acl, container: Add negative tests #579

Added two negative tests that verify that the container cannot be removed or set container EACL by anyone other than the owner (creator). Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
nspcc-dev · Jul 31, 2023 · 9ef2370 · 9ef2370
1 parent 8dad683
commit 9ef2370
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 26 deletions.
diff --git a/pytest_tests/helpers/grpc_responses.py b/pytest_tests/helpers/grpc_responses.py
@@ -26,6 +26,8 @@
 INVALID_OFFSET_SPECIFIER = "invalid '{range}' range offset specifier"
 INVALID_LENGTH_SPECIFIER = "invalid '{range}' range length specifier"
 
+NOT_CONTAINER_OWNER = "provided account differs with the container owner"
+TIMED_OUT = "timed out after \\d+ seconds"
 
 def error_matches_status(error: Exception, status_pattern: str) -> bool:
     """

diff --git a/pytest_tests/testsuites/acl/test_eacl.py b/pytest_tests/testsuites/acl/test_eacl.py
@@ -2,6 +2,7 @@
 import pytest
 from cluster_test_base import ClusterTestBase
 from failover_utils import wait_object_replication
+from grpc_responses import NOT_CONTAINER_OWNER
 from neofs_testlib.shell import Shell
 from python_keywords.acl import (
     EACLAccess,
@@ -679,3 +680,29 @@ def test_extended_actions_system(self, wallets, eacl_container_with_objects):
                     endpoint=endpoint,
                     wallet_config=storage_wallet.config_path,
                 )
+
+
+    @pytest.mark.skip(reason="https://github.com/nspcc-dev/neofs-node/issues/2436")
+    @allure.title("Not owner and not trusted party can NOT set eacl")
+    def test_only_owner_can_set_eacl(
+        self,
+        wallets,
+        eacl_full_placement_container_with_object,
+        not_owner_wallet
+    ):
+        cid, oid, file_path = eacl_full_placement_container_with_object
+
+        eacl = [
+            EACLRule(access=EACLAccess.DENY, role=EACLRole.USER, operation=op)
+            for op in EACLOperation
+        ]
+
+        with allure.step("Try to change EACL"):
+            with pytest.raises(RuntimeError, match=NOT_CONTAINER_OWNER):
+                set_eacl(
+                    wallet_path=not_owner_wallet,
+                    cid=cid,
+                    eacl_table_path=create_eacl(cid, eacl, shell=self.shell),
+                    shell=self.shell,
+                    endpoint=self.cluster.default_rpc_endpoint,
+                )
diff --git a/pytest_tests/testsuites/conftest.py b/pytest_tests/testsuites/conftest.py
@@ -9,6 +9,7 @@
 import allure
 import pytest
 import yaml
+from typing import Optional
 from binary_version_helper import get_local_binaries_versions, get_remote_binaries_versions
 from cluster import Cluster
 from common import (
@@ -304,33 +305,21 @@ def background_grpc_load(client_shell: Shell, hosting: Hosting):
                 k6_verify_instance.wait_until_finished(BACKGROUND_LOAD_MAX_TIME)
 
 
-@pytest.fixture(scope="session")
-@allure.title("Prepare wallet and deposit")
-def default_wallet(client_shell: Shell, temp_directory: str, cluster: Cluster):
-    wallet_path = os.path.join(os.getcwd(), ASSETS_DIR, f"{str(uuid.uuid4())}.json")
-    init_wallet(wallet_path, WALLET_PASS)
-    allure.attach.file(wallet_path, os.path.basename(wallet_path), allure.attachment_type.JSON)
-
-    if not FREE_STORAGE:
-        main_chain = cluster.main_chain_nodes[0]
-        deposit = 30
-        transfer_gas(
-            shell=client_shell,
-            amount=deposit + 1,
-            main_chain=main_chain,
-            wallet_to_path=wallet_path,
-            wallet_to_password=WALLET_PASS,
-        )
-        deposit_gas(
-            shell=client_shell,
-            main_chain=main_chain,
-            amount=deposit,
-            wallet_from_path=wallet_path,
-            wallet_from_password=WALLET_PASS,
-        )
+@pytest.fixture(scope="function")
+@allure.title("Prepare not owner wallet and deposit")
+def not_owner_wallet(client_shell: Shell, temp_directory: str, cluster: Cluster):
+    wallet_path = create_wallet(client_shell, temp_directory, cluster, 'not_owner_wallet')
+    try:
+        yield wallet_path
+    finally:
+        if os.path.exists(wallet_path):
+            os.remove(wallet_path)
 
-    return wallet_path
 
+@pytest.fixture(scope="session")
+@allure.title("Prepare default wallet and deposit")
+def default_wallet(client_shell: Shell, temp_directory: str, cluster: Cluster):
+    return create_wallet(client_shell, temp_directory, cluster)
 
 @allure.title("Check logs for OOM and PANIC entries in {logs_dir}")
 def check_logs(logs_dir: str):
@@ -387,4 +376,36 @@ def create_dir(dir_path: str) -> None:
 
 def remove_dir(dir_path: str) -> None:
     with allure.step("Remove directory"):
-        shutil.rmtree(dir_path, ignore_errors=True)
+        shutil.rmtree(dir_path, ignore_errors=True)
+
+
+@allure.title("Prepare wallet and deposit")
+def create_wallet(client_shell: Shell, temp_directory: str, cluster: Cluster, name: Optional[str] = None) -> str:
+    if name is None:
+        wallet_name = f'{str(uuid.uuid4())}.json'
+    else:
+        wallet_name = f'{name}.json'
+
+    wallet_path = os.path.join(os.getcwd(), ASSETS_DIR, wallet_name)
+    init_wallet(wallet_path, WALLET_PASS)
+    allure.attach.file(wallet_path, os.path.basename(wallet_path), allure.attachment_type.JSON)
+
+    if not FREE_STORAGE:
+        main_chain = cluster.main_chain_nodes[0]
+        deposit = 30
+        transfer_gas(
+            shell=client_shell,
+            amount=deposit + 1,
+            main_chain=main_chain,
+            wallet_to_path=wallet_path,
+            wallet_to_password=WALLET_PASS,
+        )
+        deposit_gas(
+            shell=client_shell,
+            main_chain=main_chain,
+            amount=deposit,
+            wallet_from_path=wallet_path,
+            wallet_from_password=WALLET_PASS,
+        )
+
+    return wallet_path
diff --git a/pytest_tests/testsuites/container/test_container.py b/pytest_tests/testsuites/container/test_container.py
@@ -3,6 +3,7 @@
 import allure
 import pytest
 from epoch import tick_epoch
+from grpc_responses import NOT_CONTAINER_OWNER, TIMED_OUT
 from python_keywords.container import (
     create_container,
     delete_container,
@@ -11,6 +12,7 @@
     wait_for_container_creation,
     wait_for_container_deletion,
 )
+from wallet import WalletFile
 from utility import placement_policy_from_container
 from wellknown_acl import PRIVATE_ACL_F
 
@@ -86,6 +88,35 @@ def test_container_creation(self, default_wallet, name):
                 wallet, cid, shell=self.shell, endpoint=self.cluster.default_rpc_endpoint
             )
 
+    @allure.title("Not owner and not trusted party can NOT delete container")
+    def test_only_owner_can_delete_container(self, not_owner_wallet, default_wallet):
+        cid = create_container(
+            wallet=default_wallet,
+            shell=self.shell,
+            endpoint=self.cluster.default_rpc_endpoint,
+        )
+
+        with allure.step("Try to delete container"):
+            with pytest.raises(RuntimeError, match=NOT_CONTAINER_OWNER):
+                delete_container(
+                    wallet=not_owner_wallet,
+                    cid=cid,
+                    shell=self.shell,
+                    endpoint=self.cluster.default_rpc_endpoint,
+                    await_mode=True,
+                )
+
+        with allure.step("Try to force delete container"):
+            with pytest.raises(Exception, match=TIMED_OUT):
+                delete_container(
+                    wallet=not_owner_wallet,
+                    cid=cid,
+                    shell=self.shell,
+                    endpoint=self.cluster.default_rpc_endpoint,
+                    await_mode=True,
+                    force=True,
+                )
+
     @allure.title("Parallel container creation and deletion")
     def test_container_creation_deletion_parallel(self, default_wallet):
         containers_count = 3