tests: add tests for numeric eacl rules

Signed-off-by: Evgeniy Zayats <[email protected]>
nspcc-dev · Mar 30, 2024 · 93e3a24 · 93e3a24
1 parent 451fe8f
commit 93e3a24
Show file tree

Hide file tree

Showing 2 changed files with 152 additions and 0 deletions.
diff --git a/pytest_tests/lib/helpers/acl.py b/pytest_tests/lib/helpers/acl.py
@@ -51,6 +51,21 @@ class EACLHeaderType(Enum):
 class EACLMatchType(Enum):
     STRING_EQUAL = "="  # Return true if strings are equal
     STRING_NOT_EQUAL = "!="  # Return true if strings are different
+    NUM_GT = ">"
+    NUM_GE = ">="
+    NUM_LT = "<"
+    NUM_LE = "<="
+
+    def compare(self, val1, val2):
+        if self.value == ">":
+            return val1 > val2
+        elif self.value == ">=":
+            return val1 >= val2
+        elif self.value == "<":
+            return val1 < val2
+        elif self.value == "<=":
+            return val1 <= val2
+        raise AssertionError(f"Unsupported value: {self.value} for compare")
 
 
 @dataclass

diff --git a/pytest_tests/tests/acl/test_eacl_filters.py b/pytest_tests/tests/acl/test_eacl_filters.py
@@ -11,11 +11,13 @@
     EACLRule,
     create_eacl,
     form_bearertoken_file,
+    get_eacl,
     set_eacl,
     wait_for_cache_expired,
 )
 from helpers.container import create_container, delete_container
 from helpers.container_access import check_full_access_to_container, check_no_access_to_container
+from helpers.file_helper import generate_file
 from helpers.neofs_verbs import put_object_to_random_node
 from helpers.object_access import can_get_head_object, can_get_object, can_put_object
 from helpers.wellknown_acl import PUBLIC_ACL
@@ -62,6 +64,30 @@ class TestEACLFilters(NeofsEnvTestBase):
         EACLOperation.HEAD,
         EACLOperation.PUT,
     ]
+    OBJECT_NUMERIC_KEY_ATTR_NAME = "numeric_value"
+    OBJECT_NUMERIC_VALUES = [0, 1, 10]
+
+    @pytest.fixture(scope="function")
+    def eacl_container(self, wallets):
+        user_wallet = wallets.get_wallet()
+
+        with allure.step("Create eACL public container"):
+            cid = create_container(
+                user_wallet.wallet_path,
+                basic_acl=PUBLIC_ACL,
+                shell=self.shell,
+                endpoint=self.neofs_env.sn_rpc,
+            )
+
+        yield cid
+
+        with allure.step("Delete eACL public container"):
+            delete_container(
+                user_wallet.wallet_path,
+                cid,
+                shell=self.shell,
+                endpoint=self.neofs_env.sn_rpc,
+            )
 
     @pytest.fixture(scope="function")
     def eacl_container_with_objects(self, wallets, file_path):
@@ -627,3 +653,114 @@ def test_extended_acl_allow_filters_object(
                 attributes=deny_attribute,
                 bearer=bearer_other,
             )
+
+    @pytest.mark.parametrize(
+        "operator",
+        [
+            EACLMatchType.NUM_GT,
+            EACLMatchType.NUM_GE,
+            EACLMatchType.NUM_LT,
+            EACLMatchType.NUM_LE,
+        ],
+    )
+    @pytest.mark.parametrize(
+        "object_size",
+        [pytest.lazy_fixture("simple_object_size"), pytest.lazy_fixture("complex_object_size")],
+        ids=["simple object", "complex object"],
+    )
+    def test_extended_acl_numeric_values(self, wallets, operator, eacl_container, object_size):
+        user_wallet = wallets.get_wallet()
+
+        cid = eacl_container
+        objects = []
+
+        with allure.step("Add test objects to container"):
+            for numeric_value in self.OBJECT_NUMERIC_VALUES:
+                file_path = generate_file(object_size)
+
+                objects.append(
+                    {
+                        "numeric_value": numeric_value,
+                        "id": put_object_to_random_node(
+                            user_wallet.wallet_path,
+                            file_path,
+                            cid,
+                            shell=self.shell,
+                            neofs_env=self.neofs_env,
+                            attributes={self.OBJECT_NUMERIC_KEY_ATTR_NAME: numeric_value},
+                        ),
+                    }
+                )
+
+        for numeric_value in self.OBJECT_NUMERIC_VALUES:
+            with allure.step(f"GET objects with any numeric value attribute should be allowed"):
+                for obj in objects:
+                    assert can_get_object(
+                        user_wallet.wallet_path,
+                        cid,
+                        obj["id"],
+                        file_path,
+                        self.shell,
+                        neofs_env=self.neofs_env,
+                    ), f"GET is not allowed for this object, while it shouldn't be"
+
+            with allure.step(f"Deny GET for all objects {operator.value} {numeric_value}"):
+                eacl_deny = [
+                    EACLRule(
+                        access=EACLAccess.DENY,
+                        role=EACLRole.USER,
+                        filters=EACLFilters(
+                            [
+                                EACLFilter(
+                                    header_type=EACLHeaderType.OBJECT,
+                                    match_type=operator,
+                                    key=self.OBJECT_NUMERIC_KEY_ATTR_NAME,
+                                    value=numeric_value,
+                                )
+                            ]
+                        ),
+                        operation=EACLOperation.GET,
+                    )
+                ]
+                set_eacl(
+                    user_wallet.wallet_path,
+                    cid,
+                    create_eacl(cid, eacl_deny, shell=self.shell),
+                    shell=self.shell,
+                    endpoint=self.neofs_env.sn_rpc,
+                )
+                wait_for_cache_expired()
+                get_eacl(
+                    user_wallet.wallet_path,
+                    cid,
+                    shell=self.shell,
+                    endpoint=self.neofs_env.sn_rpc,
+                )
+
+            with allure.step(
+                f"GET object with numeric value attribute {operator.value} {numeric_value} should be denied"
+            ):
+                for obj in objects:
+                    if operator.compare(obj["numeric_value"], numeric_value):
+                        assert not can_get_object(
+                            user_wallet.wallet_path,
+                            cid,
+                            obj["id"],
+                            file_path,
+                            self.shell,
+                            neofs_env=self.neofs_env,
+                        ), f"GET is allowed for this object, while it shouldn't be"
+
+            with allure.step(
+                f"GET object with numeric value attribute not {operator.value} {numeric_value} should be allowed"
+            ):
+                for obj in objects:
+                    if not operator.compare(obj["numeric_value"], numeric_value):
+                        assert can_get_object(
+                            user_wallet.wallet_path,
+                            cid,
+                            obj["id"],
+                            file_path,
+                            self.shell,
+                            neofs_env=self.neofs_env,
+                        ), f"GET is not allowed for this object, while it should be"