handler: Extract encodeObjectACL function from handler struct
Only the logger is used, so it is just passed as a parameter. Also added some tests.

Signed-off-by: Evgenii Baidakov <[email protected]>
smallhive committed Oct 19, 2023
1 parent e70d250 commit 1a86673
Showing 2 changed files with 88 additions and 5 deletions.
10 changes: 5 additions & 5 deletions api/handler/acl.go
Expand Up @@ -311,7 +311,7 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
return
}

if err = api.EncodeToResponse(w, h.encodeObjectACL(bucketACL, reqInfo.BucketName, objInfo.VersionID())); err != nil {
if err = api.EncodeToResponse(w, encodeObjectACL(h.log, bucketACL, reqInfo.BucketName, objInfo.VersionID())); err != nil {

Check warning on line 314 in api/handler/acl.go


Codecov / codecov/patch

api/handler/acl.go#L314

Added line #L314 was not covered by tests
h.logAndSendError(w, "failed to encode response", reqInfo, err)
}
}
Expand Down Expand Up @@ -1320,7 +1320,7 @@ func permissionToOperations(permission amazonS3Permission) []eacl.Operation {
return nil
}

func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, objectVersion string) *AccessControlPolicy {
func encodeObjectACL(log *zap.Logger, bucketACL *layer.BucketACL, bucketName, objectVersion string) *AccessControlPolicy {
res := &AccessControlPolicy{
Owner: Owner{
ID: bucketACL.Info.Owner.String(),
Expand Down Expand Up @@ -1361,7 +1361,7 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
for _, op := range val {
// valid operation.
if op < eacl.OperationGet || op > eacl.OperationRangeHash {
h.log.Warn("invalid eACL op", zap.Int("op", int(op)), zap.String("CID", bucketACL.Info.CID.String()))
log.Warn("invalid eACL op", zap.Int("op", int(op)), zap.String("CID", bucketACL.Info.CID.String()))
continue

Check warning on line 1365 in api/handler/acl.go


Codecov / codecov/patch

api/handler/acl.go#L1364-L1365

Added lines #L1364 - L1365 were not covered by tests
}

Expand Down Expand Up @@ -1389,7 +1389,7 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
} else if isWrite {
permission = awsPermWrite

Check warning on line 1390 in api/handler/acl.go

View check run for this annotation

Codecov / codecov/patch

api/handler/acl.go#L1390

Added line #L1390 was not covered by tests
} else {
h.log.Warn("invalid permissions", zap.String("subject", key))
log.Warn("invalid permissions", zap.String("subject", key))
continue

Check warning on line 1393 in api/handler/acl.go


Codecov / codecov/patch

api/handler/acl.go#L1392-L1393

Added lines #L1392 - L1393 were not covered by tests
}

Expand All @@ -1413,7 +1413,7 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
}

func (h *handler) encodeBucketACL(bucketName string, bucketACL *layer.BucketACL) *AccessControlPolicy {
return h.encodeObjectACL(bucketACL, bucketName, "")
return encodeObjectACL(h.log, bucketACL, bucketName, "")

Check warning on line 1416 in api/handler/acl.go


Codecov / codecov/patch

api/handler/acl.go#L1416

Added line #L1416 was not covered by tests
}

func contains(list []eacl.Operation, op eacl.Operation) bool {
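Review bot: The extracted `encodeObjectACL` has no doc comment, and its two warn-and-`continue` branches (the `invalid eACL op` range check and the `invalid permissions` fallback) mean the returned `AccessControlPolicy` can leave out entries that are present in the eACL table. Anyone reading the S3 ACL response to audit access should know that, so I would state it on the function, e.g. `// encodeObjectACL builds the S3 policy from bucketACL.EACL; operations outside Get..RangeHash and subjects whose operations map to no S3 permission are logged and omitted. log must not be nil.` The non-nil requirement is new with this signature: both warning paths call a method on the passed logger, and a nil `*zap.Logger` would most likely panic there. The parameter name `log` would also shadow the standard `log` package inside the function if acl.go imports it; `logger` avoids that. Most of the function body lies outside the visible hunks, so the wording should be checked against the full function.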
83 changes: 83 additions & 0 deletions api/handler/acl_test.go
Expand Up @@ -16,14 +16,18 @@ import (
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
"github.com/nspcc-dev/neofs-s3-gw/api"
"github.com/nspcc-dev/neofs-s3-gw/api/data"
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
"github.com/nspcc-dev/neofs-sdk-go/bearer"
cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
"github.com/nspcc-dev/neofs-sdk-go/crypto/test"
"github.com/nspcc-dev/neofs-sdk-go/eacl"
"github.com/nspcc-dev/neofs-sdk-go/object"
oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
"github.com/nspcc-dev/neofs-sdk-go/session"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
)

func TestTableToAst(t *testing.T) {
Expand Down Expand Up @@ -1424,3 +1428,82 @@ func putBucketACL(t *testing.T, tc *handlerContext, bktName string, box *accessb
tc.Handler().PutBucketACLHandler(w, r)
assertStatus(t, w, http.StatusOK)
}

func generateRecord(action eacl.Action, op eacl.Operation, targets []eacl.Target) *eacl.Record {
var r eacl.Record
r.SetAction(action)
r.SetOperation(op)
r.SetTargets(targets...)

return &r
}

func TestEACLEncode(t *testing.T) {
s := test.RandomSignerRFC6979(t)

acl := layer.BucketACL{
Info: &data.BucketInfo{},
EACL: &eacl.Table{},
}
acl.Info.Owner = s.UserID()

var containerID cid.ID
acl.EACL.SetCID(containerID)

var userTarget eacl.Target
userTarget.SetBinaryKeys([][]byte{{1, 2, 3}})

var othersTarget eacl.Target
othersTarget.SetRole(eacl.RoleOthers)

acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationPut, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationDelete, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{userTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{userTarget}))

acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationGet, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationHead, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationSearch, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRange, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionAllow, eacl.OperationRangeHash, []eacl.Target{othersTarget}))

acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationGet, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationHead, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationPut, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationDelete, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationSearch, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationRange, []eacl.Target{othersTarget}))
acl.EACL.AddRecord(generateRecord(eacl.ActionDeny, eacl.OperationRangeHash, []eacl.Target{othersTarget}))

logger, err := zap.NewProduction()
require.NoError(t, err)

acp := encodeObjectACL(logger, &acl, "bucket-name", "")
require.NotNil(t, acp)

require.Len(t, acp.AccessControlList, 2)

required := []*Grant{
{
Grantee: &Grantee{
Type: granteeGroup,
URI: allUsersGroup,
},
Permission: awsPermRead,
},
{
Grantee: &Grantee{
ID: "010203",
Type: granteeCanonicalUser,
},
Permission: awsPermFullControl,
},
}

for _, g := range required {
require.Contains(t, acp.AccessControlList, g)
}
}
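Review bot: `TestEACLEncode` only drives the happy path, so the two warn-and-skip branches in `encodeObjectACL` (out-of-range operation, subject with no mappable permission) stay untested, which matches the Codecov annotations on acl.go lines 1364-1365 and 1392-1393. Those branches decide what is left out of the ACL the gateway reports, so a case for each is worth adding, for example a record whose operation is above `eacl.OperationRangeHash` (if the SDK setter accepts one), asserting that no grant is produced for it. Replacing `zap.NewProduction()` with an observed logger, `core, logs := observer.New(zap.WarnLevel)` and `logger := zap.New(core)` from `go.uber.org/zap/zaptest/observer`, keeps test output quiet and lets the test assert that the warning was actually emitted. The deny records for `othersTarget` are added after the matching allow records while the expected `allUsersGroup` grant is still `awsPermRead`; a short comment saying whether that ordering is what the test means to pin down would help the next reader.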
