diff --git a/tests/commands/copy_object.sh b/tests/commands/copy_object.sh
index 7508472..57c8a0f 100644
--- a/tests/commands/copy_object.sh
+++ b/tests/commands/copy_object.sh
@@ -16,7 +16,7 @@ copy_object() {
 if [ $# -ne 4 ]; then
- echo "copy object command requires command type, source, bucket, key"
+ log 2 "copy object command requires command type, source, bucket, key"
 return 1
 fi
 local exit_code=0
@@ -32,12 +32,12 @@ copy_object() {
 elif [[ $1 == 'mc' ]]; then
 error=$(send_command mc --insecure cp "$MC_ALIAS/$2" "$MC_ALIAS/$3/$4" 2>&1) || exit_code=$?
 else
- echo "'copy-object' not implemented for '$1'"
+ log 2 "'copy-object' not implemented for '$1'"
 return 1
 fi
 log 5 "copy object exit code: $exit_code"
 if [ $exit_code -ne 0 ]; then
- echo "error copying object to bucket: $error"
+ log 2 "error copying object to bucket: $error"
 return 1
 fi
 return 0
diff --git a/tests/commands/delete_object_tagging.sh b/tests/commands/delete_object_tagging.sh
index 6261a00..f59f710 100644
--- a/tests/commands/delete_object_tagging.sh
+++ b/tests/commands/delete_object_tagging.sh
@@ -17,7 +17,7 @@ delete_object_tagging() {
 record_command "delete-object-tagging" "client:$1"
 if [[ $# -ne 3 ]]; then
- echo "delete object tagging command missing command type, bucket, key"
+ log 2 "delete object tagging command missing command type, bucket, key"
 return 1
 fi
 delete_result=0
@@ -28,11 +28,11 @@ delete_object_tagging() {
 elif [ "$1" == 'rest' ]; then
 delete_object_tagging_rest "$2" "$3" || delete_result=$?
 else
- echo "delete-object-tagging command not implemented for '$1'"
+ log 2 "delete-object-tagging command not implemented for '$1'"
 return 1
 fi
 if [[ $delete_result -ne 0 ]]; then
- echo "error deleting object tagging: $error"
+ log 2 "error deleting object tagging: $error"
 return 1
 fi
 return 0
diff --git a/tests/commands/get_bucket_location.sh b/tests/commands/get_bucket_location.sh
index 09cf3e9..cff0e67 100644
--- a/tests/commands/get_bucket_location.sh
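Review bot: In the delete_object_tagging hunk at `@@ -28,11 +28,11 @@`, the new `log 2 "error deleting object tagging: $error"` reports a variable that the visible `rest` branch never assigns — `delete_object_tagging_rest "$2" "$3" || delete_result=$?` captures only the status — so a failure on that path logs an empty or stale message. The earlier client branches are outside the hunk and may set `error`; if the rest helper does not set it either, capture its output with `error=$(delete_object_tagging_rest "$2" "$3" 2>&1) || delete_result=$?`, or at least include `$delete_result` in the message so the log line carries something diagnostic. The function's closing brace is outside the hunk.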
+++ b/tests/commands/get_bucket_location.sh @@ -17,9 +17,10 @@ get_bucket_location() { record_command "get-bucket-location" "client:$1" if [[ $# -ne 2 ]]; then - echo "get bucket location command requires command type, bucket name" + log 2 "get bucket location command requires command type, bucket name" return 1 fi + get_result=0 if [[ $1 == 'aws' ]]; then get_bucket_location_aws "$2" || get_result=$? elif [[ $1 == 's3cmd' ]]; then @@ -27,7 +28,7 @@ get_bucket_location() { elif [[ $1 == 'mc' ]]; then get_bucket_location_mc "$2" || get_result=$? else - echo "command type '$1' not implemented for get_bucket_location" + log 2 "command type '$1' not implemented for get_bucket_location" return 1 fi if [[ $get_result -ne 0 ]]; then @@ -39,7 +40,7 @@ get_bucket_location() { get_bucket_location_aws() { record_command "get-bucket-location" "client:s3api" if [[ $# -ne 1 ]]; then - echo "get bucket location (aws) requires bucket name" + log 2 "get bucket location (aws) requires bucket name" return 1 fi location_json=$(send_command aws --no-verify-ssl s3api get-bucket-location --bucket "$1") || location_result=$? @@ -59,7 +60,7 @@ get_bucket_location_s3cmd() { fi info=$(send_command s3cmd --no-check-certificate info "s3://$1") || results=$? if [[ $results -ne 0 ]]; then - echo "error getting s3cmd info: $info" + log 2 "error getting bucket location: $location" return 1 fi bucket_location=$(echo "$info" | grep -o 'Location:.*' | awk '{print $2}') @@ -69,12 +70,12 @@ get_bucket_location_s3cmd() { get_bucket_location_mc() { record_command "get-bucket-location" "client:mc" if [[ $# -ne 1 ]]; then - echo "get bucket location (mc) requires bucket name" + log 2 "get bucket location (mc) requires bucket name" return 1 fi info=$(send_command mc --insecure stat "$MC_ALIAS/$1") || results=$? if [[ $results -ne 0 ]]; then - echo "error getting s3cmd info: $info" + log 2 "error getting s3cmd info: $info" return 1 fi # shellcheck disable=SC2034 
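Review bot: The replacement line in get_bucket_location_s3cmd (`@@ -59,7 +60,7 @@`) changes the message to `log 2 "error getting bucket location: $location"`, but `$location` is never assigned in that function — the failing command's output is in `$info` — so the logged text is empty and the actual s3cmd failure is lost; `log 2 "error getting bucket location: $info"` keeps the diagnostic. The matching hunk in get_bucket_location_mc (`@@ -69,12 +70,12 @@`) keeps the copy-pasted wording `error getting s3cmd info` inside the mc client, where `error getting mc stat info: $info` would name the right tool. Both functions also test `$results` without resetting it first, while the first hunk in this file adds `get_result=0` to the dispatcher for exactly that stale-status reason; a `results=0` before each `send_command` line closes the same gap. get_bucket_location_s3cmd starts before its hunk and get_bucket_location_mc ends after its hunk.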
diff --git a/tests/commands/get_bucket_policy.sh b/tests/commands/get_bucket_policy.sh index 822db72..42aebf8 100644 --- a/tests/commands/get_bucket_policy.sh +++ b/tests/commands/get_bucket_policy.sh @@ -126,12 +126,12 @@ get_bucket_policy_s3cmd() { get_bucket_policy_mc() { record_command "get-bucket-policy" "client:mc" if [[ $# -ne 1 ]]; then - echo "aws 'get bucket policy' command requires bucket" + log 2 "aws 'get bucket policy' command requires bucket" return 1 fi bucket_policy=$(send_command mc --insecure anonymous get-json "$MC_ALIAS/$1") || get_result=$? if [[ $get_result -ne 0 ]]; then - echo "error getting policy: $bucket_policy" + log 2 "error getting policy: $bucket_policy" return 1 fi return 0 diff --git a/tests/commands/get_bucket_tagging.sh b/tests/commands/get_bucket_tagging.sh index fa72c4d..ae55b1e 100644 --- a/tests/commands/get_bucket_tagging.sh +++ b/tests/commands/get_bucket_tagging.sh @@ -35,7 +35,7 @@ get_bucket_tagging() { export tags= return 0 fi - echo "error getting bucket tags: $tags" + log 2 "error getting bucket tags: $tags" return 1 fi export tags diff --git a/tests/commands/list_buckets.sh b/tests/commands/list_buckets.sh index 028a098..9c57ac9 100644 --- a/tests/commands/list_buckets.sh +++ b/tests/commands/list_buckets.sh @@ -18,7 +18,7 @@ list_buckets() { log 6 "list_buckets" record_command "list-buckets" "client:$1" if [ $# -ne 1 ]; then - echo "list buckets command missing command type" + log 2 "list buckets command missing command type" return 1 fi @@ -34,11 +34,11 @@ list_buckets() { elif [[ $1 == 'rest' ]]; then list_buckets_rest || exit_code=$? else - echo "list buckets command not implemented for '$1'" + log 2 "list buckets command not implemented for '$1'" return 1 fi if [ $exit_code -ne 0 ]; then - echo "error listing buckets: $buckets" + log 2 "error listing buckets: $buckets" return 1 fi 
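Review bot: In get_bucket_policy_mc (`@@ -126,12 +126,12 @@`), the failure test `if [[ $get_result -ne 0 ]]` on the context line reads a global that is never reset in this function, so a non-zero `get_result` left behind by an earlier call in the same shell makes the new `log 2 "error getting policy: $bucket_policy"` fire even when mc succeeded; this commit adds `get_result=0` to get_bucket_location for the same pattern but not here. Adding `get_result=0` before the `bucket_policy=$(send_command mc ...)` line keeps the two files consistent. The argument-count message on the new line still reads `aws 'get bucket policy' command requires bucket` although this is the mc client; `'get bucket policy' (mc) requires bucket` would match the wording used in get_bucket_location_mc. The function's closing brace is outside the hunk.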
@@ -57,7 +57,7 @@ list_buckets() { list_buckets_with_user() { record_command "list-buckets" "client:$1" if [ $# -ne 3 ]; then - echo "'list buckets as user' command missing command type, username, password" + log 2 "'list buckets as user' command missing command type, username, password" return 1 fi @@ -71,11 +71,11 @@ list_buckets_with_user() { elif [[ $1 == 'mc' ]]; then buckets=$(send_command mc --insecure ls "$MC_ALIAS" 2>&1) || exit_code=$? else - echo "list buckets command not implemented for '$1'" + log 2 "list buckets command not implemented for '$1'" return 1 fi if [ $exit_code -ne 0 ]; then - echo "error listing buckets: $buckets" + log 2 "error listing buckets: $buckets" return 1 fi @@ -97,7 +97,7 @@ list_buckets_s3api() { return 1 fi if ! output=$(AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" send_command aws --no-verify-ssl s3api list-buckets 2>&1); then - echo "error listing buckets: $output" + log 2 "error listing buckets: $output" return 1 fi log 5 "bucket data: $output" diff --git a/tests/commands/list_objects.sh b/tests/commands/list_objects.sh index fe40410..61ffe57 100644 --- a/tests/commands/list_objects.sh +++ b/tests/commands/list_objects.sh @@ -91,7 +91,7 @@ list_objects_s3api() { # export objects on success, return 1 for failure list_objects_s3api_v1() { if [ $# -lt 1 ] || [ $# -gt 2 ]; then - echo "list objects command requires bucket, (optional) delimiter" + log 2 "list objects command requires bucket, (optional) delimiter" return 1 fi if [ "$2" == "" ]; then @@ -100,7 +100,7 @@ list_objects_s3api_v1() { objects=$(send_command aws --no-verify-ssl s3api list-objects --bucket "$1" --delimiter "$2") || local result=$? fi if [[ $result -ne 0 ]]; then - echo "error listing objects: $objects" + log 2 "error listing objects: $objects" return 1 fi export objects diff --git a/tests/commands/list_objects_v2.sh b/tests/commands/list_objects_v2.sh index 2d9c47a..af0ab41 100644 --- a/tests/commands/list_objects_v2.sh 
+++ b/tests/commands/list_objects_v2.sh @@ -19,13 +19,13 @@ # export objects on success, return 1 for failure list_objects_v2() { if [ $# -ne 1 ]; then - echo "list objects command missing bucket and/or path" + log 2 "list objects command missing bucket and/or path" return 1 fi record_command "list-objects-v2 client:s3api" objects=$(send_command aws --no-verify-ssl s3api list-objects-v2 --bucket "$1") || local result=$? if [[ $result -ne 0 ]]; then - echo "error listing objects: $objects" + log 2 "error listing objects: $objects" return 1 fi } \ No newline at end of file diff --git a/tests/commands/upload_part_copy.sh b/tests/commands/upload_part_copy.sh index 50d3598..4314dde 100644 --- a/tests/commands/upload_part_copy.sh +++ b/tests/commands/upload_part_copy.sh @@ -17,14 +17,14 @@ upload_part_copy() { record_command "upload-part-copy" "client:s3api" if [ $# -ne 5 ]; then - echo "upload multipart part copy function must have bucket, key, upload ID, file name, part number" + log 2 "upload multipart part copy function must have bucket, key, upload ID, file name, part number" return 1 fi local etag_json - echo "$1 $2 $3 $4 $5" + log 5 "parameters: $1 $2 $3 $4 $5" etag_json=$(send_command aws --no-verify-ssl s3api upload-part-copy --bucket "$1" --key "$2" --upload-id "$3" --part-number "$5" --copy-source "$1/$4-$(($5-1))") || local uploaded=$? if [[ $uploaded -ne 0 ]]; then - echo "Error uploading part $5: $etag_json" + log 2 "Error uploading part $5: $etag_json" return 1 fi etag=$(echo "$etag_json" | jq '.CopyPartResult.ETag') diff --git a/tests/rest_scripts/get_bucket_ownership_controls.sh b/tests/rest_scripts/get_bucket_ownership_controls.sh new file mode 100755 index 0000000..4cdf2e6 --- /dev/null +++ b/tests/rest_scripts/get_bucket_ownership_controls.sh 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Copyright 2024 Versity Software +# This file is licensed under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +source ./tests/rest_scripts/rest.sh + +# Fields +# shellcheck disable=SC2153 +bucket_name="$BUCKET_NAME" + +current_date_time=$(date -u +"%Y%m%dT%H%M%SZ") + +canonical_request="GET +/$bucket_name +ownershipControls= +host:$host +x-amz-content-sha256:UNSIGNED-PAYLOAD +x-amz-date:$current_date_time + +host;x-amz-content-sha256;x-amz-date +UNSIGNED-PAYLOAD" + +create_canonical_hash_sts_and_signature + +curl_command+=(curl -ks -w "\"%{http_code}\"" "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls=" +-H "\"Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature\"" +-H "\"x-amz-content-sha256: UNSIGNED-PAYLOAD\"" +-H "\"x-amz-date: $current_date_time\"" +-o "$OUTPUT_FILE") +# shellcheck disable=SC2154 +eval "${curl_command[*]}" 2>&1 \ No newline at end of file diff --git a/tests/rest_scripts/put_bucket_ownership_controls.sh b/tests/rest_scripts/put_bucket_ownership_controls.sh new file mode 100755 index 0000000..220c49c --- /dev/null +++ b/tests/rest_scripts/put_bucket_ownership_controls.sh 
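Review bot: The last line of the new get_bucket_ownership_controls.sh runs the request with `eval "${curl_command[*]}"`, which re-parses every expanded value — `$bucket_name` (taken from `BUCKET_NAME`), `$AWS_ENDPOINT_URL`, `$OUTPUT_FILE` — as shell syntax, so a value containing a space, `;` or `$(…)` is split or executed instead of being passed to curl; the array is already built, so executing it as `"${curl_command[@]}"` passes each element verbatim and removes the need for the escaped inner quotes. The same construction ends put_bucket_ownership_controls.sh in the next hunk, where it also allows `-d "$payload"` instead of re-escaping the body. This assumes rest.sh initializes `curl_command` as an array with no shell syntax in it, which is not visible here. Both new files also carry `http:#www.apache.org/licenses/LICENSE-2.0` in the licence header, where `http://` was clearly intended.
```shell
curl_command+=(curl -ks -w '%{http_code}' "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls="
  -H "Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature"
  -H "x-amz-content-sha256: UNSIGNED-PAYLOAD"
  -H "x-amz-date: $current_date_time"
  -o "$OUTPUT_FILE")
# shellcheck disable=SC2154
"${curl_command[@]}" 2>&1
```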
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +# Copyright 2024 Versity Software +# This file is licensed under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +source ./tests/rest_scripts/rest.sh + +# Fields + +# shellcheck disable=SC2153 +bucket_name="$BUCKET_NAME" +# shellcheck disable=SC2153 +ownership="$OWNERSHIP" + +payload=" + + + $ownership + +" + +content_md5=$(echo -n "$payload" | openssl dgst -binary -md5 | openssl base64) +payload_hash="$(echo -n "$payload" | sha256sum | awk '{print $1}')" +current_date_time=$(date -u +"%Y%m%dT%H%M%SZ") + +canonical_request="PUT +/$bucket_name +ownershipControls= +content-md5:$content_md5 +host:$host +x-amz-content-sha256:$payload_hash +x-amz-date:$current_date_time + +content-md5;host;x-amz-content-sha256;x-amz-date +$payload_hash" + +create_canonical_hash_sts_and_signature + +curl_command+=(curl -ks -w "\"%{http_code}\"" -X PUT "$AWS_ENDPOINT_URL/$bucket_name?ownershipControls=" +-H "\"Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date,Signature=$signature\"" +-H "\"Content-MD5: $content_md5\"" +-H "\"x-amz-content-sha256: $payload_hash\"" +-H "\"x-amz-date: $current_date_time\"" +-d "\"${payload//\"/\\\"}\"" +-o "$OUTPUT_FILE") + +# shellcheck disable=SC2154 +eval "${curl_command[*]}" 2>&1 \ No newline at end of file diff --git a/tests/setup_mc.sh b/tests/setup_mc.sh index 1fb734d..68b077b 100644 --- a/tests/setup_mc.sh 
+++ b/tests/setup_mc.sh @@ -18,7 +18,7 @@ check_for_alias() { local alias_result aliases=$(mc alias list) if [[ $alias_result -ne 0 ]]; then - echo "error checking for aliases: $aliases" + log 2 "error checking for aliases: $aliases" return 2 fi while IFS= read -r line; do @@ -32,7 +32,7 @@ check_for_alias() { check_add_mc_alias() { check_for_alias || alias_result=$? if [[ $alias_result -eq 2 ]]; then - echo "error checking for aliases" + log 2 "error checking for aliases" return 1 fi if [[ $alias_result -eq 0 ]]; then @@ -41,7 +41,7 @@ check_add_mc_alias() { local set_result error=$(mc alias set --insecure "$MC_ALIAS" "$AWS_ENDPOINT_URL" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY") || set_result=$? if [[ $set_result -ne 0 ]]; then - echo "error setting alias: $error" + log 2 "error setting alias: $error" return 1 fi return 0 diff --git a/tests/test_common.sh b/tests/test_common.sh index f252933..1a3391f 100644 --- a/tests/test_common.sh +++ b/tests/test_common.sh @@ -218,7 +218,7 @@ test_common_list_buckets() { test_common_list_objects() { if [[ $# -ne 1 ]]; then - echo "common test function for listing objects requires command type" + log 2 "common test function for listing objects requires command type" return 1 fi @@ -294,7 +294,7 @@ test_common_set_get_object_tags() { test_common_presigned_url_utf8_chars() { if [[ $# -ne 1 ]]; then - echo "presigned url command missing command type" + log 2 "presigned url command missing command type" return 1 fi diff --git a/tests/test_rest.sh b/tests/test_rest.sh index a9247ee..ddf7ba4 100755 --- a/tests/test_rest.sh +++ b/tests/test_rest.sh @@ -35,6 +35,7 @@ source ./tests/util_list_buckets.sh source ./tests/util_list_objects.sh source ./tests/util_list_parts.sh source ./tests/util_lock_config.sh +source ./tests/util_ownership.sh source ./tests/util_rest.sh source ./tests/util_tags.sh source ./tests/util_time.sh 
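Review bot: In check_for_alias (`@@ -18,7 +18,7 @@`), the new `log 2 "error checking for aliases: $aliases"` sits in a branch that cannot be taken: the context lines declare `local alias_result` and run `aliases=$(mc alias list)` without capturing its status, so `alias_result` stays empty and `[[ $alias_result -ne 0 ]]` is always false. `aliases=$(mc alias list 2>&1) || alias_result=$?` together with `alias_result=0` on the `local` line makes the check meaningful, and the `2>&1` puts mc's error text into the value being logged. In check_add_mc_alias (`@@ -32,7 +32,7 @@`), `check_for_alias || alias_result=$?` likewise tests a non-local `alias_result` that is not reset before the call. Both function bodies continue outside their hunks.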
@@ -394,4 +395,18 @@ source ./tests/util_versioning.sh run add_verify_bucket_tags_rest "$BUCKET_ONE_NAME" "$test_key" "$test_value" assert_success +} + +@test "REST - get, put bucket ownership controls" { + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerEnforced" + assert_success + + run put_bucket_ownership_controls_rest "$BUCKET_ONE_NAME" "BucketOwnerPreferred" + assert_success + + run get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" + assert_success } \ No newline at end of file diff --git a/tests/test_s3api_bucket.sh b/tests/test_s3api_bucket.sh index b2a3e8d..d1c7072 100755 --- a/tests/test_s3api_bucket.sh +++ b/tests/test_s3api_bucket.sh @@ -50,15 +50,15 @@ source ./tests/commands/select_object_content.sh export RUN_USERS=true +@test "test_create_bucket_invalid_name" { + test_create_bucket_invalid_name_aws_root +} + # create-bucket @test "test_create_delete_bucket_aws" { test_common_create_delete_bucket "aws" } -@test "test_create_bucket_invalid_name" { - test_create_bucket_invalid_name_aws_root -} - # delete-bucket - test_create_delete_bucket_aws # delete-bucket-policy @@ -69,10 +69,6 @@ export RUN_USERS=true test_common_get_put_delete_bucket_policy "aws" } -# delete-bucket-tagging -@test "test-set-get-delete-bucket-tags" { - test_common_set_get_delete_bucket_tags "aws" -} # get-bucket-acl @test "test_get_bucket_acl" { 
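Review bot: The new `REST - get, put bucket ownership controls` test leaves `$BUCKET_ONE_NAME` set to `BucketOwnerPreferred` and neither restores it nor calls `bucket_cleanup`, unlike the tests around it; if buckets are reused between runs (other files in this diff branch on `RECREATE_BUCKETS == false`), the first assertion `get_and_check_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerEnforced"` fails on the second run. Restore the default at the end with `run put_bucket_ownership_controls_rest "$BUCKET_ONE_NAME" "BucketOwnerEnforced"` followed by `assert_success`, or call `bucket_cleanup` as the neighbouring tests do. That `BucketOwnerEnforced` is the default for a fresh bucket is inferred from the first check, not visible here.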
@@ -88,6 +84,24 @@ export RUN_USERS=true # get-bucket-tagging - test_set_get_delete_bucket_tags +@test "test_head_bucket" { + run setup_bucket "aws" "$BUCKET_ONE_NAME" + assert_success + + run check_for_empty_region "$BUCKET_ONE_NAME" + assert_success +} + +@test "test_head_bucket_doesnt_exist" { + run setup_bucket "aws" "$BUCKET_ONE_NAME" + assert_success + + head_bucket "aws" "$BUCKET_ONE_NAME"a || local info_result=$? + [[ $info_result -eq 1 ]] || fail "bucket info for non-existent bucket returned" + [[ $bucket_info == *"404"* ]] || fail "404 not returned for non-existent bucket info" + bucket_cleanup "aws" "$BUCKET_ONE_NAME" +} + @test "test_head_bucket_invalid_name" { if head_bucket "aws" ""; then fail "able to get bucket info for invalid name" @@ -103,23 +117,7 @@ export RUN_USERS=true test_common_put_bucket_acl "s3api" } -@test "test_head_bucket" { - run setup_bucket "aws" "$BUCKET_ONE_NAME" - assert_success - - head_bucket "aws" "$BUCKET_ONE_NAME" || fail "error getting bucket info" - log 5 "INFO: $bucket_info" - region=$(echo "$bucket_info" | grep -v "InsecureRequestWarning" | jq -r ".BucketRegion" 2>&1) || fail "error getting bucket region: $region" - [[ $region != "" ]] || fail "empty bucket region" - bucket_cleanup "aws" "$BUCKET_ONE_NAME" -} - -@test "test_head_bucket_doesnt_exist" { - run setup_bucket "aws" "$BUCKET_ONE_NAME" - assert_success - - head_bucket "aws" "$BUCKET_ONE_NAME"a || local info_result=$? - [[ $info_result -eq 1 ]] || fail "bucket info for non-existent bucket returned" - [[ $bucket_info == *"404"* ]] || fail "404 not returned for non-existent bucket info" - bucket_cleanup "aws" "$BUCKET_ONE_NAME" +# delete-bucket-tagging +@test "test-set-get-delete-bucket-tags" { + test_common_set_get_delete_bucket_tags "aws" } diff --git a/tests/test_s3api_multipart.sh b/tests/test_s3api_multipart.sh index d510954..3e21814 100755 --- a/tests/test_s3api_multipart.sh +++ b/tests/test_s3api_multipart.sh 
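Review bot: The rewritten `test_head_bucket` (`@@ -88,6 +84,24 @@`) drops the `bucket_cleanup "aws" "$BUCKET_ONE_NAME"` call that the removed version had (visible in the `@@ -103,23 +117,7 @@` hunk), while the adjacent `test_head_bucket_doesnt_exist` still cleans up; add `bucket_cleanup "aws" "$BUCKET_ONE_NAME"` after the `run check_for_empty_region` check so the two stay consistent. The helper name `check_for_empty_region` reads as if it verifies that the region is empty, whereas the removed inline code failed on an empty region; a comment such as `# fails if head-bucket returns an empty BucketRegion` above the call would settle the ambiguity, assuming the helper keeps the old semantics (it is not visible here).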
@@ -38,31 +38,6 @@ source ./tests/commands/list_multipart_uploads.sh test_create_multipart_upload_properties_aws_root } -# test multi-part upload list parts command -@test "test-multipart-upload-list-parts" { - test_multipart_upload_list_parts_aws_root -} - -# test listing of active uploads -@test "test-multipart-upload-list-uploads" { - local bucket_file_one="bucket-file-one" - local bucket_file_two="bucket-file-two" - - if [[ $RECREATE_BUCKETS == false ]]; then - run abort_all_multipart_uploads "$BUCKET_ONE_NAME" - assert_success - fi - - run create_test_files "$bucket_file_one" "$bucket_file_two" - assert_success - - run setup_bucket "aws" "$BUCKET_ONE_NAME" - assert_success - - run create_list_check_multipart_uploads "$BUCKET_ONE_NAME" "$bucket_file_one" "$bucket_file_two" - assert_success -} - @test "test-multipart-upload-from-bucket" { local bucket_file="bucket-file" @@ -108,3 +83,29 @@ source ./tests/commands/list_multipart_uploads.sh run run_and_verify_multipart_upload_with_valid_range "$BUCKET_ONE_NAME" "$bucket_file" "$TEST_FILE_FOLDER/$bucket_file" assert_success } + +# test multi-part upload list parts command +@test "test-multipart-upload-list-parts" { + test_multipart_upload_list_parts_aws_root +} + +# test listing of active uploads +@test "test-multipart-upload-list-uploads" { + local bucket_file_one="bucket-file-one" + local bucket_file_two="bucket-file-two" + + if [[ $RECREATE_BUCKETS == false ]]; then + run abort_all_multipart_uploads "$BUCKET_ONE_NAME" + assert_success + fi + + run create_test_files "$bucket_file_one" "$bucket_file_two" + assert_success + + run setup_bucket "aws" "$BUCKET_ONE_NAME" + assert_success + + run create_list_check_multipart_uploads "$BUCKET_ONE_NAME" "$bucket_file_one" "$bucket_file_two" + assert_success +} + diff --git a/tests/test_s3api_object.sh b/tests/test_s3api_object.sh index fd283c7..8ae3e48 100755 --- a/tests/test_s3api_object.sh +++ b/tests/test_s3api_object.sh 
@@ -88,30 +88,6 @@ export RUN_USERS=true test_get_object_attributes_aws_root } -@test "test_put_object" { - test_put_object_aws_root -} - -# test adding and removing an object on versitygw -@test "test_put_object_with_data" { - if [ "$RECREATE_BUCKETS" == "false" ]; then - skip "https://github.com/versity/versitygw/issues/888" - fi - test_common_put_object_with_data "aws" -} - -@test "test_put_object_no_data" { - if [ "$RECREATE_BUCKETS" == "false" ]; then - skip "https://github.com/versity/versitygw/issues/888" - fi - test_common_put_object_no_data "aws" -} - -# test listing a bucket's objects on versitygw -@test "test_list_objects" { - test_common_list_objects "aws" -} - @test "test_get_put_object_legal_hold" { test_get_put_object_legal_hold_aws_root } @@ -120,23 +96,9 @@ export RUN_USERS=true test_get_put_object_retention_aws_root } -# test v1 s3api list objects command -@test "test-s3api-list-objects-v1" { - test_s3api_list_objects_v1_aws_root -} - -# test v2 s3api list objects command -@test "test-s3api-list-objects-v2" { - test_s3api_list_objects_v2_aws_root -} - -# test abilty to set and retrieve object tags -@test "test-set-get-object-tags" { - test_common_set_get_object_tags "aws" -} - -@test "test-presigned-url-utf8-chars" { - test_common_presigned_url_utf8_chars "aws" +# test listing a bucket's objects on versitygw +@test "test_list_objects" { + test_common_list_objects "aws" } @test "test-list-objects-delimiter" { 
@@ -159,6 +121,94 @@ export RUN_USERS=true assert_success } +@test "test_put_object" { + test_put_object_aws_root +} + +# test adding and removing an object on versitygw +@test "test_put_object_with_data" { + if [ "$RECREATE_BUCKETS" == "false" ]; then + skip "https://github.com/versity/versitygw/issues/888" + fi + test_common_put_object_with_data "aws" +} + +@test "test_put_object_no_data" { + if [ "$RECREATE_BUCKETS" == "false" ]; then + skip "https://github.com/versity/versitygw/issues/888" + fi + test_common_put_object_no_data "aws" +} + +@test "test-presigned-url-utf8-chars" { + test_common_presigned_url_utf8_chars "aws" +} + +@test "test_put_object_lock_configuration" { + bucket_name=$BUCKET_ONE_NAME + if [[ $RECREATE_BUCKETS == "true" ]]; then + run delete_bucket "s3api" "$bucket_name" + assert_success + run create_bucket_object_lock_enabled "$bucket_name" + assert_success + fi + local enabled="Enabled" + local governance="GOVERNANCE" + local days="1" + + run put_object_lock_configuration "$bucket_name" "$enabled" "$governance" "$days" + assert_success "error putting object lock config" + + run get_and_check_object_lock_config "$bucket_name" "$enabled" "$governance" "$days" + assert_success "error getting and checking object lock config" + + bucket_cleanup "aws" "$bucket_name" +} + +@test "test_put_object_metadata" { + object_one="object-one" + test_key="x-test-data" + test_value="test-value" + + run create_test_files "$object_one" + assert_success + + run setup_bucket "aws" "$BUCKET_ONE_NAME" + assert_success + + object="$TEST_FILE_FOLDER"/"$object_one" + put_object_with_metadata "aws" "$object" "$BUCKET_ONE_NAME" "$object_one" "$test_key" "$test_value" || fail "failed to add object to bucket" + object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "object not found after being added to bucket" + + get_object_metadata "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "error getting object metadata" + key=$(echo "$metadata" | jq -r 'keys[]' 2>&1) || fail 
"error getting key from metadata: $key" + value=$(echo "$metadata" | jq -r '.[]' 2>&1) || fail "error getting value from metadata: $value" + [[ $key == "$test_key" ]] || fail "keys doesn't match (expected $key, actual \"$test_key\")" + [[ $value == "$test_value" ]] || fail "values doesn't match (expected $value, actual \"$test_value\")" + + bucket_cleanup "aws" "$BUCKET_ONE_NAME" + delete_test_files "$object_one" +} + +@test "test_retention_bypass" { + test_retention_bypass_aws_root +} + +# test v1 s3api list objects command +@test "test-s3api-list-objects-v1" { + test_s3api_list_objects_v1_aws_root +} + +# test v2 s3api list objects command +@test "test-s3api-list-objects-v2" { + test_s3api_list_objects_v2_aws_root +} + +# test abilty to set and retrieve object tags +@test "test-set-get-object-tags" { + test_common_set_get_object_tags "aws" +} + # ensure that lists of files greater than a size of 1000 (pagination) are returned properly #@test "test_list_objects_file_count" { # test_common_list_objects_file_count "aws" 
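Review bot: In the moved `test_put_object_metadata` (hunk `@@ -159,6 +121,94 @@`, which starts on the previous line), the two comparison messages have expected and actual swapped: `$key`/`$value` are what was read back and `$test_key`/`$test_value` are the expected values, so a failure prints the reverse of what happened. `[[ $key == "$test_key" ]] || fail "keys don't match (expected \"$test_key\", actual $key)"` and `[[ $value == "$test_value" ]] || fail "values don't match (expected \"$test_value\", actual $value)"` report it correctly. As a point of style, the moved `test_put_object_lock_configuration` assigns `bucket_name=$BUCKET_ONE_NAME` without `local`, unlike the `local enabled`, `local governance` and `local days` lines right below it.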
@@ -183,55 +233,6 @@ export RUN_USERS=true # [[ $put_object -eq 0 ]] || fail "Failed to add object to bucket" #} -@test "test_retention_bypass" { - test_retention_bypass_aws_root -} - -@test "test_add_object_metadata" { - object_one="object-one" - test_key="x-test-data" - test_value="test-value" - - run create_test_files "$object_one" - assert_success - - run setup_bucket "aws" "$BUCKET_ONE_NAME" - assert_success - - object="$TEST_FILE_FOLDER"/"$object_one" - put_object_with_metadata "aws" "$object" "$BUCKET_ONE_NAME" "$object_one" "$test_key" "$test_value" || fail "failed to add object to bucket" - object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "object not found after being added to bucket" - - get_object_metadata "aws" "$BUCKET_ONE_NAME" "$object_one" || fail "error getting object metadata" - key=$(echo "$metadata" | jq -r 'keys[]' 2>&1) || fail "error getting key from metadata: $key" - value=$(echo "$metadata" | jq -r '.[]' 2>&1) || fail "error getting value from metadata: $value" - [[ $key == "$test_key" ]] || fail "keys doesn't match (expected $key, actual \"$test_key\")" - [[ $value == "$test_value" ]] || fail "values doesn't match (expected $value, actual \"$test_value\")" - - bucket_cleanup "aws" "$BUCKET_ONE_NAME" - delete_test_files "$object_one" -} - -@test "test_put_object_lock_configuration" { - bucket_name=$BUCKET_ONE_NAME - if [[ $RECREATE_BUCKETS == "true" ]]; then - run delete_bucket "s3api" "$bucket_name" - assert_success - run create_bucket_object_lock_enabled "$bucket_name" - assert_success - fi - local enabled="Enabled" - local governance="GOVERNANCE" - local days="1" - - run put_object_lock_configuration "$bucket_name" "$enabled" "$governance" "$days" - assert_success "error putting object lock config" - - run get_and_check_object_lock_config "$bucket_name" "$enabled" "$governance" "$days" - assert_success "error getting and checking object lock config" - - bucket_cleanup "aws" "$bucket_name" -} @test "test_ls_directory_object" { 
test_common_ls_directory_object "s3api" diff --git a/tests/test_s3api_policy.sh b/tests/test_s3api_policy.sh index 223e1b8..d8c1ecb 100755 --- a/tests/test_s3api_policy.sh +++ b/tests/test_s3api_policy.sh @@ -16,6 +16,9 @@ source ./tests/logger.sh source ./tests/setup.sh +source ./tests/test_s3api_policy_bucket.sh +source ./tests/test_s3api_policy_multipart.sh +source ./tests/test_s3api_policy_object.sh source ./tests/util_multipart.sh source ./tests/util_file.sh source ./tests/util_policy.sh 
@@ -30,25 +33,60 @@ source ./tests/commands/put_object.sh export RUN_USERS=true -@test "test_put_policy_invalid_action" { +@test "test_policy_abort_multipart_upload" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" fi - test_s3api_policy_invalid_action + test_s3api_policy_abort_multipart_upload } -@test "test_policy_get_object_with_user" { +@test "test_policy_allow_deny" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" fi - test_s3api_policy_get_object_with_user + test_s3api_policy_allow_deny } -@test "test_policy_get_object_specific_file" { +@test "test_policy_delete" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" fi - test_s3api_policy_get_object_specific_file + test_s3api_policy_delete +} + +@test "test_policy_delete_bucket_policy" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" + fi + test_s3api_policy_delete_bucket_policy +} + +@test "test_policy_deny" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" + fi + test_s3api_policy_deny +} + +@test "test_policy_get_bucket_acl" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" + fi + test_s3api_policy_get_bucket_acl +} + +@test "test_policy_get_bucket_policy" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" + fi + test_s3api_policy_get_bucket_policy +} + +@test "test_policy_get_bucket_tagging" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" + fi + test_s3api_policy_get_bucket_tagging } @test "test_policy_get_object_file_wildcard" { 
@@ -65,39 +103,18 @@ export RUN_USERS=true test_s3api_policy_get_object_folder_wildcard } -@test "test_policy_allow_deny" { +@test "test_policy_get_object_specific_file" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" fi - test_s3api_policy_allow_deny + test_s3api_policy_get_object_specific_file } -@test "test_policy_deny" { +@test "test_policy_get_object_with_user" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" fi - test_s3api_policy_deny -} - -@test "test_policy_put_wildcard" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_put_wildcard -} - -@test "test_policy_delete" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_delete -} - -@test "test_policy_get_bucket_policy" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_get_bucket_policy + test_s3api_policy_get_object_with_user } @test "test_policy_list_multipart_uploads" { 
@@ -107,55 +124,6 @@ export RUN_USERS=true test_s3api_policy_list_multipart_uploads } -@test "test_policy_put_bucket_policy" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_put_bucket_policy -} - -@test "test_policy_delete_bucket_policy" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_delete_bucket_policy -} - -@test "test_policy_get_bucket_acl" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_get_bucket_acl -} - -@test "test_policy_abort_multipart_upload" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_abort_multipart_upload -} - -@test "test_policy_two_principals" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_two_principals -} - -@test "test_policy_put_bucket_tagging" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_put_bucket_tagging -} - -@test "test_policy_get_bucket_tagging" { - if [[ -n $SKIP_POLICY ]]; then - skip "will not test policy actions with SKIP_POLICY set" - fi - test_s3api_policy_get_bucket_tagging -} - @test "test_policy_list_upload_parts" { if [[ -n $SKIP_POLICY ]]; then skip "will not test policy actions with SKIP_POLICY set" 
@@ -170,673 +138,37 @@ export RUN_USERS=true
 test_s3api_policy_put_acl
 }
-test_s3api_policy_invalid_action() {
- policy_file="policy_file"
-
- run create_test_file "$policy_file"
- assert_success
-
- effect="Allow"
- principal="*"
- action="s3:GetObjectt"
- resource="arn:aws:s3:::$BUCKET_ONE_NAME/*"
-
- # shellcheck disable=SC2154
- run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource"
- assert_success
-
- run setup_bucket "s3api" "$BUCKET_ONE_NAME"
- assert_success
-
- run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME"
- assert_success
-
- run put_and_check_for_malformed_policy "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
- assert_success
-}
-
-test_s3api_policy_get_object_with_user() {
- policy_file="policy_file"
- username=$USERNAME_ONE
- password=$PASSWORD_ONE
- test_file="test_file"
-
- log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE"
- run create_test_files "$test_file" "$policy_file"
- assert_success
-
- effect="Allow"
- principal="$username"
- action="s3:GetObject"
- resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
-
- run setup_bucket "s3api" "$BUCKET_ONE_NAME"
- assert_success
-
- run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
- assert_success
-
- run setup_user "$username" "$password" "user"
- assert_success
-
- run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
- assert_success
-
- run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
- assert_success
-
- run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
- assert_success
-
- run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
- assert_success
-}
-
-test_s3api_policy_get_object_specific_file() { - policy_file="policy_file" - test_file="test_file" - test_file_two="test_file_two" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_files "$policy_file" "$test_file" "$test_file_two" - assert_success - - effect="Allow" - principal="$username" - action="s3:GetObject" - resource="arn:aws:s3:::$BUCKET_ONE_NAME/test_file" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - - put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" || fail "error copying object" - put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object" - - run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" - assert_success - - run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password" - assert_success -} - -test_s3api_policy_get_object_file_wildcard() { - policy_file="policy_file_one" - policy_file_two="policy_file_two" - policy_file_three="policy_fil" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_files "$policy_file" "$policy_file_two" "$policy_file_three" - assert_success - - effect="Allow" - principal="$username" - action="s3:GetObject" - resource="arn:aws:s3:::$BUCKET_ONE_NAME/policy_file*" - - run setup_user "$username" "$password" "user" - assert_success - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - run setup_policy_with_single_statement 
"$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" - assert_success - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success - - run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" - assert_success - run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" - assert_success - run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_three" "$BUCKET_ONE_NAME" "$policy_file_three" - assert_success - - run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" "$username" "$password" - assert_success - - run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" "$TEST_FILE_FOLDER/$policy_file_two-copy" "$username" "$password" - assert_success - - run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$policy_file_three" "$TEST_FILE_FOLDER/$policy_file_three" "$username" "$password" - assert_success -} - -test_s3api_policy_get_object_folder_wildcard() { - policy_file="policy_file" - test_folder="test_folder" - test_file="test_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_folder "$test_folder" - assert_success - - run create_test_files "$test_folder/$test_file" "$policy_file" - assert_success - - effect="Allow" - principal="$username" - action="s3:GetObject" - resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*" - - run setup_user "$username" "$password" "user" - assert_success - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" - assert_success - - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success - - run put_object "s3api" 
"$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" - assert_success - - run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" - assert_success -} - -test_s3api_policy_allow_deny() { - policy_file="policy_file" - test_file="test_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_files "$policy_file" "$test_file" - assert_success - - run setup_user "$username" "$password" "user" - assert_success - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \ - "Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" \ - "Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" - assert_success - - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success - - run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" - assert_success - - run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" - assert_success -} - -test_s3api_policy_deny() { - policy_file="policy_file" - test_file_one="test_file_one" - test_file_two="test_file_two" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_files "$test_file_one" "$test_file_two" "$policy_file" - assert_success - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \ - "Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" \ - "Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" - - log 5 "Policy: $(cat 
"$TEST_FILE_FOLDER/$policy_file")" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one" - put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two" - get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$TEST_FILE_FOLDER/$test_file_one-copy" "$username" "$password" || fail "error getting object" - - run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password" - assert_success -} - -test_s3api_policy_put_wildcard() { - policy_file="policy_file" - test_folder="test_folder" - test_file="test_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_folder "$test_folder" - assert_success - - run create_test_files "$test_folder/$test_file" "$policy_file" - assert_success - - effect="Allow" - principal="$username" - action="s3:PutObject" - resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*" - - setup_user "$username" "$password" "user" || fail "error creating user" - - setup_bucket "s3api" "$BUCKET_ONE_NAME" - log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")" - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - if put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"; then - fail "able to put object despite not being allowed" +@test "test_policy_put_bucket_policy" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" fi - # shellcheck disable=SC2154 - [[ "$put_object_error" == 
*"Access Denied"* ]] || fail "invalid put object error: $put_object_error" - put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$username" "$password" || fail "error putting file despite policy permissions" - - run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$test_folder/$test_file-copy" "$username" "$password" - assert_success - - download_and_compare_file "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" || fail "files don't match" + test_s3api_policy_put_bucket_policy } -test_s3api_policy_delete() { - policy_file="policy_file" - test_file_one="test_file_one" - test_file_two="test_file_two" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_files "$test_file_one" "$test_file_two" "$policy_file" - assert_success - - effect="Allow" - principal="$username" - action="s3:DeleteObject" - resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - - put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one" - put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two" - if delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$username" "$password"; then - fail "able to delete object despite lack of permissions" +@test "test_policy_put_bucket_tagging" { + if [[ -n 
$SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" fi - # shellcheck disable=SC2154 - [[ "$delete_object_error" == *"Access Denied"* ]] || fail "invalid delete object error: $delete_object_error" - delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$username" "$password" || fail "error deleting object despite permissions" + test_s3api_policy_put_bucket_tagging } -test_s3api_policy_get_bucket_policy() { - policy_file="policy_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" - assert_success - - effect="Allow" - principal="$username" - action="s3:GetBucketPolicy" - resource="arn:aws:s3:::$BUCKET_ONE_NAME" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - if get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then - fail "able to retrieve bucket policy despite lack of permissions" +@test "test_policy_two_principals" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" fi - - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket policy despite permissions" - # shellcheck disable=SC2154 - echo "$bucket_policy" > "$TEST_FILE_FOLDER/$policy_file-copy" - log 5 "ORIG: $(cat "$TEST_FILE_FOLDER/$policy_file")" - log 5 "COPY: $(cat "$TEST_FILE_FOLDER/$policy_file-copy")" - compare_files "$TEST_FILE_FOLDER/$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" || fail "policies not equal" + test_s3api_policy_two_principals } -test_s3api_policy_list_multipart_uploads() { - policy_file="policy_file" - test_file="test_file" - 
username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" - assert_success - - run create_large_file "$test_file" - assert_success - - effect="Allow" - principal="$username" - action="s3:ListBucketMultipartUploads" - resource="arn:aws:s3:::$BUCKET_ONE_NAME" - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - get_bucket_policy "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket policy" - log 5 "BUCKET POLICY: $bucket_policy" - get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket ACL" - # shellcheck disable=SC2154 - log 5 "ACL: $acl" - run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" - assert_success "failed to set up policy" - run create_multipart_upload "$BUCKET_ONE_NAME" "$test_file" - assert_success "failed to create multipart upload" - if list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then - fail "able to list multipart uploads despite lack of permissions" +@test "test_policy_put_wildcard" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" fi - # shellcheck disable=SC2154 - [[ "$list_multipart_uploads_error" == *"Access Denied"* ]] || fail "invalid list multipart uploads error: $list_multipart_uploads_error" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error listing multipart uploads" - # shellcheck disable=SC2154 - log 5 "$uploads" - upload_key=$(echo "$uploads" | grep -v "InsecureRequestWarning" | jq -r ".Uploads[0].Key" 2>&1) || fail "error parsing upload key from uploads message: $upload_key" - [[ $upload_key == "$test_file" ]] || fail "upload key doesn't match file marked as being uploaded" + 
test_s3api_policy_put_wildcard } -test_s3api_policy_put_bucket_policy() { - policy_file="policy_file" - policy_file_two="policy_file_two" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" 0 - assert_success - - effect="Allow" - principal="$username" - action="s3:PutBucketPolicy" - resource="arn:aws:s3:::$BUCKET_ONE_NAME" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - if put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" "$username" "$password"; then - fail "able to retrieve bucket policy despite lack of permissions" +@test "test_put_policy_invalid_action" { + if [[ -n $SKIP_POLICY ]]; then + skip "will not test policy actions with SKIP_POLICY set" fi - - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file_two" "dummy" "$effect" "$principal" "s3:GetBucketPolicy" "$resource" || fail "failed to set up policy" - put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file_two" "$username" "$password" || fail "error putting bucket policy despite permissions" - get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket policy despite permissions" - # shellcheck disable=SC2154 - echo "$bucket_policy" > "$TEST_FILE_FOLDER/$policy_file-copy" - log 5 "ORIG: $(cat "$TEST_FILE_FOLDER/$policy_file_two")" - log 5 "COPY: $(cat "$TEST_FILE_FOLDER/$policy_file-copy")" - compare_files "$TEST_FILE_FOLDER/$policy_file_two" "$TEST_FILE_FOLDER/$policy_file-copy" || fail "policies not equal" -} - -test_s3api_policy_delete_bucket_policy() { - policy_file="policy_file" - 
username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" 0 - assert_success - - effect="Allow" - principal="$username" - action="s3:DeleteBucketPolicy" - resource="arn:aws:s3:::$BUCKET_ONE_NAME" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - if delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then - fail "able to delete bucket policy with user $username without right permissions" - fi - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "unable to delete bucket policy" -} - -test_s3api_policy_get_bucket_acl() { - policy_file="policy_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" 0 - assert_success - - effect="Allow" - principal="$username" - action="s3:GetBucketAcl" - resource="arn:aws:s3:::$BUCKET_ONE_NAME" - - setup_user "$username" "$password" "user" || fail "error creating user" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - if get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then - fail "user able to get bucket ACLs despite permissions" - fi - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error getting bucket ACL despite permissions" -} - -test_s3api_policy_abort_multipart_upload() { - policy_file="policy_file" - 
test_file="test_file" - username=$USERNAME_ONE - - run create_test_file "$policy_file" - assert_success - - run create_large_file "$test_file" - assert_success - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - if [[ $DIRECT == "true" ]]; then - setup_user_direct "$username" "user" "$BUCKET_ONE_NAME" || fail "error setting up direct user $username" - principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/$username\"}" - # shellcheck disable=SC2154 - username=$key_id - # shellcheck disable=SC2154 - password=$secret_key - else - password=$PASSWORD_ONE - setup_user "$username" "$password" "user" || fail "error setting up user $username" - principal="\"$username\"" - fi - - setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \ - "Allow" "$principal" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" \ - "Deny" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*" - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting first policy" - - create_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$username" "$password" || fail "error creating multipart upload" - # shellcheck disable=SC2154 - if abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password"; then - fail "abort multipart upload succeeded despite lack of permissions" - fi - # shellcheck disable=SC2154 - [[ "$abort_multipart_upload_error" == *"AccessDenied"* ]] || fail "unexpected abort error: $abort_multipart_upload_error" - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*" - - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password" || fail "error aborting multipart upload despite 
permissions" -} - -test_s3api_policy_two_principals() { - policy_file="policy_file" - test_file="test_file" - - run create_test_files "$test_file" "$policy_file" - assert_success "error creating test files" - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success "error setting up bucket $BUCKET_ONE_NAME" - run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" - assert_success "error setting up user $USERNAME_ONE" - run setup_user "$USERNAME_TWO" "$PASSWORD_TWO" "user" - assert_success "error setting up user $USERNAME_TWO" - - run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" - assert_success "error adding object to bucket" - run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE" - assert_failure "able to get object with user $USERNAME_ONE despite lack of permission" - - run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO" - assert_failure "able to get object with user $USERNAME_TWO despite lack of permission" - - run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "Allow" "[\"$USERNAME_ONE\", \"$USERNAME_TWO\"]" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" - assert_success "error setting up policy" - - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success "error putting policy" - run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE" - assert_success "error getting object with user $USERNAME_ONE" - run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO" - assert_success "error getting object with user $USERNAME_TWO" -} - -test_s3api_policy_put_bucket_tagging() { - policy_file="policy_file" - tag_key="TestKey" - tag_value="TestValue" - - run create_test_files 
"$policy_file" - assert_success "error creating test files" - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success "error setting up bucket" - run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" - assert_success "error setting up user" - - run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME" - assert_success "error setting up policy" - run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE" - assert_failure - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success "error putting policy" - run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE" - assert_success "unable to put bucket tagging despite user permissions" - - run get_and_check_bucket_tags "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" - assert_success -} - -test_s3api_policy_put_acl() { - policy_file="policy_file" - test_file="test_file" - username=$USERNAME_ONE - password=$PASSWORD_ONE - - run create_test_file "$policy_file" 0 - assert_success - run create_large_file "$test_file" - assert_success - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" || fail "error putting bucket ownership controls" - - setup_user "$username" "$password" "user" || fail "error setting up user $username" - - setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$username" "s3:PutBucketAcl" "arn:aws:s3:::$BUCKET_ONE_NAME" - if [[ $DIRECT == "true" ]]; then - put_public_access_block_enable_public_acls "$BUCKET_ONE_NAME" || fail "error enabling public ACLs" - fi - - put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" - - put_bucket_canned_acl_with_user "$BUCKET_ONE_NAME" "public-read" 
"$username" "$password" || fail "error putting canned acl" - get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket acl" - # shellcheck disable=SC2154 - log 5 "ACL: $acl" - second_grant=$(echo "$acl" | jq -r ".Grants[1]" 2>&1) || fail "error getting second grant: $second_grant" - second_grantee=$(echo "$second_grant" | jq -r ".Grantee" 2>&1) || fail "error getting second grantee: $second_grantee" - permission=$(echo "$second_grant" | jq -r ".Permission" 2>&1) || fail "error getting permission: $permission" - log 5 "second grantee: $second_grantee" - [[ $permission == "READ" ]] || fail "incorrect permission: $permission" - if [[ $DIRECT == "true" ]]; then - uri=$(echo "$second_grantee" | jq -r ".URI" 2>&1) || fail "error getting uri: $uri" - [[ $uri == "http://acs.amazonaws.com/groups/global/AllUsers" ]] || fail "unexpected URI: $uri" - else - id=$(echo "$second_grantee" | jq -r ".ID" 2>&1) || fail "error getting ID: $id" - [[ $id == "all-users" ]] || fail "unexpected ID: $id" - fi -} - -test_s3api_policy_get_bucket_tagging() { - policy_file="policy_file" - test_file="test_file" - tag_key="TestKey" - tag_value="TestValue" - - run create_test_files "$policy_file" - assert_success "error creating test files" - - run setup_bucket "s3api" "$BUCKET_ONE_NAME" - assert_success - - run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" - assert_success "error creating user '$USERNAME_ONE'" - - run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:GetBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME" - assert_success "error setting up policy" - - run put_bucket_tagging "s3api" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" - assert_success "unable to put bucket tagging" - - run get_bucket_tagging_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" - assert_failure - - run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" - assert_success "error putting policy" - - run 
get_and_check_bucket_tags_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value"
- assert_success "get and check bucket tags failed"
-}
-
-test_s3api_policy_list_upload_parts() {
- policy_file="policy_file"
- test_file="test_file"
- tag_key="TestKey"
- tag_value="TestValue"
-
- run create_test_files "$policy_file"
- assert_success "error creating test files"
-
- run create_large_file "$test_file"
- assert_success "error creating large file"
-
- run setup_bucket "s3api" "$BUCKET_ONE_NAME"
- assert_success "error setting up bucket"
-
- run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user"
- assert_success "error creating user '$USERNAME_ONE'"
-
- run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
- assert_success "error setting up policy"
-
- run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
- assert_success "error putting policy"
-
- run create_upload_and_test_parts_listing "$test_file" "$policy_file"
- assert_success "error creating upload and testing parts listing"
+ test_s3api_policy_invalid_action
 }
diff --git a/tests/test_s3api_policy_bucket.sh b/tests/test_s3api_policy_bucket.sh
new file mode 100644
index 0000000..9530204
--- /dev/null
+++ b/tests/test_s3api_policy_bucket.sh
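Review bot: The new registration `@test "test_put_policy_invalid_action" {` breaks the `test_policy_*` naming that every other wrapper in this file and the wrapped function (test_s3api_policy_invalid_action) follow; `@test "test_policy_invalid_action" {` keeps the suite filterable by one prefix. The five new wrappers each repeat the same three-line SKIP_POLICY guard, which a bats `setup()` calling `skip` when SKIP_POLICY is set would express once. The wrappers also call functions this hunk removes from the file (test_s3api_policy_put_bucket_policy, …_put_bucket_tagging, …_two_principals, …_put_wildcard, …_invalid_action), so they depend on those definitions being sourced from elsewhere; the hunk that would add such a `source` line, if any, is outside this view, so please confirm the file still resolves them at load time. This hunk runs to the end of the file.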
@@ -0,0 +1,244 @@ +#!/usr/bin/env bats + +# Copyright 2024 Versity Software +# This file is licensed under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +source ./tests/util_acl.sh + +test_s3api_policy_delete_bucket_policy() { + policy_file="policy_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" 0 + assert_success + + effect="Allow" + principal="$username" + action="s3:DeleteBucketPolicy" + resource="arn:aws:s3:::$BUCKET_ONE_NAME" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" + assert_failure + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run delete_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" + assert_success +} + +test_s3api_policy_get_bucket_acl() { + policy_file="policy_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" 0 + assert_success + + effect="Allow" + principal="$username" + action="s3:GetBucketAcl" + resource="arn:aws:s3:::$BUCKET_ONE_NAME" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run 
get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password" + assert_failure + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run get_bucket_acl_with_user "$BUCKET_ONE_NAME" "$username" "$password" + assert_success +} + +test_s3api_policy_get_bucket_policy() { + policy_file="policy_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:GetBucketPolicy" + resource="arn:aws:s3:::$BUCKET_ONE_NAME" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run get_bucket_policy_with_user "$BUCKET_ONE_NAME" "$username" "$password" + assert_failure + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run get_and_compare_policy_with_file "$BUCKET_ONE_NAME" "$username" "$password" "$TEST_FILE_FOLDER/$policy_file" + assert_success +} + +test_s3api_policy_get_bucket_tagging() { + policy_file="policy_file" + test_file="test_file" + tag_key="TestKey" + tag_value="TestValue" + + run create_test_files "$policy_file" + assert_success "error creating test files" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" + assert_success "error creating user '$USERNAME_ONE'" + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:GetBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME" + assert_success "error setting up policy" + + run put_bucket_tagging "s3api" 
"$BUCKET_ONE_NAME" "$tag_key" "$tag_value" + assert_success "unable to put bucket tagging" + + run get_bucket_tagging_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" + assert_failure + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success "error putting policy" + + run get_and_check_bucket_tags_with_user "$USERNAME_ONE" "$PASSWORD_ONE" "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" + assert_success "get and check bucket tags failed" +} + +test_s3api_policy_put_acl() { + policy_file="policy_file" + test_file="test_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" 0 + assert_success + run create_large_file "$test_file" + assert_success + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred" + assert_success + + run setup_user "$username" "$password" "user" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$username" "s3:PutBucketAcl" "arn:aws:s3:::$BUCKET_ONE_NAME" + assert_success + if [[ $DIRECT == "true" ]]; then + run put_public_access_block_enable_public_acls "$BUCKET_ONE_NAME" + assert_success + fi + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run put_bucket_canned_acl_with_user "$BUCKET_ONE_NAME" "public-read" "$username" "$password" + assert_success + + run get_check_acl_after_policy "$BUCKET_ONE_NAME" + assert_success +} + +test_s3api_policy_put_bucket_policy() { + policy_file="policy_file" + policy_file_two="policy_file_two" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" 0 + assert_success + + effect="Allow" + principal="$username" + action="s3:PutBucketPolicy" + resource="arn:aws:s3:::$BUCKET_ONE_NAME" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" 
"$BUCKET_ONE_NAME" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" "$username" "$password" + assert_failure + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file_two" "dummy" "$effect" "$principal" "s3:GetBucketPolicy" "$resource" + assert_success + + run put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file_two" "$username" "$password" + assert_success + + run get_and_compare_policy_with_file "$BUCKET_ONE_NAME" "$username" "$password" "$TEST_FILE_FOLDER/$policy_file_two" + assert_success +} + +test_s3api_policy_put_bucket_tagging() { + policy_file="policy_file" + tag_key="TestKey" + tag_value="TestValue" + + run create_test_files "$policy_file" + assert_success "error creating test files" + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success "error setting up bucket" + run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" + assert_success "error setting up user" + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME" + assert_success "error setting up policy" + run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE" + assert_failure + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success "error putting policy" + run put_bucket_tagging_with_user "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" "$USERNAME_ONE" "$PASSWORD_ONE" + assert_success "unable to put bucket tagging despite user permissions" + + run get_and_check_bucket_tags "$BUCKET_ONE_NAME" "$tag_key" "$tag_value" + assert_success +} 
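Review bot: `test_s3api_policy_delete_bucket_policy` ends as soon as the user's delete call succeeds and never confirms the policy is actually gone, so a server that answers 200 without removing it would pass; add `run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME"` followed by `assert_success` after the final delete (that helper is already used by `test_s3api_policy_invalid_action` in this change). `test_s3api_policy_put_bucket_policy` has the mirror gap: after the user replaces the policy with one granting only `s3:GetBucketPolicy`, nothing checks that their `s3:PutBucketPolicy` grant is now revoked, which is the security-relevant half of the test — a closing `run put_bucket_policy_with_user "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" "$username" "$password"` with `assert_failure` would pin it. Minor: `test_s3api_policy_get_bucket_policy` calls `create_test_file "$policy_file"` without the size argument its siblings pass, and `test_s3api_policy_get_bucket_tagging` declares an unused `test_file`.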
diff --git a/tests/test_s3api_policy_multipart.sh b/tests/test_s3api_policy_multipart.sh
new file mode 100644
index 0000000..c66ebce
--- /dev/null
+++ b/tests/test_s3api_policy_multipart.sh
@@ -0,0 +1,131 @@ +#!/usr/bin/env bats + +# Copyright 2024 Versity Software +# This file is licensed under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +test_s3api_policy_abort_multipart_upload() { + policy_file="policy_file" + test_file="test_file" + username=$USERNAME_ONE + + run create_test_file "$policy_file" + assert_success + + run create_large_file "$test_file" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + if [[ $DIRECT == "true" ]]; then + setup_user_direct "$username" "user" "$BUCKET_ONE_NAME" || fail "error setting up direct user $username" + principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/$username\"}" + # shellcheck disable=SC2154 + username=$key_id + # shellcheck disable=SC2154 + password=$secret_key + else + password=$PASSWORD_ONE + setup_user "$username" "$password" "user" || fail "error setting up user $username" + principal="\"$username\"" + fi + + setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \ + "Allow" "$principal" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" \ + "Deny" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting first policy" + + create_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$username" "$password" || fail "error creating multipart upload" + # shellcheck disable=SC2154 + if abort_multipart_upload_with_user 
"$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password"; then + fail "abort multipart upload succeeded despite lack of permissions" + fi + # shellcheck disable=SC2154 + [[ "$abort_multipart_upload_error" == *"AccessDenied"* ]] || fail "unexpected abort error: $abort_multipart_upload_error" + + setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$principal" "s3:AbortMultipartUpload" "arn:aws:s3:::$BUCKET_ONE_NAME/*" + + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + abort_multipart_upload_with_user "$BUCKET_ONE_NAME" "$test_file" "$upload_id" "$username" "$password" || fail "error aborting multipart upload despite permissions" +} + +test_s3api_policy_list_multipart_uploads() { + policy_file="policy_file" + test_file="test_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_file "$policy_file" + assert_success + + run create_large_file "$test_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:ListBucketMultipartUploads" + resource="arn:aws:s3:::$BUCKET_ONE_NAME" + setup_user "$username" "$password" "user" || fail "error creating user" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + get_bucket_policy "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket policy" + # shellcheck disable=SC2154 + log 5 "BUCKET POLICY: $bucket_policy" + get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || fail "error getting bucket ACL" + # shellcheck disable=SC2154 + log 5 "ACL: $acl" + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success "failed to set up policy" + run create_multipart_upload "$BUCKET_ONE_NAME" "$test_file" + assert_success "failed to create multipart upload" + if list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password"; then + fail "able to list multipart uploads despite lack of 
permissions" + fi + # shellcheck disable=SC2154 + [[ "$list_multipart_uploads_error" == *"Access Denied"* ]] || fail "invalid list multipart uploads error: $list_multipart_uploads_error" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + list_multipart_uploads_with_user "$BUCKET_ONE_NAME" "$username" "$password" || fail "error listing multipart uploads" + # shellcheck disable=SC2154 + log 5 "$uploads" + upload_key=$(echo "$uploads" | grep -v "InsecureRequestWarning" | jq -r ".Uploads[0].Key" 2>&1) || fail "error parsing upload key from uploads message: $upload_key" + [[ $upload_key == "$test_file" ]] || fail "upload key doesn't match file marked as being uploaded" +} + +test_s3api_policy_list_upload_parts() { + policy_file="policy_file" + test_file="test_file" + + run create_test_files "$policy_file" + assert_success "error creating test files" + + run create_large_file "$test_file" + assert_success "error creating large file" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success "error setting up bucket" + + run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" + assert_success "error creating user '$USERNAME_ONE'" + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" + assert_success "error setting up policy" + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success "error putting policy" + + run create_upload_and_test_parts_listing "$test_file" "$policy_file" + assert_success "error creating upload and testing parts listing" +} diff --git a/tests/test_s3api_policy_object.sh b/tests/test_s3api_policy_object.sh new file mode 100644 index 0000000..4c8d039 --- /dev/null +++ b/tests/test_s3api_policy_object.sh 
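Review bot: The principal is handed to the policy helpers in two different shapes in this file: `test_s3api_policy_abort_multipart_upload` pre-quotes it (`principal="\"$username\""`, or a raw `{"AWS": ...}` object in DIRECT mode) while `test_s3api_policy_list_multipart_uploads` passes the bare `$username`, so `setup_policy_with_single_statement` presumably has to guess whether its argument is already JSON; settling on one shape (the raw JSON fragment the abort test builds) would remove that guesswork. Relatedly, the list test uses the literal policy version `"dummy"` whereas the abort test — the only one here wired for `DIRECT=true` — uses `"2012-10-17"`; if the list test is ever run against AWS the bogus version would presumably be rejected as malformed, so a comment on that call such as `# "dummy" version is accepted by the gateway only; not valid against AWS` would save the next person a surprise. The list test also never aborts the upload it creates, so a failing run may leave a dangling multipart upload unless teardown clears it.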
@@ -0,0 +1,352 @@ +#!/usr/bin/env bats + +# Copyright 2024 Versity Software +# This file is licensed under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +test_s3api_policy_allow_deny() { + policy_file="policy_file" + test_file="test_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_files "$policy_file" "$test_file" + assert_success + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \ + "Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" \ + "Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" + assert_success + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" + assert_success + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" + assert_success +} + +test_s3api_policy_delete() { + policy_file="policy_file" + test_file_one="test_file_one" + test_file_two="test_file_two" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_files "$test_file_one" "$test_file_two" "$policy_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:DeleteObject" + 
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" + + setup_user "$username" "$password" "user" || fail "error creating user" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" + log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + + put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one" + put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two" + if delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$username" "$password"; then + fail "able to delete object despite lack of permissions" + fi + # shellcheck disable=SC2154 + [[ "$delete_object_error" == *"Access Denied"* ]] || fail "invalid delete object error: $delete_object_error" + delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$username" "$password" || fail "error deleting object despite permissions" +} + +test_s3api_policy_deny() { + policy_file="policy_file" + test_file_one="test_file_one" + test_file_two="test_file_two" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_files "$test_file_one" "$test_file_two" "$policy_file" + assert_success + + setup_user "$username" "$password" "user" || fail "error creating user" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" \ + "Deny" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" \ + "Allow" "$username" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" + + log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" 
"$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one" || fail "error copying object one" + put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object two" + get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$TEST_FILE_FOLDER/$test_file_one-copy" "$username" "$password" || fail "error getting object" + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password" + assert_success +} + +test_s3api_policy_get_object_file_wildcard() { + policy_file="policy_file_one" + policy_file_two="policy_file_two" + policy_file_three="policy_fil" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_files "$policy_file" "$policy_file_two" "$policy_file_three" + assert_success + + effect="Allow" + principal="$username" + action="s3:GetObject" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/policy_file*" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" + assert_success + run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" + assert_success + run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_three" "$BUCKET_ONE_NAME" "$policy_file_three" + assert_success + + run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" "$username" "$password" + assert_success + + run 
download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" "$TEST_FILE_FOLDER/$policy_file_two-copy" "$username" "$password" + assert_success + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$policy_file_three" "$TEST_FILE_FOLDER/$policy_file_three" "$username" "$password" + assert_success +} + +test_s3api_policy_get_object_folder_wildcard() { + policy_file="policy_file" + test_folder="test_folder" + test_file="test_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_folder "$test_folder" + assert_success + + run create_test_files "$test_folder/$test_file" "$policy_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:GetObject" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*" + + run setup_user "$username" "$password" "user" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + + run put_object "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" + assert_success + + run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" + assert_success +} + +test_s3api_policy_get_object_specific_file() { + policy_file="policy_file" + test_file="test_file" + test_file_two="test_file_two" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_files "$policy_file" "$test_file" "$test_file_two" + assert_success + + effect="Allow" + principal="$username" + action="s3:GetObject" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/test_file" + + setup_user "$username" "$password" "user" || fail 
"error creating user" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + + put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" || fail "error copying object" + put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two" || fail "error copying object" + + run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" + assert_success + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password" + assert_success +} + +test_s3api_policy_get_object_with_user() { + policy_file="policy_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + test_file="test_file" + + log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE" + run create_test_files "$test_file" "$policy_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:GetObject" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" + assert_success + + run setup_user "$username" "$password" "user" + assert_success + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" + assert_success + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource" + assert_success + + run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success + 
+ run download_and_compare_file_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password" + assert_success +} + +test_s3api_policy_invalid_action() { + policy_file="policy_file" + + run create_test_file "$policy_file" + assert_success + + effect="Allow" + principal="*" + action="s3:GetObjectt" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/*" + + # shellcheck disable=SC2154 + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" + assert_success + + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success + + run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME" + assert_success + + run put_and_check_for_malformed_policy "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success +} + +test_s3api_policy_put_wildcard() { + policy_file="policy_file" + test_folder="test_folder" + test_file="test_file" + username=$USERNAME_ONE + password=$PASSWORD_ONE + + run create_test_folder "$test_folder" + assert_success + + run create_test_files "$test_folder/$test_file" "$policy_file" + assert_success + + effect="Allow" + principal="$username" + action="s3:PutObject" + resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*" + + setup_user "$username" "$password" "user" || fail "error creating user" + + setup_bucket "s3api" "$BUCKET_ONE_NAME" + log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")" + setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "$effect" "$principal" "$action" "$resource" || fail "failed to set up policy" + put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" || fail "error putting policy" + if put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"; then + fail "able to put object despite not being allowed" + fi + # shellcheck disable=SC2154 + [[ "$put_object_error" == 
*"Access Denied"* ]] || fail "invalid put object error: $put_object_error" + put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$username" "$password" || fail "error putting file despite policy permissions" + + run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$test_folder/$test_file-copy" "$username" "$password" + assert_success + + download_and_compare_file "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" || fail "files don't match" +} + +test_s3api_policy_two_principals() { + policy_file="policy_file" + test_file="test_file" + + run create_test_files "$test_file" "$policy_file" + assert_success "error creating test files" + run setup_bucket "s3api" "$BUCKET_ONE_NAME" + assert_success "error setting up bucket $BUCKET_ONE_NAME" + run setup_user "$USERNAME_ONE" "$PASSWORD_ONE" "user" + assert_success "error setting up user $USERNAME_ONE" + run setup_user "$USERNAME_TWO" "$PASSWORD_TWO" "user" + assert_success "error setting up user $USERNAME_TWO" + + run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" + assert_success "error adding object to bucket" + run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE" + assert_failure "able to get object with user $USERNAME_ONE despite lack of permission" + + run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO" + assert_failure "able to get object with user $USERNAME_TWO despite lack of permission" + + run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "dummy" "Allow" "[\"$USERNAME_ONE\", \"$USERNAME_TWO\"]" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" + assert_success "error setting up policy" + + run put_bucket_policy "s3api" 
"$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file" + assert_success "error putting policy" + run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$USERNAME_ONE" "$PASSWORD_ONE" + assert_success "error getting object with user $USERNAME_ONE" + run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$USERNAME_TWO" "$PASSWORD_TWO" + assert_success "error getting object with user $USERNAME_TWO" +} diff --git a/tests/util.sh b/tests/util.sh index a72c24e..d8edf98 100644 --- a/tests/util.sh +++ b/tests/util.sh @@ -269,7 +269,7 @@ object_exists() { put_object_with_metadata() { if [ $# -ne 6 ]; then - echo "put object command requires command type, source, destination, key, metadata key, metadata value" + log 2 "put object command requires command type, source, destination, key, metadata key, metadata value" return 1 fi @@ -278,12 +278,12 @@ put_object_with_metadata() { if [[ $1 == 'aws' ]]; then error=$(aws --no-verify-ssl s3api put-object --body "$2" --bucket "$3" --key "$4" --metadata "{\"$5\":\"$6\"}") || exit_code=$? else - echo "invalid command type $1" + log 2 "invalid command type $1" return 1 fi log 5 "put object exit code: $exit_code" if [ $exit_code -ne 0 ]; then - echo "error copying object to bucket: $error" + log 2 "error copying object to bucket: $error" return 1 fi return 0 @@ -291,7 +291,7 @@ put_object_with_metadata() { get_object_metadata() { if [ $# -ne 3 ]; then - echo "get object metadata command requires command type, bucket, key" + log 2 "get object metadata command requires command type, bucket, key" return 1 fi 
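Review bot: `test_s3api_policy_get_object_with_user` writes the test user's password to the log (`log 5 "username: $USERNAME_ONE, password: $PASSWORD_ONE"`); even at debug level that puts a credential into CI output and artifacts, so drop the secret: `log 5 "username: $USERNAME_ONE"`. In `test_s3api_policy_put_wildcard` the `setup_bucket "s3api" "$BUCKET_ONE_NAME"` call is the only one in the file whose result is not checked, and the `log 5 "Policy: $(cat ...)"` line runs before `setup_policy_with_single_statement` writes the file, so it logs a stale or empty policy; append `|| fail "error setting up bucket"` and move the log after the setup call. The same test passes `"$test_folder/$test_file-copy"` without the `$TEST_FILE_FOLDER/` prefix to `verify_user_cant_get_object`, unlike every sibling call.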
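Review bot: In `put_object_with_metadata` the converted failure message `log 2 "error copying object to bucket: $error"` will almost always be empty, because `error=$(aws ... put-object ...)` captures only stdout and the CLI reports failures on stderr; the siblings touched in this change (`object_is_accessible`, `get_object_acl`) redirect with `2>&1`. Change the call to `error=$(aws --no-verify-ssl s3api put-object --body "$2" --bucket "$3" --key "$4" --metadata "{\"$5\":\"$6\"}" 2>&1) || exit_code=$?`. The message also says "copying" for what is a put; `log 2 "error putting object with metadata: $error"` describes the operation that failed.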
@@ -299,11 +299,11 @@ get_object_metadata() { if [[ $1 == 'aws' ]]; then metadata_struct=$(aws --no-verify-ssl s3api head-object --bucket "$2" --key "$3") || exit_code=$? else - echo "invalid command type $1" + log 2 "invalid command type $1" return 1 fi if [ $exit_code -ne 0 ]; then - echo "error copying object to bucket: $error" + log 2 "error copying object to bucket: $error" return 1 fi log 5 "raw metadata: $metadata_struct" @@ -315,7 +315,7 @@ get_object_metadata() { put_object_multiple() { if [ $# -ne 3 ]; then - echo "put object command requires command type, source, destination" + log 2 "put object command requires command type, source, destination" return 1 fi local exit_code=0 @@ -330,11 +330,11 @@ put_object_multiple() { # shellcheck disable=SC2086 error=$(mc --insecure cp $2 "$MC_ALIAS"/"$3" 2>&1) || exit_code=$? else - echo "invalid command type $1" + log 2 "invalid command type $1" return 1 fi if [ $exit_code -ne 0 ]; then - echo "error copying object to bucket: $error" + log 2 "error copying object to bucket: $error" return 1 else log 5 "$error" @@ -347,18 +347,18 @@ put_object_multiple() { # return 0 for success or already exists, 1 for failure check_and_put_object() { if [ $# -ne 3 ]; then - echo "check and put object function requires source, bucket, destination" + log 2 "check and put object function requires source, bucket, destination" return 1 fi object_exists "aws" "$2" "$3" || local exists_result=$? if [ "$exists_result" -eq 2 ]; then - echo "error checking if object exists" + log 2 "error checking if object exists" return 1 fi if [ "$exists_result" -eq 1 ]; then copy_object "$1" "$2" || local copy_result=$? if [ "$copy_result" -ne 0 ]; then - echo "error adding object" + log 2 "error adding object" return 1 fi fi 
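Review bot: `get_object_metadata` logs `"error copying object to bucket: $error"` after a failed `head-object`, but `$error` is never assigned in this function — the command's output goes to `metadata_struct` — so the converted message reports nothing useful and names the wrong operation. Capture stderr into the variable that is actually reported: `metadata_struct=$(aws --no-verify-ssl s3api head-object --bucket "$2" --key "$3" 2>&1) || exit_code=$?` and `log 2 "error getting object metadata: $metadata_struct"`. The function's argument check and the initialisation of `exit_code` sit in the previous hunk.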
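Review bot: `check_and_put_object` still calls `copy_object "$1" "$2"` with two arguments, but `copy_object` (converted earlier in this same change) rejects anything but four — command type, source, bucket, key — so this branch can only ever log the argument error and return 1. Given the function's own contract of "source, bucket, destination" and the `object_exists "aws" "$2" "$3"` call just above, the intended call is presumably `copy_object "aws" "$1" "$2" "$3"`. Separately, `local exists_result=$?` and `local copy_result=$?` are assigned only on failure; on success the variables are unset and `[ "$exists_result" -eq 2 ]` becomes an "integer expression expected" error that `[` happens to report as false, so initialising both to 0 before the calls (`local exists_result=0` / `local copy_result=0`) makes the flow explicit. The hunk ends before the function's closing `return`.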
@@ -367,7 +367,7 @@ check_and_put_object() { remove_insecure_request_warning() { if [[ $# -ne 1 ]]; then - echo "remove insecure request warning requires input lines" + log 2 "remove insecure request warning requires input lines" return 1 fi parsed_output=() @@ -384,13 +384,13 @@ remove_insecure_request_warning() { # return 0 for yes, 1 for no, 2 for error object_is_accessible() { if [ $# -ne 2 ]; then - echo "object accessibility check missing bucket and/or key" + log 2 "object accessibility check missing bucket and/or key" return 2 fi local exit_code=0 object_data=$(aws --no-verify-ssl s3api head-object --bucket "$1" --key "$2" 2>&1) || exit_code="$?" if [ $exit_code -ne 0 ]; then - echo "Error obtaining object data: $object_data" + log 2 "Error obtaining object data: $object_data" return 2 fi etag=$(echo "$object_data" | grep -v "InsecureRequestWarning" | jq '.ETag') @@ -405,13 +405,13 @@ object_is_accessible() { # export acl for success, return 1 for error get_object_acl() { if [ $# -ne 2 ]; then - echo "object ACL command missing object name" + log 2 "object ACL command missing object name" return 1 fi local exit_code=0 acl=$(aws --no-verify-ssl s3api get-object-acl --bucket "$1" --key "$2" 2>&1) || exit_code="$?" if [ $exit_code -ne 0 ]; then - echo "Error getting object ACLs: $acl" + log 2 "Error getting object ACLs: $acl" return 1 fi export acl @@ -422,14 +422,14 @@ get_object_acl() { # return 0 for success, 1 for failure copy_file() { if [ $# -ne 2 ]; then - echo "copy file command requires src and dest" + log 2 "copy file command requires src and dest" return 1 fi local result error=$(aws --no-verify-ssl s3 cp "$1" "$2") || result=$? if [[ $result -ne 0 ]]; then - echo "error copying file: $error" + log 2 "error copying file: $error" return 1 fi return 0 diff --git a/tests/util_acl.sh b/tests/util_acl.sh index 8790851..d285ed9 100644 --- a/tests/util_acl.sh +++ b/tests/util_acl.sh 
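Review bot: `copy_file` has the same stderr gap as the other converted helpers: `error=$(aws --no-verify-ssl s3 cp "$1" "$2") || result=$?` captures only stdout, so the new `log 2 "error copying file: $error"` will be empty on failure; append `2>&1` inside the substitution. `result` is declared `local` but never initialised, so `[[ $result -ne 0 ]]` relies on `[[` treating an empty operand as 0 on the success path; `local result=0` is clearer and matches `exit_code=0` in `object_is_accessible` above.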
@@ -149,3 +149,52 @@ get_check_acl_after_second_put() {
 fi
 return 0
 }
+
+get_check_acl_after_policy() {
+ if [ $# -ne 1 ]; then
+ log 2 "'get_check_acl_after_policy' requires bucket name"
+ return 1
+ fi
+ if ! get_bucket_acl "s3api" "$1"; then
+ log 2 "error getting bucket acl"
+ return 1
+ fi
+ # shellcheck disable=SC2154
+ log 5 "ACL: $acl"
+ if ! second_grant=$(echo "$acl" | jq -r ".Grants[1]" 2>&1); then
+ log 2 "error getting second grant: $second_grant"
+ return 1
+ fi
+ if ! second_grantee=$(echo "$second_grant" | jq -r ".Grantee" 2>&1); then
+ log 2 "error getting second grantee: $second_grantee"
+ return 1
+ fi
+ if ! permission=$(echo "$second_grant" | jq -r ".Permission" 2>&1); then
+ log 2 "error getting permission: $permission"
+ return 1
+ fi
+ log 5 "second grantee: $second_grantee"
+ if [[ $permission != "READ" ]]; then
+ log 2 "incorrect permission: $permission"
+ return 1
+ fi
+ if [[ $DIRECT == "true" ]]; then
+ if ! uri=$(echo "$second_grantee" | jq -r ".URI" 2>&1); then
+ log 2 "error getting uri: $uri"
+ return 1
+ fi
+ if [[ $uri != "http://acs.amazonaws.com/groups/global/AllUsers" ]]; then
+ log 2 "unexpected URI: $uri"
+ return 1
+ fi
+ else
+ if ! id=$(echo "$second_grantee" | jq -r ".ID" 2>&1); then
+ log 2 "error getting ID: $id"
+ return 1
+ fi
+ if [[ $id != "all-users" ]]; then
+ log 2 "unexpected ID: $id"
+ return 1
+ fi
+ fi
+}
diff --git a/tests/util_aws.sh b/tests/util_aws.sh
index 5f9b99f..dcae4e9 100644
--- a/tests/util_aws.sh
+++ b/tests/util_aws.sh
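Review bot: get_check_acl_after_policy pins the expected public-read grant to `.Grants[1]`, so the check depends on the order in which the server lists grants rather than on the grant itself; if the AllUsers entry comes first, or an extra grant is present, the test fails (or, worse, inspects the owner's FULL_CONTROL grant) without the ACL actually being wrong. A positional lookup is also a weak assertion for an access-control test: select the grant by its grantee and then check its permission, e.g. `permission=$(echo "$acl" | jq -r '.Grants[] | select(.Grantee.URI == "http://acs.amazonaws.com/groups/global/AllUsers") | .Permission')` for the DIRECT branch and the equivalent `select(.Grantee.ID == "all-users")` otherwise, then fail when the result is empty. The function also relies on the implicit status of the final `if` instead of an explicit `return 0` like its neighbours.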
@@ -16,13 +16,13 @@ abort_all_multipart_uploads() {
 if [[ $# -ne 1 ]]; then
- echo "abort all multipart uploads command missing bucket name"
+ log 2 "abort all multipart uploads command missing bucket name"
 return 1
 fi
 upload_list=$(aws --no-verify-ssl s3api list-multipart-uploads --bucket "$1" 2>&1) || list_result=$?
 if [[ $list_result -ne 0 ]]; then
- echo "error listing multipart uploads: $upload_list"
+ log 2 "error listing multipart uploads: $upload_list"
 return 1
 fi
 log 5 "$upload_list"
@@ -46,7 +46,7 @@ abort_all_multipart_uploads() {
 while read -r line; do
 # shellcheck disable=SC2086
 if ! error=$(aws --no-verify-ssl s3api abort-multipart-upload --bucket "$1" $line 2>&1); then
- echo "error aborting multipart upload: $error"
+ log 2 "error aborting multipart upload: $error"
 return 1
 fi
 done <<< "$lines"
diff --git a/tests/util_bucket.sh b/tests/util_bucket.sh
index 88f57cd..7ba81a1 100644
--- a/tests/util_bucket.sh
+++ b/tests/util_bucket.sh
@@ -287,7 +287,7 @@ setup_bucket() {
 # return 0 for yes, 1 for no, 2 for error
 bucket_is_accessible() {
 if [ $# -ne 1 ]; then
- echo "bucket accessibility check missing bucket name"
+ log 2 "bucket accessibility check missing bucket name"
 return 2
 fi
 local exit_code=0
@@ -299,6 +299,28 @@ bucket_is_accessible() {
 if [[ "$error" == *"500"* ]]; then
 return 1
 fi
- echo "Error checking bucket accessibility: $error"
+ log 2 "Error checking bucket accessibility: $error"
 return 2
 }
+
+check_for_empty_region() {
+ if [ $# -ne 1 ]; then
+ log 2 "'check_for_empty_region' requires bucket name"
+ return 1
+ fi
+ if ! head_bucket "aws" "$BUCKET_ONE_NAME"; then
+ log 2 "error getting bucket info"
+ return 1
+ fi
+ # shellcheck disable=SC2154
+ log 5 "INFO: $bucket_info"
+ if ! region=$(echo "$bucket_info" | grep -v "InsecureRequestWarning" | jq -r ".BucketRegion" 2>&1); then
+ log 2 "error getting region: $region"
+ return 1
+ fi
+ if [[ $region == "" ]]; then
+ log 2 "empty bucket region"
+ return 1
+ fi
+ return 0
+}
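Review bot: check_for_empty_region validates that it received a bucket name but then ignores it — `head_bucket "aws" "$BUCKET_ONE_NAME"` always inspects the global bucket, so a caller passing any other bucket gets a result for the wrong one. Change the call to `head_bucket "aws" "$1"`. The new get_and_check_ownership_controls in tests/util_ownership.sh has the same slip, passing `BUCKET_NAME="$BUCKET_ONE_NAME"` to the REST script instead of its own `$1`. Also note that `jq -r ".BucketRegion"` prints the literal `null` when the field is absent, so the `$region == ""` check would not catch a missing region; comparing against both `""` and `"null"` is the safer test.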
diff --git a/tests/util_file.sh b/tests/util_file.sh
index 6f39f32..a36606c 100644
--- a/tests/util_file.sh
+++ b/tests/util_file.sh
@@ -104,17 +104,17 @@ create_test_folder() {
 # return: 0 for success, 1 for error
 delete_test_files() {
 if [ $# -lt 1 ]; then
- echo "delete test files command missing filenames"
+ log 2 "delete test files command missing filenames"
 return 1
 fi
 if [ -z "$TEST_FILE_FOLDER" ]; then
- echo "no test file folder defined, not deleting"
+ log 2 "no test file folder defined, not deleting"
 return 1
 fi
 for name in "$@"; do
 rm -rf "${TEST_FILE_FOLDER:?}"/"${name:?}" || rm_result=$?
 if [[ $rm_result -ne 0 ]]; then
- echo "error deleting file $name"
+ log 2 "error deleting file $name"
 fi
 done
 return 0
@@ -139,7 +139,7 @@ split_file() {
 local split_result
 error=$(split -a 1 -d -b "$part_size" "$1" "$1"-) || split_result=$?
 if [[ $split_result -ne 0 ]]; then
- echo "error splitting file: $error"
+ log 2 "error splitting file: $error"
 return 1
 fi
 return 0
@@ -150,7 +150,7 @@ split_file() {
 # return 0 for same data, 1 for different data, 2 for error
 compare_files() {
 if [ $# -ne 2 ]; then
- echo "file comparison requires two files"
+ log 2 "file comparison requires two files"
 return 2
 fi
 os=$(uname)
diff --git a/tests/util_list_buckets.sh b/tests/util_list_buckets.sh
index 116d0b2..6e5d594 100644
--- a/tests/util_list_buckets.sh
+++ b/tests/util_list_buckets.sh
@@ -62,7 +62,7 @@ list_and_check_buckets_with_user() {
 break
 fi
 done
- echo $bucket_one_found $bucket_two_found
+ log 5 "buckets found? one: $bucket_one_found, two: $bucket_two_found"
 if [ $bucket_one_found == false ] || [ $bucket_two_found == false ]; then
 log 2 "Not all buckets found"
 return 1
diff --git a/tests/util_mc.sh b/tests/util_mc.sh
index 045861c..3f4334c 100644
--- a/tests/util_mc.sh
+++ b/tests/util_mc.sh
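Review bot: In delete_test_files, `rm_result` is never reset inside the loop and is not declared local, so after the first failed `rm` every later filename is reported as an error too, and a non-zero value can leak into whatever calls this function next. Add `local rm_result=0` as the first line of the `for` body. The function also always ends in `return 0` even after logging deletion errors, which contradicts the "1 for error" contract in the comment above it; if best-effort cleanup is intended, the comment should say so, otherwise track a failure flag and return it.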
@@ -19,19 +19,19 @@
 # return 0 for success, 1 for failure
 delete_bucket_recursive_mc() {
 if [[ $# -ne 1 ]]; then
- echo "delete bucket recursive mc command requires bucket name"
+ log 2 "delete bucket recursive mc command requires bucket name"
 return 1
 fi
 local exit_code=0
 local error
 error=$(mc --insecure rm --recursive --force "$MC_ALIAS"/"$1" 2>&1) || exit_code="$?"
 if [[ $exit_code -ne 0 ]]; then
- echo "error deleting bucket contents: $error"
+ log 2 "error deleting bucket contents: $error"
 return 1
 fi
 error=$(mc --insecure rb "$MC_ALIAS"/"$1" 2>&1) || exit_code="$?"
 if [[ $exit_code -ne 0 ]]; then
- echo "error deleting bucket: $error"
+ log 2 "error deleting bucket: $error"
 return 1
 fi
 return 0
diff --git a/tests/util_multipart.sh b/tests/util_multipart.sh
index 781aa0f..19cc338 100644
--- a/tests/util_multipart.sh
+++ b/tests/util_multipart.sh
@@ -210,7 +210,7 @@ create_and_list_multipart_uploads() {
 fi
 if ! list_multipart_uploads "$1"; then
- echo "error listing uploads"
+ log 2 "error listing uploads"
 return 1
 fi
 return 0
@@ -228,7 +228,7 @@ multipart_upload_from_bucket() {
 fi
 for ((i=0;i<$4;i++)) {
- echo "key: $3"
+ log 5 "key: $3"
 if ! put_object "s3api" "$3-$i" "$1" "$2-$i"; then
 log 2 "error copying object"
 return 1
@@ -262,7 +262,7 @@ multipart_upload_from_bucket() {
 multipart_upload_from_bucket_range() {
 if [ $# -ne 5 ]; then
- echo "multipart upload from bucket with range command requires bucket, copy source, key, part count, and range"
+ log 2 "multipart upload from bucket with range command requires bucket, copy source, key, part count, and range"
 return 1
 fi
 if ! split_file "$3" "$4"; then
@@ -324,7 +324,7 @@ multipart_upload_before_completion() {
 for ((i = 1; i <= $4; i++)); do
 # shellcheck disable=SC2154
 if ! upload_part "$1" "$2" "$upload_id" "$3" "$i"; then
- echo "error uploading part $i"
+ log 2 "error uploading part $i"
 return 1
 fi
 parts+="{\"ETag\": $etag, \"PartNumber\": $i}"
diff --git a/tests/util_ownership.sh b/tests/util_ownership.sh
new file mode 100644
index 0000000..427e897
--- /dev/null
+++ b/tests/util_ownership.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+get_and_check_ownership_controls() {
+ if [ $# -ne 2 ]; then
+ log 2 "'get_and_check_ownership_controls' missing bucket name, expected result"
+ return 1
+ fi
+ if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$BUCKET_ONE_NAME" OUTPUT_FILE="$TEST_FILE_FOLDER/ownershipControls.txt" ./tests/rest_scripts/get_bucket_ownership_controls.sh); then
+ log 2 "error getting bucket ownership controls: $result"
+ return 1
+ fi
+ if [ "$result" != "200" ]; then
+ log 2 "GetBucketOwnershipControls returned response code: $result, reply: $(cat "$TEST_FILE_FOLDER/ownershipControls.txt")"
+ return 1
+ fi
+ log 5 "controls: $(cat "$TEST_FILE_FOLDER/ownershipControls.txt")"
+ if ! rule=$(xmllint --xpath '//*[local-name()="ObjectOwnership"]/text()' "$TEST_FILE_FOLDER/ownershipControls.txt" 2>&1); then
+ log 2 "error getting ownership rule: $rule"
+ return 1
+ fi
+ if [ "$rule" != "$2" ]; then
+ log 2 "rule mismatch (expected '$2', actual '$rule')"
+ return 1
+ fi
+ return 0
+}
+
+put_bucket_ownership_controls_rest() {
+ if [ $# -ne 2 ]; then
+ log 2 "'put_bucket_ownership_controls_rest' missing bucket name, ownership"
+ return 1
+ fi
+ if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OWNERSHIP="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/put_bucket_ownership_controls.sh); then
+ log 2 "error putting bucket ownership controls: $result"
+ return 1
+ fi
+ if [ "$result" != "200" ]; then
+ log 2 "put bucket ownership controls returned code $result: $(cat "$TEST_FILE_FOLDER/result.txt")"
+ return 1
+ fi
+ return 0
+}
\ No newline at end of file
diff --git a/tests/util_policy.sh b/tests/util_policy.sh
index d51823a..9aa2ae1 100644
--- a/tests/util_policy.sh
+++ b/tests/util_policy.sh
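Review bot: Both new functions in tests/util_ownership.sh build their OUTPUT_FILE path from `$TEST_FILE_FOLDER` without checking that it is set, so with an empty variable the REST scripts would be told to write `/ownershipControls.txt` and `/result.txt` at the filesystem root; delete_test_files in tests/util_file.sh guards the same variable explicitly, and a `: "${TEST_FILE_FOLDER:?}"` at the top of each function would match that. put_bucket_ownership_controls_rest also writes to the generic `result.txt`, which any other helper using the same name would overwrite before the error path reads it back — a function-specific name such as `ownershipControlsPut.txt` avoids that. The file additionally lacks a trailing newline, per the `\ No newline at end of file` marker.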
@@ -16,7 +16,7 @@ check_for_empty_policy() {
 if [[ $# -ne 2 ]]; then
- echo "check for empty policy command requires command type, bucket name"
+ log 2 "check for empty policy command requires command type, bucket name"
 return 1
 fi
@@ -36,7 +36,7 @@ check_for_empty_policy() {
 statement=$(echo "$bucket_policy" | jq -r '.Statement[0]')
 log 5 "statement: $statement"
 if [[ "" != "$statement" ]] && [[ "null" != "$statement" ]]; then
- echo "policy should be empty (actual value: '$statement')"
+ log 2 "policy should be empty (actual value: '$statement')"
 return 1
 fi
 return 0
@@ -222,3 +222,23 @@ put_and_check_for_malformed_policy() {
 fi
 return 0
 }
+
+get_and_compare_policy_with_file() {
+ if [ $# -ne 4 ]; then
+ log 2 "'get_and_compare_policies' reuires bucket, username, password, filename"
+ return 1
+ fi
+ if ! get_bucket_policy_with_user "$1" "$2" "$3"; then
+ log 2 "error getting bucket policy"
+ return 1
+ fi
+ # shellcheck disable=SC2154
+ echo "$bucket_policy" > "$4-copy"
+ log 5 "ORIG: $(cat "$4")"
+ log 5 "COPY: $(cat "$4-copy")"
+ if ! compare_files "$4" "$4-copy"; then
+ log 2 "policies not equal"
+ return 1
+ fi
+ return 0
+}
diff --git a/tests/util_rest.sh b/tests/util_rest.sh
index 4ea4cbb..8c31e2e 100644
--- a/tests/util_rest.sh
+++ b/tests/util_rest.sh
@@ -107,10 +107,10 @@ x-amz-date:$current_time host;x-amz-content-sha256;x-amz-date $3"
- echo "canonical: $canonical_request"
+ log 5 "canonical: $canonical_request"
- echo "TEST CREQ"
- cat test.creq
+ log 5 "TEST CREQ"
+ log 5 "$(cat test.creq)"
 }
 generate_sts_string() {
@@ -148,6 +148,6 @@ $1 $ymd/us-west-2/s3/aws4_request $creq_hash"
- echo "TEST STS"
- cat test.sts
+ log 5 "TEST STS"
+ log 5 "$(cat test.sts)"
 }
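Review bot: The usage message in the new get_and_compare_policy_with_file names a different function and has a typo, so a caller hitting it would be pointed at a helper that does not exist: `log 2 "'get_and_compare_policy_with_file' requires bucket, username, password, filename"`. The function also writes `$4-copy` next to the caller's policy file and never removes it, so repeated runs leave stale copies beside the fixture; writing the fetched policy under `$TEST_FILE_FOLDER` (or removing the copy before `return`) keeps the fixture directory clean. Since `compare_files` is documented elsewhere in this diff as returning 2 for an error, the plain `if !` here folds "could not compare" into "policies not equal"; logging the status would make failures easier to diagnose.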
@@ -176,7 +176,7 @@ parse_object_tags_rest() {
 check_tags_empty() {
 if [[ $# -ne 1 ]]; then
- echo "check tags empty requires command type"
+ log 2 "check tags empty requires command type"
 return 1
 fi
 if [[ $1 == 'aws' ]]; then
@@ -185,12 +185,12 @@ check_tags_empty() {
 fi
 tag_set=$(echo "$tags" | jq '.TagSet')
 if [[ $tag_set != "[]" ]]; then
- echo "error: tags not empty: $tags"
+ log 2 "error: tags not empty: $tags"
 return 1
 fi
 else
 if [[ $tags != "" ]] && [[ $tags != *"No tags found"* ]]; then
- echo "Error: tags not empty: $tags"
+ log 2 "Error: tags not empty: $tags"
 return 1
 fi
 fi
@@ -199,11 +199,11 @@ check_tags_empty() {
 check_object_tags_empty() {
 if [[ $# -ne 3 ]]; then
- echo "bucket tags empty check requires command type, bucket, and key"
+ log 2 "bucket tags empty check requires command type, bucket, and key"
 return 2
 fi
 if ! get_object_tagging "$1" "$2" "$3"; then
- echo "failed to get tags"
+ log 2 "failed to get tags"
 return 2
 fi
 check_tags_empty "$1" || local check_result=$?
@@ -213,11 +213,11 @@ check_object_tags_empty() {
 check_bucket_tags_empty() {
 if [[ $# -ne 2 ]]; then
- echo "bucket tags empty check requires command type, bucket"
+ log 2 "bucket tags empty check requires command type, bucket"
 return 2
 fi
 if ! get_bucket_tagging "$1" "$2"; then
- echo "failed to get tags"
+ log 2 "failed to get tags"
 return 2
 fi
 check_tags_empty "$1" || local check_result=$?
@@ -227,23 +227,23 @@ check_bucket_tags_empty() {
 get_and_verify_object_tags() {
 if [[ $# -ne 5 ]]; then
- echo "get and verify object tags missing command type, bucket, key, tag key, tag value"
+ log 2 "get and verify object tags missing command type, bucket, key, tag key, tag value"
 return 1
 fi
 get_object_tagging "$1" "$2" "$3" || get_result=$?
 if [[ $get_result -ne 0 ]]; then
- echo "failed to get tags"
+ log 2 "failed to get tags"
 return 1
 fi
 if [[ $1 == 'aws' ]]; then
 tag_set_key=$(echo "$tags" | jq '.TagSet[0].Key')
 tag_set_value=$(echo "$tags" | jq '.TagSet[0].Value')
 if [[ $tag_set_key != '"'$4'"' ]]; then
- echo "Key mismatch ($tag_set_key, \"$4\")"
+ log 2 "Key mismatch ($tag_set_key, \"$4\")"
 return 1
 fi
 if [[ $tag_set_value != '"'$5'"' ]]; then
- echo "Value mismatch ($tag_set_value, \"$5\")"
+ log 2 "Value mismatch ($tag_set_value, \"$5\")"
 return 1
 fi
 else
diff --git a/tests/util_users.sh b/tests/util_users.sh
index 3cf6aa8..b9331d4 100644
--- a/tests/util_users.sh
+++ b/tests/util_users.sh
@@ -69,7 +69,7 @@ create_user_versitygw() {
 create_user_if_nonexistent() {
 log 6 "create_user_if_nonexistent"
 if [[ $# -ne 3 ]]; then
- echo "create user command requires user ID, key, and role"
+ log 2 "create user command requires user ID, key, and role"
 return 1
 fi
 if user_exists "$1"; then
@@ -230,7 +230,7 @@ list_users_versitygw() {
 log 6 "list_users_versitygw"
 users=$(send_command "$VERSITY_EXE" admin --allow-insecure --access "$AWS_ACCESS_KEY_ID" --secret "$AWS_SECRET_ACCESS_KEY" --endpoint-url "$AWS_ENDPOINT_URL" list-users) || local list_result=$?
 if [[ $list_result -ne 0 ]]; then
- echo "error listing users: $users"
+ log 2 "error listing users: $users"
 return 1
 fi
 parsed_users=()
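Review bot: In get_and_verify_object_tags the comparisons `[[ $tag_set_key != '"'$4'"' ]]` and the matching value check leave `$4` and `$5` unquoted on the right-hand side of `[[ ]]`, where bash treats them as glob patterns — a tag key or value containing `*`, `?` or `[` would match loosely instead of exactly, so a mismatch could pass. Quote them: `if [[ $tag_set_key != "\"$4\"" ]]; then` and `if [[ $tag_set_value != "\"$5\"" ]]; then`. Also `get_result` is neither declared local nor reset before `get_object_tagging ... || get_result=$?`, so a non-zero value left by an earlier caller makes this function report "failed to get tags" even when the call succeeded; `local get_result=0` before the call fixes that. The function continues past the end of the hunk.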
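Review bot: list_users_versitygw passes `--secret "$AWS_SECRET_ACCESS_KEY"` on the command line of a command routed through `send_command`, so the secret is visible in the process list for the duration of the call and, if `send_command` records the invocation as its name suggests, is written to the command log in clear text; the change-bucket-owner hunk in this same file has the identical pattern with the caller-supplied `$2`. If the admin CLI can take credentials from the environment, prefer that; otherwise `send_command` should redact the value following `--secret` before recording the command. This is inferred from the function name — worth confirming what `send_command` actually logs.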
@@ -335,7 +335,7 @@ delete_user() {
 change_bucket_owner_direct() {
 log 6 "change_bucket_owner_direct"
 if [[ $# -ne 4 ]]; then
- echo "change bucket owner command requires ID, key, bucket name, and new owner"
+ log 2 "change bucket owner command requires ID, key, bucket name, and new owner"
 return 1
 fi
 # TODO add
@@ -356,7 +356,7 @@ reset_bucket_owner() {
 change_bucket_owner() {
 log 6 "change_bucket_owner"
 if [[ $# -ne 4 ]]; then
- echo "change bucket owner command requires ID, key, bucket name, and new owner"
+ log 2 "change bucket owner command requires ID, key, bucket name, and new owner"
 return 1
 fi
 if [[ $DIRECT == "true" ]]; then
@@ -369,7 +369,7 @@ change_bucket_owner() {
 log 5 "changing owner for bucket $3, new owner: $4"
 error=$(send_command "$VERSITY_EXE" admin --allow-insecure --access "$1" --secret "$2" --endpoint-url "$AWS_ENDPOINT_URL" change-bucket-owner --bucket "$3" --owner "$4" 2>&1) || local change_result=$?
 if [[ $change_result -ne 0 ]]; then
- echo "error changing bucket owner: $error"
+ log 2 "error changing bucket owner: $error"
 return 1
 fi
 return 0
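Review bot: In the last hunk of change_bucket_owner, `|| local change_result=$?` declares the variable only on the failure path, so on success `change_result` is whatever the caller's scope holds — the `[[ ... -ne 0 ]]` test happens to treat an unset name as 0, but a non-zero global of that name from an earlier call would turn a successful owner change into a reported failure. Declaring `local change_result=0` on the line before the `send_command` call and assigning with a plain `|| change_result=$?` makes the result independent of surrounding state; the same shape is used in list_users_versitygw (`|| local list_result=$?`).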