storj/testsuite/ui/uitest/edge.go
Kaloyan Raev 2c28a0e599 cmd/uplink: ability to opt-out from object key encryption
Option added to `uplink access setup` and `uplink access create`
commands to disable object key encryption.

Related to https://github.com/storj/storj/issues/5678

Change-Id: I4789a94143742ff4b232fd60decc029ad2883c2a
2023-03-20 13:56:15 +00:00

258 lines
7.4 KiB
Go

// Copyright (C) 2021 Storj Labs, Inc.
// See LICENSE for copying information.
package uitest
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/binary"
"encoding/pem"
"fmt"
"math/big"
"net"
"os"
"strconv"
"testing"
"time"
"github.com/go-rod/rod"
"github.com/spf13/pflag"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
"storj.io/common/sync2"
"storj.io/common/testcontext"
"storj.io/gateway-mt/pkg/auth"
"storj.io/gateway-mt/pkg/authclient"
"storj.io/gateway-mt/pkg/server"
"storj.io/gateway-mt/pkg/trustedip"
"storj.io/private/cfgstruct"
"storj.io/storj/cmd/uplink/cmd"
"storj.io/storj/private/testplanet"
"storj.io/storj/satellite"
)
// EdgePlanet contains defaults for testplanet with Edge.
type EdgePlanet struct {
*testplanet.Planet
Gateway struct {
AccessKey string
SecretKey string
Addr string
}
Auth struct {
Addr string
}
}
// EdgeTest defines common args for edge testing.
type EdgeTest func(t *testing.T, ctx *testcontext.Context, planet *EdgePlanet, browser *rod.Browser)
// Edge starts a testplanet together with auth service and gateway.
func Edge(t *testing.T, test EdgeTest) {
edgehost := os.Getenv("STORJ_TEST_EDGE_HOST")
if edgehost == "" {
edgehost = "127.0.0.1"
}
// TODO: make address not hardcoded the address selection here may
// conflict with some automatically bound address.
startPort := randomRange(20000, 40000)
authSvcAddr := net.JoinHostPort(edgehost, strconv.Itoa(startPort))
authSvcAddrTLS := net.JoinHostPort(edgehost, strconv.Itoa(startPort+1))
authSvcDrpcAddrTLS := net.JoinHostPort(edgehost, strconv.Itoa(startPort+2))
testplanet.Run(t, testplanet.Config{
SatelliteCount: 1, StorageNodeCount: 4, UplinkCount: 1,
Reconfigure: testplanet.Reconfigure{
Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
configureSatellite(log, index, config)
// TODO: this should be dynamically set from the auth service
config.Console.GatewayCredentialsRequestURL = "http://" + authSvcAddr
},
},
NonParallel: true, // Note, do not remove this, because the code above uses same auth service addr.
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
access := planet.Uplinks[0].Access[planet.Satellites[0].ID()]
gwConfig := server.Config{}
cfgstruct.Bind(&pflag.FlagSet{}, &gwConfig, cfgstruct.UseTestDefaults())
gwConfig.Server.Address = "127.0.0.1:0"
gwConfig.Auth.BaseURL = "http://" + authSvcAddr
gwConfig.Auth.Token = "super-secret"
gwConfig.Auth.Timeout = 5 * time.Minute
gwConfig.InsecureLogAll = true
authClient := authclient.New(gwConfig.Auth)
gateway, err := server.New(gwConfig, planet.Log().Named("gateway"),
trustedip.NewListTrustAll(), []string{}, authClient, 16)
require.NoError(t, err)
defer ctx.Check(gateway.Close)
certFile, keyFile, _, _ := createSelfSignedCertificateFile(t, edgehost)
authConfig := auth.Config{
Endpoint: "http://" + gateway.Address(),
AuthToken: []string{"super-secret"},
KVBackend: "memory://",
ListenAddr: authSvcAddr,
ListenAddrTLS: authSvcAddrTLS,
DRPCListenAddr: net.JoinHostPort(edgehost, "0"),
DRPCListenAddrTLS: authSvcDrpcAddrTLS,
CertFile: certFile.Name(),
KeyFile: keyFile.Name(),
}
for _, sat := range planet.Satellites {
authConfig.AllowedSatellites = append(authConfig.AllowedSatellites, sat.NodeURL().String())
}
authPeer, err := auth.New(ctx, planet.Log().Named("auth"), authConfig, ctx.Dir("authservice"))
require.NoError(t, err)
defer ctx.Check(authPeer.Close)
ctx.Go(func() error { return authPeer.Run(ctx) })
require.NoError(t, waitForAddress(ctx, authSvcAddrTLS, 3*time.Second))
require.NoError(t, waitForAddress(ctx, authSvcDrpcAddrTLS, 3*time.Second))
ctx.Go(func() error {
return gateway.Run(ctx)
})
require.NoError(t, waitForAddress(ctx, gateway.Address(), 3*time.Second))
edgeCredentials, err := cmd.RegisterAccess(ctx, access, authSvcDrpcAddrTLS, false, certFile.Name())
require.NoError(t, err)
edge := &EdgePlanet{}
edge.Planet = planet
edge.Gateway.AccessKey = edgeCredentials.AccessKeyID
edge.Gateway.SecretKey = edgeCredentials.SecretKey
edge.Gateway.Addr = edgeCredentials.Endpoint
edge.Auth.Addr = authSvcAddr
Browser(t, ctx, planet, func(browser *rod.Browser) {
test(t, ctx, edge, browser)
})
})
}
func createSelfSignedCertificateFile(t *testing.T, hostname string) (certFile *os.File, keyFile *os.File, certificatePEM []byte, privateKeyPEM []byte) {
certificatePEM, privateKeyPEM = createSelfSignedCertificate(t, hostname)
certFile, err := os.CreateTemp(os.TempDir(), "*-cert.pem")
require.NoError(t, err)
_, err = certFile.Write(certificatePEM)
require.NoError(t, err)
keyFile, err = os.CreateTemp(os.TempDir(), "*-key.pem")
require.NoError(t, err)
_, err = keyFile.Write(privateKeyPEM)
require.NoError(t, err)
return certFile, keyFile, certificatePEM, privateKeyPEM
}
func createSelfSignedCertificate(t *testing.T, hostname string) (certificatePEM []byte, privateKeyPEM []byte) {
notAfter := time.Now().Add(1 * time.Minute)
var ips []net.IP
ip := net.ParseIP(hostname)
if ip != nil {
ips = []net.IP{ip}
}
// first create a server certificate
template := x509.Certificate{
Subject: pkix.Name{
CommonName: hostname,
},
DNSNames: []string{hostname},
IPAddresses: ips,
SerialNumber: big.NewInt(1337),
BasicConstraintsValid: false,
IsCA: true,
NotAfter: notAfter,
}
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
require.NoError(t, err)
certificateDERBytes, err := x509.CreateCertificate(
rand.Reader,
&template,
&template,
&privateKey.PublicKey,
privateKey,
)
require.NoError(t, err)
certificatePEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificateDERBytes})
privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
require.NoError(t, err)
privateKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
return certificatePEM, privateKeyPEM
}
func randomRange(low, high int) int {
// this generates biased crypt random numbers
// but it uses crypt/rand to avoid potentially
// someone seeding math/rand.
span := high - low
return low + int(randomUint64()&0x7FFF_FFFF)%span
}
func randomUint64() uint64 {
var value [8]byte
if _, err := rand.Read(value[:]); err != nil {
panic(err)
}
return binary.LittleEndian.Uint64(value[:])
}
// waitForAddress will monitor starting when we are able to start the process.
func waitForAddress(ctx context.Context, address string, maxStartupWait time.Duration) error {
defer mon.Task()(&ctx)(nil)
start := time.Now()
for time.Since(start) < maxStartupWait {
if tryConnect(ctx, address) {
return ctx.Err()
}
// wait a bit before retrying to reduce load
if !sync2.Sleep(ctx, 50*time.Millisecond) {
return ctx.Err()
}
}
return fmt.Errorf("did not start in required time %v", maxStartupWait)
}
// tryConnect will try to connect to the process public address.
func tryConnect(ctx context.Context, address string) bool {
defer mon.Task()(&ctx)(nil)
dialer := net.Dialer{}
conn, err := dialer.DialContext(ctx, "tcp", address)
if err != nil {
return false
}
// write empty byte slice to trigger refresh on connection
_, _ = conn.Write([]byte{})
// ignoring errors, because we only care about being able to connect
_ = conn.Close()
return true
}