Duplicate some of the tests utils in binary crate

Signed-off-by: Evgeny (Zhenia) Dolgii <[email protected]>

Author: ujinho

Cargo.lock

@@ -21,12 +21,21 @@ regex = "1.11.1"
 
 [dev-dependencies]
 mountpoint-s3-client = { path = "../mountpoint-s3-client", features = ["mock"] }
+mountpoint-s3-fuser = { path = "../mountpoint-s3-fuser" }
 assert_cmd = "2.0.16"
 assert_fs = "1.1.2"
+aws-config = "1.5.15"
+aws-credential-types = "1.2.1"
+aws-sdk-s3 = "1.71.0"
 futures = { version = "0.3.31", features = ["thread-pool"] }
+nix = { version = "0.29.0" }
 predicates = "3.1.3"
+rand = "0.8.5"
+rand_chacha = "0.3.1"
 serde = { version = "1.0.217", features = ["derive"] }
 test-case = "3.3.1"
+tempfile = "3.15.0"
+tokio = { version = "1.43.0" }
 tracing = { version = "0.1.41", features = ["log"] }
 
 [build-dependencies]

mountpoint-s3/Cargo.toml

@@ -0,0 +1,63 @@
+use aws_config::sts::AssumeRoleProvider;
+use aws_config::Region;
+use aws_credential_types::provider::ProvideCredentials;
+use aws_credential_types::Credentials;
+use crate::common::s3::get_test_region;
+
+/// Detect if running on GitHub Actions (GHA) and if so,
+/// emit masking string to avoid credentials accidentally being printed.
+fn mask_aws_creds_if_on_gha(credentials: &Credentials) {
+    if std::env::var_os("GITHUB_ACTIONS").is_some() {
+        // GitHub Actions aren't aware of these credential strings since we're sourcing them inside the tests.
+        // If we think we're in GitHub Actions environment, register each in stdout.
+        // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log
+        println!("::add-mask::{}", credentials.access_key_id());
+        println!("::add-mask::{}", credentials.secret_access_key());
+        if let Some(token) = credentials.session_token() {
+            println!("::add-mask::{}", token);
+        }
+    }
+}
+
+pub async fn get_sdk_default_chain_creds() -> Credentials {
+    use aws_config::default_provider::credentials::DefaultCredentialsChain;
+    use aws_credential_types::provider::ProvideCredentials;
+
+    let sdk_provider = DefaultCredentialsChain::builder().build().await;
+    let credentials = sdk_provider
+        .provide_credentials()
+        .await
+        .expect("default chain credentials should be available");
+    mask_aws_creds_if_on_gha(&credentials);
+    credentials
+}
+
+pub fn get_subsession_iam_role() -> String {
+    std::env::var("S3_SUBSESSION_IAM_ROLE").expect("Set S3_SUBSESSION_IAM_ROLE to run integration tests")
+}
+
+/// Takes the provided IAM Policy and assumes the configured subsession role,
+/// applying the given policy to scope down the permissions available.
+///
+/// This method works by making an AWS Security Token Service (STS) AssumeRole call providing the policy request field.
+/// The permissions are the intersection of the identity-based policy of the principal creating the session
+/// and the session policies. This means that the subsession role must already have any permissions you wish to use -
+/// this method can only reduce the scope of permissions.
+///
+/// See the [session policies section of the AWS IAM User Guide][session_policies] for more detail.
+///
+/// [session_policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+pub async fn get_scoped_down_credentials<Policy: AsRef<str>>(policy: Policy) -> Credentials {
+    let provider = AssumeRoleProvider::builder(get_subsession_iam_role())
+        .region(Region::new(get_test_region()))
+        .session_name("test_mountpoint-s3")
+        .policy(policy.as_ref())
+        .build()
+        .await;
+    let credentials = provider
+        .provide_credentials()
+        .await
+        .expect("default chain credentials should be available");
+    mask_aws_creds_if_on_gha(&credentials);
+    credentials
+}

mountpoint-s3/tests/common/creds.rs

@@ -0,0 +1,43 @@
+use std::ffi::OsStr;
+    use std::fs::{File, ReadDir};
+    use std::os::fd::AsRawFd;
+    use std::path::Path;
+    use std::sync::Arc;
+
+    use nix::fcntl::{self, FdFlag};
+
+    use fuser::{Mount, MountOption};
+
+    /// Open `/dev/fuse` and call `mount` syscall with given `mount_point`.
+    ///
+    /// The mount is automatically unmounted when the returned [Mount] is dropped.
+    pub fn mount_for_passing_fuse_fd(mount_point: &Path, options: &[MountOption]) -> (Arc<File>, Mount) {
+        let (file, mount) = Mount::new(mount_point, options).unwrap();
+
+        // fuser sets `FD_CLOEXEC` (i.e., close-on-exec) flag on the file descriptor in its libfuse3 implementation.
+        // Since we're forking the process in some of our test cases, this prevents child process to inherit the FUSE fd and causes our tests to fail.
+        // Here we're clearing this flag if its set on the FUSE fd.
+        let fd = file.as_raw_fd();
+        let mut flags = FdFlag::from_bits_retain(fcntl::fcntl(fd, fcntl::F_GETFD).unwrap());
+        if flags.contains(FdFlag::FD_CLOEXEC) {
+            flags.remove(FdFlag::FD_CLOEXEC);
+            let _ = fcntl::fcntl(fd, fcntl::F_SETFD(flags)).unwrap();
+        }
+
+        (file, mount)
+    }
+
+    /// Take a `read_dir` iterator and return the entry names
+    pub fn read_dir_to_entry_names(read_dir_iter: ReadDir) -> Vec<String> {
+        read_dir_iter
+            .map(|entry| {
+                let entry = entry.expect("no io err during readdir");
+                let entry_path = entry.path();
+                let name = entry_path
+                    .file_name()
+                    .and_then(OsStr::to_str)
+                    .expect("path should end with valid unicode file or dir name");
+                name.to_owned()
+            })
+            .collect::<Vec<_>>()
+    }

mountpoint-s3/tests/common/fuse.rs

@@ -0,0 +1,14 @@
+pub mod creds;
+pub mod fuse;
+pub mod s3;
+
+use std::future::Future;
+
+pub fn tokio_block_on<F: Future>(future: F) -> F::Output {
+    let runtime = tokio::runtime::Builder::new_current_thread()
+        .enable_io()
+        .enable_time()
+        .build()
+        .unwrap();
+    runtime.block_on(future)
+}

mountpoint-s3/tests/common/mod.rs

@@ -0,0 +1,87 @@
+use aws_sdk_s3::primitives::ByteStream;
+use aws_config::{BehaviorVersion, Region};
+use rand::RngCore;
+use rand_chacha::rand_core::OsRng;
+use crate::tokio_block_on;
+
+pub fn get_test_region() -> String {
+    std::env::var("S3_REGION").expect("Set S3_REGION to run integration tests")
+}
+
+pub fn get_standard_bucket() -> String {
+    std::env::var("S3_BUCKET_NAME").expect("Set S3_BUCKET_NAME to run integration tests")
+}
+
+pub fn get_test_bucket_forbidden() -> String {
+    std::env::var("S3_FORBIDDEN_BUCKET_NAME").expect("Set S3_FORBIDDEN_BUCKET_NAME to run integration tests")
+}
+
+pub fn get_test_kms_key_id() -> String {
+    std::env::var("KMS_TEST_KEY_ID").expect("Set KMS_TEST_KEY_ID to run integration tests")
+}
+
+// Get a region other than what configured in S3_REGION
+pub fn get_non_test_region() -> String {
+    match get_test_region().as_str() {
+        "us-east-1" => String::from("us-west-2"),
+        _ => String::from("us-east-1"),
+    }
+}
+
+/// Optional config for testing against a custom endpoint url
+pub fn get_test_endpoint_url() -> Option<String> {
+    if cfg!(feature = "s3express_tests") {
+        std::env::var("S3_EXPRESS_ONE_ZONE_ENDPOINT_URL")
+            .ok()
+            .filter(|str| !str.is_empty())
+    } else {
+        std::env::var("S3_ENDPOINT_URL").ok().filter(|str| !str.is_empty())
+    }
+}
+
+pub async fn get_test_sdk_client(region: &str) -> aws_sdk_s3::Client {
+    let mut sdk_config = aws_config::defaults(BehaviorVersion::latest()).region(Region::new(region.to_owned()));
+    if let Some(endpoint_url) = get_test_endpoint_url() {
+        sdk_config = sdk_config.endpoint_url(endpoint_url);
+    }
+    aws_sdk_s3::Client::new(&sdk_config.load().await)
+}
+
+pub fn create_objects(bucket: &str, prefix: &str, region: &str, key: &str, value: &[u8]) {
+    let sdk_client = tokio_block_on(get_test_sdk_client(region));
+    let full_key = format!("{prefix}{key}");
+    tokio_block_on(
+        sdk_client
+            .put_object()
+            .bucket(bucket)
+            .key(full_key)
+            .body(ByteStream::from(value.to_vec()))
+            .send(),
+    )
+    .unwrap();
+}
+
+pub fn get_test_bucket_and_prefix(test_name: &str) -> (String, String) {
+    let bucket = get_test_bucket();
+    let prefix = get_test_prefix(test_name);
+
+    (bucket, prefix)
+}
+
+pub fn get_test_prefix(test_name: &str) -> String {
+    // Generate a random nonce to make sure this prefix is truly unique
+    let nonce = OsRng.next_u64();
+
+    // Prefix always has a trailing "/" to keep meaning in sync with the S3 API.
+    let prefix = std::env::var("S3_BUCKET_TEST_PREFIX").unwrap_or(String::from("mountpoint-test/"));
+    assert!(prefix.ends_with('/'), "S3_BUCKET_TEST_PREFIX should end in '/'");
+
+    format!("{prefix}{test_name}/{nonce}/")
+}
+
+pub fn get_test_bucket() -> String {
+    #[cfg(not(feature = "s3express_tests"))]
+    return get_standard_bucket();
+    #[cfg(feature = "s3express_tests")]
+    return get_express_bucket();
+}

mountpoint-s3/tests/common/s3.rs

@@ -18,6 +18,8 @@ use std::{path::PathBuf, process::Command};
 use tempfile::NamedTempFile;
 use test_case::test_case;
 
+mod common;
+
 use crate::common::creds::{get_sdk_default_chain_creds, get_subsession_iam_role};
 use crate::common::fuse::{mount_for_passing_fuse_fd, read_dir_to_entry_names};
 use crate::common::s3::{