github.com/koko1123/flow-go-1@v0.29.6/network/p2p/blob/blob_service_test.go (about) 1 package blob_test 2 3 import ( 4 "testing" 5 6 "github.com/ipfs/go-cid" 7 "github.com/libp2p/go-libp2p/core/peer" 8 "github.com/stretchr/testify/assert" 9 "github.com/stretchr/testify/mock" 10 "github.com/stretchr/testify/require" 11 12 "github.com/koko1123/flow-go-1/model/flow" 13 modmock "github.com/koko1123/flow-go-1/module/mock" 14 "github.com/koko1123/flow-go-1/network/p2p/blob" 15 "github.com/koko1123/flow-go-1/utils/unittest" 16 ) 17 18 func TestAuthorizedRequester(t *testing.T) { 19 providerData := map[peer.ID]*flow.Identity{} 20 allowList := map[flow.Identifier]bool{} 21 22 // known and on allow list 23 an1, an1PeerID := mockIdentity(t, flow.RoleAccess) 24 providerData[an1PeerID] = an1 25 allowList[an1.NodeID] = true 26 27 // known and not on allow list 28 an2, an2PeerID := mockIdentity(t, flow.RoleAccess) 29 providerData[an2PeerID] = an2 30 31 // unknown and on the allow list 32 an3, an3PeerID := mockIdentity(t, flow.RoleAccess) 33 allowList[an3.NodeID] = true // should be ignored 34 35 // known and on the allow list but not an access node 36 sn1, sn1PeerID := mockIdentity(t, flow.RoleConsensus) 37 providerData[sn1PeerID] = sn1 38 allowList[sn1.NodeID] = true // should be ignored 39 40 // known and should always be allowed 41 en1, en1PeerID := mockIdentity(t, flow.RoleExecution) 42 providerData[en1PeerID] = en1 43 44 // unknown and should never be allowed 45 en2, en2PeerID := mockIdentity(t, flow.RoleExecution) 46 allowList[en2.NodeID] = true // should be ignored 47 48 idProvider := modmock.NewIdentityProvider(t) 49 idProvider.On("ByPeerID", mock.AnythingOfType("peer.ID")).Return( 50 func(peerId peer.ID) *flow.Identity { 51 return providerData[peerId] 52 }, func(peerId peer.ID) bool { 53 _, ok := providerData[peerId] 54 return ok 55 }) 56 57 // Allows requests from authorized nodes 58 t.Run("allows all ANs with empty allow list", func(t *testing.T) { 59 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 60 assert.True(t, authorizer(an1PeerID, cid.Cid{}), "AN1 should be allowed") 61 assert.True(t, authorizer(an2PeerID, cid.Cid{}), "AN2 should be allowed") 62 }) 63 64 t.Run("allows AN on allow list", func(t *testing.T) { 65 authorizer := blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 66 assert.True(t, authorizer(an1PeerID, cid.Cid{})) 67 }) 68 69 t.Run("always allows EN", func(t *testing.T) { 70 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 71 assert.True(t, authorizer(en1PeerID, cid.Cid{})) 72 73 authorizer = blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 74 assert.True(t, authorizer(en1PeerID, cid.Cid{})) 75 }) 76 77 // Denies requests from nodes not on the allow list 78 t.Run("denies AN not on allow list", func(t *testing.T) { 79 authorizer := blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 80 assert.False(t, authorizer(an2PeerID, cid.Cid{})) 81 }) 82 83 // Denies requests from unknown nodes 84 t.Run("never allow SN", func(t *testing.T) { 85 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 86 assert.False(t, authorizer(sn1PeerID, cid.Cid{})) 87 88 authorizer = blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 89 assert.False(t, authorizer(sn1PeerID, cid.Cid{})) 90 }) 91 92 an1.Ejected = true 93 en1.Ejected = true 94 95 // AN1 is on allow list (not passed) but is ejected 96 t.Run("always denies ejected AN", func(t *testing.T) { 97 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 98 assert.False(t, authorizer(an1PeerID, cid.Cid{})) 99 100 authorizer = blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 101 assert.False(t, authorizer(an1PeerID, cid.Cid{})) 102 }) 103 104 // EN1 is on allow list (not passed) but is ejected 105 t.Run("always denies ejected EN", func(t *testing.T) { 106 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 107 assert.False(t, authorizer(en1PeerID, cid.Cid{})) 108 109 authorizer = blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 110 assert.False(t, authorizer(en1PeerID, cid.Cid{})) 111 }) 112 113 // AN3 is on allow list (not passed) but is not in identity store 114 t.Run("always denies unknown peer", func(t *testing.T) { 115 authorizer := blob.AuthorizedRequester(nil, idProvider, unittest.Logger()) 116 assert.False(t, authorizer(an3PeerID, cid.Cid{})) 117 assert.False(t, authorizer(en2PeerID, cid.Cid{})) 118 119 authorizer = blob.AuthorizedRequester(allowList, idProvider, unittest.Logger()) 120 assert.False(t, authorizer(an3PeerID, cid.Cid{})) 121 assert.False(t, authorizer(en2PeerID, cid.Cid{})) 122 }) 123 } 124 125 func mockIdentity(t *testing.T, role flow.Role) (*flow.Identity, peer.ID) { 126 identity, _ := unittest.IdentityWithNetworkingKeyFixture(unittest.WithRole(role)) 127 peerID, err := unittest.PeerIDFromFlowID(identity) 128 require.NoError(t, err) 129 130 return identity, peerID 131 }