From c6944650a32a5f3b42b41b8e689ebee8047a9974 Mon Sep 17 00:00:00 2001
From: Luke McCrone
Date: Tue, 8 Jul 2025 16:28:17 -0300
Subject: [PATCH] test: CreateBucket ACLs tests, REST command testing update
---
 tests/commands/create_bucket.sh | 36 +++++++++++
 tests/commands/delete_bucket.sh | 11 ++--
 tests/drivers/rest.sh | 50 +++++++++++++-
 tests/rest_scripts/create_bucket.sh | 14 ++++
 tests/test_rest_bucket.sh | 90 +++++++++++++++++++++++++-
 tests/util/util_public_access_block.sh | 23 ++++++-
 6 files changed, 212 insertions(+), 12 deletions(-)
diff --git a/tests/commands/create_bucket.sh b/tests/commands/create_bucket.sh
index 1faf4a0..e65f38e 100644
--- a/tests/commands/create_bucket.sh
+++ b/tests/commands/create_bucket.sh
@@ -89,3 +89,39 @@ create_bucket_object_lock_enabled() {
 fi
 return 0
 }
+
+create_bucket_rest_with_invalid_acl() {
+ if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$BUCKET_ONE_NAME" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ACL="public-reads" OBJECT_OWNERSHIP="BucketOwnerPreferred" ./tests/rest_scripts/create_bucket.sh 2>&1); then
+ log 2 "error creating bucket: $result"
+ return 1
+ fi
+ if ! check_rest_expected_error "$result" "$TEST_FILE_FOLDER/result.txt" "400" "InvalidArgument" ""; then
+ log 2 "error checking XML CreateBucket error"
+ return 1
+ fi
+ return 0
+}
+
+create_bucket_rest_expect_error() {
+ if ! check_param_count_v2 "bucket name, params, response code, error code, message" 5 $#; then
+ return 1
+ fi
+ env_vars="BUCKET_NAME=$1 $2"
+ if ! send_rest_command_expect_error "$env_vars" "./tests/rest_scripts/create_bucket.sh" "$3" "$4" "$5"; then
+ log 2 "error sending REST command and checking error"
+ return 1
+ fi
+ return 0
+}
+
+create_bucket_rest_expect_success() {
+ if ! check_param_count_v2 "bucket name, params" 2 $#; then
+ return 1
+ fi
+ env_vars="BUCKET_NAME=$1 $2"
+ if ! send_rest_command_expect_success "$env_vars" "./tests/rest_scripts/create_bucket.sh" "200"; then
+ log 2 "error sending REST command and checking error"
+ return 1
+ fi
+ return 0
+}
diff --git a/tests/commands/delete_bucket.sh b/tests/commands/delete_bucket.sh
index 9704570..55007ff 100644
--- a/tests/commands/delete_bucket.sh
+++ b/tests/commands/delete_bucket.sh
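Review bot: The `params` argument of `create_bucket_rest_expect_error` and `create_bucket_rest_expect_success` is an undocumented mini-format: `env_vars="BUCKET_NAME=$1 $2"` joins everything into one string that `send_rest_command` in tests/drivers/rest.sh later splits on spaces, so no bucket name or header value containing a space can be passed through these wrappers. A header comment such as `# params: space-separated NAME=value pairs; values must not contain spaces` would make that limit visible before someone writes a grant test with a value that has a space in it. `env_vars` is also assigned without `local` in both wrappers, and the same line appears in `delete_bucket_rest` in tests/commands/delete_bucket.sh; `local env_vars="BUCKET_NAME=$1 $2"` keeps it out of the global scope. The failure log in `create_bucket_rest_expect_success` says "checking error" although that path checks for a 200, and `create_bucket_rest_with_invalid_acl` is not called anywhere in this patch and appears to duplicate what the new test does through `create_bucket_rest_expect_error`.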
@@ -53,15 +53,12 @@ delete_bucket() {
 }
 delete_bucket_rest() {
- if ! check_param_count "delete_bucket_rest" "bucket" 1 $#; then
+ if ! check_param_count_gt "bucket, env vars (optional)" 1 $#; then
 return 1
 fi
- if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/delete_bucket.sh 2>&1); then
- log 2 "error deleting bucket: $result"
- return 1
- fi
- if [ "$result" != "204" ]; then
- log 2 "expected '204', was '$result' ($(cat "$TEST_FILE_FOLDER/result.txt"))"
+ env_vars="BUCKET_NAME=$1 $2"
+ if ! send_rest_command_expect_success "$env_vars" "./tests/rest_scripts/delete_bucket.sh" "204"; then
+ log 2 "error sending REST command and checking error"
 return 1
 fi
 return 0
diff --git a/tests/drivers/rest.sh b/tests/drivers/rest.sh
index 69b74b0..95af823 100644
--- a/tests/drivers/rest.sh
+++ b/tests/drivers/rest.sh
@@ -29,4 +29,52 @@ check_rest_expected_error() {
 return 1
 fi
 return 0
-}
\ No newline at end of file
+}
+
+send_rest_command() {
+ if ! check_param_count_v2 "env vars, script, output file" 3 $#; then
+ return 1
+ fi
+ local env_array=("env" "COMMAND_LOG=$COMMAND_LOG" "OUTPUT_FILE=$3")
+ if [ "$1" != "" ]; then
+ IFS=' ' read -r -a env_vars <<< "$1"
+ env_array+=("${env_vars[@]}")
+ fi
+ # shellcheck disable=SC2068
+ if ! result=$(${env_array[@]} "$2" 2>&1); then
+ log 2 "error sending command: $result"
+ return 1
+ fi
+}
+
+send_rest_command_expect_error() {
+ if ! check_param_count_v2 "env vars, script, response code, error, message" 5 $#; then
+ return 1
+ fi
+ output_file="$TEST_FILE_FOLDER/error.txt"
+ if ! send_rest_command "$1" "$2" "$output_file"; then
+ log 2 "error sending REST command"
+ return 1
+ fi
+ if ! check_rest_expected_error "$result" "$output_file" "$3" "$4" "$5"; then
+ log 2 "error checking REST error"
+ return 1
+ fi
+ return 0
+}
+
+send_rest_command_expect_success() {
+ if ! check_param_count_v2 "env vars, script, response code" 3 $#; then
+ return 1
+ fi
+ output_file="$TEST_FILE_FOLDER/error.txt"
+ if ! send_rest_command "$1" "$2" "$output_file"; then
+ log 2 "error sending REST command"
+ return 1
+ fi
+ if [ "$result" != "$3" ]; then
+ log 2 "expected '$3', was '$result' ($(cat "$TEST_FILE_FOLDER/error.txt"))"
+ return 1
+ fi
+ return 0
+}
diff --git a/tests/rest_scripts/create_bucket.sh b/tests/rest_scripts/create_bucket.sh
index 359f724..2ea94c4 100755
--- a/tests/rest_scripts/create_bucket.sh
+++ b/tests/rest_scripts/create_bucket.sh
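Review bot: The unquoted `${env_array[@]}` in `send_rest_command` re-splits and glob-expands every element, including `COMMAND_LOG=$COMMAND_LOG` and `OUTPUT_FILE=$3`, so a log or test-folder path containing a space or a `*` reaches `env` as different arguments than intended. The caller's string has already been split by `read -r -a env_vars`, so the array can be expanded quoted and the SC2068 suppression dropped: `if ! result=$("${env_array[@]}" "$2" 2>&1); then`. `env_vars` should be declared `local` the way `env_array` is. The function hands its output back through the global `result`, which both `send_rest_command_expect_*` wrappers read; a header comment saying so would help, and `send_rest_command_expect_success` could pass `"$output_file"` to `cat` instead of repeating the `error.txt` path.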
@@ -20,11 +20,25 @@ source ./tests/rest_scripts/rest.sh
 # shellcheck disable=SC2153
 bucket_name="$BUCKET_NAME"
+acl="$ACL"
+# shellcheck disable=SC2153
+object_ownership="$OBJECT_OWNERSHIP"
+# shellcheck disable=SC2153
+grant_full_control="$GRANT_FULL_CONTROL"
 current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
 cr_data=("PUT" "/$bucket_name" "" "host:$host")
+if [ "$acl" != "" ]; then
+ cr_data+=("x-amz-acl:$acl")
+fi
 cr_data+=("x-amz-content-sha256:UNSIGNED-PAYLOAD" "x-amz-date:$current_date_time")
+if [ "$grant_full_control" != "" ]; then
+ cr_data+=("x-amz-grant-full-control:$grant_full_control")
+fi
+if [ "$object_ownership" != "" ]; then
+ cr_data+=("x-amz-object-ownership:$object_ownership")
+fi
 build_canonical_request "${cr_data[@]}"
 # shellcheck disable=SC2119
diff --git a/tests/test_rest_bucket.sh b/tests/test_rest_bucket.sh
index 2da15bf..c64670d 100755
--- a/tests/test_rest_bucket.sh
+++ b/tests/test_rest_bucket.sh
@@ -26,6 +26,7 @@ source ./tests/util/util_bucket.sh
 source ./tests/util/util_list_buckets.sh
 source ./tests/util/util_lock_config.sh
 source ./tests/util/util_ownership.sh
+source ./tests/util/util_public_access_block.sh
 source ./tests/util/util_rest.sh
 source ./tests/util/util_tags.sh
@@ -174,7 +175,7 @@ export RUN_USERS=true
 @test "REST - create bucket test" {
 if [ "$RECREATE_BUCKETS" == "false" ]; then
- skip "invalid test for static buckets"
+ skip "skip bucket create tests for static buckets"
 fi
 run bucket_cleanup_if_bucket_exists "$BUCKET_ONE_NAME"
 assert_success
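Review bot: In tests/rest_scripts/create_bucket.sh the positions of the three new conditional `cr_data+=` blocks look deliberate (`x-amz-acl` ahead of `x-amz-content-sha256`, then `x-amz-grant-full-control` and `x-amz-object-ownership` after `x-amz-date`), which matches the sorted-by-name header order a SigV4 canonical request needs, but nothing in the script says so. A comment above `cr_data=(...)` such as `# canonical headers must stay sorted by header name; add new x-amz-* entries at their sorted position` would stop the next optional header from being appended at the end and producing a signature mismatch. This assumes `build_canonical_request`, which is defined outside the hunk, does not sort the entries itself. As the hunk reads, `acl="$ACL"` is the only one of the three new assignments without a `# shellcheck disable=SC2153` line directly above it, which is worth making consistent one way or the other.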
@@ -193,3 +194,90 @@ export RUN_USERS=true
 run delete_object_empty_bucket_check_error
 assert_success
 }
+
+@test "REST - CreateBucket w/invalid acl" {
+ if [ "$DIRECT" != "true" ]; then
+ skip "https://github.com/versity/versitygw/issues/1379"
+ fi
+ if [ "$RECREATE_BUCKETS" == "false" ]; then
+ skip "skip bucket create tests for static buckets"
+ fi
+ run bucket_cleanup_if_bucket_exists "$BUCKET_ONE_NAME"
+ assert_success
+
+ envs="ACL=public-reads OBJECT_OWNERSHIP=BucketOwnerPreferred"
+ run create_bucket_rest_expect_error "$BUCKET_ONE_NAME" "$envs" "400" "InvalidArgument" ""
+ assert_success
+}
+
+@test "REST - CreateBucket - x-amz-grant-full-control - non-existent user" {
+ if [ "$DIRECT" != "true" ]; then
+ skip "https://github.com/versity/versitygw/issues/1384"
+ fi
+ if [ "$RECREATE_BUCKETS" == "false" ]; then
+ skip "skip bucket create tests for static buckets"
+ fi
+ run bucket_cleanup_if_bucket_exists "$BUCKET_ONE_NAME"
+ assert_success
+
+ if [ "$DIRECT" == "true" ]; then
+ id="id=$ACL_AWS_CANONICAL_ID"0
+ else
+ id="$AWS_ACCESS_KEY_ID"a
+ fi
+ envs="GRANT_FULL_CONTROL=$id OBJECT_OWNERSHIP=BucketOwnerPreferred"
+ run create_bucket_rest_expect_error "$BUCKET_ONE_NAME" "$envs" "400" "InvalidArgument" "Invalid id"
+ assert_success
+}
+
+@test "REST - CreateBucket - x-amz-grant-full-control - no ownership control change" {
+ if [ "$DIRECT" != "true" ]; then
+ skip "https://github.com/versity/versitygw/issues/1387"
+ fi
+ if [ "$RECREATE_BUCKETS" == "false" ]; then
+ skip "skip bucket create tests for static buckets"
+ fi
+ run bucket_cleanup_if_bucket_exists "$BUCKET_ONE_NAME"
+ assert_success
+
+ if [ "$DIRECT" == "true" ]; then
+ id="id=$ACL_AWS_CANONICAL_ID"
+ else
+ id="$AWS_ACCESS_KEY_ID"
+ fi
+ envs="GRANT_FULL_CONTROL=$id"
+ run create_bucket_rest_expect_error "$BUCKET_ONE_NAME" "$envs" "400" "InvalidBucketAclWithObjectOwnership" "Bucket cannot have ACLs set"
+ assert_success
+}
+
+@test "REST - CreateBucket - x-amz-grant-full-control - success" {
+ if [ "$RECREATE_BUCKETS" == "false" ]; then
+ skip "skip bucket create tests for static buckets"
+ fi
+ run bucket_cleanup_if_bucket_exists "$BUCKET_ONE_NAME"
+ assert_success
+
+ run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
+ assert_success
+ user_canonical_id=${lines[1]}
+ username=${lines[2]}
+ password=${lines[3]}
+ if [ "$DIRECT" == "true" ]; then
+ id="id=$user_canonical_id"
+ else
+ id="$user_canonical_id"
+ fi
+ envs="GRANT_FULL_CONTROL=$id OBJECT_OWNERSHIP=BucketOwnerPreferred"
+ run create_bucket_rest_expect_success "$BUCKET_ONE_NAME" "$envs"
+ assert_success
+
+ test_file="test_file"
+ run create_test_file "$test_file"
+ assert_success
+
+ run put_object_rest_with_user "$username" "$password" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+ assert_success
+
+ run download_and_compare_file "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/${test_file}-copy"
+ assert_success
+}
\ No newline at end of file
diff --git a/tests/util/util_public_access_block.sh b/tests/util/util_public_access_block.sh
index f1c3cb2..473a6d9 100644
--- a/tests/util/util_public_access_block.sh
+++ b/tests/util/util_public_access_block.sh
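Review bot: The `x-amz-grant-full-control - success` test covers only the allowed path: the grantee uploads with `put_object_rest_with_user` and the download is compared, but no request from a user outside the grant is ever attempted. A gateway that ignored the grant header and let any authenticated user write would pass this test just the same, so it should also try the same upload as a second user who was not named in the grant and assert that it is refused (S3 answers 403 AccessDenied). The reads of `lines[1]` to `lines[3]` assume `create_versitygw_acl_user_or_get_direct_user` prints exactly that layout; a one-line comment stating what each index holds would make that dependency visible. In the two skipped tests above, the `else` branches that build `id` from `$AWS_ACCESS_KEY_ID` cannot run while the `DIRECT` skip is in place, which is worth a comment so they are not mistaken for tested code.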
@@ -1,13 +1,30 @@
 #!/usr/bin/env bash
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 allow_public_access() {
- if [ $# -ne 1 ]; then
- log 2 "'allow_public_access' requires bucket name"
+ if ! check_param_count_v2 "bucket name" 1 $#; then
 return 1
 fi
- if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" BLOCK_PUBLIC_ACLS="FALSE" IGNORE_PUBLIC_ACLS="FALSE" RESTRICT_PUBLIC_BUCKETS="FALSE" OUTPUT_FILE="$TEST_FILE_FOLDER/response.txt" ./tests/rest_scripts/put_public_access_block.sh); then
+ if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" BLOCK_PUBLIC_ACLS="FALSE" IGNORE_PUBLIC_ACLS="FALSE" RESTRICT_PUBLIC_BUCKETS="FALSE" OUTPUT_FILE="$TEST_FILE_FOLDER/response.txt" ./tests/rest_scripts/put_public_access_block.sh 2>&1); then
 log 2 "error getting public access block: $result"
 return 1
 fi
+ if [ "$result" != "200" ]; then
+ log 2 "expected '200', was '$result' ($(cat "$TEST_FILE_FOLDER/response.txt"))"
+ return 1
+ fi
 return 0
 }
\ No newline at end of file
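Review bot: The license header added at the top of tests/util/util_public_access_block.sh gives the URL as `http:#www.apache.org/licenses/LICENSE-2.0`; the Apache text reads `http://www.apache.org/licenses/LICENSE-2.0`, and the `#` looks like a comment-marker substitution applied to the slashes. Separately, with `2>&1` now on the capture, anything the script writes to stderr lands in `result`, so the new `[ "$result" != "200" ]` comparison would fail on a successful call that also printed a warning. That may be acceptable for a test helper, but a comment stating that `result` is expected to hold only the status code would make the intent clear. The unchanged log line still says `error getting public access block` although the script it runs is put_public_access_block.sh.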