Introduce auth tests for the filestore

ydb-platform · Sep 24, 2024 · c2ed87b · c2ed87b
1 parent 13fa366
commit c2ed87b
Show file tree

Hide file tree

Showing 7 changed files with 222 additions and 0 deletions.
diff --git a/cloud/filestore/tests/auth/lib/__init__.py b/cloud/filestore/tests/auth/lib/__init__.py
@@ -0,0 +1,36 @@
+import os
+
+import yatest.common as common
+
+from cloud.filestore.tests.python.lib.client import NfsCliClient
+from cloud.storage.core.tools.testing.access_service.lib import AccessService
+from cloud.storage.core.tools.testing.access_service_new.lib import NewAccessService
+
+
+class TestFixture:
+    def __init__(self):
+        self.port = os.getenv("NFS_SERVER_PORT")
+        self.binary_path = common.binary_path("cloud/filestore/apps/client/filestore-client")
+        self.folder_id = os.getenv("TEST_FOLDER_ID")
+        access_service_port = os.getenv("ACCESS_SERVICE_PORT")
+        access_service_control_port = os.getenv("ACCESS_SERVICE_CONTROL_PORT")
+        self.access_service = AccessService(
+            "localhost",
+            access_service_port,
+            access_service_control_port,
+        )
+        if os.getenv("ACCESS_SERVICE_TYPE") == "new":
+            self.access_service = NewAccessService(
+                "localhost",
+                int(access_service_port),
+                int(access_service_control_port),
+            )
+
+    def get_client(self, auth_token):
+        client = NfsCliClient(
+            self.binary_path,
+            self.port,
+            cwd=common.output_path(),
+            auth_token=auth_token,
+        )
+        return client
diff --git a/cloud/filestore/tests/auth/lib/ya.make b/cloud/filestore/tests/auth/lib/ya.make
@@ -0,0 +1,13 @@
+PY3_LIBRARY()
+
+PEERDIR(
+    cloud/filestore/tests/python/lib
+    cloud/storage/core/tools/testing/access_service/lib
+    cloud/storage/core/tools/testing/access_service_new/lib
+)
+
+PY_SRCS(
+    __init__.py
+)
+
+END()
diff --git a/cloud/filestore/tests/auth/new/test.py b/cloud/filestore/tests/auth/new/test.py
@@ -0,0 +1,79 @@
+from cloud.filestore.tests.auth.lib import TestFixture
+
+
+def test_new_auth_authorization_ok():
+    fixture = TestFixture()
+    token = "test_auth_token"
+    client = fixture.get_client(token)
+    fixture.access_service.create_account(
+        "authorized_user_1",
+        token,
+        is_unknown_subject=False,
+        permissions=[
+            {"permission": "filestore.internal.disks.create", "resource": fixture.folder_id},
+        ],
+    )
+    result = client.create(
+        "test_new_auth_authorization_ok",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode == 0
+
+
+def test_new_auth_unauthorized():
+    fixture = TestFixture()
+    token = "test_auth_token"
+    client = fixture.get_client(token)
+    fixture.access_service.create_account(
+        "test_user",
+        token,
+        is_unknown_subject=False,
+        permissions=[
+            {"permission": "filestore.internal.disks.create", "resource": "some_other_folder"},
+        ],
+    )
+    result = client.create(
+        "test_new_auth_unauthorized",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode != 0
+    assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_new_auth_unauthenticated():
+    fixture = TestFixture()
+    client = fixture.get_client("some_other_token")
+    result = client.create(
+        "test_new_auth_unauthenticated_fs",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode != 0
+    assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_new_auth_unknown_subject():
+    fixture = TestFixture()
+    token = "test_token"
+    client = fixture.get_client(token)
+    fixture.access_service.create_account(
+        "test_user",
+        token,
+        is_unknown_subject=True,
+        permissions=[
+            {"permission": "filestore.internal.disks.create", "resource": fixture.folder_id},
+        ],
+    )
+    result = client.create(
+        "test_new_auth_unknown_subject_fs",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode != 0
+    assert "E_UNAUTHORIZED" in result.stdout
diff --git a/cloud/filestore/tests/auth/new/ya.make b/cloud/filestore/tests/auth/new/ya.make
@@ -0,0 +1,28 @@
+PY3TEST()
+
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/medium.inc)
+
+TEST_SRCS(
+    test.py
+)
+
+
+DEPENDS(
+    cloud/filestore/apps/client
+    cloud/storage/core/tools/testing/access_service_new/mock
+)
+
+DATA(
+    arcadia/cloud/filestore/tests/certs/server.crt
+    arcadia/cloud/filestore/tests/certs/server.key
+)
+
+PEERDIR(
+    cloud/filestore/tests/auth/lib
+    cloud/filestore/tests/python/lib
+)
+
+INCLUDE(${ARCADIA_ROOT}/cloud/storage/core/tests/recipes/access-service.inc)
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/service-kikimr.inc)
+
+END()
diff --git a/cloud/filestore/tests/auth/old/test.py b/cloud/filestore/tests/auth/old/test.py
@@ -0,0 +1,30 @@
+from cloud.filestore.tests.auth.lib import TestFixture
+
+
+def test_auth_unauthorized():
+    fixture = TestFixture()
+    token = "test_auth_token"
+    client = fixture.get_client(token)
+    fixture.access_service.authenticate(token)
+    result = client.create(
+        "test_auth_unauthorized_fs",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode != 0
+    assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_auth_wrong_token():
+    fixture = TestFixture()
+    fixture.access_service.authorize("test_auth_token")
+    client = fixture.get_client("other_auth_token")
+    result = client.create(
+        "test_auth_unauthorized_fs",
+        "some_cloud",
+        fixture.folder_id,
+        return_stdout=False,
+    )
+    assert result.returncode != 0
+    assert "E_UNAUTHORIZED" in result.stdout
diff --git a/cloud/filestore/tests/auth/old/ya.make b/cloud/filestore/tests/auth/old/ya.make
@@ -0,0 +1,28 @@
+PY3TEST()
+
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/medium.inc)
+
+TEST_SRCS(
+    test.py
+)
+
+
+DEPENDS(
+    cloud/filestore/apps/client
+    cloud/storage/core/tools/testing/access_service/mock
+)
+
+DATA(
+    arcadia/cloud/filestore/tests/certs/server.crt
+    arcadia/cloud/filestore/tests/certs/server.key
+)
+
+PEERDIR(
+    cloud/filestore/tests/auth/lib
+    cloud/filestore/tests/python/lib
+)
+
+INCLUDE(${ARCADIA_ROOT}/cloud/storage/core/tests/recipes/access-service.inc)
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/service-kikimr.inc)
+
+END()
diff --git a/cloud/filestore/tests/auth/ya.make b/cloud/filestore/tests/auth/ya.make
@@ -0,0 +1,8 @@
+RECURSE(
+    lib
+)
+
+RECURSE_FOR_TESTS(
+    new
+    old
+)