallet, user_wallet, verb, client_shell, temp_directory
Expand Down Expand Up @@ -142,6 +154,95 @@ def test_static_session_token_container_delete(
owner_wallet.path, shell=self.shell, endpoint=self.cluster.default_rpc_endpoint
)

@allure.title("Not owner and not trusted party can NOT delete container")
def test_static_session_token_container_delete_only_trusted_party_proved_by_the_container_owner(
self,
owner_wallet: WalletFile,
user_wallet: WalletFile,
stranger_wallet: WalletFile,
scammer_wallet: WalletFile,
static_sessions: dict[ContainerVerb, str],
temp_directory: str,
not_owner_wallet,
):
with allure.step("Create container"):
cid = create_container(
owner_wallet.path,
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
)

user_token = self.static_session_token(owner_wallet, user_wallet, self.shell, temp_directory)
stranger_token = self.static_session_token(user_wallet, stranger_wallet, self.shell, temp_directory)

with allure.step("Try to delete container using stranger token"):
with pytest.raises(RuntimeError):
delete_container(
wallet=user_wallet.path,
cid=cid,
session_token=stranger_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
)

with allure.step("Try to force delete container using stranger token"):
with pytest.raises(Exception, match=TIMED_OUT):
delete_container(
wallet=user_wallet.path,
cid=cid,
session_token=stranger_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
force=True,
)

with allure.step("Try to delete container using scammer token"):
with pytest.raises(Exception, match=TIMED_OUT):
delete_container(
wallet=scammer_wallet.path,
cid=cid,
session_token=user_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
)

with pytest.raises(RuntimeError, match=NOT_SESSION_CONTAINER_OWNER):
delete_container(
wallet=scammer_wallet.path,
cid=cid,
session_token=stranger_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
)

with allure.step("Try to force delete container using scammer token"):
with pytest.raises(Exception, match=TIMED_OUT):
delete_container(
wallet=scammer_wallet.path,
cid=cid,
session_token=user_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
force=True,
)

with pytest.raises(Exception, match=TIMED_OUT):
delete_container(
wallet=scammer_wallet.path,
cid=cid,
session_token=stranger_token[ContainerVerb.DELETE],
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
await_mode=True,
force=True,
)


def test_static_session_token_container_set_eacl(
self,
owner_wallet: WalletFile,
Expand Down Expand Up @@ -179,3 +280,61 @@ def test_static_session_token_container_set_eacl(
wait_for_cache_expired()

assert not can_put_object(stranger_wallet.path, cid, file_path, self.shell, self.cluster)

@allure.title("Not owner and not trusted party can NOT set eacl")
def test_static_session_token_container_set_eacl_only_trusted_party_proved_by_the_container_owner(
self,
owner_wallet: WalletFile,
user_wallet: WalletFile,
stranger_wallet: WalletFile,
scammer_wallet: WalletFile,
static_sessions: dict[ContainerVerb, str],
temp_directory: str,
not_owner_wallet,
):
with allure.step("Create container"):
cid = create_container(
owner_wallet.path,
basic_acl=PUBLIC_ACL,
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
)

user_token = self.static_session_token(owner_wallet, user_wallet, self.shell, temp_directory)
stranger_token = self.static_session_token(user_wallet, stranger_wallet, self.shell, temp_directory)

new_eacl = [
EACLRule(access=EACLAccess.DENY, role=EACLRole.OTHERS, operation=op)
for op in EACLOperation
]

with allure.step(f"Try to deny all operations for other via eACL"):
with pytest.raises(Exception, match=TIMED_OUT):
set_eacl(
user_wallet.path,
cid,
create_eacl(cid, new_eacl, shell=self.shell),
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
session_token=stranger_token[ContainerVerb.SETEACL],
)

with allure.step(f"Try to deny all operations for other via eACL using scammer token"):
with pytest.raises(Exception, match=TIMED_OUT):
set_eacl(
scammer_wallet.path,
cid,
create_eacl(cid, new_eacl, shell=self.shell),
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
session_token=user_token[ContainerVerb.SETEACL],
)
with pytest.raises(Exception, match=TIMED_OUT):
set_eacl(
scammer_wallet.path,
cid,
create_eacl(cid, new_eacl, shell=self.shell),
shell=self.shell,
endpoint=self.cluster.default_rpc_endpoint,
session_token=stranger_token[ContainerVerb.SETEACL],
)

0 comments on commit 9b40c79

Please sign in to comment.