ydb-platform · SvartMetal · Sep 27, 2024 · Sep 2, 2024 · Sep 2, 2024 · Sep 3, 2024
diff --git a/cloud/blockstore/apps/client/lib/create_volume.cpp b/cloud/blockstore/apps/client/lib/create_volume.cpp
@@ -10,6 +10,7 @@
 #include <cloud/storage/core/libs/common/error.h>
 #include <cloud/storage/core/libs/diagnostics/logging.h>
 
+#include <library/cpp/json/json_writer.h>
 #include <library/cpp/protobuf/util/pb_io.h>
 
 namespace NCloud::NBlockStore::NClient {
@@ -47,6 +48,7 @@ class TCreateVolumeCommand final
 
     TString StoragePoolName;
     TVector<TString> AgentIds;
+    bool JsonOutput = false;
 
 public:
     TCreateVolumeCommand(IBlockStorePtr client)
@@ -116,6 +118,7 @@ class TCreateVolumeCommand final
                 "Allowed only for nonreplicated disks")
             .RequiredArgument("STR")
             .AppendTo(&AgentIds);
+        Opts.AddLongOption("json").StoreTrue(&JsonOutput);
     }
 
 protected:
@@ -179,6 +182,18 @@ class TCreateVolumeCommand final
             return true;
         }
 
+        if (JsonOutput){
+            // We don't use result.PrintJSON(), because TError.PrintJSON()
+            // writes only code, and it is more reliable to use formatted
+            // error in tests and scripts.
+            NJson::TJsonValue resultJson;
+            if (HasError(result)){
+                resultJson["Error"] = FormatErrorJson(result.GetError());
+            }
+            NJson::WriteJson(&output, &resultJson, false, true, true);
+            return !HasError(result);
+        }
+
         if (HasError(result)) {
             output << FormatError(result.GetError()) << Endl;
             return false;

diff --git a/cloud/blockstore/tests/loadtest/local-auth/test.py b/cloud/blockstore/tests/loadtest/local-auth/test.py
@@ -1,18 +1,26 @@
+import json
+import logging
+import subprocess
+
 import yatest.common as common
 
-from cloud.blockstore.config.client_pb2 import TClientConfig
+from pathlib import Path
+
+from google.protobuf.text_format import MessageToString
+
+from cloud.blockstore.config.client_pb2 import TClientAppConfig, TClientConfig
 from cloud.blockstore.config.server_pb2 import TServerAppConfig, TServerConfig, TKikimrServiceConfig
 from cloud.blockstore.config.storage_pb2 import TStorageServiceConfig
 from cloud.blockstore.tests.python.lib.loadtest_env import LocalLoadTest
 from cloud.blockstore.tests.python.lib.test_base import thread_count, run_test
 from cloud.storage.core.protos.authorization_mode_pb2 import EAuthorizationMode
+from cloud.storage.core.tools.testing.access_service.lib import AccessService
+from cloud.storage.core.tools.testing.access_service_new.lib import NewAccessService
 
 
-def test_load():
+def create_server_app_config():
     server = TServerAppConfig()
     server.ServerConfig.CopyFrom(TServerConfig())
-    server.ServerConfig.ThreadsCount = thread_count()
-    server.ServerConfig.StrictContractValidation = False
     server.ServerConfig.RootCertsFile = common.source_path(
         "cloud/blockstore/tests/certs/server.crt")
     cert = server.ServerConfig.Certs.add()
@@ -21,10 +29,21 @@ def test_load():
     cert.CertPrivateKeyFile = common.source_path(
         "cloud/blockstore/tests/certs/server.key")
     server.KikimrServiceConfig.CopyFrom(TKikimrServiceConfig())
+    return server
+
 
+def create_storage_service_config(folder_id="test_folder_id"):
     storage = TStorageServiceConfig()
     storage.AuthorizationMode = EAuthorizationMode.Value("AUTHORIZATION_REQUIRE")
-    storage.FolderId = "test_folder_id"
+    storage.FolderId = folder_id
+    return storage
+
+
+def test_load():
+    server = create_server_app_config()
+    server.ServerConfig.ThreadsCount = thread_count()
+
+    storage = create_storage_service_config("test_folder_id")
 
     env = LocalLoadTest(
         "",
@@ -58,3 +77,146 @@ def test_load():
         env.tear_down()
 
     return ret
+
+
+def create_client_config():
+    client = TClientAppConfig()
+    client.ClientConfig.CopyFrom(TClientConfig())
+    client.ClientConfig.RootCertsFile = common.source_path(
+        "cloud/blockstore/tests/certs/server.crt")
+    return client
+
+
+class TestFixture:
+    __binary_path = common.binary_path("cloud/blockstore/apps/client/blockstore-client")
+
+    def __init__(self, access_service_type=AccessService, folder_id="test_folder_id"):
+        server = create_server_app_config()
+        storage = create_storage_service_config(folder_id)
+        self.__local_load_test = LocalLoadTest(
+            "",
+            server_app_config=server,
+            enable_access_service=True,
+            storage_config_patches=[storage],
+            enable_tls=True,
+            use_in_memory_pdisks=True,
+            access_service_type=access_service_type,
+        )
+        self.__client_config_path = Path(common.output_path()) / "client-config.txt"
+        self.__client_config = create_client_config()
+        self.__client_config.ClientConfig.SecurePort = self.__local_load_test.nbs_secure_port
+        self.__client_config_path.write_text(MessageToString(self.__client_config))
+        self.folder_id = folder_id
+        self.__auth_token = None
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        self.__local_load_test.tear_down()
+
+    def run(self, *args, **kwargs):
+        args = [self.__binary_path, *args, "--config", str(self.__client_config_path)]
+
+        env = {}
+        if self.__auth_token is not None:
+            env['IAM_TOKEN'] = self.__auth_token
+        logging.info("running command: %s" % args)
+        result = subprocess.run(
+            args,
+            cwd=kwargs.get("cwd"),
+            check=False,
+            capture_output=True,
+            text=True,
+            env=env,
+        )
+        return result
+
+    def create_volume(self):
+        result = self.run("createvolume", "--disk-id", "vol0", "--blocks-count", "25000", "--json")
+        logging.info("Disk creation stdout: %s, stderr: %s", result.stdout, result.stderr)
+        return result
+
+    @property
+    def access_service(self):
+        return self.__local_load_test.access_service
+
+    def set_auth_token(self, token: str):
+        self.__auth_token = token
+
+
+def test_auth_unauthorized():
+    with TestFixture() as env:
+        token = "test_auth_token"
+        env.set_auth_token(token)
+        env.access_service.authenticate(token)
+        result = env.create_volume()
+        assert result.returncode != 0
+        assert json.loads(result.stdout)["Error"]["CodeString"] == "E_UNAUTHORIZED"
+
+
+def test_auth_empty_token():
+    with TestFixture() as env:
+        env.set_auth_token("")
+        env.access_service.authorize("test_auth_token")
+        result = env.create_volume()
+        assert result.returncode != 0
+        assert json.loads(result.stdout)["Error"]["CodeString"] == "E_UNAUTHORIZED"
+
+
+def test_new_auth_authorization_ok():
+    with TestFixture(NewAccessService) as env:
+        token = "test_auth_token"
+        env.set_auth_token(token)
+        env.access_service.create_account(
+            token,
+            token,
+            is_unknown_subject=False,
+            permissions=[
+                {"permission": "nbsInternal.disks.create", "resource": env.folder_id},
+            ],
+        )
+        result = env.create_volume()
+        assert result.returncode == 0
+
+
+def test_new_auth_unauthorized():
+    with TestFixture(NewAccessService) as env:
+        token = "test_auth_token"
+        env.set_auth_token(token)
+        env.access_service.create_account(
+            "test_user",
+            token,
+            is_unknown_subject=False,
+            permissions=[
+                {"permission": "nbsInternal.disks.create", "resource": "some_other_folder"},
+            ],
+        )
+        result = env.create_volume()
+        assert result.returncode != 0
+        assert json.loads(result.stdout)["Error"]["CodeString"] == "E_UNAUTHORIZED"
+
+
+def test_new_auth_unauthenticated():
+    with TestFixture(NewAccessService) as env:
+        env.set_auth_token("some_other_token")
+        result = env.create_volume()
+        assert result.returncode != 0
+        assert json.loads(result.stdout)["Error"]["CodeString"] == "E_UNAUTHORIZED"
+
+
+def test_new_auth_unknown_subject():
+    with TestFixture(NewAccessService) as env:
+        token = "test_token"
+        env.set_auth_token(token)
+        env.access_service.create_account(
+            "test_user",
+            token,
+            is_unknown_subject=True,
+            permissions=[
+                {"permission": "nbsInternal.disks.create", "resource": env.folder_id},
+            ],
+        )
+        result = env.create_volume()
+        assert result.returncode != 0
+        assert json.loads(result.stdout)["Error"]["CodeString"] == "E_UNAUTHORIZED"
diff --git a/cloud/blockstore/tests/loadtest/local-auth/ya.make b/cloud/blockstore/tests/loadtest/local-auth/ya.make
@@ -8,6 +8,7 @@ TEST_SRCS(
 
 DEPENDS(
     cloud/storage/core/tools/testing/access_service/mock
+    cloud/storage/core/tools/testing/access_service_new/mock
 )
 
 DATA(

diff --git a/cloud/blockstore/tests/python/lib/loadtest_env.py b/cloud/blockstore/tests/python/lib/loadtest_env.py
@@ -8,6 +8,7 @@
     setup_disk_registry_proxy_config, setup_disk_agent_config
 
 from cloud.blockstore.tests.python.lib.test_base import wait_for_nbs_server
+from cloud.storage.core.tools.testing.access_service.lib import AccessService
 
 from .nbs_runner import LocalNbs
 from .endpoint_proxy import EndpointProxy
@@ -51,6 +52,7 @@ def __init__(
             kikimr_binary_path=None,
             with_endpoint_proxy=False,
             with_netlink=False,
+            access_service_type=AccessService,
             load_configs_from_cms=True,
     ):
 
@@ -113,7 +115,9 @@ def __init__(
             load_configs_from_cms=load_configs_from_cms,
             features_config_patch=features_config_patch,
             grpc_trace=grpc_trace,
-            rack=rack)
+            rack=rack,
+            access_service_type=access_service_type,
+        )
 
         self.endpoint_proxy = None
         if with_endpoint_proxy:

diff --git a/cloud/blockstore/tests/python/lib/nbs_runner.py b/cloud/blockstore/tests/python/lib/nbs_runner.py
@@ -56,7 +56,9 @@ def __init__(
             rack="the_rack",
             use_ic_version_check=False,
             use_secure_registration=False,
-            grpc_ssl_port=None):
+            grpc_ssl_port=None,
+            access_service_type=AccessService,
+    ):
 
         if dynamic_storage_pools is not None:
             assert len(dynamic_storage_pools) >= 2
@@ -149,7 +151,8 @@ def __init__(
             host = "localhost"
             port = self.__port_manager.get_port()
             control_server_port = self.__port_manager.get_port()
-            self.__access_service = AccessService(host, port, control_server_port)
+            self._access_service_type = access_service_type
+            self.__access_service = self._access_service_type(host, port, control_server_port)
             self.__proto_configs["auth.txt"] = self.__generate_auth_txt(port)
 
         self.__load_configs_from_cms = load_configs_from_cms
@@ -410,6 +413,7 @@ def __generate_auth_txt(self, port):
         auth_config.UseBlackBox = False
         auth_config.UseStaff = False
         auth_config.AccessServiceEndpoint = "localhost:{}".format(port)
+        auth_config.AccessServiceType = self.__access_service.access_service_type
         return auth_config
 
     def __generate_dr_proxy_txt(self):

diff --git a/cloud/blockstore/tests/python/lib/ya.make b/cloud/blockstore/tests/python/lib/ya.make
@@ -8,6 +8,7 @@ PEERDIR(
 
     cloud/storage/core/tools/common/python
     cloud/storage/core/tools/testing/access_service/lib
+    cloud/storage/core/tools/testing/access_service_new/lib
     cloud/storage/core/tools/testing/qemu/lib
 
     contrib/ydb/core/protos

diff --git a/cloud/filestore/apps/client/lib/create.cpp b/cloud/filestore/apps/client/lib/create.cpp
@@ -2,6 +2,8 @@
 
 #include "performance_profile_params.h"
 
+#include "library/cpp/json/json_writer.h"
+
 #include <cloud/filestore/public/api/protos/fs.pb.h>
 
 #include <util/generic/size_literals.h>
@@ -86,6 +88,25 @@ class TCreateCommand final
                 std::move(callContext),
                 std::move(request)));
 
+        if (JsonOutput){
+            // We don't use result.PrintJSON(), because TError.PrintJSON()
+            // writes only code, and it is more reliable to use formatted
+            // error in tests and scripts.
+            NJson::TJsonValue resultJson;
+            if (HasError(response)){
+                resultJson["Error"] = FormatErrorJson(response.GetError());
+            }
+
+            NJson::WriteJson(&Cout, &resultJson, false, true, true);
+
+            if (HasError(response)){
+                ProgramShouldContinue.ShouldStop(1);
+                return false;
+            }
+
+            return true;
+        }
+
         if (HasError(response)) {
             ythrow TServiceError(response.GetError());
         }