test: REST Get/PutBucketOwnershipControls
@@ -16,7 +16,7 @@
|
||||
|
||||
copy_object() {
|
||||
if [ $# -ne 4 ]; then
|
||||
echo "copy object command requires command type, source, bucket, key"
|
||||
log 2 "copy object command requires command type, source, bucket, key"
|
||||
return 1
|
||||
fi
|
||||
local exit_code=0
|
||||
@@ -32,12 +32,12 @@ copy_object() {
|
||||
elif [[ $1 == 'mc' ]]; then
|
||||
error=$(send_command mc --insecure cp "$MC_ALIAS/$2" "$MC_ALIAS/$3/$4" 2>&1) || exit_code=$?
|
||||
else
|
||||
echo "'copy-object' not implemented for '$1'"
|
||||
log 2 "'copy-object' not implemented for '$1'"
|
||||
return 1
|
||||
fi
|
||||
log 5 "copy object exit code: $exit_code"
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error copying object to bucket: $error"
|
||||
log 2 "error copying object to bucket: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
delete_object_tagging() {
|
||||
record_command "delete-object-tagging" "client:$1"
|
||||
if [[ $# -ne 3 ]]; then
|
||||
echo "delete object tagging command missing command type, bucket, key"
|
||||
log 2 "delete object tagging command missing command type, bucket, key"
|
||||
return 1
|
||||
fi
|
||||
delete_result=0
|
||||
@@ -28,11 +28,11 @@ delete_object_tagging() {
|
||||
elif [ "$1" == 'rest' ]; then
|
||||
delete_object_tagging_rest "$2" "$3" || delete_result=$?
|
||||
else
|
||||
echo "delete-object-tagging command not implemented for '$1'"
|
||||
log 2 "delete-object-tagging command not implemented for '$1'"
|
||||
return 1
|
||||
fi
|
||||
if [[ $delete_result -ne 0 ]]; then
|
||||
echo "error deleting object tagging: $error"
|
||||
log 2 "error deleting object tagging: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -17,9 +17,10 @@
|
||||
get_bucket_location() {
|
||||
record_command "get-bucket-location" "client:$1"
|
||||
if [[ $# -ne 2 ]]; then
|
||||
echo "get bucket location command requires command type, bucket name"
|
||||
log 2 "get bucket location command requires command type, bucket name"
|
||||
return 1
|
||||
fi
|
||||
get_result=0
|
||||
if [[ $1 == 'aws' ]]; then
|
||||
get_bucket_location_aws "$2" || get_result=$?
|
||||
elif [[ $1 == 's3cmd' ]]; then
|
||||
@@ -27,7 +28,7 @@ get_bucket_location() {
|
||||
elif [[ $1 == 'mc' ]]; then
|
||||
get_bucket_location_mc "$2" || get_result=$?
|
||||
else
|
||||
echo "command type '$1' not implemented for get_bucket_location"
|
||||
log 2 "command type '$1' not implemented for get_bucket_location"
|
||||
return 1
|
||||
fi
|
||||
if [[ $get_result -ne 0 ]]; then
|
||||
@@ -39,7 +40,7 @@ get_bucket_location() {
|
||||
get_bucket_location_aws() {
|
||||
record_command "get-bucket-location" "client:s3api"
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "get bucket location (aws) requires bucket name"
|
||||
log 2 "get bucket location (aws) requires bucket name"
|
||||
return 1
|
||||
fi
|
||||
location_json=$(send_command aws --no-verify-ssl s3api get-bucket-location --bucket "$1") || location_result=$?
|
||||
@@ -59,7 +60,7 @@ get_bucket_location_s3cmd() {
|
||||
fi
|
||||
info=$(send_command s3cmd --no-check-certificate info "s3://$1") || results=$?
|
||||
if [[ $results -ne 0 ]]; then
|
||||
echo "error getting s3cmd info: $info"
|
||||
log 2 "error getting bucket location: $location"
|
||||
return 1
|
||||
fi
|
||||
bucket_location=$(echo "$info" | grep -o 'Location:.*' | awk '{print $2}')
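Review bot: The replacement log line in the s3cmd failure branch reports `$location`, a variable this hunk never assigns, while the echo it replaces reported `$info`, which is where the `s3cmd info` output is captured two lines earlier; the diagnostic therefore drops the actual error text. Change it to `log 2 "error getting bucket location: $info"` so the message names the command that failed and carries its output. get_bucket_location_s3cmd starts before this hunk, so whether `results` is initialised on the success path cannot be confirmed here; if it is not, a `local results=0` at the top of the function would make the `[[ $results -ne 0 ]]` test independent of whether `set -u` is active.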
|
||||
@@ -69,12 +70,12 @@ get_bucket_location_s3cmd() {
|
||||
get_bucket_location_mc() {
|
||||
record_command "get-bucket-location" "client:mc"
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "get bucket location (mc) requires bucket name"
|
||||
log 2 "get bucket location (mc) requires bucket name"
|
||||
return 1
|
||||
fi
|
||||
info=$(send_command mc --insecure stat "$MC_ALIAS/$1") || results=$?
|
||||
if [[ $results -ne 0 ]]; then
|
||||
echo "error getting s3cmd info: $info"
|
||||
log 2 "error getting s3cmd info: $info"
|
||||
return 1
|
||||
fi
|
||||
# shellcheck disable=SC2034
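Review bot: The new log line in get_bucket_location_mc still reads `error getting s3cmd info: $info` although the command captured into `info` on the preceding lines is `mc stat`; the echo it replaces carried the same mislabel, so this is a good moment to fix it. `log 2 "error getting mc info: $info"` keeps the message accurate for anyone grepping the test log for the failing client. get_bucket_location_mc continues past the end of this hunk.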
|
||||
|
||||
@@ -126,12 +126,12 @@ get_bucket_policy_s3cmd() {
|
||||
get_bucket_policy_mc() {
|
||||
record_command "get-bucket-policy" "client:mc"
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "aws 'get bucket policy' command requires bucket"
|
||||
log 2 "aws 'get bucket policy' command requires bucket"
|
||||
return 1
|
||||
fi
|
||||
bucket_policy=$(send_command mc --insecure anonymous get-json "$MC_ALIAS/$1") || get_result=$?
|
||||
if [[ $get_result -ne 0 ]]; then
|
||||
echo "error getting policy: $bucket_policy"
|
||||
log 2 "error getting policy: $bucket_policy"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -35,7 +35,7 @@ get_bucket_tagging() {
|
||||
export tags=
|
||||
return 0
|
||||
fi
|
||||
echo "error getting bucket tags: $tags"
|
||||
log 2 "error getting bucket tags: $tags"
|
||||
return 1
|
||||
fi
|
||||
export tags
|
||||
|
||||
@@ -18,7 +18,7 @@ list_buckets() {
|
||||
log 6 "list_buckets"
|
||||
record_command "list-buckets" "client:$1"
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "list buckets command missing command type"
|
||||
log 2 "list buckets command missing command type"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -34,11 +34,11 @@ list_buckets() {
|
||||
elif [[ $1 == 'rest' ]]; then
|
||||
list_buckets_rest || exit_code=$?
|
||||
else
|
||||
echo "list buckets command not implemented for '$1'"
|
||||
log 2 "list buckets command not implemented for '$1'"
|
||||
return 1
|
||||
fi
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error listing buckets: $buckets"
|
||||
log 2 "error listing buckets: $buckets"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -57,7 +57,7 @@ list_buckets() {
|
||||
list_buckets_with_user() {
|
||||
record_command "list-buckets" "client:$1"
|
||||
if [ $# -ne 3 ]; then
|
||||
echo "'list buckets as user' command missing command type, username, password"
|
||||
log 2 "'list buckets as user' command missing command type, username, password"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -71,11 +71,11 @@ list_buckets_with_user() {
|
||||
elif [[ $1 == 'mc' ]]; then
|
||||
buckets=$(send_command mc --insecure ls "$MC_ALIAS" 2>&1) || exit_code=$?
|
||||
else
|
||||
echo "list buckets command not implemented for '$1'"
|
||||
log 2 "list buckets command not implemented for '$1'"
|
||||
return 1
|
||||
fi
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error listing buckets: $buckets"
|
||||
log 2 "error listing buckets: $buckets"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -97,7 +97,7 @@ list_buckets_s3api() {
|
||||
return 1
|
||||
fi
|
||||
if ! output=$(AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" send_command aws --no-verify-ssl s3api list-buckets 2>&1); then
|
||||
echo "error listing buckets: $output"
|
||||
log 2 "error listing buckets: $output"
|
||||
return 1
|
||||
fi
|
||||
log 5 "bucket data: $output"
|
||||
|
||||
@@ -91,7 +91,7 @@ list_objects_s3api() {
|
||||
# export objects on success, return 1 for failure
|
||||
list_objects_s3api_v1() {
|
||||
if [ $# -lt 1 ] || [ $# -gt 2 ]; then
|
||||
echo "list objects command requires bucket, (optional) delimiter"
|
||||
log 2 "list objects command requires bucket, (optional) delimiter"
|
||||
return 1
|
||||
fi
|
||||
if [ "$2" == "" ]; then
|
||||
@@ -100,7 +100,7 @@ list_objects_s3api_v1() {
|
||||
objects=$(send_command aws --no-verify-ssl s3api list-objects --bucket "$1" --delimiter "$2") || local result=$?
|
||||
fi
|
||||
if [[ $result -ne 0 ]]; then
|
||||
echo "error listing objects: $objects"
|
||||
log 2 "error listing objects: $objects"
|
||||
return 1
|
||||
fi
|
||||
export objects
|
||||
|
||||
@@ -19,13 +19,13 @@
|
||||
# export objects on success, return 1 for failure
|
||||
list_objects_v2() {
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "list objects command missing bucket and/or path"
|
||||
log 2 "list objects command missing bucket and/or path"
|
||||
return 1
|
||||
fi
|
||||
record_command "list-objects-v2 client:s3api"
|
||||
objects=$(send_command aws --no-verify-ssl s3api list-objects-v2 --bucket "$1") || local result=$?
|
||||
if [[ $result -ne 0 ]]; then
|
||||
echo "error listing objects: $objects"
|
||||
log 2 "error listing objects: $objects"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
@@ -17,14 +17,14 @@
|
||||
upload_part_copy() {
|
||||
record_command "upload-part-copy" "client:s3api"
|
||||
if [ $# -ne 5 ]; then
|
||||
echo "upload multipart part copy function must have bucket, key, upload ID, file name, part number"
|
||||
log 2 "upload multipart part copy function must have bucket, key, upload ID, file name, part number"
|
||||
return 1
|
||||
fi
|
||||
local etag_json
|
||||
echo "$1 $2 $3 $4 $5"
|
||||
log 5 "parameters: $1 $2 $3 $4 $5"
|
||||
etag_json=$(send_command aws --no-verify-ssl s3api upload-part-copy --bucket "$1" --key "$2" --upload-id "$3" --part-number "$5" --copy-source "$1/$4-$(($5-1))") || local uploaded=$?
|
||||
if [[ $uploaded -ne 0 ]]; then
|
||||
echo "Error uploading part $5: $etag_json"
|
||||
log 2 "Error uploading part $5: $etag_json"
|
||||
return 1
|
||||
fi
|
||||
etag=$(echo "$etag_json" | jq '.CopyPartResult.ETag')
|
||||
|
||||
43
tests/rest_scripts/get_bucket_ownership_controls.sh
Executable file
@@ -0,0 +1,43 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2024 Versity Software
|
||||
# This file is licensed under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http:#www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
source ./tests/rest_scripts/rest.sh
|
||||
|
||||
# Fields
|
||||
# shellcheck disable=SC2153
|
||||
bucket_name="$BUCKET_NAME"
|
||||
|
||||
current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
|
||||
|
||||
canonical_request="GET
|
||||
/$bucket_name
|
||||
ownershipControls=
|
||||
host:$host
|
||||
x-amz-content-sha256:UNSIGNED-PAYLOAD
|
||||
x-amz-date:$current_date_time
|
||||
|
||||
host;x-amz-content-sha256;x-amz-date
|
||||
UNSIGNED-PAYLOAD"
|
||||
|
||||
create_canonical_hash_sts_and_signature
|
||||
|
||||
curl_command+=(curl -ks -w "\"%{http_code}\"" "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls="
|
||||
-H "\"Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature\""
|
||||
-H "\"x-amz-content-sha256: UNSIGNED-PAYLOAD\""
|
||||
-H "\"x-amz-date: $current_date_time\""
|
||||
-o "$OUTPUT_FILE")
|
||||
# shellcheck disable=SC2154
|
||||
eval "${curl_command[*]}" 2>&1
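Review bot: `eval "${curl_command[*]}"` on the last line re-parses the joined command as shell source, so any element containing shell metacharacters — `$bucket_name` taken from BUCKET_NAME, `$OUTPUT_FILE`, or the Authorization header value — is interpreted by the shell instead of being passed to curl as one argument, which is also why every `-H` value and the `-w` format carry an extra layer of `\"` escaping. Executing the array directly preserves each element as a single argument and removes the need for that escaping. put_bucket_ownership_controls.sh in this commit has the same pattern, where `-d "\"${payload//\"/\\\"}\""` exists only to survive the eval and would become `-d "$payload"`. If rest.sh pre-populates `curl_command` with elements that depend on eval, that prefix would need the same treatment; rest.sh is not part of this diff.
```shell
curl_command+=(curl -ks -w "%{http_code}" "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls="
  -H "Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature"
  -H "x-amz-content-sha256: UNSIGNED-PAYLOAD"
  -H "x-amz-date: $current_date_time"
  -o "$OUTPUT_FILE")
# shellcheck disable=SC2154
"${curl_command[@]}" 2>&1
```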
|
||||
59
tests/rest_scripts/put_bucket_ownership_controls.sh
Executable file
@@ -0,0 +1,59 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2024 Versity Software
|
||||
# This file is licensed under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http:#www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
source ./tests/rest_scripts/rest.sh
|
||||
|
||||
# Fields
|
||||
|
||||
# shellcheck disable=SC2153
|
||||
bucket_name="$BUCKET_NAME"
|
||||
# shellcheck disable=SC2153
|
||||
ownership="$OWNERSHIP"
|
||||
|
||||
payload="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
|
||||
<OwnershipControls xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">
|
||||
<Rule>
|
||||
<ObjectOwnership>$ownership</ObjectOwnership>
|
||||
</Rule>
|
||||
</OwnershipControls>"
|
||||
|
||||
content_md5=$(echo -n "$payload" | openssl dgst -binary -md5 | openssl base64)
|
||||
payload_hash="$(echo -n "$payload" | sha256sum | awk '{print $1}')"
|
||||
current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
|
||||
|
||||
canonical_request="PUT
|
||||
/$bucket_name
|
||||
ownershipControls=
|
||||
content-md5:$content_md5
|
||||
host:$host
|
||||
x-amz-content-sha256:$payload_hash
|
||||
x-amz-date:$current_date_time
|
||||
|
||||
content-md5;host;x-amz-content-sha256;x-amz-date
|
||||
$payload_hash"
|
||||
|
||||
create_canonical_hash_sts_and_signature
|
||||
|
||||
curl_command+=(curl -ks -w "\"%{http_code}\"" -X PUT "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls="
|
||||
-H "\"Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date,Signature=$signature\""
|
||||
-H "\"Content-MD5: $content_md5\""
|
||||
-H "\"x-amz-content-sha256: $payload_hash\""
|
||||
-H "\"x-amz-date: $current_date_time\""
|
||||
-d "\"${payload//\"/\\\"}\""
|
||||
-o "$OUTPUT_FILE")
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
eval "${curl_command[*]}" 2>&1
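Review bot: Both digests of the request body are computed with `echo -n "$payload"`, whose handling of `-n` and of backslash sequences varies between shells and echo implementations, so the bytes hashed for Content-MD5 and x-amz-content-sha256 could differ from the bytes curl sends. Use `content_md5=$(printf '%s' "$payload" | openssl dgst -binary -md5 | openssl base64)` and `payload_hash="$(printf '%s' "$payload" | sha256sum | awk '{print $1}')"` so the hashed input is exactly the payload string. Note also that `$ownership`, taken from OWNERSHIP, is interpolated into the XML body unescaped; since the same string is hashed, signed and sent, the signature still verifies, but a value containing `<` or `&` yields malformed XML rather than an invalid ownership value, which matters if this script is meant to exercise rejection of bad inputs.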
|
||||
@@ -18,7 +18,7 @@ check_for_alias() {
|
||||
local alias_result
|
||||
aliases=$(mc alias list)
|
||||
if [[ $alias_result -ne 0 ]]; then
|
||||
echo "error checking for aliases: $aliases"
|
||||
log 2 "error checking for aliases: $aliases"
|
||||
return 2
|
||||
fi
|
||||
while IFS= read -r line; do
|
||||
@@ -32,7 +32,7 @@ check_for_alias() {
|
||||
check_add_mc_alias() {
|
||||
check_for_alias || alias_result=$?
|
||||
if [[ $alias_result -eq 2 ]]; then
|
||||
echo "error checking for aliases"
|
||||
log 2 "error checking for aliases"
|
||||
return 1
|
||||
fi
|
||||
if [[ $alias_result -eq 0 ]]; then
|
||||
@@ -41,7 +41,7 @@ check_add_mc_alias() {
|
||||
local set_result
|
||||
error=$(mc alias set --insecure "$MC_ALIAS" "$AWS_ENDPOINT_URL" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY") || set_result=$?
|
||||
if [[ $set_result -ne 0 ]]; then
|
||||
echo "error setting alias: $error"
|
||||
log 2 "error setting alias: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -218,7 +218,7 @@ test_common_list_buckets() {
|
||||
|
||||
test_common_list_objects() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "common test function for listing objects requires command type"
|
||||
log 2 "common test function for listing objects requires command type"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -294,7 +294,7 @@ test_common_set_get_object_tags() {
|
||||
|
||||
test_common_presigned_url_utf8_chars() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "presigned url command missing command type"
|
||||
log 2 "presigned url command missing command type"
|
||||
return 1
|
||||
fi
|
||||
|
||||
|
||||
@@ -35,6 +35,7 @@ source ./tests/util_list_buckets.sh
|
||||
source ./tests/util_list_objects.sh
|
||||
source ./tests/util_list_parts.sh
|
||||
source ./tests/util_lock_config.sh
|
||||
source ./tests/util_ownership.sh
|
||||
source ./tests/util_rest.sh
|
||||
source ./tests/util_tags.sh
|
||||
source ./tests/util_time.sh
|
||||
@@ -394,4 +395,18 @@ source ./tests/util_versioning.sh
|
||||
|
||||
run add_verify_bucket_tags_rest "$BUCKET_ONE_NAME" "$test_key" "$test_value"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "REST - get, put bucket ownership controls" {
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerEnforced"
|
||||
assert_success
|
||||
|
||||
run put_bucket_ownership_controls_rest "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
|
||||
assert_success
|
||||
|
||||
run get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
|
||||
assert_success
|
||||
}
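Review bot: The new test ends with the bucket set to `BucketOwnerPreferred` and never restores the default, so if the bucket is reused rather than recreated between runs (elsewhere in this commit the multipart tests gate on `RECREATE_BUCKETS == false`, which suggests reuse is a supported mode) the first `get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerEnforced"` will fail on the next run. Add `run put_bucket_ownership_controls_rest "$BUCKET_ONE_NAME" "BucketOwnerEnforced"` followed by `assert_success` before the closing brace, or handle it in a teardown if util_ownership.sh provides one; that file is not in this diff. Whether the initial `BucketOwnerEnforced` expectation holds for an already-existing bucket also depends on what setup_bucket does in that case, which is not visible here.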
|
||||
@@ -50,15 +50,15 @@ source ./tests/commands/select_object_content.sh
|
||||
|
||||
export RUN_USERS=true
|
||||
|
||||
@test "test_create_bucket_invalid_name" {
|
||||
test_create_bucket_invalid_name_aws_root
|
||||
}
|
||||
|
||||
# create-bucket
|
||||
@test "test_create_delete_bucket_aws" {
|
||||
test_common_create_delete_bucket "aws"
|
||||
}
|
||||
|
||||
@test "test_create_bucket_invalid_name" {
|
||||
test_create_bucket_invalid_name_aws_root
|
||||
}
|
||||
|
||||
# delete-bucket - test_create_delete_bucket_aws
|
||||
|
||||
# delete-bucket-policy
|
||||
@@ -69,10 +69,6 @@ export RUN_USERS=true
|
||||
test_common_get_put_delete_bucket_policy "aws"
|
||||
}
|
||||
|
||||
# delete-bucket-tagging
|
||||
@test "test-set-get-delete-bucket-tags" {
|
||||
test_common_set_get_delete_bucket_tags "aws"
|
||||
}
|
||||
|
||||
# get-bucket-acl
|
||||
@test "test_get_bucket_acl" {
|
||||
@@ -88,6 +84,24 @@ export RUN_USERS=true
|
||||
|
||||
# get-bucket-tagging - test_set_get_delete_bucket_tags
|
||||
|
||||
@test "test_head_bucket" {
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run check_for_empty_region "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "test_head_bucket_doesnt_exist" {
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
head_bucket "aws" "$BUCKET_ONE_NAME"a || local info_result=$?
|
||||
[[ $info_result -eq 1 ]] || fail "bucket info for non-existent bucket returned"
|
||||
[[ $bucket_info == *"404"* ]] || fail "404 not returned for non-existent bucket info"
|
||||
bucket_cleanup "aws" "$BUCKET_ONE_NAME"
|
||||
}
|
||||
|
||||
@test "test_head_bucket_invalid_name" {
|
||||
if head_bucket "aws" ""; then
|
||||
fail "able to get bucket info for invalid name"
|
||||
@@ -103,23 +117,7 @@ export RUN_USERS=true
|
||||
test_common_put_bucket_acl "s3api"
|
||||
}
|
||||
|
||||
@test "test_head_bucket" {
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
head_bucket "aws" "$BUCKET_ONE_NAME" || fail "error getting bucket info"
|
||||
log 5 "INFO: $bucket_info"
|
||||
region=$(echo "$bucket_info" | grep -v "InsecureRequestWarning" | jq -r ".BucketRegion" 2>&1) || fail "error getting bucket region: $region"
|
||||
[[ $region != "" ]] || fail "empty bucket region"
|
||||
bucket_cleanup "aws" "$BUCKET_ONE_NAME"
|
||||
}
|
||||
|
||||
@test "test_head_bucket_doesnt_exist" {
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
head_bucket "aws" "$BUCKET_ONE_NAME"a || local info_result=$?
|
||||
[[ $info_result -eq 1 ]] || fail "bucket info for non-existent bucket returned"
|
||||
[[ $bucket_info == *"404"* ]] || fail "404 not returned for non-existent bucket info"
|
||||
bucket_cleanup "aws" "$BUCKET_ONE_NAME"
|
||||
# delete-bucket-tagging
|
||||
@test "test-set-get-delete-bucket-tags" {
|
||||
test_common_set_get_delete_bucket_tags "aws"
|
||||
}
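Review bot: The rewritten `test_head_bucket` in the third hunk of this section replaces the explicit `[[ $region != "" ]] || fail "empty bucket region"` assertion with `run check_for_empty_region "$BUCKET_ONE_NAME"` and `assert_success`; read literally, a helper named "check for empty region" succeeds when the region is empty, which is the opposite of what the old body asserted, so confirm what the helper returns (it is not in this diff) and, if it asserts non-empty, a name such as `check_region_not_empty` would remove the ambiguity. The rewrite also drops the trailing `bucket_cleanup "aws" "$BUCKET_ONE_NAME"` that the old body had, while the neighbouring `test_head_bucket_doesnt_exist` keeps its call; if cleanup now happens in a teardown the remaining explicit call is redundant, otherwise the cleanup should be restored so the two tests leave the bucket in the same state.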
|
||||
|
||||
@@ -38,31 +38,6 @@ source ./tests/commands/list_multipart_uploads.sh
|
||||
test_create_multipart_upload_properties_aws_root
|
||||
}
|
||||
|
||||
# test multi-part upload list parts command
|
||||
@test "test-multipart-upload-list-parts" {
|
||||
test_multipart_upload_list_parts_aws_root
|
||||
}
|
||||
|
||||
# test listing of active uploads
|
||||
@test "test-multipart-upload-list-uploads" {
|
||||
local bucket_file_one="bucket-file-one"
|
||||
local bucket_file_two="bucket-file-two"
|
||||
|
||||
if [[ $RECREATE_BUCKETS == false ]]; then
|
||||
run abort_all_multipart_uploads "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
fi
|
||||
|
||||
run create_test_files "$bucket_file_one" "$bucket_file_two"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run create_list_check_multipart_uploads "$BUCKET_ONE_NAME" "$bucket_file_one" "$bucket_file_two"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "test-multipart-upload-from-bucket" {
|
||||
local bucket_file="bucket-file"
|
||||
|
||||
@@ -108,3 +83,29 @@ source ./tests/commands/list_multipart_uploads.sh
|
||||
run run_and_verify_multipart_upload_with_valid_range "$BUCKET_ONE_NAME" "$bucket_file" "$TEST_FILE_FOLDER/$bucket_file"
|
||||
assert_success
|
||||
}
|
||||
|
||||
# test multi-part upload list parts command
|
||||
@test "test-multipart-upload-list-parts" {
|
||||
test_multipart_upload_list_parts_aws_root
|
||||
}
|
||||
|
||||
# test listing of active uploads
|
||||
@test "test-multipart-upload-list-uploads" {
|
||||
local bucket_file_one="bucket-file-one"
|
||||
local bucket_file_two="bucket-file-two"
|
||||
|
||||
if [[ $RECREATE_BUCKETS == false ]]; then
|
||||
run abort_all_multipart_uploads "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
fi
|
||||
|
||||
run create_test_files "$bucket_file_one" "$bucket_file_two"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run create_list_check_multipart_uploads "$BUCKET_ONE_NAME" "$bucket_file_one" "$bucket_file_two"
|
||||
assert_success
|
||||
}
|
||||
|
||||
|
||||
@@ -88,30 +88,6 @@ export RUN_USERS=true
|
||||
test_get_object_attributes_aws_root
|
||||
}
|
||||
|
||||
@test "test_put_object" {
|
||||
test_put_object_aws_root
|
||||
}
|
||||
|
||||
# test adding and removing an object on versitygw
|
||||
@test "test_put_object_with_data" {
|
||||
if [ "$RECREATE_BUCKETS" == "false" ]; then
|
||||
skip "https://github.com/versity/versitygw/issues/888"
|
||||
fi
|
||||
test_common_put_object_with_data "aws"
|
||||
}
|
||||
|
||||
@test "test_put_object_no_data" {
|
||||
if [ "$RECREATE_BUCKETS" == "false" ]; then
|
||||
skip "https://github.com/versity/versitygw/issues/888"
|
||||
fi
|
||||
test_common_put_object_no_data "aws"
|
||||
}
|
||||
|
||||
# test listing a bucket's objects on versitygw
|
||||
@test "test_list_objects" {
|
||||
test_common_list_objects "aws"
|
||||
}
|
||||
|
||||
@test "test_get_put_object_legal_hold" {
|
||||
test_get_put_object_legal_hold_aws_root
|
||||
}
|
||||
@@ -120,23 +96,9 @@ export RUN_USERS=true
|
||||
test_get_put_object_retention_aws_root
|
||||
}
|
||||
|
||||
# test v1 s3api list objects command
|
||||
@test "test-s3api-list-objects-v1" {
|
||||
test_s3api_list_objects_v1_aws_root
|
||||
}
|
||||
|
||||
# test v2 s3api list objects command
|
||||
@test "test-s3api-list-objects-v2" {
|
||||
test_s3api_list_objects_v2_aws_root
|
||||
}
|
||||
|
||||
# test abilty to set and retrieve object tags
|
||||
@test "test-set-get-object-tags" {
|
||||
test_common_set_get_object_tags "aws"
|
||||
}
|
||||
|
||||
@test "test-presigned-url-utf8-chars" {
|
||||
test_common_presigned_url_utf8_chars "aws"
|
||||
# test listing a bucket's objects on versitygw
|
||||
@test "test_list_objects" {
|
||||
test_common_list_objects "aws"
|
||||
}
|
||||
|
||||
@test "test-list-objects-delimiter" {
|
||||
@@ -159,6 +121,94 @@ export RUN_USERS=true
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "test_put_object" {
|
||||
test_put_object_aws_root
|
||||
}
|
||||
|
||||
# test adding and removing an object on versitygw
|
||||
@test "test_put_object_with_data" {
|
||||
if [ "$RECREATE_BUCKETS" == "false" ]; then
|
||||
skip "https://github.com/versity/versitygw/issues/888"
|
||||
fi
|
||||
test_common_put_object_with_data "aws"
|
||||
}
|
||||
|
||||
@test "test_put_object_no_data" {
|
||||
if [ "$RECREATE_BUCKETS" == "false" ]; then
|
||||
skip "https://github.com/versity/versitygw/issues/888"
|
||||
fi
|
||||
test_common_put_object_no_data "aws"
|
||||
}
|
||||
|
||||
@test "test-presigned-url-utf8-chars" {
|
||||
test_common_presigned_url_utf8_chars "aws"
|
||||
}
|
||||
|
||||
@test "test_put_object_lock_configuration" {
|
||||
bucket_name=$BUCKET_ONE_NAME
|
||||
if [[ $RECREATE_BUCKETS == "true" ]]; then
|
||||
run delete_bucket "s3api" "$bucket_name"
|
||||
assert_success
|
||||
run create_bucket_object_lock_enabled "$bucket_name"
|
||||
assert_success
|
||||
fi
|
||||
local enabled="Enabled"
|
||||
local governance="GOVERNANCE"
|
||||
local days="1"
|
||||
|
||||
run put_object_lock_configuration "$bucket_name" "$enabled" "$governance" "$days"
|
||||
assert_success "error putting object lock config"
|
||||
|
||||
run get_and_check_object_lock_config "$bucket_name" "$enabled" "$governance" "$days"
|
||||
assert_success "error getting and checking object lock config"
|
||||
|
||||
bucket_cleanup "aws" "$bucket_name"
|
||||
}
|
||||
|
||||
@test "test_put_object_metadata" {
|
||||
object_one="object-one"
|
||||
test_key="x-test-data"
|
||||
test_value="test-value"
|
||||
|
||||
run create_test_files "$object_one"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
object="$TEST_FILE_FOLDER"/"$object_one"
|
||||
put_object_with_metadata "aws" "$object" "$BUCKET_ONE_NAME" "$object_one" "$test_key" "$test_value" || fail "failed to add object to bucket"
|
||||
object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "object not found after being added to bucket"
|
||||
|
||||
get_object_metadata "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "error getting object metadata"
|
||||
key=$(echo "$metadata" | jq -r 'keys[]' 2>&1) || fail "error getting key from metadata: $key"
|
||||
value=$(echo "$metadata" | jq -r '.[]' 2>&1) || fail "error getting value from metadata: $value"
|
||||
[[ $key == "$test_key" ]] || fail "keys doesn't match (expected $key, actual \"$test_key\")"
|
||||
[[ $value == "$test_value" ]] || fail "values doesn't match (expected $value, actual \"$test_value\")"
|
||||
|
||||
bucket_cleanup "aws" "$BUCKET_ONE_NAME"
|
||||
delete_test_files "$object_one"
|
||||
}
|
||||
|
||||
@test "test_retention_bypass" {
|
||||
test_retention_bypass_aws_root
|
||||
}
|
||||
|
||||
# test v1 s3api list objects command
|
||||
@test "test-s3api-list-objects-v1" {
|
||||
test_s3api_list_objects_v1_aws_root
|
||||
}
|
||||
|
||||
# test v2 s3api list objects command
|
||||
@test "test-s3api-list-objects-v2" {
|
||||
test_s3api_list_objects_v2_aws_root
|
||||
}
|
||||
|
||||
# test abilty to set and retrieve object tags
|
||||
@test "test-set-get-object-tags" {
|
||||
test_common_set_get_object_tags "aws"
|
||||
}
|
||||
|
||||
# ensure that lists of files greater than a size of 1000 (pagination) are returned properly
|
||||
#@test "test_list_objects_file_count" {
|
||||
# test_common_list_objects_file_count "aws"
|
||||
@@ -183,55 +233,6 @@ export RUN_USERS=true
|
||||
# [[ $put_object -eq 0 ]] || fail "Failed to add object to bucket"
|
||||
#}
|
||||
|
||||
@test "test_retention_bypass" {
|
||||
test_retention_bypass_aws_root
|
||||
}
|
||||
|
||||
@test "test_add_object_metadata" {
|
||||
object_one="object-one"
|
||||
test_key="x-test-data"
|
||||
test_value="test-value"
|
||||
|
||||
run create_test_files "$object_one"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "aws" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
object="$TEST_FILE_FOLDER"/"$object_one"
|
||||
put_object_with_metadata "aws" "$object" "$BUCKET_ONE_NAME" "$object_one" "$test_key" "$test_value" || fail "failed to add object to bucket"
|
||||
object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "object not found after being added to bucket"
|
||||
|
||||
get_object_metadata "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "error getting object metadata"
|
||||
key=$(echo "$metadata" | jq -r 'keys[]' 2>&1) || fail "error getting key from metadata: $key"
|
||||
value=$(echo "$metadata" | jq -r '.[]' 2>&1) || fail "error getting value from metadata: $value"
|
||||
[[ $key == "$test_key" ]] || fail "keys doesn't match (expected $key, actual \"$test_key\")"
|
||||
[[ $value == "$test_value" ]] || fail "values doesn't match (expected $value, actual \"$test_value\")"
|
||||
|
||||
bucket_cleanup "aws" "$BUCKET_ONE_NAME"
|
||||
delete_test_files "$object_one"
|
||||
}
|
||||
|
||||
@test "test_put_object_lock_configuration" {
|
||||
bucket_name=$BUCKET_ONE_NAME
|
||||
if [[ $RECREATE_BUCKETS == "true" ]]; then
|
||||
run delete_bucket "s3api" "$bucket_name"
|
||||
assert_success
|
||||
run create_bucket_object_lock_enabled "$bucket_name"
|
||||
assert_success
|
||||
fi
|
||||
local enabled="Enabled"
|
||||
local governance="GOVERNANCE"
|
||||
local days="1"
|
||||
|
||||
run put_object_lock_configuration "$bucket_name" "$enabled" "$governance" "$days"
|
||||
assert_success "error putting object lock config"
|
||||
|
||||
run get_and_check_object_lock_config "$bucket_name" "$enabled" "$governance" "$days"
|
||||
assert_success "error getting and checking object lock config"
|
||||
|
||||
bucket_cleanup "aws" "$bucket_name"
|
||||
}
|
||||
|
||||
@test "test_ls_directory_object" {
|
||||
test_common_ls_directory_object "s3api"
|
||||
|
||||
@@ -16,6 +16,9 @@
|
||||
|
||||
source ./tests/logger.sh
|
||||
source ./tests/setup.sh
|
||||
source ./tests/test_s3api_policy_bucket.sh
|
||||
source ./tests/test_s3api_policy_multipart.sh
|
||||
source ./tests/test_s3api_policy_object.sh
|
||||
source ./tests/util_multipart.sh
|
||||
source ./tests/util_file.sh
|
||||
source ./tests/util_policy.sh
|
||||
@@ -30,25 +33,60 @@ source ./tests/commands/put_object.sh
|
||||
|
||||
export RUN_USERS=true
|
||||
|
||||
@test "test_put_policy_invalid_action" {
|
||||
@test "test_policy_abort_multipart_upload" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_invalid_action
|
||||
test_s3api_policy_abort_multipart_upload
|
||||
}
|
||||
|
||||
@test "test_policy_get_object_with_user" {
|
||||
@test "test_policy_allow_deny" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_object_with_user
|
||||
test_s3api_policy_allow_deny
|
||||
}
|
||||
|
||||
@test "test_policy_get_object_specific_file" {
|
||||
@test "test_policy_delete" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_object_specific_file
|
||||
test_s3api_policy_delete
|
||||
}
|
||||
|
||||
@test "test_policy_delete_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_delete_bucket_policy
|
||||
}
|
||||
|
||||
@test "test_policy_deny" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_deny
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_acl" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_acl
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_policy
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_tagging" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_tagging
|
||||
}
|
||||
|
||||
@test "test_policy_get_object_file_wildcard" {
|
||||
@@ -65,39 +103,18 @@ export RUN_USERS=true
|
||||
test_s3api_policy_get_object_folder_wildcard
|
||||
}
|
||||
|
||||
@test "test_policy_allow_deny" {
|
||||
@test "test_policy_get_object_specific_file" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_allow_deny
|
||||
test_s3api_policy_get_object_specific_file
|
||||
}
|
||||
|
||||
@test "test_policy_deny" {
|
||||
@test "test_policy_get_object_with_user" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_deny
|
||||
}
|
||||
|
||||
@test "test_policy_put_wildcard" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_put_wildcard
|
||||
}
|
||||
|
||||
@test "test_policy_delete" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_delete
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_policy
|
||||
test_s3api_policy_get_object_with_user
|
||||
}
|
||||
|
||||
@test "test_policy_list_multipart_uploads" {
|
||||
@@ -107,55 +124,6 @@ export RUN_USERS=true
|
||||
test_s3api_policy_list_multipart_uploads
|
||||
}
|
||||
|
||||
@test "test_policy_put_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_put_bucket_policy
|
||||
}
|
||||
|
||||
@test "test_policy_delete_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_delete_bucket_policy
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_acl" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_acl
|
||||
}
|
||||
|
||||
@test "test_policy_abort_multipart_upload" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_abort_multipart_upload
|
||||
}
|
||||
|
||||
@test "test_policy_two_principals" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_two_principals
|
||||
}
|
||||
|
||||
@test "test_policy_put_bucket_tagging" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_put_bucket_tagging
|
||||
}
|
||||
|
||||
@test "test_policy_get_bucket_tagging" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
test_s3api_policy_get_bucket_tagging
|
||||
}
|
||||
|
||||
@test "test_policy_list_upload_parts" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
@@ -170,673 +138,37 @@ export RUN_USERS=true
|
||||
test_s3api_policy_put_acl
|
||||
}
|
||||
|
||||
test_s3api_policy_invalid_action() {
|
||||
policy_file="policy_file"
|
||||
|
||||
run create_test_file "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="*"
|
||||
action="s3:GetObjectt"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run put_and_check_for_malformed_policy "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_get_object_with_user() {
|
||||
policy_file="policy_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
test_file="test_file"
|
||||
|
||||
log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE"
|
||||
run create_test_files "$test_file" "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
|
||||
assert_success
|
||||
|
||||
run setup_user "$username" "$password" "user"
|
||||
assert_success
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
|
||||
assert_success
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success
|
||||
|
||||
run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_get_object_specific_file() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
test_file_two="test_file_two"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_files "$policy_file" "$test_file" "$test_file_two"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/test_file"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" || fail "error copying object"
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object"
|
||||
|
||||
run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_get_object_file_wildcard() {
|
||||
policy_file="policy_file_one"
|
||||
policy_file_two="policy_file_two"
|
||||
policy_file_three="policy_fil"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_files "$policy_file" "$policy_file_two" "$policy_file_three"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/policy_file*"
|
||||
|
||||
run setup_user "$username" "$password" "user"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
|
||||
assert_success
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success
|
||||
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file"
|
||||
assert_success
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two"
|
||||
assert_success
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_three" "$BUCKET_ONE_NAME" "$policy_file_three"
|
||||
assert_success
|
||||
|
||||
run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
|
||||
run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" "$TEST_FILE_FOLDER/$policy_file_two-copy" "$username" "$password"
|
||||
assert_success
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$policy_file_three" "$TEST_FILE_FOLDER/$policy_file_three" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_get_object_folder_wildcard() {
|
||||
policy_file="policy_file"
|
||||
test_folder="test_folder"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_folder "$test_folder"
|
||||
assert_success
|
||||
|
||||
run create_test_files "$test_folder/$test_file" "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
|
||||
|
||||
run setup_user "$username" "$password" "user"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
|
||||
assert_success
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success
|
||||
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file"
|
||||
assert_success
|
||||
|
||||
run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_allow_deny() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_files "$policy_file" "$test_file"
|
||||
assert_success
|
||||
|
||||
run setup_user "$username" "$password" "user"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \
|
||||
"Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" \
|
||||
"Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
|
||||
assert_success
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success
|
||||
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
|
||||
assert_success
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_deny() {
|
||||
policy_file="policy_file"
|
||||
test_file_one="test_file_one"
|
||||
test_file_two="test_file_two"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_files "$test_file_one" "$test_file_two" "$policy_file"
|
||||
assert_success
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \
|
||||
"Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" \
|
||||
"Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
|
||||
log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one"
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two"
|
||||
get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$TEST_FILE_FOLDER/$test_file_one-copy" "$username" "$password" || fail "error getting object"
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_put_wildcard() {
|
||||
policy_file="policy_file"
|
||||
test_folder="test_folder"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_folder "$test_folder"
|
||||
assert_success
|
||||
|
||||
run create_test_files "$test_folder/$test_file" "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:PutObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
if put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"; then
|
||||
fail "able to put object despite not being allowed"
|
||||
@test "test_policy_put_bucket_policy" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
[[ "$put_object_error" == *"Access Denied"* ]] || fail "invalid put object error: $put_object_error"
|
||||
put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$username" "$password" || fail "error putting file despite policy permissions"
|
||||
|
||||
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$test_folder/$test_file-copy" "$username" "$password"
|
||||
assert_success
|
||||
|
||||
download_and_compare_file "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" || fail "files don't match"
|
||||
test_s3api_policy_put_bucket_policy
|
||||
}
|
||||
|
||||
test_s3api_policy_delete() {
|
||||
policy_file="policy_file"
|
||||
test_file_one="test_file_one"
|
||||
test_file_two="test_file_two"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_files "$test_file_one" "$test_file_two" "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:DeleteObject"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one"
|
||||
put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two"
|
||||
if delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$username" "$password"; then
|
||||
fail "able to delete object despite lack of permissions"
|
||||
@test "test_policy_put_bucket_tagging" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
[[ "$delete_object_error" == *"Access Denied"* ]] || fail "invalid delete object error: $delete_object_error"
|
||||
delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$username" "$password" || fail "error deleting object despite permissions"
|
||||
test_s3api_policy_put_bucket_tagging
|
||||
}
|
||||
|
||||
test_s3api_policy_get_bucket_policy() {
|
||||
policy_file="policy_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetBucketPolicy"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
if get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then
|
||||
fail "able to retrieve bucket policy despite lack of permissions"
|
||||
@test "test_policy_two_principals" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket policy despite permissions"
|
||||
# shellcheck disable=SC2154
|
||||
echo "$bucket_policy" > "$TEST_FILE_FOLDER/$policy_file-copy"
|
||||
log 5 "ORIG: $(cat "$TEST_FILE_FOLDER/$policy_file")"
|
||||
log 5 "COPY: $(cat "$TEST_FILE_FOLDER/$policy_file-copy")"
|
||||
compare_files "$TEST_FILE_FOLDER/$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" || fail "policies not equal"
|
||||
test_s3api_policy_two_principals
|
||||
}
|
||||
|
||||
test_s3api_policy_list_multipart_uploads() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file"
|
||||
assert_success
|
||||
|
||||
run create_large_file "$test_file"
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:ListBucketMultipartUploads"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
get_bucket_policy "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket policy"
|
||||
log 5 "BUCKET POLICY: $bucket_policy"
|
||||
get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket ACL"
|
||||
# shellcheck disable=SC2154
|
||||
log 5 "ACL: $acl"
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
|
||||
assert_success "failed to set up policy"
|
||||
run create_multipart_upload "$BUCKET_ONE_NAME" "$test_file"
|
||||
assert_success "failed to create multipart upload"
|
||||
if list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then
|
||||
fail "able to list multipart uploads despite lack of permissions"
|
||||
@test "test_policy_put_wildcard" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
[[ "$list_multipart_uploads_error" == *"Access Denied"* ]] || fail "invalid list multipart uploads error: $list_multipart_uploads_error"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error listing multipart uploads"
|
||||
# shellcheck disable=SC2154
|
||||
log 5 "$uploads"
|
||||
upload_key=$(echo "$uploads" | grep -v "InsecureRequestWarning" | jq -r ".Uploads[0].Key" 2>&1) || fail "error parsing upload key from uploads message: $upload_key"
|
||||
[[ $upload_key == "$test_file" ]] || fail "upload key doesn't match file marked as being uploaded"
|
||||
test_s3api_policy_put_wildcard
|
||||
}
|
||||
|
||||
test_s3api_policy_put_bucket_policy() {
|
||||
policy_file="policy_file"
|
||||
policy_file_two="policy_file_two"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file" 0
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:PutBucketPolicy"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
if put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" "$username" "$password"; then
|
||||
fail "able to retrieve bucket policy despite lack of permissions"
|
||||
@test "test_put_policy_invalid_action" {
|
||||
if [[ -n $SKIP_POLICY ]]; then
|
||||
skip "will not test policy actions with SKIP_POLICY set"
|
||||
fi
|
||||
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file_two" "dummy" "$effect" "$principal" "s3:GetBucketPolicy" "$resource" || fail "failed to set up policy"
|
||||
put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file_two" "$username" "$password" || fail "error putting bucket policy despite permissions"
|
||||
get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket policy despite permissions"
|
||||
# shellcheck disable=SC2154
|
||||
echo "$bucket_policy" > "$TEST_FILE_FOLDER/$policy_file-copy"
|
||||
log 5 "ORIG: $(cat "$TEST_FILE_FOLDER/$policy_file_two")"
|
||||
log 5 "COPY: $(cat "$TEST_FILE_FOLDER/$policy_file-copy")"
|
||||
compare_files "$TEST_FILE_FOLDER/$policy_file_two" "$TEST_FILE_FOLDER/$policy_file-copy" || fail "policies not equal"
|
||||
}
|
||||
|
||||
test_s3api_policy_delete_bucket_policy() {
|
||||
policy_file="policy_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file" 0
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:DeleteBucketPolicy"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
if delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then
|
||||
fail "able to delete bucket policy with user $username without right permissions"
|
||||
fi
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "unable to delete bucket policy"
|
||||
}
|
||||
|
||||
test_s3api_policy_get_bucket_acl() {
|
||||
policy_file="policy_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file" 0
|
||||
assert_success
|
||||
|
||||
effect="Allow"
|
||||
principal="$username"
|
||||
action="s3:GetBucketAcl"
|
||||
resource="arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error creating user"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
if get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then
|
||||
fail "user able to get bucket ACLs despite permissions"
|
||||
fi
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket ACL despite permissions"
|
||||
}
|
||||
|
||||
test_s3api_policy_abort_multipart_upload() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
|
||||
run create_test_file "$policy_file"
|
||||
assert_success
|
||||
|
||||
run create_large_file "$test_file"
|
||||
assert_success
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
if [[ $DIRECT == "true" ]]; then
|
||||
setup_user_direct "$username" "user" "$BUCKET_ONE_NAME" || fail "error setting up direct user $username"
|
||||
principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/$username\"}"
|
||||
# shellcheck disable=SC2154
|
||||
username=$key_id
|
||||
# shellcheck disable=SC2154
|
||||
password=$secret_key
|
||||
else
|
||||
password=$PASSWORD_ONE
|
||||
setup_user "$username" "$password" "user" || fail "error setting up user $username"
|
||||
principal="\"$username\""
|
||||
fi
|
||||
|
||||
setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \
|
||||
"Allow" "$principal" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" \
|
||||
"Deny" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting first policy"
|
||||
|
||||
create_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$username" "$password" || fail "error creating multipart upload"
|
||||
# shellcheck disable=SC2154
|
||||
if abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password"; then
|
||||
fail "abort multipart upload succeeded despite lack of permissions"
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
[[ "$abort_multipart_upload_error" == *"AccessDenied"* ]] || fail "unexpected abort error: $abort_multipart_upload_error"
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password" || fail "error aborting multipart upload despite permissions"
|
||||
}
|
||||
|
||||
test_s3api_policy_two_principals() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
|
||||
run create_test_files "$test_file" "$policy_file"
|
||||
assert_success "error creating test files"
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success "error setting up bucket $BUCKET_ONE_NAME"
|
||||
run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
|
||||
assert_success "error setting up user $USERNAME_ONE"
|
||||
run setup_user "$USERNAME_TWO" "$PASSWORD_TWO" "user"
|
||||
assert_success "error setting up user $USERNAME_TWO"
|
||||
|
||||
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
|
||||
assert_success "error adding object to bucket"
|
||||
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE"
|
||||
assert_failure "able to get object with user $USERNAME_ONE despite lack of permission"
|
||||
|
||||
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO"
|
||||
assert_failure "able to get object with user $USERNAME_TWO despite lack of permission"
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "Allow" "[\"$USERNAME_ONE\", \"$USERNAME_TWO\"]" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
assert_success "error setting up policy"
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success "error putting policy"
|
||||
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE"
|
||||
assert_success "error getting object with user $USERNAME_ONE"
|
||||
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO"
|
||||
assert_success "error getting object with user $USERNAME_TWO"
|
||||
}
|
||||
|
||||
test_s3api_policy_put_bucket_tagging() {
|
||||
policy_file="policy_file"
|
||||
tag_key="TestKey"
|
||||
tag_value="TestValue"
|
||||
|
||||
run create_test_files "$policy_file"
|
||||
assert_success "error creating test files"
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success "error setting up bucket"
|
||||
run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
|
||||
assert_success "error setting up user"
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
assert_success "error setting up policy"
|
||||
run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE"
|
||||
assert_failure
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success "error putting policy"
|
||||
run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE"
|
||||
assert_success "unable to put bucket tagging despite user permissions"
|
||||
|
||||
run get_and_check_bucket_tags "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
|
||||
assert_success
|
||||
}
|
||||
|
||||
test_s3api_policy_put_acl() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
username=$USERNAME_ONE
|
||||
password=$PASSWORD_ONE
|
||||
|
||||
run create_test_file "$policy_file" 0
|
||||
assert_success
|
||||
run create_large_file "$test_file"
|
||||
assert_success
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" || fail "error putting bucket ownership controls"
|
||||
|
||||
setup_user "$username" "$password" "user" || fail "error setting up user $username"
|
||||
|
||||
setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$username" "s3:PutBucketAcl" "arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
if [[ $DIRECT == "true" ]]; then
|
||||
put_public_access_block_enable_public_acls "$BUCKET_ONE_NAME" || fail "error enabling public ACLs"
|
||||
fi
|
||||
|
||||
put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
|
||||
|
||||
put_bucket_canned_acl_with_user "$BUCKET_ONE_NAME" "public-read" "$username" "$password" || fail "error putting canned acl"
|
||||
get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket acl"
|
||||
# shellcheck disable=SC2154
|
||||
log 5 "ACL: $acl"
|
||||
second_grant=$(echo "$acl" | jq -r ".Grants[1]" 2>&1) || fail "error getting second grant: $second_grant"
|
||||
second_grantee=$(echo "$second_grant" | jq -r ".Grantee" 2>&1) || fail "error getting second grantee: $second_grantee"
|
||||
permission=$(echo "$second_grant" | jq -r ".Permission" 2>&1) || fail "error getting permission: $permission"
|
||||
log 5 "second grantee: $second_grantee"
|
||||
[[ $permission == "READ" ]] || fail "incorrect permission: $permission"
|
||||
if [[ $DIRECT == "true" ]]; then
|
||||
uri=$(echo "$second_grantee" | jq -r ".URI" 2>&1) || fail "error getting uri: $uri"
|
||||
[[ $uri == "http://acs.amazonaws.com/groups/global/AllUsers" ]] || fail "unexpected URI: $uri"
|
||||
else
|
||||
id=$(echo "$second_grantee" | jq -r ".ID" 2>&1) || fail "error getting ID: $id"
|
||||
[[ $id == "all-users" ]] || fail "unexpected ID: $id"
|
||||
fi
|
||||
}
|
||||
|
||||
test_s3api_policy_get_bucket_tagging() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
tag_key="TestKey"
|
||||
tag_value="TestValue"
|
||||
|
||||
run create_test_files "$policy_file"
|
||||
assert_success "error creating test files"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success
|
||||
|
||||
run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
|
||||
assert_success "error creating user '$USERNAME_ONE'"
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:GetBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
|
||||
assert_success "error setting up policy"
|
||||
|
||||
run put_bucket_tagging "s3api" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
|
||||
assert_success "unable to put bucket tagging"
|
||||
|
||||
run get_bucket_tagging_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME"
|
||||
assert_failure
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success "error putting policy"
|
||||
|
||||
run get_and_check_bucket_tags_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
|
||||
assert_success "get and check bucket tags failed"
|
||||
}
|
||||
|
||||
test_s3api_policy_list_upload_parts() {
|
||||
policy_file="policy_file"
|
||||
test_file="test_file"
|
||||
tag_key="TestKey"
|
||||
tag_value="TestValue"
|
||||
|
||||
run create_test_files "$policy_file"
|
||||
assert_success "error creating test files"
|
||||
|
||||
run create_large_file "$test_file"
|
||||
assert_success "error creating large file"
|
||||
|
||||
run setup_bucket "s3api" "$BUCKET_ONE_NAME"
|
||||
assert_success "error setting up bucket"
|
||||
|
||||
run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
|
||||
assert_success "error creating user '$USERNAME_ONE'"
|
||||
|
||||
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
|
||||
assert_success "error setting up policy"
|
||||
|
||||
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
|
||||
assert_success "error putting policy"
|
||||
|
||||
run create_upload_and_test_parts_listing "$test_file" "$policy_file"
|
||||
assert_success "error creating upload and testing parts listing"
|
||||
test_s3api_policy_invalid_action
|
||||
}
|
||||
|
||||
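--- /dev/null
+++ b/tests/test_s3api_policy_bucket.sh
@@ -0,0 +1,244 @@
+#!/usr/bin/env bats
+
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source ./tests/util_acl.sh
+
+test_s3api_policy_delete_bucket_policy() {
+policy_file="policy_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file" 0
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:DeleteBucketPolicy"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"
+assert_failure
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_bucket_acl() {
+policy_file="policy_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file" 0
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetBucketAcl"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password"
+assert_failure
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_bucket_policy() {
+policy_file="policy_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetBucketPolicy"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"
+assert_failure
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run get_and_compare_policy_with_file "$BUCKET_ONE_NAME" "$username" "$password" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+}
+
+test_s3api_policy_get_bucket_tagging() {
+policy_file="policy_file"
+test_file="test_file"
+tag_key="TestKey"
+tag_value="TestValue"
+
+run create_test_files "$policy_file"
+assert_success "error creating test files"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
+assert_success "error creating user '$USERNAME_ONE'"
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:GetBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
+assert_success "error setting up policy"
+
+run put_bucket_tagging "s3api" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
+assert_success "unable to put bucket tagging"
+
+run get_bucket_tagging_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME"
+assert_failure
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success "error putting policy"
+
+run get_and_check_bucket_tags_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
+assert_success "get and check bucket tags failed"
+}
+
+test_s3api_policy_put_acl() {
+policy_file="policy_file"
+test_file="test_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file" 0
+assert_success
+run create_large_file "$test_file"
+assert_success
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
+assert_success
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$username" "s3:PutBucketAcl" "arn:aws:s3:::$BUCKET_ONE_NAME"
+assert_success
+if [[ $DIRECT == "true" ]]; then
+run put_public_access_block_enable_public_acls "$BUCKET_ONE_NAME"
+assert_success
+fi
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run put_bucket_canned_acl_with_user "$BUCKET_ONE_NAME" "public-read" "$username" "$password"
+assert_success
+
+run get_check_acl_after_policy "$BUCKET_ONE_NAME"
+assert_success
+}
+
+test_s3api_policy_put_bucket_policy() {
+policy_file="policy_file"
+policy_file_two="policy_file_two"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file" 0
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:PutBucketPolicy"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" "$username" "$password"
+assert_failure
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file_two" "dummy" "$effect" "$principal" "s3:GetBucketPolicy" "$resource"
+assert_success
+
+run put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file_two" "$username" "$password"
+assert_success
+
+run get_and_compare_policy_with_file "$BUCKET_ONE_NAME" "$username" "$password" "$TEST_FILE_FOLDER/$policy_file_two"
+assert_success
+}
+
+test_s3api_policy_put_bucket_tagging() {
+policy_file="policy_file"
+tag_key="TestKey"
+tag_value="TestValue"
+
+run create_test_files "$policy_file"
+assert_success "error creating test files"
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success "error setting up bucket"
+run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
+assert_success "error setting up user"
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
+assert_success "error setting up policy"
+run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE"
+assert_failure
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success "error putting policy"
+run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE"
+assert_success "unable to put bucket tagging despite user permissions"
+
+run get_and_check_bucket_tags "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
+assert_success
+}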
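Review bot: test_s3api_policy_put_acl never verifies that PutBucketAcl is refused before the policy exists — put_bucket_canned_acl_with_user is only called after put_bucket_policy, so the test also passes on a gateway that lets any authenticated user change a bucket ACL, whereas every other test in this file first runs the user call with assert_failure. Inserting `run put_bucket_canned_acl_with_user "$BUCKET_ONE_NAME" "public-read" "$username" "$password"` followed by `assert_failure` before the put_bucket_policy call closes that gap. The test also leaves the bucket with a public-read ACL (and, when DIRECT is true, public ACLs re-enabled through put_public_access_block_enable_public_acls); the teardown is not visible here, so it is worth confirming it deletes the bucket or resets the ACL when run against a real account. Separately, the policy Version is "dummy" in some tests and "2012-10-17" in others; a real S3 endpoint rejects unknown Version values, so the "dummy" tests presumably only pass against the gateway, and a single constant would make that explicit.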
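--- /dev/null
+++ b/tests/test_s3api_policy_multipart.sh
@@ -0,0 +1,131 @@
+#!/usr/bin/env bats
+
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+test_s3api_policy_abort_multipart_upload() {
+policy_file="policy_file"
+test_file="test_file"
+username=$USERNAME_ONE
+
+run create_test_file "$policy_file"
+assert_success
+
+run create_large_file "$test_file"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+if [[ $DIRECT == "true" ]]; then
+setup_user_direct "$username" "user" "$BUCKET_ONE_NAME" || fail "error setting up direct user $username"
+principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/$username\"}"
+# shellcheck disable=SC2154
+username=$key_id
+# shellcheck disable=SC2154
+password=$secret_key
+else
+password=$PASSWORD_ONE
+setup_user "$username" "$password" "user" || fail "error setting up user $username"
+principal="\"$username\""
+fi
+
+setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \
+"Allow" "$principal" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" \
+"Deny" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting first policy"
+
+create_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$username" "$password" || fail "error creating multipart upload"
+# shellcheck disable=SC2154
+if abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password"; then
+fail "abort multipart upload succeeded despite lack of permissions"
+fi
+# shellcheck disable=SC2154
+[[ "$abort_multipart_upload_error" == *"AccessDenied"* ]] || fail "unexpected abort error: $abort_multipart_upload_error"
+
+setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
+
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password" || fail "error aborting multipart upload despite permissions"
+}
+
+test_s3api_policy_list_multipart_uploads() {
+policy_file="policy_file"
+test_file="test_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_file "$policy_file"
+assert_success
+
+run create_large_file "$test_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:ListBucketMultipartUploads"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME"
+setup_user "$username" "$password" "user" || fail "error creating user"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+get_bucket_policy "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket policy"
+# shellcheck disable=SC2154
+log 5 "BUCKET POLICY: $bucket_policy"
+get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket ACL"
+# shellcheck disable=SC2154
+log 5 "ACL: $acl"
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success "failed to set up policy"
+run create_multipart_upload "$BUCKET_ONE_NAME" "$test_file"
+assert_success "failed to create multipart upload"
+if list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then
+fail "able to list multipart uploads despite lack of permissions"
+fi
+# shellcheck disable=SC2154
+[[ "$list_multipart_uploads_error" == *"Access Denied"* ]] || fail "invalid list multipart uploads error: $list_multipart_uploads_error"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error listing multipart uploads"
+# shellcheck disable=SC2154
+log 5 "$uploads"
+upload_key=$(echo "$uploads" | grep -v "InsecureRequestWarning" | jq -r ".Uploads[0].Key" 2>&1) || fail "error parsing upload key from uploads message: $upload_key"
+[[ $upload_key == "$test_file" ]] || fail "upload key doesn't match file marked as being uploaded"
+}
+
+test_s3api_policy_list_upload_parts() {
+policy_file="policy_file"
+test_file="test_file"
+
+run create_test_files "$policy_file"
+assert_success "error creating test files"
+
+run create_large_file "$test_file"
+assert_success "error creating large file"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success "error setting up bucket"
+
+run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
+assert_success "error creating user '$USERNAME_ONE'"
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
+assert_success "error setting up policy"
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success "error putting policy"
+
+run create_upload_and_test_parts_listing "$test_file" "$policy_file"
+assert_success "error creating upload and testing parts listing"
+}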
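Review bot: In test_s3api_policy_abort_multipart_upload both policy-file generators run unchecked — the multi-line setup_policy_with_double_statement call and the later setup_policy_with_single_statement call have neither `run`/assert_success nor `|| fail`, while every other step in the function does. If either fails, the following put_bucket_policy uploads whatever the policy file already held (for the second call, the previous Deny policy), and the final abort assertion then reports a misleading permission failure instead of the setup error. Appending `|| fail "error setting up policy"` to both calls matches the rest of the function. Separately, this test matches the abort error against `*"AccessDenied"*` while test_s3api_policy_list_multipart_uploads matches `*"Access Denied"*`; if both strings come from the same client they presumably cannot both be right, so confirm each against an actual denial.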
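--- /dev/null
+++ b/tests/test_s3api_policy_object.sh
@@ -0,0 +1,352 @@
+#!/usr/bin/env bats
+
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+test_s3api_policy_allow_deny() {
+policy_file="policy_file"
+test_file="test_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_files "$policy_file" "$test_file"
+assert_success
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \
+"Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" \
+"Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
+assert_success
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+assert_success
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_delete() {
+policy_file="policy_file"
+test_file_one="test_file_one"
+test_file_two="test_file_two"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_files "$test_file_one" "$test_file_two" "$policy_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:DeleteObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two"
+
+setup_user "$username" "$password" "user" || fail "error creating user"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
+log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one"
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two"
+if delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$username" "$password"; then
+fail "able to delete object despite lack of permissions"
+fi
+# shellcheck disable=SC2154
+[[ "$delete_object_error" == *"Access Denied"* ]] || fail "invalid delete object error: $delete_object_error"
+delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$username" "$password" || fail "error deleting object despite permissions"
+}
+
+test_s3api_policy_deny() {
+policy_file="policy_file"
+test_file_one="test_file_one"
+test_file_two="test_file_two"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_files "$test_file_one" "$test_file_two" "$policy_file"
+assert_success
+
+setup_user "$username" "$password" "user" || fail "error creating user"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \
+"Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" \
+"Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
+
+log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one"
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two"
+get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$TEST_FILE_FOLDER/$test_file_one-copy" "$username" "$password" || fail "error getting object"
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_object_file_wildcard() {
+policy_file="policy_file_one"
+policy_file_two="policy_file_two"
+policy_file_three="policy_fil"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_files "$policy_file" "$policy_file_two" "$policy_file_three"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/policy_file*"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file"
+assert_success
+run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two"
+assert_success
+run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_three" "$BUCKET_ONE_NAME" "$policy_file_three"
+assert_success
+
+run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" "$username" "$password"
+assert_success
+
+run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" "$TEST_FILE_FOLDER/$policy_file_two-copy" "$username" "$password"
+assert_success
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$policy_file_three" "$TEST_FILE_FOLDER/$policy_file_three" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_object_folder_wildcard() {
+policy_file="policy_file"
+test_folder="test_folder"
+test_file="test_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_folder "$test_folder"
+assert_success
+
+run create_test_files "$test_folder/$test_file" "$policy_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run put_object "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file"
+assert_success
+
+run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_object_specific_file() {
+policy_file="policy_file"
+test_file="test_file"
+test_file_two="test_file_two"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_files "$policy_file" "$test_file" "$test_file_two"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/test_file"
+
+setup_user "$username" "$password" "user" || fail "error creating user"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" || fail "error copying object"
+put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object"
+
+run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
+assert_success
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_get_object_with_user() {
+policy_file="policy_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+test_file="test_file"
+
+log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE"
+run create_test_files "$test_file" "$policy_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:GetObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+assert_success
+
+run setup_user "$username" "$password" "user"
+assert_success
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
+assert_success
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+
+run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
+assert_success
+}
+
+test_s3api_policy_invalid_action() {
+policy_file="policy_file"
+
+run create_test_file "$policy_file"
+assert_success
+
+effect="Allow"
+principal="*"
+action="s3:GetObjectt"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/*"
+
+# shellcheck disable=SC2154
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
+assert_success
+
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME"
+assert_success
+
+run put_and_check_for_malformed_policy "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success
+}
+
+test_s3api_policy_put_wildcard() {
+policy_file="policy_file"
+test_folder="test_folder"
+test_file="test_file"
+username=$USERNAME_ONE
+password=$PASSWORD_ONE
+
+run create_test_folder "$test_folder"
+assert_success
+
+run create_test_files "$test_folder/$test_file" "$policy_file"
+assert_success
+
+effect="Allow"
+principal="$username"
+action="s3:PutObject"
+resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
+
+setup_user "$username" "$password" "user" || fail "error creating user"
+
+setup_bucket "s3api" "$BUCKET_ONE_NAME"
+log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
+setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy"
+put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy"
+if put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"; then
+fail "able to put object despite not being allowed"
+fi
+# shellcheck disable=SC2154
+[[ "$put_object_error" == *"Access Denied"* ]] || fail "invalid put object error: $put_object_error"
+put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$username" "$password" || fail "error putting file despite policy permissions"
+
+run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$test_folder/$test_file-copy" "$username" "$password"
+assert_success
+
+download_and_compare_file "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" || fail "files don't match"
+}
+
+test_s3api_policy_two_principals() {
+policy_file="policy_file"
+test_file="test_file"
+
+run create_test_files "$test_file" "$policy_file"
+assert_success "error creating test files"
+run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+assert_success "error setting up bucket $BUCKET_ONE_NAME"
+run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
+assert_success "error setting up user $USERNAME_ONE"
+run setup_user "$USERNAME_TWO" "$PASSWORD_TWO" "user"
+assert_success "error setting up user $USERNAME_TWO"
+
+run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+assert_success "error adding object to bucket"
+run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE"
+assert_failure "able to get object with user $USERNAME_ONE despite lack of permission"
+
+run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO"
+assert_failure "able to get object with user $USERNAME_TWO despite lack of permission"
+
+run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "Allow" "[\"$USERNAME_ONE\", \"$USERNAME_TWO\"]" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
+assert_success "error setting up policy"
+
+run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
+assert_success "error putting policy"
+run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE"
+assert_success "error getting object with user $USERNAME_ONE"
+run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO"
+assert_success "error getting object with user $USERNAME_TWO"
+}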
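Review bot: test_s3api_policy_get_object_with_user writes the test user's password to the log in clear text (`log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE"`), which lands the credential in CI output and any retained log artifacts; `log 5 "username: $USERNAME_ONE"` keeps the useful part. In test_s3api_policy_put_wildcard the policy file is logged with `cat` before setup_policy_with_single_statement writes it, so the logged content is either a stale file from a previous test or a cat error; moving the log line after the setup call, as test_s3api_policy_delete does, makes it show the policy actually applied. The same function calls `setup_bucket "s3api" "$BUCKET_ONE_NAME"` with neither `run`/assert_success nor `|| fail`, unlike every other test in this file, so a bucket-creation failure surfaces later as a confusing policy or put error.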
@@ -269,7 +269,7 @@ object_exists() {
|
||||
|
||||
put_object_with_metadata() {
|
||||
if [ $# -ne 6 ]; then
|
||||
echo "put object command requires command type, source, destination, key, metadata key, metadata value"
|
||||
log 2 "put object command requires command type, source, destination, key, metadata key, metadata value"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -278,12 +278,12 @@ put_object_with_metadata() {
|
||||
if [[ $1 == 'aws' ]]; then
|
||||
error=$(aws --no-verify-ssl s3api put-object --body "$2" --bucket "$3" --key "$4" --metadata "{\"$5\":\"$6\"}") || exit_code=$?
|
||||
else
|
||||
echo "invalid command type $1"
|
||||
log 2 "invalid command type $1"
|
||||
return 1
|
||||
fi
|
||||
log 5 "put object exit code: $exit_code"
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error copying object to bucket: $error"
|
||||
log 2 "error copying object to bucket: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
@@ -291,7 +291,7 @@ put_object_with_metadata() {
|
||||
|
||||
get_object_metadata() {
|
||||
if [ $# -ne 3 ]; then
|
||||
echo "get object metadata command requires command type, bucket, key"
|
||||
log 2 "get object metadata command requires command type, bucket, key"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -299,11 +299,11 @@ get_object_metadata() {
|
||||
if [[ $1 == 'aws' ]]; then
|
||||
metadata_struct=$(aws --no-verify-ssl s3api head-object --bucket "$2" --key "$3") || exit_code=$?
|
||||
else
|
||||
echo "invalid command type $1"
|
||||
log 2 "invalid command type $1"
|
||||
return 1
|
||||
fi
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error copying object to bucket: $error"
|
||||
log 2 "error copying object to bucket: $error"
|
||||
return 1
|
||||
fi
|
||||
log 5 "raw metadata: $metadata_struct"
|
||||
@@ -315,7 +315,7 @@ get_object_metadata() {
|
||||
|
||||
put_object_multiple() {
|
||||
if [ $# -ne 3 ]; then
|
||||
echo "put object command requires command type, source, destination"
|
||||
log 2 "put object command requires command type, source, destination"
|
||||
return 1
|
||||
fi
|
||||
local exit_code=0
|
||||
@@ -330,11 +330,11 @@ put_object_multiple() {
|
||||
# shellcheck disable=SC2086
|
||||
error=$(mc --insecure cp $2 "$MC_ALIAS"/"$3" 2>&1) || exit_code=$?
|
||||
else
|
||||
echo "invalid command type $1"
|
||||
log 2 "invalid command type $1"
|
||||
return 1
|
||||
fi
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "error copying object to bucket: $error"
|
||||
log 2 "error copying object to bucket: $error"
|
||||
return 1
|
||||
else
|
||||
log 5 "$error"
|
||||
@@ -347,18 +347,18 @@ put_object_multiple() {
|
||||
# return 0 for success or already exists, 1 for failure
|
||||
check_and_put_object() {
|
||||
if [ $# -ne 3 ]; then
|
||||
echo "check and put object function requires source, bucket, destination"
|
||||
log 2 "check and put object function requires source, bucket, destination"
|
||||
return 1
|
||||
fi
|
||||
object_exists "aws" "$2" "$3" || local exists_result=$?
|
||||
if [ "$exists_result" -eq 2 ]; then
|
||||
echo "error checking if object exists"
|
||||
log 2 "error checking if object exists"
|
||||
return 1
|
||||
fi
|
||||
if [ "$exists_result" -eq 1 ]; then
|
||||
copy_object "$1" "$2" || local copy_result=$?
|
||||
if [ "$copy_result" -ne 0 ]; then
|
||||
echo "error adding object"
|
||||
log 2 "error adding object"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
@@ -367,7 +367,7 @@ check_and_put_object() {
|
||||
|
||||
remove_insecure_request_warning() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "remove insecure request warning requires input lines"
|
||||
log 2 "remove insecure request warning requires input lines"
|
||||
return 1
|
||||
fi
|
||||
parsed_output=()
|
||||
@@ -384,13 +384,13 @@ remove_insecure_request_warning() {
|
||||
# return 0 for yes, 1 for no, 2 for error
|
||||
object_is_accessible() {
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "object accessibility check missing bucket and/or key"
|
||||
log 2 "object accessibility check missing bucket and/or key"
|
||||
return 2
|
||||
fi
|
||||
local exit_code=0
|
||||
object_data=$(aws --no-verify-ssl s3api head-object --bucket "$1" --key "$2" 2>&1) || exit_code="$?"
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "Error obtaining object data: $object_data"
|
||||
log 2 "Error obtaining object data: $object_data"
|
||||
return 2
|
||||
fi
|
||||
etag=$(echo "$object_data" | grep -v "InsecureRequestWarning" | jq '.ETag')
|
||||
@@ -405,13 +405,13 @@ object_is_accessible() {
|
||||
# export acl for success, return 1 for error
|
||||
get_object_acl() {
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "object ACL command missing object name"
|
||||
log 2 "object ACL command missing object name"
|
||||
return 1
|
||||
fi
|
||||
local exit_code=0
|
||||
acl=$(aws --no-verify-ssl s3api get-object-acl --bucket "$1" --key "$2" 2>&1) || exit_code="$?"
|
||||
if [ $exit_code -ne 0 ]; then
|
||||
echo "Error getting object ACLs: $acl"
|
||||
log 2 "Error getting object ACLs: $acl"
|
||||
return 1
|
||||
fi
|
||||
export acl
|
||||
@@ -422,14 +422,14 @@ get_object_acl() {
|
||||
# return 0 for success, 1 for failure
|
||||
copy_file() {
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "copy file command requires src and dest"
|
||||
log 2 "copy file command requires src and dest"
|
||||
return 1
|
||||
fi
|
||||
|
||||
local result
|
||||
error=$(aws --no-verify-ssl s3 cp "$1" "$2") || result=$?
|
||||
if [[ $result -ne 0 ]]; then
|
||||
echo "error copying file: $error"
|
||||
log 2 "error copying file: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -149,3 +149,52 @@ get_check_acl_after_second_put() {
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
get_check_acl_after_policy() {
|
||||
if [ $# -ne 1 ]; then
|
||||
log 2 "'get_check_acl_after_policy' requires bucket name"
|
||||
return 1
|
||||
fi
|
||||
if ! get_bucket_acl "s3api" "$1"; then
|
||||
log 2 "error getting bucket acl"
|
||||
return 1
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
log 5 "ACL: $acl"
|
||||
if ! second_grant=$(echo "$acl" | jq -r ".Grants[1]" 2>&1); then
|
||||
log 2 "error getting second grant: $second_grant"
|
||||
return 1
|
||||
fi
|
||||
if ! second_grantee=$(echo "$second_grant" | jq -r ".Grantee" 2>&1); then
|
||||
log 2 "error getting second grantee: $second_grantee"
|
||||
return 1
|
||||
fi
|
||||
if ! permission=$(echo "$second_grant" | jq -r ".Permission" 2>&1); then
|
||||
log 2 "error getting permission: $permission"
|
||||
return 1
|
||||
fi
|
||||
log 5 "second grantee: $second_grantee"
|
||||
if [[ $permission != "READ" ]]; then
|
||||
log 2 "incorrect permission: $permission"
|
||||
return 1
|
||||
fi
|
||||
if [[ $DIRECT == "true" ]]; then
|
||||
if ! uri=$(echo "$second_grantee" | jq -r ".URI" 2>&1); then
|
||||
log 2 "error getting uri: $uri"
|
||||
return 1
|
||||
fi
|
||||
if [[ $uri != "http://acs.amazonaws.com/groups/global/AllUsers" ]]; then
|
||||
log 2 "unexpected URI: $uri"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
if ! id=$(echo "$second_grantee" | jq -r ".ID" 2>&1); then
|
||||
log 2 "error getting ID: $id"
|
||||
return 1
|
||||
fi
|
||||
if [[ $id != "all-users" ]]; then
|
||||
log 2 "unexpected ID: $id"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
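Review bot: The `if ! second_grant=$(echo "$acl" | jq -r ".Grants[1]" 2>&1)` guard in `get_check_acl_after_policy` (and the two `jq -r` guards after it) cannot fire the way the code assumes: when the ACL has only one grant, `jq -r ".Grants[1]"` prints `null` and exits 0, so a missing public-read grant is only reported later as `incorrect permission: null`. Adding `-e` so the exit status reflects a `null` result, e.g. `second_grant=$(echo "$acl" | jq -re ".Grants[1]" 2>&1)`, makes the error branches meaningful and the failure message accurate. The check also hard-codes the public grant at index 1; a comment such as `# assumes the AllUsers READ grant added by the bucket policy is the second entry in Grants` would make that assumption visible to whoever next changes the default ACL shape.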
@@ -16,13 +16,13 @@
|
||||
|
||||
abort_all_multipart_uploads() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "abort all multipart uploads command missing bucket name"
|
||||
log 2 "abort all multipart uploads command missing bucket name"
|
||||
return 1
|
||||
fi
|
||||
|
||||
upload_list=$(aws --no-verify-ssl s3api list-multipart-uploads --bucket "$1" 2>&1) || list_result=$?
|
||||
if [[ $list_result -ne 0 ]]; then
|
||||
echo "error listing multipart uploads: $upload_list"
|
||||
log 2 "error listing multipart uploads: $upload_list"
|
||||
return 1
|
||||
fi
|
||||
log 5 "$upload_list"
|
||||
@@ -46,7 +46,7 @@ abort_all_multipart_uploads() {
|
||||
while read -r line; do
|
||||
# shellcheck disable=SC2086
|
||||
if ! error=$(aws --no-verify-ssl s3api abort-multipart-upload --bucket "$1" $line 2>&1); then
|
||||
echo "error aborting multipart upload: $error"
|
||||
log 2 "error aborting multipart upload: $error"
|
||||
return 1
|
||||
fi
|
||||
done <<< "$lines"
|
||||
|
||||
@@ -287,7 +287,7 @@ setup_bucket() {
|
||||
# return 0 for yes, 1 for no, 2 for error
|
||||
bucket_is_accessible() {
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "bucket accessibility check missing bucket name"
|
||||
log 2 "bucket accessibility check missing bucket name"
|
||||
return 2
|
||||
fi
|
||||
local exit_code=0
|
||||
@@ -299,6 +299,28 @@ bucket_is_accessible() {
|
||||
if [[ "$error" == *"500"* ]]; then
|
||||
return 1
|
||||
fi
|
||||
echo "Error checking bucket accessibility: $error"
|
||||
log 2 "Error checking bucket accessibility: $error"
|
||||
return 2
|
||||
}
|
||||
|
||||
check_for_empty_region() {
|
||||
if [ $# -ne 1 ]; then
|
||||
log 2 "'check_for_empty_region' requires bucket name"
|
||||
return 1
|
||||
fi
|
||||
if ! head_bucket "aws" "$BUCKET_ONE_NAME"; then
|
||||
log 2 "error getting bucket info"
|
||||
return 1
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
log 5 "INFO: $bucket_info"
|
||||
if ! region=$(echo "$bucket_info" | grep -v "InsecureRequestWarning" | jq -r ".BucketRegion" 2>&1); then
|
||||
log 2 "error getting region: $region"
|
||||
return 1
|
||||
fi
|
||||
if [[ $region == "" ]]; then
|
||||
log 2 "empty bucket region"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
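Review bot: `check_for_empty_region` validates that it received a bucket name in `$1` but then calls `head_bucket "aws" "$BUCKET_ONE_NAME"`, so the argument is dead and the check cannot be pointed at any other bucket; the call should be `if ! head_bucket "aws" "$1"; then`. Also, `jq -r ".BucketRegion"` prints the literal string `null` with exit status 0 if the field is absent from `$bucket_info`, so the `[[ $region == "" ]]` test would pass a response with no region at all; `if [[ -z $region || $region == "null" ]]; then` catches both cases. The preceding `bucket_is_accessible` body starts outside this hunk.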
@@ -104,17 +104,17 @@ create_test_folder() {
|
||||
# return: 0 for success, 1 for error
|
||||
delete_test_files() {
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "delete test files command missing filenames"
|
||||
log 2 "delete test files command missing filenames"
|
||||
return 1
|
||||
fi
|
||||
if [ -z "$TEST_FILE_FOLDER" ]; then
|
||||
echo "no test file folder defined, not deleting"
|
||||
log 2 "no test file folder defined, not deleting"
|
||||
return 1
|
||||
fi
|
||||
for name in "$@"; do
|
||||
rm -rf "${TEST_FILE_FOLDER:?}"/"${name:?}" || rm_result=$?
|
||||
if [[ $rm_result -ne 0 ]]; then
|
||||
echo "error deleting file $name"
|
||||
log 2 "error deleting file $name"
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
@@ -139,7 +139,7 @@ split_file() {
|
||||
local split_result
|
||||
error=$(split -a 1 -d -b "$part_size" "$1" "$1"-) || split_result=$?
|
||||
if [[ $split_result -ne 0 ]]; then
|
||||
echo "error splitting file: $error"
|
||||
log 2 "error splitting file: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
@@ -150,7 +150,7 @@ split_file() {
|
||||
# return 0 for same data, 1 for different data, 2 for error
|
||||
compare_files() {
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "file comparison requires two files"
|
||||
log 2 "file comparison requires two files"
|
||||
return 2
|
||||
fi
|
||||
os=$(uname)
|
||||
|
||||
@@ -62,7 +62,7 @@ list_and_check_buckets_with_user() {
|
||||
break
|
||||
fi
|
||||
done
|
||||
echo $bucket_one_found $bucket_two_found
|
||||
log 5 "buckets found? one: $bucket_one_found, two: $bucket_two_found"
|
||||
if [ $bucket_one_found == false ] || [ $bucket_two_found == false ]; then
|
||||
log 2 "Not all buckets found"
|
||||
return 1
|
||||
|
||||
@@ -19,19 +19,19 @@
|
||||
# return 0 for success, 1 for failure
|
||||
delete_bucket_recursive_mc() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "delete bucket recursive mc command requires bucket name"
|
||||
log 2 "delete bucket recursive mc command requires bucket name"
|
||||
return 1
|
||||
fi
|
||||
local exit_code=0
|
||||
local error
|
||||
error=$(mc --insecure rm --recursive --force "$MC_ALIAS"/"$1" 2>&1) || exit_code="$?"
|
||||
if [[ $exit_code -ne 0 ]]; then
|
||||
echo "error deleting bucket contents: $error"
|
||||
log 2 "error deleting bucket contents: $error"
|
||||
return 1
|
||||
fi
|
||||
error=$(mc --insecure rb "$MC_ALIAS"/"$1" 2>&1) || exit_code="$?"
|
||||
if [[ $exit_code -ne 0 ]]; then
|
||||
echo "error deleting bucket: $error"
|
||||
log 2 "error deleting bucket: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -210,7 +210,7 @@ create_and_list_multipart_uploads() {
|
||||
fi
|
||||
|
||||
if ! list_multipart_uploads "$1"; then
|
||||
echo "error listing uploads"
|
||||
log 2 "error listing uploads"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
@@ -228,7 +228,7 @@ multipart_upload_from_bucket() {
|
||||
fi
|
||||
|
||||
for ((i=0;i<$4;i++)) {
|
||||
echo "key: $3"
|
||||
log 5 "key: $3"
|
||||
if ! put_object "s3api" "$3-$i" "$1" "$2-$i"; then
|
||||
log 2 "error copying object"
|
||||
return 1
|
||||
@@ -262,7 +262,7 @@ multipart_upload_from_bucket() {
|
||||
|
||||
multipart_upload_from_bucket_range() {
|
||||
if [ $# -ne 5 ]; then
|
||||
echo "multipart upload from bucket with range command requires bucket, copy source, key, part count, and range"
|
||||
log 2 "multipart upload from bucket with range command requires bucket, copy source, key, part count, and range"
|
||||
return 1
|
||||
fi
|
||||
if ! split_file "$3" "$4"; then
|
||||
@@ -324,7 +324,7 @@ multipart_upload_before_completion() {
|
||||
for ((i = 1; i <= $4; i++)); do
|
||||
# shellcheck disable=SC2154
|
||||
if ! upload_part "$1" "$2" "$upload_id" "$3" "$i"; then
|
||||
echo "error uploading part $i"
|
||||
log 2 "error uploading part $i"
|
||||
return 1
|
||||
fi
|
||||
parts+="{\"ETag\": $etag, \"PartNumber\": $i}"
|
||||
|
||||
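--- /dev/null
+++ b/tests/util_ownership.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+get_and_check_ownership_controls() {
+  if [ $# -ne 2 ]; then
+    log 2 "'get_and_check_ownership_controls' missing bucket name, expected result"
+    return 1
+  fi
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$BUCKET_ONE_NAME" OUTPUT_FILE="$TEST_FILE_FOLDER/ownershipControls.txt" ./tests/rest_scripts/get_bucket_ownership_controls.sh); then
+    log 2 "error getting bucket ownership controls: $result"
+    return 1
+  fi
+  if [ "$result" != "200" ]; then
+    log 2 "GetBucketOwnershipControls returned response code: $result, reply: $(cat "$TEST_FILE_FOLDER/ownershipControls.txt")"
+    return 1
+  fi
+  log 5 "controls: $(cat "$TEST_FILE_FOLDER/ownershipControls.txt")"
+  if ! rule=$(xmllint --xpath '//*[local-name()="ObjectOwnership"]/text()' "$TEST_FILE_FOLDER/ownershipControls.txt" 2>&1); then
+    log 2 "error getting ownership rule: $rule"
+    return 1
+  fi
+  if [ "$rule" != "$2" ]; then
+    log 2 "rule mismatch (expected '$2', actual '$rule')"
+    return 1
+  fi
+  return 0
+}
+
+put_bucket_ownership_controls_rest() {
+  if [ $# -ne 2 ]; then
+    log 2 "'put_bucket_ownership_controls_rest' missing bucket name, ownership"
+    return 1
+  fi
+  if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OWNERSHIP="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/put_bucket_ownership_controls.sh); then
+    log 2 "error putting bucket ownership controls: $result"
+    return 1
+  fi
+  if [ "$result" != "200" ]; then
+    log 2 "put bucket ownership controls returned code $result: $(cat "$TEST_FILE_FOLDER/result.txt")"
+    return 1
+  fi
+  return 0
+}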
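Review bot: `get_and_check_ownership_controls` requires a bucket name as `$1` but never uses it — the `if ! result=$(…)` line invokes the REST script with `BUCKET_NAME="$BUCKET_ONE_NAME"`, so a caller passing any other bucket silently verifies the ownership controls of the wrong one, while `put_bucket_ownership_controls_rest` just below does honour `$1`. That environment assignment should be `BUCKET_NAME="$1"`. Both functions also rely on the REST scripts printing only the HTTP status on stdout and on `$TEST_FILE_FOLDER` being set; a short header comment on each, e.g. `# Args: bucket name, expected ObjectOwnership value. Expects HTTP 200; reply body is written to $TEST_FILE_FOLDER/ownershipControls.txt`, would document that contract for the next test that reuses them.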
@@ -16,7 +16,7 @@
|
||||
|
||||
check_for_empty_policy() {
|
||||
if [[ $# -ne 2 ]]; then
|
||||
echo "check for empty policy command requires command type, bucket name"
|
||||
log 2 "check for empty policy command requires command type, bucket name"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -36,7 +36,7 @@ check_for_empty_policy() {
|
||||
statement=$(echo "$bucket_policy" | jq -r '.Statement[0]')
|
||||
log 5 "statement: $statement"
|
||||
if [[ "" != "$statement" ]] && [[ "null" != "$statement" ]]; then
|
||||
echo "policy should be empty (actual value: '$statement')"
|
||||
log 2 "policy should be empty (actual value: '$statement')"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
@@ -222,3 +222,23 @@ put_and_check_for_malformed_policy() {
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
get_and_compare_policy_with_file() {
|
||||
if [ $# -ne 4 ]; then
|
||||
log 2 "'get_and_compare_policies' reuires bucket, username, password, filename"
|
||||
return 1
|
||||
fi
|
||||
if ! get_bucket_policy_with_user "$1" "$2" "$3"; then
|
||||
log 2 "error getting bucket policy"
|
||||
return 1
|
||||
fi
|
||||
# shellcheck disable=SC2154
|
||||
echo "$bucket_policy" > "$4-copy"
|
||||
log 5 "ORIG: $(cat "$4")"
|
||||
log 5 "COPY: $(cat "$4-copy")"
|
||||
if ! compare_files "$4" "$4-copy"; then
|
||||
log 2 "policies not equal"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
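Review bot: The usage message in `get_and_compare_policy_with_file` names a different function and has a typo (`'get_and_compare_policies' reuires …`), which will mislead whoever reads the log when the arity check trips; it should read `log 2 "'get_and_compare_policy_with_file' requires bucket, username, password, filename"`. The function also leaves `"$4-copy"` on disk next to the original policy file after the comparison, which is harmless for a single run but worth a `rm -f -- "$4-copy"` or a comment noting that the caller's cleanup is expected to remove it. Since `compare_files` appears to be a byte-for-byte comparison, a comment stating that the gateway is expected to return the policy document unchanged (no re-serialisation) would make the intent of this check explicit.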
@@ -107,10 +107,10 @@ x-amz-date:$current_time
|
||||
|
||||
host;x-amz-content-sha256;x-amz-date
|
||||
$3"
|
||||
echo "canonical: $canonical_request"
|
||||
log 5 "canonical: $canonical_request"
|
||||
|
||||
echo "TEST CREQ"
|
||||
cat test.creq
|
||||
log 5 "TEST CREQ"
|
||||
log 5 "$(cat test.creq)"
|
||||
}
|
||||
|
||||
generate_sts_string() {
|
||||
@@ -148,6 +148,6 @@ $1
|
||||
$ymd/us-west-2/s3/aws4_request
|
||||
$creq_hash"
|
||||
|
||||
echo "TEST STS"
|
||||
cat test.sts
|
||||
log 5 "TEST STS"
|
||||
log 5 "$(cat test.sts)"
|
||||
}
|
||||
|
||||
@@ -176,7 +176,7 @@ parse_object_tags_rest() {
|
||||
|
||||
check_tags_empty() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
echo "check tags empty requires command type"
|
||||
log 2 "check tags empty requires command type"
|
||||
return 1
|
||||
fi
|
||||
if [[ $1 == 'aws' ]]; then
|
||||
@@ -185,12 +185,12 @@ check_tags_empty() {
|
||||
fi
|
||||
tag_set=$(echo "$tags" | jq '.TagSet')
|
||||
if [[ $tag_set != "[]" ]]; then
|
||||
echo "error: tags not empty: $tags"
|
||||
log 2 "error: tags not empty: $tags"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
if [[ $tags != "" ]] && [[ $tags != *"No tags found"* ]]; then
|
||||
echo "Error: tags not empty: $tags"
|
||||
log 2 "Error: tags not empty: $tags"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
@@ -199,11 +199,11 @@ check_tags_empty() {
|
||||
|
||||
check_object_tags_empty() {
|
||||
if [[ $# -ne 3 ]]; then
|
||||
echo "bucket tags empty check requires command type, bucket, and key"
|
||||
log 2 "bucket tags empty check requires command type, bucket, and key"
|
||||
return 2
|
||||
fi
|
||||
if ! get_object_tagging "$1" "$2" "$3"; then
|
||||
echo "failed to get tags"
|
||||
log 2 "failed to get tags"
|
||||
return 2
|
||||
fi
|
||||
check_tags_empty "$1" || local check_result=$?
|
||||
@@ -213,11 +213,11 @@ check_object_tags_empty() {
|
||||
|
||||
check_bucket_tags_empty() {
|
||||
if [[ $# -ne 2 ]]; then
|
||||
echo "bucket tags empty check requires command type, bucket"
|
||||
log 2 "bucket tags empty check requires command type, bucket"
|
||||
return 2
|
||||
fi
|
||||
if ! get_bucket_tagging "$1" "$2"; then
|
||||
echo "failed to get tags"
|
||||
log 2 "failed to get tags"
|
||||
return 2
|
||||
fi
|
||||
check_tags_empty "$1" || local check_result=$?
|
||||
@@ -227,23 +227,23 @@ check_bucket_tags_empty() {
|
||||
|
||||
get_and_verify_object_tags() {
|
||||
if [[ $# -ne 5 ]]; then
|
||||
echo "get and verify object tags missing command type, bucket, key, tag key, tag value"
|
||||
log 2 "get and verify object tags missing command type, bucket, key, tag key, tag value"
|
||||
return 1
|
||||
fi
|
||||
get_object_tagging "$1" "$2" "$3" || get_result=$?
|
||||
if [[ $get_result -ne 0 ]]; then
|
||||
echo "failed to get tags"
|
||||
log 2 "failed to get tags"
|
||||
return 1
|
||||
fi
|
||||
if [[ $1 == 'aws' ]]; then
|
||||
tag_set_key=$(echo "$tags" | jq '.TagSet[0].Key')
|
||||
tag_set_value=$(echo "$tags" | jq '.TagSet[0].Value')
|
||||
if [[ $tag_set_key != '"'$4'"' ]]; then
|
||||
echo "Key mismatch ($tag_set_key, \"$4\")"
|
||||
log 2 "Key mismatch ($tag_set_key, \"$4\")"
|
||||
return 1
|
||||
fi
|
||||
if [[ $tag_set_value != '"'$5'"' ]]; then
|
||||
echo "Value mismatch ($tag_set_value, \"$5\")"
|
||||
log 2 "Value mismatch ($tag_set_value, \"$5\")"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
|
||||
@@ -69,7 +69,7 @@ create_user_versitygw() {
|
||||
create_user_if_nonexistent() {
|
||||
log 6 "create_user_if_nonexistent"
|
||||
if [[ $# -ne 3 ]]; then
|
||||
echo "create user command requires user ID, key, and role"
|
||||
log 2 "create user command requires user ID, key, and role"
|
||||
return 1
|
||||
fi
|
||||
if user_exists "$1"; then
|
||||
@@ -230,7 +230,7 @@ list_users_versitygw() {
|
||||
log 6 "list_users_versitygw"
|
||||
users=$(send_command "$VERSITY_EXE" admin --allow-insecure --access "$AWS_ACCESS_KEY_ID" --secret "$AWS_SECRET_ACCESS_KEY" --endpoint-url "$AWS_ENDPOINT_URL" list-users) || local list_result=$?
|
||||
if [[ $list_result -ne 0 ]]; then
|
||||
echo "error listing users: $users"
|
||||
log 2 "error listing users: $users"
|
||||
return 1
|
||||
fi
|
||||
parsed_users=()
|
||||
@@ -335,7 +335,7 @@ delete_user() {
|
||||
change_bucket_owner_direct() {
|
||||
log 6 "change_bucket_owner_direct"
|
||||
if [[ $# -ne 4 ]]; then
|
||||
echo "change bucket owner command requires ID, key, bucket name, and new owner"
|
||||
log 2 "change bucket owner command requires ID, key, bucket name, and new owner"
|
||||
return 1
|
||||
fi
|
||||
# TODO add
|
||||
@@ -356,7 +356,7 @@ reset_bucket_owner() {
|
||||
change_bucket_owner() {
|
||||
log 6 "change_bucket_owner"
|
||||
if [[ $# -ne 4 ]]; then
|
||||
echo "change bucket owner command requires ID, key, bucket name, and new owner"
|
||||
log 2 "change bucket owner command requires ID, key, bucket name, and new owner"
|
||||
return 1
|
||||
fi
|
||||
if [[ $DIRECT == "true" ]]; then
|
||||
@@ -369,7 +369,7 @@ change_bucket_owner() {
|
||||
log 5 "changing owner for bucket $3, new owner: $4"
|
||||
error=$(send_command "$VERSITY_EXE" admin --allow-insecure --access "$1" --secret "$2" --endpoint-url "$AWS_ENDPOINT_URL" change-bucket-owner --bucket "$3" --owner "$4" 2>&1) || local change_result=$?
|
||||
if [[ $change_result -ne 0 ]]; then
|
||||
echo "error changing bucket owner: $error"
|
||||
log 2 "error changing bucket owner: $error"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||