* docs(volume_server): add integration test development plan * test(volume_server): add integration harness and profile matrix * test(volume_server/http): add admin and options integration coverage * test(volume_server/grpc): add state and status integration coverage * test(volume_server): auto-build weed binary and harden cluster startup * test(volume_server/http): add upload read range head delete coverage * test(volume_server/grpc): expand admin lifecycle and state coverage * docs(volume_server): update progress tracker for implemented tests * test(volume_server/http): cover if-none-match and invalid-range branches * test(volume_server/grpc): add batch delete integration coverage * docs(volume_server): log latest HTTP and gRPC test coverage * ci(volume_server): run volume server integration tests in github actions * test(volume_server/grpc): add needle status configure ping and leave coverage * docs(volume_server): record additional grpc coverage progress * test(volume_server/grpc): add vacuum integration coverage * docs(volume_server): record vacuum test coverage progress * test(volume_server/grpc): add read and write needle blob error-path coverage * docs(volume_server): record data rw grpc coverage progress * test(volume_server/http): add jwt auth integration coverage * test(volume_server/grpc): add sync copy and stream error-path coverage * docs(volume_server): record jwt and sync/copy test coverage * test(volume_server/grpc): add scrub and query integration coverage * test(volume_server/grpc): add volume tail sender and receiver coverage * docs(volume_server): record scrub query and tail test progress * test(volume_server/grpc): add readonly writable and collection lifecycle coverage * test(volume_server/http): add public-port cors and method parity coverage * test(volume_server/grpc): add blob meta and read-all success path coverage * test(volume_server/grpc): expand scrub and query variation coverage * test(volume_server/grpc): add tiering and remote 
fetch error-path coverage * test(volume_server/http): add unchanged write and delete edge-case coverage * test(volume_server/grpc): add ping unknown and unreachable target coverage * test(volume_server/grpc): add volume delete only-empty variation coverage * test(volume_server/http): add jwt fid-mismatch auth coverage * test(volume_server/grpc): add scrub ec auto-select empty coverage * test(volume_server/grpc): stabilize ping timestamp assertion * docs(volume_server): update integration coverage progress log * test(volume_server/grpc): add tier remote backend and config variation coverage * docs(volume_server): record tier remote variation progress * test(volume_server/grpc): add incremental copy and receive-file protocol coverage * test(volume_server/http): add read path shape and if-modified-since coverage * test(volume_server/grpc): add copy-file compaction and receive-file success coverage * test(volume_server/http): add passthrough headers and static asset coverage * test(volume_server/grpc): add ping filer unreachable coverage * docs(volume_server): record copy receive and http variant progress * test(volume_server/grpc): add erasure coding maintenance and missing-path coverage * docs(volume_server): record initial erasure coding rpc coverage * test(volume_server/http): add multi-range multipart response coverage * docs(volume_server): record multi-range http coverage progress * test(volume_server/grpc): add query empty-stripe no-match coverage * docs(volume_server): record query no-match stream behavior coverage * test(volume_server/http): add upload throttling timeout and replicate bypass coverage * docs(volume_server): record upload throttling coverage progress * test(volume_server/http): add download throttling timeout coverage * docs(volume_server): record download throttling coverage progress * test(volume_server/http): add jwt wrong-cookie fid mismatch coverage * docs(volume_server): record jwt wrong-cookie mismatch coverage * 
test(volume_server/http): add jwt expired-token rejection coverage * docs(volume_server): record jwt expired-token coverage * test(volume_server/http): add jwt query and cookie transport coverage * docs(volume_server): record jwt token transport coverage * test(volume_server/http): add jwt token-source precedence coverage * docs(volume_server): record jwt token-source precedence coverage * test(volume_server/http): add jwt header-over-cookie precedence coverage * docs(volume_server): record jwt header cookie precedence coverage * test(volume_server/http): add jwt query-over-cookie precedence coverage * docs(volume_server): record jwt query cookie precedence coverage * test(volume_server/grpc): add setstate version mismatch and nil-state coverage * docs(volume_server): record setstate validation coverage * test(volume_server/grpc): add readonly persist-true lifecycle coverage * docs(volume_server): record readonly persist variation coverage * test(volume_server/http): add options origin cors header coverage * docs(volume_server): record options origin cors coverage * test(volume_server/http): add trace unsupported-method parity coverage * docs(volume_server): record trace method parity coverage * test(volume_server/grpc): add batch delete cookie-check variation coverage * docs(volume_server): record batch delete cookie-check coverage * test(volume_server/grpc): add admin lifecycle missing and maintenance variants * docs(volume_server): record admin lifecycle edge-case coverage * test(volume_server/grpc): add mixed batch delete status matrix coverage * docs(volume_server): record mixed batch delete matrix coverage * test(volume_server/http): add jwt-profile ui access gating coverage * docs(volume_server): record jwt ui-gating http coverage * test(volume_server/http): add propfind unsupported-method parity coverage * docs(volume_server): record propfind method parity coverage * test(volume_server/grpc): add volume configure success and rollback-path coverage * 
docs(volume_server): record volume configure branch coverage * test(volume_server/grpc): add volume needle status missing-path coverage * docs(volume_server): record volume needle status error-path coverage * test(volume_server/http): add readDeleted query behavior coverage * docs(volume_server): record readDeleted http behavior coverage * test(volume_server/http): add delete ts override parity coverage * docs(volume_server): record delete ts parity coverage * test(volume_server/grpc): add invalid blob/meta offset coverage * docs(volume_server): record invalid blob/meta offset coverage * test(volume_server/grpc): add read-all mixed volume abort coverage * docs(volume_server): record read-all mixed-volume abort coverage * test(volume_server/http): assert head response body parity * docs(volume_server): record head body parity assertion * test(volume_server/grpc): assert status state and memory payload completeness * docs(volume_server): record volume server status payload coverage * test(volume_server/grpc): add batch delete chunk-manifest rejection coverage * docs(volume_server): record batch delete chunk-manifest coverage * test(volume_server/grpc): add query cookie-mismatch eof parity coverage * docs(volume_server): record query cookie-mismatch parity coverage * test(volume_server/grpc): add ping master success target coverage * docs(volume_server): record ping master success coverage * test(volume_server/http): add head if-none-match conditional parity * docs(volume_server): record head if-none-match parity coverage * test(volume_server/http): add head if-modified-since parity coverage * docs(volume_server): record head if-modified-since parity coverage * test(volume_server/http): add connect unsupported-method parity coverage * docs(volume_server): record connect method parity coverage * test(volume_server/http): assert options allow-headers cors parity * docs(volume_server): record options allow-headers coverage * test(volume_server/framework): add dual volume 
cluster integration harness * test(volume_server/http): add missing-local read mode proxy redirect local coverage * docs(volume_server): record read mode missing-local matrix coverage * test(volume_server/http): add download over-limit replica proxy fallback coverage * docs(volume_server): record download replica fallback coverage * test(volume_server/http): add missing-local readDeleted proxy redirect parity coverage * docs(volume_server): record missing-local readDeleted mode coverage * test(volume_server/framework): add single-volume cluster with filer harness * test(volume_server/grpc): add ping filer success target coverage * docs(volume_server): record ping filer success coverage * test(volume_server/http): add proxied-loop guard download timeout coverage * docs(volume_server): record proxied-loop download coverage * test(volume_server/http): add disabled upload and download limit coverage * docs(volume_server): record disabled throttling path coverage * test(volume_server/grpc): add idempotent volume server leave coverage * docs(volume_server): record leave idempotence coverage * test(volume_server/http): add redirect collection query preservation coverage * docs(volume_server): record redirect collection query coverage * test(volume_server/http): assert admin server headers on status and health * docs(volume_server): record admin server header coverage * test(volume_server/http): assert healthz request-id echo parity * docs(volume_server): record healthz request-id parity coverage * test(volume_server/http): add over-limit invalid-vid download branch coverage * docs(volume_server): record over-limit invalid-vid branch coverage * test(volume_server/http): add public-port static asset coverage * docs(volume_server): record public static endpoint coverage * test(volume_server/http): add public head method parity coverage * docs(volume_server): record public head parity coverage * test(volume_server/http): add throttling wait-then-proceed path coverage * 
docs(volume_server): record throttling wait-then-proceed coverage * test(volume_server/http): add read cookie-mismatch not-found coverage * docs(volume_server): record read cookie-mismatch coverage * test(volume_server/http): add throttling timeout-recovery coverage * docs(volume_server): record throttling timeout-recovery coverage * test(volume_server/grpc): add ec generate mount info unmount lifecycle coverage * docs(volume_server): record ec positive lifecycle coverage * test(volume_server/grpc): add ec shard read and blob delete lifecycle coverage * docs(volume_server): record ec shard read/blob delete lifecycle coverage * test(volume_server/grpc): add ec rebuild and to-volume error branch coverage * docs(volume_server): record ec rebuild and to-volume branch coverage * test(volume_server/grpc): add ec shards-to-volume success roundtrip coverage * docs(volume_server): record ec shards-to-volume success coverage * test(volume_server/grpc): add ec receive and copy-file missing-source coverage * docs(volume_server): record ec receive and copy-file coverage * test(volume_server/grpc): add ec last-shard delete cleanup coverage * docs(volume_server): record ec last-shard delete cleanup coverage * test(volume_server/grpc): add volume copy success path coverage * docs(volume_server): record volume copy success coverage * test(volume_server/grpc): add volume copy overwrite-destination coverage * docs(volume_server): record volume copy overwrite coverage * test(volume_server/http): add write error-path variant coverage * docs(volume_server): record http write error-path coverage * test(volume_server/http): add conditional header precedence coverage * docs(volume_server): record conditional header precedence coverage * test(volume_server/http): add oversized combined range guard coverage * docs(volume_server): record oversized range guard coverage * test(volume_server/http): add image resize and crop read coverage * docs(volume_server): record image transform coverage * 
test(volume_server/http): add chunk-manifest expansion and bypass coverage * docs(volume_server): record chunk-manifest read coverage * test(volume_server/http): add compressed read encoding matrix coverage * docs(volume_server): record compressed read matrix coverage * test(volume_server/grpc): add tail receiver source replication coverage * docs(volume_server): record tail receiver replication coverage * test(volume_server/grpc): add tail sender large-needle chunking coverage * docs(volume_server): record tail sender chunking coverage * test(volume_server/grpc): add ec-backed volume needle status coverage * docs(volume_server): record ec-backed needle status coverage * test(volume_server/grpc): add ec shard copy from peer success coverage * docs(volume_server): record ec shard copy success coverage * test(volume_server/http): add chunk-manifest delete child cleanup coverage * docs(volume_server): record chunk-manifest delete cleanup coverage * test(volume_server/http): add chunk-manifest delete failure-path coverage * docs(volume_server): record chunk-manifest delete failure coverage * test(volume_server/grpc): add ec shard copy source-unavailable coverage * docs(volume_server): record ec shard copy source-unavailable coverage * parallel
package volume_server_http_test
import (
"bytes"
"net/http"
"testing"
"time"
jwt "github.com/golang-jwt/jwt/v5"
"github.com/seaweedfs/seaweedfs/test/volume_server/framework"
"github.com/seaweedfs/seaweedfs/test/volume_server/matrix"
"github.com/seaweedfs/seaweedfs/weed/security"
)
// TestJWTAuthForWriteAndRead exercises the JWT gate on the volume server's
// admin URL under the matrix.P3 profile. It expects a write with no
// Authorization header and a write with a non-JWT bearer value to be refused
// with 401, a write signed with profile.JWTSigningKey for the same fid to be
// accepted with 201, an unauthenticated read of that needle to be refused with
// 401, and a read signed with profile.JWTReadKey to return the uploaded bytes.
func TestJWTAuthForWriteAndRead(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(51)
		needleID = uint64(123456)
		cookie   = uint32(0xABCDEF12)
	)

	framework.AllocateVolume(t, grpcClient, volumeID, "")
	fid := framework.NewFileID(volumeID, needleID, cookie)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-protected-content")
	client := framework.NewHTTPClient()

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}

	// Write path, no credential at all.
	resp, _ := send(newUploadRequest(t, target, payload))
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("unauthorized write expected 401, got %d", resp.StatusCode)
	}

	// Write path, bearer value that is not a JWT.
	req := newUploadRequest(t, target, payload)
	req.Header.Set("Authorization", "Bearer invalid")
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("invalid write token expected 401, got %d", resp.StatusCode)
	}

	// Write path, token signed with the write key for this exact fid.
	writeToken := security.GenJwtForVolumeServer(security.SigningKey([]byte(profile.JWTSigningKey)), 60, fid)
	req = newUploadRequest(t, target, payload)
	req.Header.Set("Authorization", "Bearer "+string(writeToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("authorized write expected 201, got %d", resp.StatusCode)
	}

	// Read path, no credential: the needle now exists, so a 401 here shows the
	// gate is applied before the lookup result is exposed.
	resp, _ = send(mustNewRequest(t, http.MethodGet, target))
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("unauthorized read expected 401, got %d", resp.StatusCode)
	}

	// Read path, token signed with the profile's read key (not the write key).
	readToken := security.GenJwtForVolumeServer(security.SigningKey([]byte(profile.JWTReadKey)), 60, fid)
	req = mustNewRequest(t, http.MethodGet, target)
	req.Header.Set("Authorization", "Bearer "+string(readToken))
	resp, body := send(req)
	if resp.StatusCode != http.StatusOK {
		t.Fatalf("authorized read expected 200, got %d", resp.StatusCode)
	}
	if string(body) != string(payload) {
		t.Fatalf("authorized read content mismatch: got %q want %q", string(body), string(payload))
	}
}
// TestJWTAuthRejectsFidMismatch verifies that a correctly signed token is still
// refused when its fid claim does not name the needle being accessed. Two
// mismatches are covered for both write and read: a token for a different
// needle id, and a token for the same needle id with a different cookie. A
// write signed for the exact fid is accepted in between so the read checks run
// against existing content.
func TestJWTAuthRejectsFidMismatch(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID      = uint32(52)
		needleID      = uint64(223344)
		cookie        = uint32(0x10203040)
		otherNeedleID = uint64(223345)
		otherCookie   = uint32(0x50607080)
		wrongCookie   = uint32(0x10203041)
	)

	framework.AllocateVolume(t, grpcClient, volumeID, "")
	fid := framework.NewFileID(volumeID, needleID, cookie)
	otherFid := framework.NewFileID(volumeID, otherNeedleID, otherCookie)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-fid-mismatch-content")
	client := framework.NewHTTPClient()

	writeKey := security.SigningKey([]byte(profile.JWTSigningKey))
	readKey := security.SigningKey([]byte(profile.JWTReadKey))

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}
	// bearer attaches token as an Authorization bearer credential.
	bearer := func(req *http.Request, token string) {
		req.Header.Set("Authorization", "Bearer "+token)
	}

	// Write with a token issued for a different needle.
	req := newUploadRequest(t, target, payload)
	bearer(req, string(security.GenJwtForVolumeServer(writeKey, 60, otherFid)))
	resp, _ := send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("write with mismatched fid token expected 401, got %d", resp.StatusCode)
	}

	// Write with a token for the same needle id but the wrong cookie; the
	// cookie is part of the fid, so this must not be treated as a match.
	wrongCookieFid := framework.NewFileID(volumeID, needleID, wrongCookie)
	req = newUploadRequest(t, target, payload)
	bearer(req, string(security.GenJwtForVolumeServer(writeKey, 60, wrongCookieFid)))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("write with wrong-cookie fid token expected 401, got %d", resp.StatusCode)
	}

	// Write with a token for the exact fid, so the read checks have data.
	req = newUploadRequest(t, target, payload)
	bearer(req, string(security.GenJwtForVolumeServer(writeKey, 60, fid)))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("authorized write expected 201, got %d", resp.StatusCode)
	}

	// Read with a token issued for a different needle.
	req = mustNewRequest(t, http.MethodGet, target)
	bearer(req, string(security.GenJwtForVolumeServer(readKey, 60, otherFid)))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("read with mismatched fid token expected 401, got %d", resp.StatusCode)
	}

	// Read with a token for the same needle id but the wrong cookie.
	req = mustNewRequest(t, http.MethodGet, target)
	bearer(req, string(security.GenJwtForVolumeServer(readKey, 60, wrongCookieFid)))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("read with wrong-cookie fid token expected 401, got %d", resp.StatusCode)
	}
}
// newUploadRequest returns a POST request to url whose body is payload, sent
// as application/octet-stream. It fails t if the request cannot be built
// (for example because url does not parse).
func newUploadRequest(t testing.TB, url string, payload []byte) *http.Request {
	t.Helper()
	const contentType = "application/octet-stream"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err == nil {
		req.Header.Set("Content-Type", contentType)
		return req
	}
	t.Fatalf("create upload request %s: %v", url, err)
	return nil
}
// TestJWTAuthRejectsExpiredTokens checks that a token whose exp claim is in the
// past is refused with 401 on both the write and the read path, even though it
// is signed with the correct key and names the correct fid. A write with a
// fresh token is made in between so the read check targets an existing needle.
func TestJWTAuthRejectsExpiredTokens(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(53)
		needleID = uint64(334455)
		cookie   = uint32(0x22334455)
	)
	framework.AllocateVolume(t, grpcClient, volumeID, "")

	fid := framework.NewFileID(volumeID, needleID, cookie)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("expired-token-content")
	client := framework.NewHTTPClient()

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}
	// bearer attaches token as an Authorization bearer credential.
	bearer := func(req *http.Request, token string) {
		req.Header.Set("Authorization", "Bearer "+token)
	}

	// Expired token on the write path.
	req := newUploadRequest(t, target, payload)
	bearer(req, mustGenExpiredToken(t, []byte(profile.JWTSigningKey), fid))
	resp, _ := send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("expired write token expected 401, got %d", resp.StatusCode)
	}

	// Seed the needle with a fresh write token so the read-path check below is
	// not masked by a not-found result.
	freshWriteToken := security.GenJwtForVolumeServer(security.SigningKey([]byte(profile.JWTSigningKey)), 60, fid)
	req = newUploadRequest(t, target, payload)
	bearer(req, string(freshWriteToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("valid write expected 201, got %d", resp.StatusCode)
	}

	// Expired token on the read path.
	req = mustNewRequest(t, http.MethodGet, target)
	bearer(req, mustGenExpiredToken(t, []byte(profile.JWTReadKey), fid))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("expired read token expected 401, got %d", resp.StatusCode)
	}
}
// TestJWTAuthViaQueryParamAndCookie covers the two non-header token transports
// the volume server accepts: a write token carried in the ?jwt= query
// parameter (expected 201) and a read token carried in the "AT" cookie
// (expected 200 with the uploaded bytes). Tokens in the URL are a weaker
// transport than a header — they tend to be captured by access logs and
// intermediaries — so this test documents server acceptance, not a client
// recommendation.
func TestJWTAuthViaQueryParamAndCookie(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(54)
		needleID = uint64(445566)
		cookie   = uint32(0x31415926)
	)
	framework.AllocateVolume(t, grpcClient, volumeID, "")

	fid := framework.NewFileID(volumeID, needleID, cookie)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-query-cookie-content")
	client := framework.NewHTTPClient()

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}

	// Write token supplied only via the query string.
	writeToken := security.GenJwtForVolumeServer(security.SigningKey([]byte(profile.JWTSigningKey)), 60, fid)
	resp, _ := send(newUploadRequest(t, target+"?jwt="+string(writeToken), payload))
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("query-jwt write expected 201, got %d", resp.StatusCode)
	}

	// Read token supplied only via the "AT" cookie.
	readToken := security.GenJwtForVolumeServer(security.SigningKey([]byte(profile.JWTReadKey)), 60, fid)
	req := mustNewRequest(t, http.MethodGet, target)
	req.AddCookie(&http.Cookie{Name: "AT", Value: string(readToken)})
	resp, body := send(req)
	if resp.StatusCode != http.StatusOK {
		t.Fatalf("cookie-jwt read expected 200, got %d", resp.StatusCode)
	}
	if string(body) != string(payload) {
		t.Fatalf("cookie-jwt read body mismatch: got %q want %q", string(body), string(payload))
	}
}
// TestJWTTokenSourcePrecedenceQueryOverHeader pins the server's choice when a
// request carries both a ?jwt= query token and an Authorization header: the
// query token wins. A token for a different fid in the query string must
// produce 401 even though the header token is valid, on the write path and,
// after seeding the needle, on the read path.
func TestJWTTokenSourcePrecedenceQueryOverHeader(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(55)
		needleID = uint64(556677)
		cookie   = uint32(0x99887766)
	)
	framework.AllocateVolume(t, grpcClient, volumeID, "")

	fid := framework.NewFileID(volumeID, needleID, cookie)
	otherFID := framework.NewFileID(volumeID, needleID+1, cookie+1)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-precedence-content")
	client := framework.NewHTTPClient()

	writeKey := security.SigningKey([]byte(profile.JWTSigningKey))
	readKey := security.SigningKey([]byte(profile.JWTReadKey))

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}
	// bearer attaches token as an Authorization bearer credential.
	bearer := func(req *http.Request, token string) {
		req.Header.Set("Authorization", "Bearer "+token)
	}

	// Write: valid header token, wrong-fid query token.
	validWriteToken := security.GenJwtForVolumeServer(writeKey, 60, fid)
	wrongFidWriteToken := security.GenJwtForVolumeServer(writeKey, 60, otherFID)
	req := newUploadRequest(t, target+"?jwt="+string(wrongFidWriteToken), payload)
	bearer(req, string(validWriteToken))
	resp, _ := send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("query token should take precedence over header token for write, expected 401 got %d", resp.StatusCode)
	}

	// Seed the needle with the valid write token so the read check has data.
	req = newUploadRequest(t, target, payload)
	bearer(req, string(validWriteToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("seed write expected 201, got %d", resp.StatusCode)
	}

	// Read: valid header token, wrong-fid query token.
	validReadToken := security.GenJwtForVolumeServer(readKey, 60, fid)
	wrongFidReadToken := security.GenJwtForVolumeServer(readKey, 60, otherFID)
	req = mustNewRequest(t, http.MethodGet, target+"?jwt="+string(wrongFidReadToken))
	bearer(req, string(validReadToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("query token should take precedence over header token for read, expected 401 got %d", resp.StatusCode)
	}
}
// TestJWTTokenSourcePrecedenceHeaderOverCookie pins the server's choice when a
// request carries both an Authorization header and an "AT" cookie: the header
// wins. With a valid header token and a wrong-fid cookie token the write must
// succeed (201) and the read must return the uploaded bytes (200).
func TestJWTTokenSourcePrecedenceHeaderOverCookie(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(56)
		needleID = uint64(667788)
		cookie   = uint32(0x11229988)
	)
	framework.AllocateVolume(t, grpcClient, volumeID, "")

	fid := framework.NewFileID(volumeID, needleID, cookie)
	otherFID := framework.NewFileID(volumeID, needleID+1, cookie+1)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-precedence-header-cookie")
	client := framework.NewHTTPClient()

	writeKey := security.SigningKey([]byte(profile.JWTSigningKey))
	readKey := security.SigningKey([]byte(profile.JWTReadKey))

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}
	// withCredentials sets headerToken as the bearer credential and
	// cookieToken as the "AT" cookie on req.
	withCredentials := func(req *http.Request, headerToken, cookieToken string) {
		req.Header.Set("Authorization", "Bearer "+headerToken)
		req.AddCookie(&http.Cookie{Name: "AT", Value: cookieToken})
	}

	// Write: valid header token, wrong-fid cookie token.
	validWriteToken := security.GenJwtForVolumeServer(writeKey, 60, fid)
	wrongFidCookieWriteToken := security.GenJwtForVolumeServer(writeKey, 60, otherFID)
	req := newUploadRequest(t, target, payload)
	withCredentials(req, string(validWriteToken), string(wrongFidCookieWriteToken))
	resp, _ := send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("header token should take precedence over cookie token for write, expected 201 got %d", resp.StatusCode)
	}

	// Read: valid header token, wrong-fid cookie token.
	validReadToken := security.GenJwtForVolumeServer(readKey, 60, fid)
	wrongFidCookieReadToken := security.GenJwtForVolumeServer(readKey, 60, otherFID)
	req = mustNewRequest(t, http.MethodGet, target)
	withCredentials(req, string(validReadToken), string(wrongFidCookieReadToken))
	resp, body := send(req)
	if resp.StatusCode != http.StatusOK {
		t.Fatalf("header token should take precedence over cookie token for read, expected 200 got %d", resp.StatusCode)
	}
	if string(body) != string(payload) {
		t.Fatalf("header-over-cookie read body mismatch: got %q want %q", string(body), string(payload))
	}
}
// TestJWTTokenSourcePrecedenceQueryOverCookie pins the server's choice when a
// request carries both a ?jwt= query token and an "AT" cookie: the query token
// wins. A wrong-fid query token next to a valid cookie must produce 401 on
// write and, after seeding, on read; the reverse pairing (valid query token,
// wrong-fid cookie) must read the needle successfully.
func TestJWTTokenSourcePrecedenceQueryOverCookie(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}

	profile := matrix.P3()
	clusterHarness := framework.StartSingleVolumeCluster(t, profile)
	conn, grpcClient := framework.DialVolumeServer(t, clusterHarness.VolumeGRPCAddress())
	defer conn.Close()

	const (
		volumeID = uint32(57)
		needleID = uint64(778899)
		cookie   = uint32(0x88776655)
	)
	framework.AllocateVolume(t, grpcClient, volumeID, "")

	fid := framework.NewFileID(volumeID, needleID, cookie)
	otherFID := framework.NewFileID(volumeID, needleID+1, cookie+1)
	target := clusterHarness.VolumeAdminURL() + "/" + fid
	payload := []byte("jwt-precedence-query-cookie")
	client := framework.NewHTTPClient()

	writeKey := security.SigningKey([]byte(profile.JWTSigningKey))
	readKey := security.SigningKey([]byte(profile.JWTReadKey))

	// send issues req through the shared client and reads the whole response
	// body with the framework helper before handing both back.
	send := func(req *http.Request) (*http.Response, []byte) {
		t.Helper()
		resp := framework.DoRequest(t, client, req)
		return resp, framework.ReadAllAndClose(t, resp)
	}
	// withCookie sets token as the "AT" cookie on req.
	withCookie := func(req *http.Request, token string) {
		req.AddCookie(&http.Cookie{Name: "AT", Value: token})
	}

	// Write: wrong-fid query token, valid cookie token.
	validWriteToken := security.GenJwtForVolumeServer(writeKey, 60, fid)
	wrongFidQueryWriteToken := security.GenJwtForVolumeServer(writeKey, 60, otherFID)
	req := newUploadRequest(t, target+"?jwt="+string(wrongFidQueryWriteToken), payload)
	withCookie(req, string(validWriteToken))
	resp, _ := send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("query token should take precedence over cookie token for write, expected 401 got %d", resp.StatusCode)
	}

	// Seed the needle with the valid write token (via header) so the read
	// checks have data.
	req = newUploadRequest(t, target, payload)
	req.Header.Set("Authorization", "Bearer "+string(validWriteToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusCreated {
		t.Fatalf("seed write expected 201, got %d", resp.StatusCode)
	}

	// Read: wrong-fid query token, valid cookie token.
	validReadToken := security.GenJwtForVolumeServer(readKey, 60, fid)
	wrongFidQueryReadToken := security.GenJwtForVolumeServer(readKey, 60, otherFID)
	req = mustNewRequest(t, http.MethodGet, target+"?jwt="+string(wrongFidQueryReadToken))
	withCookie(req, string(validReadToken))
	resp, _ = send(req)
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("query token should take precedence over cookie token for read, expected 401 got %d", resp.StatusCode)
	}

	// Read, positive direction: valid query token, wrong-fid cookie token.
	req = mustNewRequest(t, http.MethodGet, target+"?jwt="+string(validReadToken))
	wrongFidCookieReadToken := security.GenJwtForVolumeServer(readKey, 60, otherFID)
	withCookie(req, string(wrongFidCookieReadToken))
	resp, body := send(req)
	if resp.StatusCode != http.StatusOK {
		t.Fatalf("valid query token should succeed over invalid cookie token, expected 200 got %d", resp.StatusCode)
	}
	if string(body) != string(payload) {
		t.Fatalf("query-over-cookie read body mismatch: got %q want %q", string(body), string(payload))
	}
}
// mustGenExpiredToken returns an HS256-signed volume-server token for fid
// whose exp claim lies one minute in the past, signed with key. It fails t if
// signing fails. One minute is assumed to exceed any clock-skew leeway the
// server applies when validating exp — confirm against the server's validator
// if this test ever turns flaky.
func mustGenExpiredToken(t testing.TB, key []byte, fid string) string {
	t.Helper()
	expiredAt := time.Now().Add(-1 * time.Minute)
	claims := security.SeaweedFileIdClaims{Fid: fid}
	claims.ExpiresAt = jwt.NewNumericDate(expiredAt)
	signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(key)
	if err != nil {
		t.Fatalf("sign expired token: %v", err)
	}
	return signed
}