2c28a0e599
Option added to `uplink access setup` and `uplink access create` commands to disable object key encryption. Related to https://github.com/storj/storj/issues/5678 Change-Id: I4789a94143742ff4b232fd60decc029ad2883c2a
258 lines
7.4 KiB
Go
258 lines
7.4 KiB
Go
// Copyright (C) 2021 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package uitest
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/binary"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"math/big"
|
|
"net"
|
|
"os"
|
|
"strconv"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/go-rod/rod"
|
|
"github.com/spf13/pflag"
|
|
"github.com/stretchr/testify/require"
|
|
"go.uber.org/zap"
|
|
|
|
"storj.io/common/sync2"
|
|
"storj.io/common/testcontext"
|
|
"storj.io/gateway-mt/pkg/auth"
|
|
"storj.io/gateway-mt/pkg/authclient"
|
|
"storj.io/gateway-mt/pkg/server"
|
|
"storj.io/gateway-mt/pkg/trustedip"
|
|
"storj.io/private/cfgstruct"
|
|
"storj.io/storj/cmd/uplink/cmd"
|
|
"storj.io/storj/private/testplanet"
|
|
"storj.io/storj/satellite"
|
|
)
|
|
|
|
// EdgePlanet contains defaults for testplanet with Edge.
|
|
type EdgePlanet struct {
|
|
*testplanet.Planet
|
|
|
|
Gateway struct {
|
|
AccessKey string
|
|
SecretKey string
|
|
|
|
Addr string
|
|
}
|
|
|
|
Auth struct {
|
|
Addr string
|
|
}
|
|
}
|
|
|
|
// EdgeTest defines common args for edge testing.
|
|
type EdgeTest func(t *testing.T, ctx *testcontext.Context, planet *EdgePlanet, browser *rod.Browser)
|
|
|
|
// Edge starts a testplanet together with auth service and gateway.
|
|
func Edge(t *testing.T, test EdgeTest) {
|
|
edgehost := os.Getenv("STORJ_TEST_EDGE_HOST")
|
|
if edgehost == "" {
|
|
edgehost = "127.0.0.1"
|
|
}
|
|
|
|
// TODO: make address not hardcoded the address selection here may
|
|
// conflict with some automatically bound address.
|
|
startPort := randomRange(20000, 40000)
|
|
authSvcAddr := net.JoinHostPort(edgehost, strconv.Itoa(startPort))
|
|
authSvcAddrTLS := net.JoinHostPort(edgehost, strconv.Itoa(startPort+1))
|
|
authSvcDrpcAddrTLS := net.JoinHostPort(edgehost, strconv.Itoa(startPort+2))
|
|
|
|
testplanet.Run(t, testplanet.Config{
|
|
SatelliteCount: 1, StorageNodeCount: 4, UplinkCount: 1,
|
|
Reconfigure: testplanet.Reconfigure{
|
|
Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
|
|
configureSatellite(log, index, config)
|
|
// TODO: this should be dynamically set from the auth service
|
|
config.Console.GatewayCredentialsRequestURL = "http://" + authSvcAddr
|
|
},
|
|
},
|
|
NonParallel: true, // Note, do not remove this, because the code above uses same auth service addr.
|
|
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
|
|
access := planet.Uplinks[0].Access[planet.Satellites[0].ID()]
|
|
|
|
gwConfig := server.Config{}
|
|
cfgstruct.Bind(&pflag.FlagSet{}, &gwConfig, cfgstruct.UseTestDefaults())
|
|
gwConfig.Server.Address = "127.0.0.1:0"
|
|
gwConfig.Auth.BaseURL = "http://" + authSvcAddr
|
|
gwConfig.Auth.Token = "super-secret"
|
|
gwConfig.Auth.Timeout = 5 * time.Minute
|
|
gwConfig.InsecureLogAll = true
|
|
|
|
authClient := authclient.New(gwConfig.Auth)
|
|
|
|
gateway, err := server.New(gwConfig, planet.Log().Named("gateway"),
|
|
trustedip.NewListTrustAll(), []string{}, authClient, 16)
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(gateway.Close)
|
|
|
|
certFile, keyFile, _, _ := createSelfSignedCertificateFile(t, edgehost)
|
|
|
|
authConfig := auth.Config{
|
|
Endpoint: "http://" + gateway.Address(),
|
|
AuthToken: []string{"super-secret"},
|
|
KVBackend: "memory://",
|
|
ListenAddr: authSvcAddr,
|
|
ListenAddrTLS: authSvcAddrTLS,
|
|
DRPCListenAddr: net.JoinHostPort(edgehost, "0"),
|
|
DRPCListenAddrTLS: authSvcDrpcAddrTLS,
|
|
CertFile: certFile.Name(),
|
|
KeyFile: keyFile.Name(),
|
|
}
|
|
for _, sat := range planet.Satellites {
|
|
authConfig.AllowedSatellites = append(authConfig.AllowedSatellites, sat.NodeURL().String())
|
|
}
|
|
|
|
authPeer, err := auth.New(ctx, planet.Log().Named("auth"), authConfig, ctx.Dir("authservice"))
|
|
require.NoError(t, err)
|
|
|
|
defer ctx.Check(authPeer.Close)
|
|
ctx.Go(func() error { return authPeer.Run(ctx) })
|
|
require.NoError(t, waitForAddress(ctx, authSvcAddrTLS, 3*time.Second))
|
|
require.NoError(t, waitForAddress(ctx, authSvcDrpcAddrTLS, 3*time.Second))
|
|
|
|
ctx.Go(func() error {
|
|
return gateway.Run(ctx)
|
|
})
|
|
require.NoError(t, waitForAddress(ctx, gateway.Address(), 3*time.Second))
|
|
|
|
edgeCredentials, err := cmd.RegisterAccess(ctx, access, authSvcDrpcAddrTLS, false, certFile.Name())
|
|
require.NoError(t, err)
|
|
|
|
edge := &EdgePlanet{}
|
|
edge.Planet = planet
|
|
edge.Gateway.AccessKey = edgeCredentials.AccessKeyID
|
|
edge.Gateway.SecretKey = edgeCredentials.SecretKey
|
|
edge.Gateway.Addr = edgeCredentials.Endpoint
|
|
edge.Auth.Addr = authSvcAddr
|
|
|
|
Browser(t, ctx, planet, func(browser *rod.Browser) {
|
|
test(t, ctx, edge, browser)
|
|
})
|
|
})
|
|
}
|
|
|
|
func createSelfSignedCertificateFile(t *testing.T, hostname string) (certFile *os.File, keyFile *os.File, certificatePEM []byte, privateKeyPEM []byte) {
|
|
certificatePEM, privateKeyPEM = createSelfSignedCertificate(t, hostname)
|
|
|
|
certFile, err := os.CreateTemp(os.TempDir(), "*-cert.pem")
|
|
require.NoError(t, err)
|
|
_, err = certFile.Write(certificatePEM)
|
|
require.NoError(t, err)
|
|
|
|
keyFile, err = os.CreateTemp(os.TempDir(), "*-key.pem")
|
|
require.NoError(t, err)
|
|
_, err = keyFile.Write(privateKeyPEM)
|
|
require.NoError(t, err)
|
|
|
|
return certFile, keyFile, certificatePEM, privateKeyPEM
|
|
}
|
|
|
|
func createSelfSignedCertificate(t *testing.T, hostname string) (certificatePEM []byte, privateKeyPEM []byte) {
|
|
notAfter := time.Now().Add(1 * time.Minute)
|
|
|
|
var ips []net.IP
|
|
ip := net.ParseIP(hostname)
|
|
if ip != nil {
|
|
ips = []net.IP{ip}
|
|
}
|
|
|
|
// first create a server certificate
|
|
template := x509.Certificate{
|
|
Subject: pkix.Name{
|
|
CommonName: hostname,
|
|
},
|
|
DNSNames: []string{hostname},
|
|
IPAddresses: ips,
|
|
SerialNumber: big.NewInt(1337),
|
|
BasicConstraintsValid: false,
|
|
IsCA: true,
|
|
NotAfter: notAfter,
|
|
}
|
|
|
|
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
require.NoError(t, err)
|
|
|
|
certificateDERBytes, err := x509.CreateCertificate(
|
|
rand.Reader,
|
|
&template,
|
|
&template,
|
|
&privateKey.PublicKey,
|
|
privateKey,
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
certificatePEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificateDERBytes})
|
|
|
|
privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
|
|
require.NoError(t, err)
|
|
privateKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
|
|
|
|
return certificatePEM, privateKeyPEM
|
|
}
|
|
|
|
func randomRange(low, high int) int {
|
|
// this generates biased crypt random numbers
|
|
// but it uses crypt/rand to avoid potentially
|
|
// someone seeding math/rand.
|
|
span := high - low
|
|
return low + int(randomUint64()&0x7FFF_FFFF)%span
|
|
}
|
|
|
|
func randomUint64() uint64 {
|
|
var value [8]byte
|
|
if _, err := rand.Read(value[:]); err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return binary.LittleEndian.Uint64(value[:])
|
|
}
|
|
|
|
// waitForAddress will monitor starting when we are able to start the process.
|
|
func waitForAddress(ctx context.Context, address string, maxStartupWait time.Duration) error {
|
|
defer mon.Task()(&ctx)(nil)
|
|
|
|
start := time.Now()
|
|
for time.Since(start) < maxStartupWait {
|
|
if tryConnect(ctx, address) {
|
|
return ctx.Err()
|
|
}
|
|
|
|
// wait a bit before retrying to reduce load
|
|
if !sync2.Sleep(ctx, 50*time.Millisecond) {
|
|
return ctx.Err()
|
|
}
|
|
}
|
|
return fmt.Errorf("did not start in required time %v", maxStartupWait)
|
|
}
|
|
|
|
// tryConnect will try to connect to the process public address.
|
|
func tryConnect(ctx context.Context, address string) bool {
|
|
defer mon.Task()(&ctx)(nil)
|
|
|
|
dialer := net.Dialer{}
|
|
|
|
conn, err := dialer.DialContext(ctx, "tcp", address)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
// write empty byte slice to trigger refresh on connection
|
|
_, _ = conn.Write([]byte{})
|
|
// ignoring errors, because we only care about being able to connect
|
|
_ = conn.Close()
|
|
return true
|
|
}
|