From c2ed87bd88574d855c08e6916ef8a3475eed3a23 Mon Sep 17 00:00:00 2001
From: Sergei
Date: Tue, 24 Sep 2024 17:01:06 +0000
Subject: [PATCH] Introduce auth tests for the filestore
---
 cloud/filestore/tests/auth/lib/__init__.py | 36 ++++++++++
 cloud/filestore/tests/auth/lib/ya.make | 13 ++++
 cloud/filestore/tests/auth/new/test.py | 79 ++++++++++++++++++++++
 cloud/filestore/tests/auth/new/ya.make | 28 ++++++++
 cloud/filestore/tests/auth/old/test.py | 30 ++++++++
 cloud/filestore/tests/auth/old/ya.make | 28 ++++++++
 cloud/filestore/tests/auth/ya.make | 8 +++
 7 files changed, 222 insertions(+)
 create mode 100644 cloud/filestore/tests/auth/lib/__init__.py
 create mode 100644 cloud/filestore/tests/auth/lib/ya.make
 create mode 100644 cloud/filestore/tests/auth/new/test.py
 create mode 100644 cloud/filestore/tests/auth/new/ya.make
 create mode 100644 cloud/filestore/tests/auth/old/test.py
 create mode 100644 cloud/filestore/tests/auth/old/ya.make
 create mode 100644 cloud/filestore/tests/auth/ya.make
diff --git a/cloud/filestore/tests/auth/lib/__init__.py b/cloud/filestore/tests/auth/lib/__init__.py
new file mode 100644
index 00000000000..84567bf427a
--- /dev/null
+++ b/cloud/filestore/tests/auth/lib/__init__.py
@@ -0,0 +1,36 @@
+import os
+
+import yatest.common as common
+
+from cloud.filestore.tests.python.lib.client import NfsCliClient
+from cloud.storage.core.tools.testing.access_service.lib import AccessService
+from cloud.storage.core.tools.testing.access_service_new.lib import NewAccessService
+
+
+class TestFixture:
+ def __init__(self):
+ self.port = os.getenv("NFS_SERVER_PORT")
+ self.binary_path = common.binary_path("cloud/filestore/apps/client/filestore-client")
+ self.folder_id = os.getenv("TEST_FOLDER_ID")
+ access_service_port = os.getenv("ACCESS_SERVICE_PORT")
+ access_service_control_port = os.getenv("ACCESS_SERVICE_CONTROL_PORT")
+ self.access_service = AccessService(
+ "localhost",
+ access_service_port,
+ access_service_control_port,
+ )
+ if os.getenv("ACCESS_SERVICE_TYPE") == "new":
+ self.access_service = NewAccessService(
+ "localhost",
+ int(access_service_port),
+ int(access_service_control_port),
+ )
+
+ def get_client(self, auth_token):
+ client = NfsCliClient(
+ self.binary_path,
+ self.port,
+ cwd=common.output_path(),
+ auth_token=auth_token,
+ )
+ return client
diff --git a/cloud/filestore/tests/auth/lib/ya.make b/cloud/filestore/tests/auth/lib/ya.make
new file mode 100644
index 00000000000..228b4ead99c
--- /dev/null
+++ b/cloud/filestore/tests/auth/lib/ya.make
@@ -0,0 +1,13 @@
+PY3_LIBRARY()
+
+PEERDIR(
+ cloud/filestore/tests/python/lib
+ cloud/storage/core/tools/testing/access_service/lib
+ cloud/storage/core/tools/testing/access_service_new/lib
+)
+
+PY_SRCS(
+ __init__.py
+)
+
+END()
diff --git a/cloud/filestore/tests/auth/new/test.py b/cloud/filestore/tests/auth/new/test.py
new file mode 100644
index 00000000000..95509b63358
--- /dev/null
+++ b/cloud/filestore/tests/auth/new/test.py
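Review bot: In cloud/filestore/tests/auth/lib/__init__.py, `TestFixture.__init__` reads `NFS_SERVER_PORT`, `ACCESS_SERVICE_PORT` and `ACCESS_SERVICE_CONTROL_PORT` with `os.getenv` and never checks the result, so a recipe that fails to export one of them shows up later as `int(None)` raising TypeError or as `None` passed on to `AccessService` / `NfsCliClient`, not as a clear setup error. Reading them as `access_service_port = os.environ["ACCESS_SERVICE_PORT"]` (and likewise for the other two) makes the fixture fail at once with the variable's name. The old `AccessService` is also built unconditionally and then replaced when `ACCESS_SERVICE_TYPE` is "new"; an `if`/`else` would construct only the one in use. Because the class name starts with `Test` and defines `__init__`, pytest will likely warn that it cannot collect it in every module that imports it; `__test__ = False` on the class avoids that.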
@@ -0,0 +1,79 @@
+from cloud.filestore.tests.auth.lib import TestFixture
+
+
+def test_new_auth_authorization_ok():
+ fixture = TestFixture()
+ token = "test_auth_token"
+ client = fixture.get_client(token)
+ fixture.access_service.create_account(
+ "authorized_user_1",
+ token,
+ is_unknown_subject=False,
+ permissions=[
+ {"permission": "filestore.internal.disks.create", "resource": fixture.folder_id},
+ ],
+ )
+ result = client.create(
+ "test_new_auth_authorization_ok",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode == 0
+
+
+def test_new_auth_unauthorized():
+ fixture = TestFixture()
+ token = "test_auth_token"
+ client = fixture.get_client(token)
+ fixture.access_service.create_account(
+ "test_user",
+ token,
+ is_unknown_subject=False,
+ permissions=[
+ {"permission": "filestore.internal.disks.create", "resource": "some_other_folder"},
+ ],
+ )
+ result = client.create(
+ "test_new_auth_unauthorized",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode != 0
+ assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_new_auth_unauthenticated():
+ fixture = TestFixture()
+ client = fixture.get_client("some_other_token")
+ result = client.create(
+ "test_new_auth_unauthenticated_fs",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode != 0
+ assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_new_auth_unknown_subject():
+ fixture = TestFixture()
+ token = "test_token"
+ client = fixture.get_client(token)
+ fixture.access_service.create_account(
+ "test_user",
+ token,
+ is_unknown_subject=True,
+ permissions=[
+ {"permission": "filestore.internal.disks.create", "resource": fixture.folder_id},
+ ],
+ )
+ result = client.create(
+ "test_new_auth_unknown_subject_fs",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode != 0
+ assert "E_UNAUTHORIZED" in result.stdout
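Review bot: `test_new_auth_authorization_ok` and `test_new_auth_unauthorized` in cloud/filestore/tests/auth/new/test.py register different accounts under the same token, `"test_auth_token"`, against what appears to be one mock access service shared by the whole suite. If the mock keeps accounts between tests, the result of `test_new_auth_unauthorized` depends on test order and on how the mock resolves a duplicate token rather than on the folder mismatch the test is meant to check. Giving each test its own token, e.g. `token = "test_new_auth_unauthorized_token"`, removes that coupling; `test_new_auth_unknown_subject` also reuses the account name `"test_user"` and would benefit from a distinct one. The three negative tests all assert the same `E_UNAUTHORIZED` string, so they cannot tell an unauthenticated request from an unauthorized one; if the service deliberately maps both to one code, a one-line comment saying so would make the intent explicit.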
diff --git a/cloud/filestore/tests/auth/new/ya.make b/cloud/filestore/tests/auth/new/ya.make
new file mode 100644
index 00000000000..ffd7d3f8b89
--- /dev/null
+++ b/cloud/filestore/tests/auth/new/ya.make
@@ -0,0 +1,28 @@
+PY3TEST()
+
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/medium.inc)
+
+TEST_SRCS(
+ test.py
+)
+
+
+DEPENDS(
+ cloud/filestore/apps/client
+ cloud/storage/core/tools/testing/access_service_new/mock
+)
+
+DATA(
+ arcadia/cloud/filestore/tests/certs/server.crt
+ arcadia/cloud/filestore/tests/certs/server.key
+)
+
+PEERDIR(
+ cloud/filestore/tests/auth/lib
+ cloud/filestore/tests/python/lib
+)
+
+INCLUDE(${ARCADIA_ROOT}/cloud/storage/core/tests/recipes/access-service.inc)
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/service-kikimr.inc)
+
+END()
diff --git a/cloud/filestore/tests/auth/old/test.py b/cloud/filestore/tests/auth/old/test.py
new file mode 100644
index 00000000000..29ed7740123
--- /dev/null
+++ b/cloud/filestore/tests/auth/old/test.py
@@ -0,0 +1,30 @@
+from cloud.filestore.tests.auth.lib import TestFixture
+
+
+def test_auth_unauthorized():
+ fixture = TestFixture()
+ token = "test_auth_token"
+ client = fixture.get_client(token)
+ fixture.access_service.authenticate(token)
+ result = client.create(
+ "test_auth_unauthorized_fs",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode != 0
+ assert "E_UNAUTHORIZED" in result.stdout
+
+
+def test_auth_wrong_token():
+ fixture = TestFixture()
+ fixture.access_service.authorize("test_auth_token")
+ client = fixture.get_client("other_auth_token")
+ result = client.create(
+ "test_auth_unauthorized_fs",
+ "some_cloud",
+ fixture.folder_id,
+ return_stdout=False,
+ )
+ assert result.returncode != 0
+ assert "E_UNAUTHORIZED" in result.stdout
diff --git a/cloud/filestore/tests/auth/old/ya.make b/cloud/filestore/tests/auth/old/ya.make
new file mode 100644
index 00000000000..acc71d7fa00
--- /dev/null
+++ b/cloud/filestore/tests/auth/old/ya.make
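Review bot: cloud/filestore/tests/auth/old/test.py holds only negative cases, so both tests still pass if the service rejects every request, for example when it cannot reach the access-service mock at all (assuming that also surfaces as `E_UNAUTHORIZED`). A positive case, like the one `test_new_auth_authorization_ok` provides for the new service, would show that the denials really come from the token check. The sketch below assumes the mock's `authorize(token)` alone is enough to let the request through; adjust it if `authenticate` must be called as well. Separately, `test_auth_wrong_token` reuses the filesystem name `"test_auth_unauthorized_fs"` from the test above it; `"test_auth_wrong_token_fs"` would keep the two apart in logs.

```python
def test_auth_authorized():
    fixture = TestFixture()
    token = "test_auth_authorized_token"
    client = fixture.get_client(token)
    fixture.access_service.authorize(token)
    result = client.create(
        "test_auth_authorized_fs",
        "some_cloud",
        fixture.folder_id,
        return_stdout=False,
    )
    assert result.returncode == 0
```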
@@ -0,0 +1,28 @@
+PY3TEST()
+
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/medium.inc)
+
+TEST_SRCS(
+ test.py
+)
+
+
+DEPENDS(
+ cloud/filestore/apps/client
+ cloud/storage/core/tools/testing/access_service/mock
+)
+
+DATA(
+ arcadia/cloud/filestore/tests/certs/server.crt
+ arcadia/cloud/filestore/tests/certs/server.key
+)
+
+PEERDIR(
+ cloud/filestore/tests/auth/lib
+ cloud/filestore/tests/python/lib
+)
+
+INCLUDE(${ARCADIA_ROOT}/cloud/storage/core/tests/recipes/access-service.inc)
+INCLUDE(${ARCADIA_ROOT}/cloud/filestore/tests/recipes/service-kikimr.inc)
+
+END()
diff --git a/cloud/filestore/tests/auth/ya.make b/cloud/filestore/tests/auth/ya.make
new file mode 100644
index 00000000000..66fe8153b84
--- /dev/null
+++ b/cloud/filestore/tests/auth/ya.make
@@ -0,0 +1,8 @@
+RECURSE(
+ lib
+)
+
+RECURSE_FOR_TESTS(
+ new
+ old
+)