X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a1745a13f68363598cc121b617436f3ac5b1654d..163c8f8750193b791eb62f5a8d73dc44a006b69e:/services/keepstore/proxy_remote_test.go diff --git a/services/keepstore/proxy_remote_test.go b/services/keepstore/proxy_remote_test.go index b15e0b0683..6e720b8499 100644 --- a/services/keepstore/proxy_remote_test.go +++ b/services/keepstore/proxy_remote_test.go @@ -99,6 +99,7 @@ func (s *ProxyRemoteSuite) SetUpTest(c *check.C) { KeepVM = s.vm theConfig = DefaultConfig() theConfig.systemAuthToken = arvadostest.DataManagerToken + theConfig.blobSigningKey = []byte(knownKey) theConfig.Start() s.rtr = MakeRESTRouter(s.cluster) } @@ -122,28 +123,59 @@ func (s *ProxyRemoteSuite) TestProxyRemote(c *check.C) { for _, trial := range []struct { label string + method string token string + xKeepSignature string expectRemoteReqs int64 expectCode int + expectSignature bool }{ { - label: "happy path", + label: "GET only", + method: "GET", token: arvadostest.ActiveTokenV2, expectRemoteReqs: 1, expectCode: http.StatusOK, }, { label: "obsolete token", + method: "GET", token: arvadostest.ActiveToken, expectRemoteReqs: 0, expectCode: http.StatusBadRequest, }, { label: "bad token", + method: "GET", token: arvadostest.ActiveTokenV2[:len(arvadostest.ActiveTokenV2)-3] + "xxx", expectRemoteReqs: 1, expectCode: http.StatusNotFound, }, + { + label: "HEAD only", + method: "HEAD", + token: arvadostest.ActiveTokenV2, + expectRemoteReqs: 1, + expectCode: http.StatusOK, + }, + { + label: "HEAD with local signature", + method: "HEAD", + xKeepSignature: "local, time=" + time.Now().Format(time.RFC3339), + token: arvadostest.ActiveTokenV2, + expectRemoteReqs: 1, + expectCode: http.StatusOK, + expectSignature: true, + }, + { + label: "GET with local signature", + method: "GET", + xKeepSignature: "local, time=" + time.Now().Format(time.RFC3339), + token: arvadostest.ActiveTokenV2, + expectRemoteReqs: 1, + expectCode: http.StatusOK, + expectSignature: true, + }, } { c.Logf("trial: %s", trial.label) @@ -151,8 +183,11 @@ func (s *ProxyRemoteSuite) TestProxyRemote(c *check.C) { var req *http.Request var resp *httptest.ResponseRecorder - req = httptest.NewRequest("GET", path, nil) + req = httptest.NewRequest(trial.method, path, nil) req.Header.Set("Authorization", "Bearer "+trial.token) + if trial.xKeepSignature != "" { + req.Header.Set("X-Keep-Signature", trial.xKeepSignature) + } resp = httptest.NewRecorder() s.rtr.ServeHTTP(resp, req) c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs) @@ -162,5 +197,25 @@ func (s *ProxyRemoteSuite) TestProxyRemote(c *check.C) { } else { c.Check(resp.Body.String(), check.Not(check.Equals), string(data)) } + + c.Check(resp.Header().Get("Vary"), check.Matches, `(.*, )?X-Keep-Signature(, .*)?`) + + locHdr := resp.Header().Get("X-Keep-Locator") + if !trial.expectSignature { + c.Check(locHdr, check.Equals, "") + continue + } + + c.Check(locHdr, check.Not(check.Equals), "") + c.Check(locHdr, check.Not(check.Matches), `.*\+R.*`) + c.Check(VerifySignature(locHdr, trial.token), check.IsNil) + + // Ensure block can be requested using new signature + req = httptest.NewRequest("GET", "/"+locHdr, nil) + req.Header.Set("Authorization", "Bearer "+trial.token) + resp = httptest.NewRecorder() + s.rtr.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusOK) + c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs) } }