tests: add e2e proxy test; optimize test container startup

Author: jimmarino

crates/facet-common/tests/common/minio.rs

@@ -102,12 +102,19 @@ impl MinioInstance {
         let config = build_minio_client_config(&self.endpoint).await;
         let client = Client::new(&config);
 
-        client
+        let create_result = client
             .create_bucket()
             .bucket(bucket)
             .send()
-            .await
-            .expect("Failed to create bucket");
+            .await;
+
+        // Ignore bucket-already-exists errors (MinIO may persist state between test runs)
+        if let Err(e) = create_result {
+            let error_msg = format!("{:?}", e);
+            if !error_msg.contains("BucketAlreadyOwnedByYou") && !error_msg.contains("BucketAlreadyExists") {
+                panic!("Failed to create bucket: {:?}", e);
+            }
+        }
 
         client
             .put_object()

crates/facet-common/tests/common/postgres.rs

@@ -16,25 +16,30 @@ use testcontainers_modules::postgres::Postgres;
 
 /// Helper to create a PostgreSQL container and connection pool
 pub async fn setup_postgres_container() -> (PgPool, testcontainers::ContainerAsync<Postgres>) {
-    let container = Postgres::default().start().await.unwrap();
+    let container = Postgres::default()
+        .start()
+        .await
+        .unwrap();
 
     let connection_string = format!(
         "postgresql://postgres:postgres@127.0.0.1:{}/postgres",
         container.get_host_port_ipv4(5432).await.unwrap()
     );
 
-    // Wait for PostgreSQL to be ready
-    let mut retries = 0;
-    let pool = loop {
-        match PgPool::connect(&connection_string).await {
-            Ok(pool) => break pool,
-            Err(_) if retries < 30 => {
-                retries += 1;
-                tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
+    // Wait for PostgreSQL to be ready with timeout
+    let pool = tokio::time::timeout(
+        tokio::time::Duration::from_secs(5),
+        async {
+            loop {
+                match PgPool::connect(&connection_string).await {
+                    Ok(pool) => break pool,
+                    Err(_) => tokio::task::yield_now().await,
+                }
             }
-            Err(e) => panic!("Failed to connect to PostgreSQL: {}", e),
         }
-    };
+    )
+    .await
+    .unwrap_or_else(|_| panic!("PostgreSQL failed to become ready within 5 seconds"));
 
     (pool, container)
 }

crates/facet-common/tests/common/proxy_s3.rs

@@ -182,7 +182,9 @@ impl ProxyConfig {
 }
 
 /// Launch S3 proxy with the given configuration
-pub fn launch_s3proxy(config: ProxyConfig) {
+pub async fn launch_s3proxy(config: ProxyConfig) {
+    let port = config.port;
+
     std::thread::spawn(move || {
         let operation_parser = config
             .operation_parser
@@ -212,14 +214,28 @@ pub fn launch_s3proxy(config: ProxyConfig) {
         server.bootstrap();
 
         let mut proxy_service = http_proxy_service(&server.configuration, proxy);
-        proxy_service.add_tcp(&format!("0.0.0.0:{}", config.port));
+        proxy_service.add_tcp(&format!("0.0.0.0:{}", port));
 
         server.add_service(proxy_service);
         server.run_forever();
     });
 
-    // Give the server time to start
-    std::thread::sleep(std::time::Duration::from_millis(500));
+    // Wait for proxy to be ready with 5-second timeout
+    let wait_result = tokio::time::timeout(
+        tokio::time::Duration::from_secs(5),
+        async {
+            loop {
+                if tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port)).await.is_ok() {
+                    break;
+                }
+                tokio::task::yield_now().await;
+            }
+        }
+    ).await;
+
+    if wait_result.is_err() {
+        panic!("Proxy failed to start within 5 seconds on port {}", port);
+    }
 }
 
 /// Add an authorization rule to an evaluator.

crates/facet-common/tests/proxy_s3.rs

@@ -12,115 +12,175 @@
 
 mod common;
 
-use aws_config::BehaviorVersion;
-use aws_sdk_s3::config::{Credentials, Region};
-use aws_sdk_s3::Client;
-use facet_common::proxy::s3::UpstreamStyle;
-use crate::common::{
-    get_available_port, launch_s3proxy, MinioInstance, ProxyConfig,
-    MINIO_ACCESS_KEY, MINIO_SECRET_KEY, TEST_BUCKET, TEST_KEY,
+use common::{
+    create_test_client, get_available_port, launch_s3proxy, setup_postgres_container,
+    MinioInstance, PassthroughCredentialsResolver, ProxyConfig, TestJwtVerifier,
+    MINIO_ACCESS_KEY, MINIO_SECRET_KEY, TEST_BUCKET,
 };
-
-const TEST_CONTENT: &str = "Hello from Pingora proxy test!";
-const VALID_SESSION_TOKEN: &str = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
-const INVALID_SESSION_TOKEN: &str = "invalid-token";
+use facet_common::auth::{AuthorizationEvaluator, Operation, PostgresAuthorizationEvaluator, Rule, RuleStore};
+use facet_common::context::ParticipantContext;
+use facet_common::proxy::s3::{
+    DefaultS3OperationParser, S3Credentials, StaticParticipantContextResolver, UpstreamStyle,
+};
+use std::sync::Arc;
 
 #[tokio::test]
-async fn test_s3_proxy_with_token_validation() {
-    // Start MinIO container
-    let minio = MinioInstance::launch().await;
-    minio.setup_bucket_with_file(TEST_BUCKET, TEST_KEY, TEST_CONTENT.as_bytes()).await;
+async fn test_s3_proxy_end_to_end_with_postgres() {
+    // Launch Postgres container and initialize auth evaluator
+    let (pool, _pg_container) = setup_postgres_container().await;
+    let auth_evaluator = Arc::new(PostgresAuthorizationEvaluator::new(pool));
+    auth_evaluator.initialize().await.unwrap();
 
-    // Get an available port for the proxy
+    // Launch MinIO container as upstream S3 server
+    let minio = MinioInstance::launch().await;
+    minio.setup_bucket_with_file(TEST_BUCKET, "test-file.txt", b"Hello from MinIO!").await;
+    minio.setup_bucket_with_file(TEST_BUCKET, "data/document.pdf", b"PDF content here").await;
+
+    let participant_id = "user123";
+    let scope = "agreement-456";
+    let participant_context = ParticipantContext::builder()
+        .identifier(participant_id)
+        .audience("s3-proxy")
+        .build();
+
+    // Create authorization rules in Postgres
+    // Rule 1: Allow GetObject on all objects in test-bucket (note: URL path includes leading slash)
+    let get_rule = Rule::new(
+        scope.to_string(),
+        vec!["s3:GetObject".to_string()],
+        format!("^/{}/.*", TEST_BUCKET),
+    )
+    .unwrap();
+
+    // Rule 2: Allow PutObject in test-bucket/uploads/ path (note: URL path includes leading slash)
+    let put_rule = Rule::new(
+        scope.to_string(),
+        vec!["s3:PutObject".to_string()],
+        format!("^/{}/uploads/.*", TEST_BUCKET),
+    )
+    .unwrap();
+
+    auth_evaluator.save_rule(&participant_context, get_rule).await.unwrap();
+    auth_evaluator.save_rule(&participant_context, put_rule).await.unwrap();
+
+    // Verify rules are stored
+    let rules = auth_evaluator.get_rules(&participant_context).await.unwrap();
+    assert_eq!(rules.len(), 2);
+
+    // Configure and launch S3 proxy with Postgres auth
     let proxy_port = get_available_port();
-    launch_s3proxy(ProxyConfig::for_token_testing(
-        proxy_port,
-        minio.host.clone(),
-        UpstreamStyle::PathStyle,
-        None,
-        VALID_SESSION_TOKEN.to_string(),
-        "test-scope".to_string(),
-    ).await);
-
-    // Configure SDK to use the proxy as a reverse proxy endpoint
+    let proxy_config = ProxyConfig {
+        port: proxy_port,
+        upstream_endpoint: minio.host.clone(),
+        upstream_style: UpstreamStyle::PathStyle,
+        proxy_domain: None,
+        credential_resolver: Arc::new(PassthroughCredentialsResolver {
+            credentials: S3Credentials {
+                access_key_id: MINIO_ACCESS_KEY.to_string(),
+                secret_key: MINIO_SECRET_KEY.to_string(),
+                region: "us-east-1".to_string(),
+            },
+        }),
+        participant_context_resolver: Arc::new(StaticParticipantContextResolver {
+            participant_context: participant_context.clone(),
+        }),
+        token_verifier: Arc::new(TestJwtVerifier {
+            scope: scope.to_string(),
+        }),
+        auth_evaluator: auth_evaluator.clone(),
+        operation_parser: Some(Arc::new(DefaultS3OperationParser::new())),
+    };
+
+    launch_s3proxy(proxy_config).await;
+
+    // Test 1: GET request - should succeed (authorized by get_rule)
     let proxy_url = format!("http://127.0.0.1:{}", proxy_port);
+    let client = create_test_client(&proxy_url, Some("test-token".to_string())).await;
 
-    // Test Case 1: Valid token succeeds
-    let valid_config = aws_config::defaults(BehaviorVersion::latest())
-        .credentials_provider(Credentials::new(
-            "",
-            "",
-            Some(VALID_SESSION_TOKEN.to_string()), // Valid token!
-            None,
-            "test",
-        ))
-        .region(Region::new("us-east-1"))
-        .endpoint_url(&proxy_url) // Point directly to the proxy
-        .load()
-        .await;
-
-    let valid_client = Client::new(&valid_config);
-
-    let result = valid_client
+    let get_response = client
         .get_object()
         .bucket(TEST_BUCKET)
-        .key(TEST_KEY)
+        .key("test-file.txt")
         .send()
-        .await
-        .expect("Request with valid token should succeed");
-
-    let body = result.body.collect().await.expect("Failed to read body");
-    let content = String::from_utf8(body.to_vec()).expect("Invalid UTF-8");
-
-    assert_eq!(content, TEST_CONTENT, "Content should match");
-
-    // Test Case 2: Invalid token fails
-    let invalid_config = aws_config::defaults(BehaviorVersion::latest())
-        .credentials_provider(Credentials::new(
-            MINIO_ACCESS_KEY,
-            MINIO_SECRET_KEY,
-            Some(INVALID_SESSION_TOKEN.to_string()), // Invalid token!
-            None,
-            "test",
-        ))
-        .region(Region::new("us-east-1"))
-        .endpoint_url(&proxy_url) // Point directly to the proxy
-        .load()
         .await;
 
-    let invalid_client = Client::new(&invalid_config);
+    assert!(get_response.is_ok(), "GetObject should succeed with valid authorization. Error: {:?}", get_response.as_ref().err());
+    let body = get_response.unwrap().body.collect().await.unwrap();
+    assert_eq!(body.to_vec(), b"Hello from MinIO!");
 
-    let result = invalid_client
+    // Test 2: GET another file - should succeed (authorized by get_rule)
+    let get_response2 = client
         .get_object()
         .bucket(TEST_BUCKET)
-        .key(TEST_KEY)
+        .key("data/document.pdf")
         .send()
         .await;
 
-    assert!(result.is_err(), "Request with invalid token should fail");
-
-    // Test Case 3: Missing token fails
-    let no_token_config = aws_config::defaults(BehaviorVersion::latest())
-        .credentials_provider(Credentials::new(
-            MINIO_ACCESS_KEY,
-            MINIO_SECRET_KEY,
-            None, // No token!
-            None,
-            "test",
-        ))
-        .region(Region::new("us-east-1"))
-        .endpoint_url(&proxy_url) // Point directly to the proxy
-        .load()
-        .await;
+    assert!(get_response2.is_ok(), "GetObject should succeed for nested path");
+    let body2 = get_response2.unwrap().body.collect().await.unwrap();
+    assert_eq!(body2.to_vec(), b"PDF content here");
 
-    let no_token_client = Client::new(&no_token_config);
-
-    let result = no_token_client
-        .get_object()
+    // Test 3: PUT request to uploads/ - should succeed (authorized by put_rule)
+    let put_response = client
+        .put_object()
         .bucket(TEST_BUCKET)
-        .key(TEST_KEY)
+        .key("uploads/new-file.txt")
+        .body(aws_sdk_s3::primitives::ByteStream::from_static(b"New content uploaded through proxy"))
         .send()
         .await;
 
-    assert!(result.is_err(), "Request without token should fail");
+    assert!(put_response.is_ok(), "PutObject should succeed in uploads/ path");
+
+    assert!(
+        minio.verify_object_content(TEST_BUCKET, "uploads/new-file.txt", b"New content uploaded through proxy").await,
+        "Uploaded file should exist in MinIO with correct content"
+    );
+
+    // Test 5: Verify authorization decisions are persisted in Postgres
+    // Check that we can evaluate operations directly using the AuthorizationEvaluator trait
+    let get_operation = Operation::builder()
+        .scope(scope)
+        .action("s3:GetObject")
+        .resource(format!("/{}/test-file.txt", TEST_BUCKET))
+        .build();
+
+    let authorized = <PostgresAuthorizationEvaluator as AuthorizationEvaluator>::evaluate(
+        &*auth_evaluator,
+        &participant_context,
+        get_operation,
+    )
+    .await
+    .unwrap();
+    assert!(authorized, "GetObject operation should be authorized");
+
+    let put_operation = Operation::builder()
+        .scope(scope)
+        .action("s3:PutObject")
+        .resource(format!("/{}/uploads/new-file.txt", TEST_BUCKET))
+        .build();
+
+    let authorized_put = <PostgresAuthorizationEvaluator as AuthorizationEvaluator>::evaluate(
+        &*auth_evaluator,
+        &participant_context,
+        put_operation,
+    )
+    .await
+    .unwrap();
+    assert!(authorized_put, "PutObject operation should be authorized for uploads/ path");
+
+    // Test 6: Verify unauthorized operation would be denied
+    let delete_operation = Operation::builder()
+        .scope(scope)
+        .action("s3:DeleteObject")
+        .resource(format!("/{}/test-file.txt", TEST_BUCKET))
+        .build();
+
+    let unauthorized = <PostgresAuthorizationEvaluator as AuthorizationEvaluator>::evaluate(
+        &*auth_evaluator,
+        &participant_context,
+        delete_operation,
+    )
+    .await
+    .unwrap();
+    assert!(!unauthorized, "DeleteObject should not be authorized");
 }