Files
versitygw/tests/test_s3api_policy_object.sh
dependabot[bot] f24377b1e9 chore(deps): bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

test: README updates, speed up some file integrity checks
2026-06-23 20:34:26 -03:00

375 lines
13 KiB
Bash

#!/usr/bin/env bats
# Copyright 2024 Versity Software
# This file is licensed under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http:#www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
source ./tests/drivers/delete_object/delete_object_s3api.sh
source ./tests/drivers/put_bucket_policy/put_bucket_policy.sh
test_s3api_policy_allow_deny() {
policy_file="policy_file"
test_file="test_file"
run create_test_files "$policy_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
# shellcheck disable=SC2154
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
run setup_bucket_and_file "$BUCKET_ONE_NAME" "$test_file"
assert_success
run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \
"Deny" "$user_id" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file" \
"Allow" "$user_id" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
assert_success
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
assert_success
}
test_s3api_policy_delete() {
policy_file="policy_file"
test_file_one="test_file_one"
test_file_two="test_file_two"
run create_test_files "$policy_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
effect="Allow"
principal="$user_id"
action="s3:DeleteObject"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two"
run setup_bucket_and_files "$BUCKET_ONE_NAME" "$test_file_one" "$test_file_two"
assert_success
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two"
assert_success
run block_delete_object_without_permission "$BUCKET_ONE_NAME" "$test_file_one" "$username" "$password"
assert_success
run delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$username" "$password"
assert_success
}
test_s3api_policy_deny() {
policy_file="policy_file"
test_file_one="test_file_one"
test_file_two="test_file_two"
run create_test_files "$policy_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
run setup_bucket_and_files "$BUCKET_ONE_NAME" "$test_file_one" "$test_file_two"
assert_success
run setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \
"Deny" "$user_id" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_file_two" \
"Allow" "$user_id" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
assert_success
log 5 "Policy: $(cat "$TEST_FILE_FOLDER/$policy_file")"
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_one"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file_one" "$BUCKET_ONE_NAME" "$test_file_two"
assert_success
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file_one" "$TEST_FILE_FOLDER/$test_file_one-copy" "$username" "$password"
assert_success
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
assert_success
}
test_s3api_policy_get_object_file_wildcard() {
policy_file="policy_file_one"
policy_file_two="policy_file_two"
policy_file_three="policy_fil"
run setup_bucket_and_files "$BUCKET_ONE_NAME" "$policy_file_two" "$policy_file_three"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
effect="Allow"
principal="$user_id"
action="s3:GetObject"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/policy_file*"
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$policy_file_three" "$BUCKET_ONE_NAME" "$policy_file_three"
assert_success
run download_and_compare_file_with_user "$TEST_FILE_FOLDER/$policy_file" "$BUCKET_ONE_NAME" "$policy_file" "$TEST_FILE_FOLDER/$policy_file-copy" "$username" "$password"
assert_success
run download_and_compare_file_with_user "$TEST_FILE_FOLDER/$policy_file_two" "$BUCKET_ONE_NAME" "$policy_file_two" "$TEST_FILE_FOLDER/$policy_file_two-copy" "$username" "$password"
assert_success
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$policy_file_three" "$TEST_FILE_FOLDER/$policy_file_three" "$username" "$password"
assert_success
}
test_s3api_policy_get_object_folder_wildcard() {
policy_file="policy_file"
test_folder="test_folder"
test_file="test_file"
run create_test_folder "$test_folder"
assert_success
run setup_bucket_and_file "$BUCKET_ONE_NAME" "$test_folder/$test_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
effect="Allow"
principal="$user_id"
action="s3:GetObject"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file"
assert_success
run download_and_compare_file_with_user "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
assert_success
}
test_s3api_policy_get_object_specific_file() {
policy_file="policy_file"
test_file="test_file"
test_file_two="test_file_two"
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
run setup_bucket_and_files "$BUCKET_ONE_NAME" "$test_file" "$test_file_two"
assert_success
effect="Allow"
principal="$user_id"
action="s3:GetObject"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/test_file"
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file_two" "$BUCKET_ONE_NAME" "$test_file_two"
assert_success
run download_and_compare_file_with_user "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
assert_success
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file_two" "$TEST_FILE_FOLDER/$test_file_two-copy" "$username" "$password"
assert_success
}
test_s3api_policy_get_object_with_user() {
test_file="test_file"
run setup_bucket_and_file "$BUCKET_ONE_NAME" "$test_file"
assert_success
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
assert_success
policy_file="policy_file"
effect="Allow"
principal="$user_id"
action="s3:GetObject"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/$test_file"
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run download_and_compare_file_with_user "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/$test_file-copy" "$username" "$password"
assert_success
}
test_s3api_policy_invalid_action() {
policy_file="policy_file"
effect="Allow"
principal="*"
action="s3:GetObjectt"
resource="arn:aws:s3:::$BUCKET_ONE_NAME/*"
# shellcheck disable=SC2154
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "$effect" "$principal" "$action" "$resource"
assert_success
run setup_bucket "$BUCKET_ONE_NAME"
assert_success
run check_for_empty_policy "s3api" "$BUCKET_ONE_NAME"
assert_success
run put_and_check_for_malformed_policy "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
}
test_s3api_policy_put_wildcard() {
policy_file="policy_file"
test_folder="test_folder"
test_file="test_file"
run create_test_folder "$test_folder"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
# shellcheck disable=SC2154
user_id=${lines[0]}
username=${lines[1]}
password=${lines[2]}
run setup_bucket_and_file "$BUCKET_ONE_NAME" "$test_folder/$test_file"
assert_success
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$user_id" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/$test_folder/*"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"
assert_failure
# shellcheck disable=SC2154
assert_output -p "AccessDenied"
run put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$username" "$password"
assert_success
run verify_user_cant_get_object "s3api" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$test_folder/$test_file-copy" "$username" "$password"
assert_success
run check_file_integrity "$TEST_FILE_FOLDER/$test_folder/$test_file" "$BUCKET_ONE_NAME" "$test_folder/$test_file" "$TEST_FILE_FOLDER/$test_file-copy"
assert_success
}
test_s3api_policy_two_principals() {
policy_file="policy_file"
test_file="test_file"
run setup_bucket_and_file "$BUCKET_ONE_NAME" "$test_file"
assert_success
run setup_user_v2 "user" 1 "$BUCKET_ONE_NAME"
assert_success
user_id_one=${lines[0]}
username_one=${lines[1]}
password_one=${lines[2]}
run setup_user_v2 "user" 2 "$BUCKET_ONE_NAME"
assert_success
user_id_two=${lines[0]}
username_two=${lines[1]}
password_two=${lines[2]}
run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
assert_success
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$username_one" "$password_one"
assert_failure
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$username_two" "$password_two"
assert_failure
run setup_policy_with_single_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" "Allow" "$user_id_one,$user_id_two" "s3:GetObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*"
assert_success
run put_bucket_policy "s3api" "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/$policy_file"
assert_success
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_one" "$username_one" "$password_one"
assert_success
run get_object_with_user "s3api" "$BUCKET_ONE_NAME" "$test_file" "$TEST_FILE_FOLDER/copy_two" "$username_two" "$password_two"
assert_success
}