tests: add session token v2 tests #1266

evgeniiz321 · 2026-01-19T21:08:46Z

closes #823

neofs-testlib/neofs_testlib/cli/neofs_cli/session.py

evgeniiz321 · 2026-01-27T00:17:20Z

Current issues:

Delegation for container operations doesn't work - results in 'invalid container ID field in the response: zero container ID'. Without delegation - works ok.

FAILED pytest_tests/tests/session_token/test_session_token_v2.py::TestSessionTokenV2::test_v2_session_token_container_operations[delegation] - RuntimeError: Command: ./neofs-cli --config /Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/wallet_config.yml container create --rpc-endpoint 'localhost:55846' --wallet '/U...

./neofs-cli --config /Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/wallet_config.yml container create --rpc-endpoint 'localhost:60812' --wallet '/Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/test-run-2026-01-26-23-30-22-007934/wallet-cb920fcc-05ca-4593-8472-610c6df1cb78.json' --await --policy 'REP 2 IN X CBF 1 SELECT 4 FROM * AS X' --session '/Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/test-run-2026-01-26-23-30-22-007934/TestFilesDir/72024926-59e2-4a45-8106-8c855cff59bc'
Error:
return code: 1 
Output: Error: put container rpc error: put: invalid container ID field in the response: zero container ID

NNS delegation results in "token issuer is not in this origin token's subjects". Without delegation works ok.

FAILED pytest_tests/tests/session_token/test_session_token_v2.py::TestSessionTokenV2::test_v2_session_token_nns_delegation - RuntimeError: Command: ./neofs-cli --config /Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/wallet_config.yml session create-v2 --wallet '/Users/evgeniiz/Projects/neofs-tes...
./neofs-cli --config /Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/wallet_config.yml session create-v2 --wallet '/Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/test-run-2026-01-26-23-20-57-427457/wallet-08249470-7b21-4175-986e-37974278e5bd.json' --out '/Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/test-run-2026-01-26-23-20-57-427457/TestFilesDir/53512b14-aba5-4c23-880c-11b629c8ab28' --rpc-endpoint 'localhost:55846' --lifetime 900 --address 'Nama9A8UQfKm3xHf57CStCxKhUSn7sADNB' --json --subject-nns 'subjectdomain.neofs' --context 'EmJ6jtwCbxy8JUkUwWUsV6hYphYebfvM85mDyhUiNTHy:GET,HEAD' --origin '/Users/evgeniiz/Projects/neofs-testcases-nspcc/neofs-testcases/test-run-2026-01-26-23-20-57-427457/TestFilesDir/9b0a99a4-b26a-4f87-93b0-a8ffcb7c32d1'
Error:
return code: 1 
Output: Error: created token validation failed: depth 0: token issuer is not in this origin token's subjects

Tests with expiration don't get error messages about expired token, although they expect one:

FAILED pytest_tests/tests/session_token/test_session_token_v2.py::TestSessionTokenV2::test_v2_session_token_expiration[owner-direct] - Failed: DID NOT RAISE <class 'RuntimeError'>
FAILED pytest_tests/tests/session_token/test_session_token_v2.py::TestSessionTokenV2::test_v2_session_token_expiration[delegation] - Failed: DID NOT RAISE <class 'RuntimeError'>

All tests can be run from the current PR, no special configurations are needed, just the node binary from the session tokens PR.

roman-khimov

Wildcard container tokens can be extended with tokens for specific container only, this needs to be checked. I'd also like to see more negative scenarios (like trying to extend cid-specific token with wildcard or using more verbs in delegated token than allowed by original, etc).

roman-khimov · 2026-01-27T15:57:52Z

pytest_tests/lib/helpers/nns.py

+            rpc_endpoint=f"http://{neofs_env.fschain_rpc}",
+            wallet_config=neo_go_wallet_config,
+            method="addRecord",
+            arguments=f"{domain} 16 string:{wallet.address}",


I expected to see Neo (100) type here (and AddNeoRecord call). @End-rey?

Updated, works with 100 and AddNeoRecord as well

roman-khimov · 2026-01-27T15:59:09Z

pytest_tests/lib/helpers/session_token.py

+        subjects: List of subject user IDs authorized to use the token.
+        subject_nns: List of subject NNS names authorized to use the token.
+        contexts: List of context specs in format: containerID:verbs[:objectID1,objectID2,...].
+                  Use '0' for wildcard container. Contexts and verbs should be sorted.


Sorting in done CLI-side now.

Updated, also changed tests to use non-sorted verbs

roman-khimov · 2026-01-27T16:51:58Z

pytest_tests/tests/session_token/test_session_token_v2.py

+        with allure.step("Create V2 Session Token with container operations"):
+            contexts = ["0:CONTAINERDELETE,CONTAINERPUT"]
+
+            if use_delegation:


This chunk can probably be moved out, same as in previous test.

roman-khimov · 2026-01-27T17:04:17Z

pytest_tests/tests/session_token/test_session_token_v2.py

+            )
+
+        with allure.step("Create delegated token for user to perform operations"):
+            with pytest.raises(Exception, match=".*final token cannot be used as origin.*"):


Should be also forced to create this invalid token and then check that requests fail with it.

force is not yet implemented

closes #823 Signed-off-by: Evgeniy Zayats <[email protected]>

End-rey · 2026-01-28T11:23:03Z

pytest_tests/lib/helpers/nns.py

+            contracts_hashes["nns"],
+            rpc_endpoint=f"http://{neofs_env.fschain_rpc}",
+            wallet_config=neo_go_wallet_config,
+            method="AddNeoRecord",


Suggested change

method="AddNeoRecord",

method="addNeoRecord",

End-rey · 2026-01-28T11:26:23Z

pytest_tests/lib/helpers/nns.py

+            rpc_endpoint=f"http://{neofs_env.fschain_rpc}",
+            wallet_config=neo_go_wallet_config,
+            method="AddNeoRecord",
+            arguments=f"{domain} 100 string:{wallet.address}",


The method works with a specific type Neo, so there is no need to write 100. Also, use Uint160 script hash instead of a string. There should be only 2 arguments: domain and hash of address.

End-rey · 2026-01-28T11:34:45Z

pytest_tests/tests/session_token/test_session_token_v2.py

+        1. Register NNS domain name for owner wallet
+        2. Add NNS record for the domain
+        3. Create V2 session token with NNS subject for owner
+        4. Verify owner can perform operations using the token


If I understand correctly, this test does not verify the correctness of the claim. In this case, all requests will go through an ephemeral key, so it does not matter what other subjects are in the token. What can be verified here is that if the node key is placed in nns and then this node is requested (it must be a different node from the one used to create the token), then everything should work. In this case, the object must be created with the node key, not the ephemeral key. You can also try adding several nodes to one nns and check that requests can be made from all nodes.

evgeniiz321 requested review from carpawell, cthulhu-rider and roman-khimov as code owners January 19, 2026 21:08

evgeniiz321 marked this pull request as draft January 19, 2026 21:08

roman-khimov reviewed Jan 20, 2026

View reviewed changes

neofs-testlib/neofs_testlib/cli/neofs_cli/session.py Outdated Show resolved Hide resolved

evgeniiz321 force-pushed the ezayats/session-tokens-v2 branch 2 times, most recently from 636f984 to 6f719fc Compare January 27, 2026 00:13

This was referenced Jan 27, 2026

session/v2: make single Validate function nspcc-dev/neofs-sdk-go#773

Merged

Session token V2 nspcc-dev/neofs-node#3671

Merged

roman-khimov reviewed Jan 27, 2026

View reviewed changes

evgeniiz321 force-pushed the ezayats/session-tokens-v2 branch 3 times, most recently from 4d7fccd to 34d0cdf Compare January 28, 2026 01:31

tests: add session token v2 tests

c418e7d

closes #823 Signed-off-by: Evgeniy Zayats <[email protected]>

evgeniiz321 force-pushed the ezayats/session-tokens-v2 branch from 34d0cdf to c418e7d Compare January 28, 2026 01:39

End-rey reviewed Jan 28, 2026

View reviewed changes

tests: add session token v2 tests #1266

Are you sure you want to change the base?

tests: add session token v2 tests #1266

Uh oh!

Conversation

evgeniiz321 commented Jan 19, 2026

Uh oh!

Uh oh!

evgeniiz321 commented Jan 27, 2026

Uh oh!

roman-khimov left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants