satellite/console: add test for time based permission

Add test with NotBefore and NotAfter restricted permission to verify that we don't have an access to bucket Change-Id: I7ec98a5b02c0098ee7ec81034278398f4435f1cf
2021-05-12 13:21:15 +03:00 · 2021-05-12 13:21:15 +03:00 · 6ee2210297
commit 6ee2210297
parent ce075a1d53
2 changed files with 106 additions and 4 deletions
--- a/private/testplanet/uplink.go
+++ b/private/testplanet/uplink.go
@ -351,6 +351,22 @@ func (client *Uplink) ListBuckets(ctx context.Context, satellite *Satellite) ([]
 	return buckets, iter.Err()
 }

+// ListObjects returns a list of all objects in a bucket.
+func (client *Uplink) ListObjects(ctx context.Context, satellite *Satellite, bucketName string) ([]*uplink.Object, error) {
+	var objects = []*uplink.Object{}
+	project, err := client.GetProject(ctx, satellite)
+	if err != nil {
+		return objects, err
+	}
+	defer func() { err = errs.Combine(err, project.Close()) }()
+
+	iter := project.ListObjects(ctx, bucketName, &uplink.ListObjectsOptions{})
+	for iter.Next() {
+		objects = append(objects, iter.Item())
+	}
+	return objects, iter.Err()
+}
+
 // GetProject returns a uplink.Project which allows interactions with a specific project.
 func (client *Uplink) GetProject(ctx context.Context, satellite *Satellite) (*uplink.Project, error) {
 	access := client.Access[satellite.ID()]
--- a/satellite/console/consolewasm/permission_test.go
+++ b/satellite/console/consolewasm/permission_test.go
@ -4,13 +4,12 @@
 package consolewasm_test

 import (
+	"errors"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/require"

-	"storj.io/common/errs2"
-	"storj.io/common/rpc/rpcstatus"
 	"storj.io/common/testcontext"
 	"storj.io/storj/private/testplanet"
 	console "storj.io/storj/satellite/console/consolewasm"
@ -65,7 +64,7 @@ func TestSetPermissionWithBuckets(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, data, testdata)
 		err = uplinkPeer.Upload(ctx, satellitePeer, testbucket1, "file2", testdata)
-		require.True(t, errs2.IsRPC(err, rpcstatus.PermissionDenied))
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
 		_, err = uplinkPeer.Download(ctx, satellitePeer, testbucket2, testfilename)
 		require.Error(t, err)

@ -92,7 +91,7 @@ func TestSetPermissionWithBuckets(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, data, testdata)
 		err = uplinkPeer.Upload(ctx, satellitePeer, testbucket1, "file2", testdata)
-		require.True(t, errs2.IsRPC(err, rpcstatus.PermissionDenied))
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
 		_, err = uplinkPeer.Download(ctx, satellitePeer, testbucket2, testfilename)
 		require.Error(t, err)
 	})
@ -147,3 +146,90 @@ func TestSetPermissionUplinkOperations(t *testing.T) {
 		require.NoError(t, uplinkPeer.DeleteBucket(ctx, satellitePeer, testbucket1))
 	})
 }
+
+func TestSetTimePermissionWithBucket(t *testing.T) {
+	testplanet.Run(t, testplanet.Config{
+		SatelliteCount: 1, StorageNodeCount: 4, UplinkCount: 1,
+	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
+		satellitePeer := planet.Satellites[0]
+		satelliteNodeURL := satellitePeer.NodeURL().String()
+		uplinkPeer := planet.Uplinks[0]
+		APIKey := uplinkPeer.APIKey[satellitePeer.ID()]
+		apiKeyString := APIKey.Serialize()
+		projectID := uplinkPeer.Projects[0].ID.String()
+		require.Equal(t, 1, len(uplinkPeer.Projects))
+		passphrase := "supersecretpassphrase"
+
+		// Create an access grant with the uplink API key. With that access grant, create 1 bucket and upload an object.
+		uplinkAccess, err := uplinkPeer.Config.RequestAccessWithPassphrase(ctx, satelliteNodeURL, apiKeyString, passphrase)
+		require.NoError(t, err)
+		uplinkPeer.Access[satellitePeer.ID()] = uplinkAccess
+		testbucket := "buckettest"
+		testfilename := "file.txt"
+		testdata := []byte("fun data")
+		require.NoError(t, uplinkPeer.CreateBucket(ctx, satellitePeer, testbucket))
+		require.NoError(t, uplinkPeer.Upload(ctx, satellitePeer, testbucket, testfilename, testdata))
+
+		bucket := []string{testbucket}
+
+		// Create an access grant with restricted access by time
+		notAfterRestrictedPermission := console.Permission{
+			AllowDownload: true,
+			AllowUpload:   true,
+			AllowList:     true,
+			AllowDelete:   true,
+			NotAfter:      time.Now().Add(-2 * time.Hour),
+		}
+		restrictedAfterKey, err := console.SetPermission(apiKeyString, bucket, notAfterRestrictedPermission)
+		require.NoError(t, err)
+		restrictedAfterAccessGrant, err := console.GenAccessGrant(satelliteNodeURL, restrictedAfterKey.Serialize(), passphrase, projectID)
+		require.NoError(t, err)
+		restrictedAfterAccess, err := uplink.ParseAccess(restrictedAfterAccessGrant)
+		require.NoError(t, err)
+
+		uplinkPeer.APIKey[satellitePeer.ID()] = restrictedAfterKey
+		uplinkPeer.Access[satellitePeer.ID()] = restrictedAfterAccess
+
+		// Expect that we can't download or upload any data
+		err = uplinkPeer.Upload(ctx, satellitePeer, testbucket, testfilename, testdata)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.Download(ctx, satellitePeer, testbucket, testfilename)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.ListBuckets(ctx, satellitePeer)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.ListObjects(ctx, satellitePeer, testbucket)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		err = uplinkPeer.DeleteObject(ctx, satellitePeer, testbucket, testfilename)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+
+		notBeforeRestrictedPermission := console.Permission{
+			AllowDownload: true,
+			AllowUpload:   true,
+			AllowList:     true,
+			AllowDelete:   true,
+			NotBefore:     time.Now().Add(2 * time.Hour),
+		}
+		restrictedBeforeKey, err := console.SetPermission(apiKeyString, bucket, notBeforeRestrictedPermission)
+		require.NoError(t, err)
+		restrictedBeforeAccessGrant, err := console.GenAccessGrant(satelliteNodeURL, restrictedBeforeKey.Serialize(), passphrase, projectID)
+		require.NoError(t, err)
+		restrictedBeforeAccess, err := uplink.ParseAccess(restrictedBeforeAccessGrant)
+		require.NoError(t, err)
+
+		uplinkPeer.APIKey[satellitePeer.ID()] = restrictedBeforeKey
+		uplinkPeer.Access[satellitePeer.ID()] = restrictedBeforeAccess
+
+		// Expect that we can't download or upload any data
+		err = uplinkPeer.Upload(ctx, satellitePeer, testbucket, testfilename, testdata)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.Download(ctx, satellitePeer, testbucket, testfilename)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.ListBuckets(ctx, satellitePeer)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		_, err = uplinkPeer.ListObjects(ctx, satellitePeer, testbucket)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+		err = uplinkPeer.DeleteObject(ctx, satellitePeer, testbucket, testfilename)
+		require.True(t, errors.Is(err, uplink.ErrPermissionDenied))
+
+	})
+}