mirror of https://github.com/versity/versitygw.git synced 2026-05-22 20:01:27 +00:00

Files

niksis02 9f786b3c2c feat: global error refactoring

Fixes #2123
Fixes #2120
Fixes #2116
Fixes #2111
Fixes #2108
Fixes #2086
Fixes #2085
Fixes #2083
Fixes #2081
Fixes #2080
Fixes #2073
Fixes #2072
Fixes #2071
Fixes #2069
Fixes #2044
Fixes #2043
Fixes #2042
Fixes #2041
Fixes #2040
Fixes #2039
Fixes #2036
Fixes #2035
Fixes #2034
Fixes #2028
Fixes #2020
Fixes #1842
Fixes #1810
Fixes #1780
Fixes #1775
Fixes #1736
Fixes #1705
Fixes #1663
Fixes #1645
Fixes #1583
Fixes #1526
Fixes #1514
Fixes #1493
Fixes #1487
Fixes #959
Fixes #779
Closes #823
Closes #85

Refactor global S3 error handling around structured error types and centralized XML response generation.

All S3 errors now share the common APIError base for the fields every error has: Code, HTTP status code, and Message. Non-traditional errors that need AWS-compatible XML fields now have dedicated typed errors in the s3err package. Each typed error implements the shared S3Error behavior so controllers and middleware can handle errors consistently while still emitting error-specific XML fields.

Add a dedicated InvalidArgumentError type because InvalidArgument is used widely across request validation, auth, copy source handling, object lock validation, multipart validation, and header parsing. The new InvalidArgument path uses explicit InvalidArgErrorCode constants with predefined descriptions and ArgumentName values, keeping call sites readable while preserving the correct InvalidArgument XML shape and optional ArgumentValue.

New structured errors added in s3err:
- `AccessForbiddenError`: Method, ResourceType
- `BadDigestError`: CalculatedDigest, ExpectedDigest
- `BucketError`: BucketName
- `ContentSHA256MismatchError`: ClientComputedContentSHA256, S3ComputedContentSHA256
- `EntityTooLargeError`: ProposedSize, MaxSizeAllowed
- `EntityTooSmallError`: ProposedSize, MinSizeAllowed
- `ExpiredPresignedURLError`: ServerTime, XAmzExpires, Expires
- `InvalidAccessKeyIdError`: AWSAccessKeyId
- `InvalidArgumentError`: Description, ArgumentName, ArgumentValue
- `InvalidChunkSizeError`: Chunk, BadChunkSize
- `InvalidDigestError`: ContentMD5
- `InvalidLocationConstraintError`: LocationConstraint
- `InvalidPartError`: UploadId, PartNumber, ETag
- `InvalidRangeError`: RangeRequested, ActualObjectSize
- `InvalidTagError`: TagKey, TagValue
- `KeyTooLongError`: Size, MaxSizeAllowed
- `MetadataTooLargeError`: Size, MaxSizeAllowed
- `MethodNotAllowedError`: Method, ResourceType, AllowedMethods
- `NoSuchUploadError`: UploadId
- `NoSuchVersionError`: Key, VersionId
- `NotImplementedError`: Header, AdditionalMessage
- `PreconditionFailedError`: Condition
- `RequestTimeTooSkewedError`: RequestTime, ServerTime, MaxAllowedSkewMilliseconds
- `SignatureDoesNotMatchError`: AWSAccessKeyId, StringToSign, SignatureProvided, StringToSignBytes, CanonicalRequest, CanonicalRequestBytes

Fix CompleteMultipartUpload validation in the Azure backend so missing or empty `ETag` values return the appropriate S3 error instead of allowing a gateway panic.

Fix presigned authentication expiration validation to compare server time in `UTC`, matching the `UTC` timestamp used by presigned URL signing.

Add request ID and host ID support across S3 requests. Each request now receives AWS S3-like identifiers, returned in response headers as `x-amz-request-id` and `x-amz-id-2` and included in all XML error responses as RequestId and HostId. The generated ID structure is designed to resemble AWS S3 request IDs and host IDs.

The request signature calculation/validation for streaming uploads was previously delayed until the request body was fully read, both for Authorization header authentication and presigned URLs.
Now, the signature is validated immediately in the authorization middlewares without reading the request body, since the signature calculation itself does not depend on the request body. Instead, only the `x-amz-content-sha256` SHA-256 hash calculation is delayed.

2026-05-21 23:49:34 +04:00

certs

chore: cleanup top level repo by moving test related dirs to tests

2024-03-10 09:15:22 -07:00

checker

chore: run go modernize tool

2026-03-10 09:47:37 -07:00

commands

test: ListObjects util code reorg, return value/multipart fixes

2026-05-20 14:30:41 -03:00

drivers

test: ListObjects util code reorg, return value/multipart fixes

2026-05-20 14:30:41 -03:00

host-style-tests

feat: automates the host-style tests in the pipeline

2025-05-23 02:22:45 +04:00

integration

feat: global error refactoring

2026-05-21 23:49:34 +04:00

rest_scripts

test: DeleteObjects payload testing

2026-05-08 14:46:54 -03:00

README.md

Command-Line Tests

Instructions - Running Locally
* Posix Backend
* Static Bucket Mode
* S3 Backend
* Direct Mode
Instructions - Running With Docker
Instructions - Running With Docker-Compose
Environment Parameters
* Secret
* Non-Secret
REST Scripts

Instructions - Running Locally

Posix Backend

Note

: many of the required libraries, and a good rundown of the installation procedure, can be found in the Dockerfile_test_bats dockerfile in the root folder.

Build the versitygw binary.
Install the command-line interface(s) you want to test if unavailable on your machine.
- aws cli: Instructions are here.
- s3cmd: Instructions are here.
- mc: Instructions are here.
Install BATS. Instructions are here.
Install bats-support and bats-assert. This can be done by saving the root folder of each repo (https://github.com/bats-core/bats-support and https://github.com/ztombol/bats-assert) in the tests folder.
If running on Mac OS, install jq with the command brew install jq.
Create a .secrets file in the tests folder, and add the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, and AWS_PROFILE values to the file.
Create a local AWS profile for connection to S3, and add the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION values for your account to the profile. Example:

    export AWS_PROFILE=versity-test
    export AWS_ACCESS_KEY_ID=<your account ID>
    export AWS_SECRET_ACCESS_KEY=<your account key>
    export AWS_REGION=<your account region>
    aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile $AWS_PROFILE
    aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile $AWS_PROFILE
    aws configure set aws_region $AWS_REGION --profile $AWS_PROFILE

Create an environment file (.env) similar to the ones in this folder, setting the AWS_PROFILE parameter to the name of the profile you created.
If using SSL, create a local private key and certificate, such as with the commands below. Afterwards, set the KEY and CERT fields in the .env file to these, respectively.

    openssl genpkey -algorithm RSA -out versitygw.pem -pkeyopt rsa_keygen_bits:2048
    openssl req -new -x509 -key versitygw.pem -out cert.pem -days 365

Set BUCKET_ONE_NAME and BUCKET_TWO_NAME to the desired names of your buckets, for older and static bucket tests, or prefixes, for newer and non-static bucket tests. If you don't want them to be created each time, set RECREATE_BUCKETS to false.
In the root repo folder, run single test group with VERSITYGW_TEST_ENV=<env file> tests/run.sh <options>. To print options, run tests/run.sh -h. To run all tests (not recommended), run VERSITYGW_TEST_ENV=<env file> tests/run_all.sh.
BATS tests can also be run directly with the format VERSIYTGW_TEST_ENV=<env file> tests/<test file name>, or for single tests, VERSIYTGW_TEST_ENV=<env file> tests/<file name> -f <test name>. Example: VERSITYGW_TEST_ENV=tests/.env tests/test_rest_bucket.sh -f "REST - HeadBucket".

Static Bucket Mode

To preserve buckets while running tests, set RECREATE_BUCKETS to false. Two utility functions are included, if needed, to create, and delete buckets for this: tests/setup_static.sh and tests/remove_static.sh. Note that this creates a bucket with object lock enabled, and some tests may fail if the bucket being tested doesn't have object lock enabled.

S3 Backend (Not Working)

Instructions are mostly the same; however, testing with the S3 backend requires two S3 accounts. Ideally, these are two real accounts, but one can also be a dummy account that versity uses internally.

To set up the latter:

Create a new AWS profile with ID and key values set to dummy 20-char allcaps and 40-char alphabetical values respectively.
In the .secrets file being used, create the fields AWS_ACCESS_KEY_ID_TWO and AWS_SECRET_ACCESS_KEY_TWO. Set these values to the actual AWS ID and key.
Set the values for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY the same dummy values set in the AWS profile, and set AWS_PROFILE to the profile you just created.
Create a new AWS profile with these dummy values. In the .env file being used, set the AWS_PROFILE parameter to the name of this new profile, and the ID and key fields to the dummy values.
Set BACKEND to s3. Also, change the MC_ALIAS value if testing mc in this configuration.

Direct Mode

To communicate directly with s3, in order to compare the gateway results to direct results:

Create an AWS profile with the direct connection info. Set AWS_PROFILE to this.
Set RUN_VERSITYGW to false.
Set AWS_ENDPOINT_URL to the typical endpoint location (usually https://s3.amazonaws.com).
If testing s3cmd, create a new s3cfg.local file with host_base and host_bucket set to s3.amazonaws.com.
If testing mc, change the MC_ALIAS value to a new value such as versity-direct.

Instructions - Running With Docker

Copy .secrets.default to .secrets in the tests folder and change the parameters and add the additional s3 fields explained in the S3 Backend section above if running with the s3 backend.
By default, the dockerfile uses the arm architecture (usually modern Mac). If using amd (usually earlier Mac or Linux), you can either replace the corresponding ARG values directly, or with arg="<param>=<amd library or folder>" Also, you can determine which is used by your OS with uname -a.
Build and run the Dockerfile_test_bats file. Change the SECRETS_FILE and CONFIG_FILE parameters to point to your secrets and config file, respectively, if not using the defaults. Example: docker build -t <tag> --build-arg="SECRETS_FILE=<file>" --build-arg="CONFIG_FILE=<file>" -f tests/Dockerfile_test_bats ..
To run the entire suite, run docker run -it <image name>. This is not recommended due to the sheer amount of tests. To run an individual suite, pass in the name of the suite as defined in tests/run.sh (e.g. REST bucket tests -> docker run -it <image tag or ID> rest-bucket). Also, multiple specific suites can be run, if separated by comma.
To list all suites available, the -h tag can be passed. Example: docker run -t <image tag or ID> -h.
By default, the config is placed in the /home/tester/config folder inside the container. Logs are printed to /home/tester/log. To overwrite the config, an .env folder can be placed in a mounted host folder, and to view the logs, a mounted folder can also be used. Example: docker run -v $PWD/runtime/config:/home/tester/config -v $PWD/runtime/log:/home/tester/log -t bats_test s3
To use tag functionality, the --tags parameter can be passed to the container.
To troubleshoot the Docker container, use docker run -it --entrypoint /bin/bash <image tag or ID> to use the shell and examine the container.

Instructions - Running with docker-compose

A file named docker-compose-bats.yml is provided in the root folder. A few configurations are provided, and you can also create your own provided you have a secrets and config file:

insecure (without certificates), with creation/removal of buckets
secure, posix backend, with static buckets
secure, posix backend, with creation/removal of buckets
secure, s3 backend, with creation/removal of buckets
direct mode

To use each of these, creating a separate .env file for each is suggested. How to do so is explained below.

To run in insecure mode, comment out the CERT and KEY parameters in the .env file, and change the prefix for the AWS_ENDPOINT_URL parameter to http://. Also, set S3CMD_CONFIG to point to a copy of the default s3cmd config file that has use_https set to false. Finally, change MC_ALIAS to something new to avoid overwriting the secure MC_ALIAS values.

To use static buckets set the RECREATE_BUCKETS value to false.

For the s3 backend, see the S3 Backend instructions above.

If using AMD rather than ARM architecture, add the corresponding args values matching those in the Dockerfile for amd libraries.

A single instance can be run with docker-compose -f docker-compose-bats.yml up <service name>

Environment Parameters

Secret

AWS_PROFILE, AWS_ENDPOINT_URL, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY: identical to the same parameters in s3.

AWS_CANONICAL_ID: for direct mode, the canonical ID for the main user (owner)

ACL_AWS_CANONICAL_ID: for direct mode, the canonical ID for the user to test ACL changes and access by non-owners

ACL_AWS_ACCESS_KEY_ID, ACL_AWS_SECRET_ACCESS_KEY: for direct mode, the ID and key for the S3 user in the ACL_AWS_CANONICAL_ID account.

ACL_AWS_ACCESS_KEY_ID_TWO, ACL_AWS_SECRET_ACCESS_KEY_TWO: if running a second versitygw application, the user ID and secret key for this application.

USER_ID_{role}_{id}, USERNAME_{role}_{id}, PASSWORD_{role}_{id}: for setup_user_v2 non-autocreated users, the format for the user.

example: USER_ID_USER_1={name}: user ID corresponding to the first user with user permissions in the test.

Non-Secret

VERSITY_EXE: location of the versity executable relative to test folder.

RUN_VERSITYGW: whether to run the versitygw executable, should be set to false when running tests directly against s3, or testing against another S3-compatible endpoint.

PORT: port to run the versity app on, if not specified, defaults to 7070.

PORT_TWO: port to run the second versity app on, if running two versity applications simultaneously. If not specified, defaults to 7071.

BACKEND: the storage backend type for the gateway, e.g. posix or s3.

LOCAL_FOLDER: if running with a posix backend, the backend storage folder.

BUCKET_ONE_NAME, BUCKET_TWO_NAME: test bucket names. In newer tests and when RECREATE_BUCKETS is set to true, these are prefixes and the suffixes are autogenerated.

RECREATE_BUCKETS: whether to delete buckets between tests. If set to false, the bucket will be restored to an original state for the purpose of ensuring consistent tests, but not deleted.

CERT, KEY: certificate and key locations if using SSL.

S3CMD_CONFIG: location of s3cmd config file if running s3cmd tests.

SECRETS_FILE: file where sensitive values, such as AWS_SECRET_ACCESS_KEY, should be stored.

MC_ALIAS: Minio MC alias if running MC tests.

LOG_LEVEL: level for test logger (1 - only critical, 2 - errors, 3 - warnings, 4 - info, 5 - debug info, 6 - tracing)

GOCOVERDIR: folder to put golang coverage info in, if checking coverage info.

USERS_FOLDER: folder to use if storing IAM data in a folder.

USERS_BUCKET: bucket to use if storing IAM data in an S3 bucket

IAM_TYPE: how to store IAM data (s3 or folder).

TEST_LOG_FILE: log file location for these bats tests.

VERSITY_LOG_FILE: log file for versity application as it is tested by bats tests.

DIRECT: if true, bypass versitygw and run directly against s3, for comparison and validity-checking purposes. This parameter disables the AWS_ENDPOINT_URL parameter.

DIRECT_DISPLAY_NAME: AWS ACL main user display name if DIRECT is set to true.

DIRECT_AWS_USER_ID: AWS policy 12-digit user ID if DIRECT is set to true.

USERNAME_ONE, PASSWORD_ONE, USERNAME_TWO, PASSWORD_TWO: setup_user (v1), credentials for users created and tested for non-root user versitygw operations (non-setup_user_v2).

TEST_FILE_FOLDER: where to put temporary test files.

REMOVE_TEST_FILE_FOLDER: whether to delete the test file folder between tests, should be set to true unless checking the files after a single test, or not yet sure that the test folder is in a safe location to avoid deleting other files.

VERSIONING_DIR: where to put gateway file versioning info.

COMMAND_LOG: where to store list of client commands, which if using will be reported during test failures.

TIME_LOG: optional log to show duration of individual tests

DIRECT_S3_ROOT_ACCOUNT_NAME: for direct mode, S3 username for user with root permissions

DELETE_BUCKETS_AFTER_TEST: whether or not to delete buckets after individual tests, useful for debugging if the post-test bucket state needs to be checked

AUTOGENERATE_USERS: setup_user_v2, whether or not to autocreate users for tests. If set to false, users must be pre-created (see Secret section above).

USER_AUTOGENERATION_PREFIX: setup_user_v2, if AUTOGENERATE_USERS is set to true, the prefix for the autocreated username.

CREATE_STATIC_USERS_IF_NONEXISTENT: setup_user_v2, if AUTOGENERATE_USERS is set to false, generate non-existing users if they don't exist, but don't delete them, as with user autogeneration

DIRECT_POST_COMMAND_DELAY: in v1 direct mode, time to wait before sending new commands to try to prevent propagation delay issues

SKIP_ACL_TESTING: avoid ACL tests for systems which do not use ACLs

MAX_FILE_DOWNLOAD_CHUNK_SIZE: when set, will divide the download of large files with GetObject into chunks of the given size. Useful for direct testing with slower connections.

SKIP_USERS_TESTS: skip versitygw-specific users tests, set to false to test against other S3 gateways

MAX_OPENSSL_COMMAND_LOG_BYTES: number of OpenSSL command bytes to display in command log, can prevent the display of too many chars in the case of large payload commands, -1 means display whole command

COVERAGE_LOG: if set, where to write test or test suite coverage data

PYTHON_ENV_FOLDER: where to place or use the python environment to calculate certain AWS checksums. The default is env in the TEST_FILE_FOLDER.

TEMPLATE_MATRIX_FILE: YAML file location used to retrieve the templates for expected responses, in some cases

SKIP_POLICY: set to true to skip tests involving policies

SKIP_BUCKET_OWNERSHIP_CONTROLS: set to true to avoid bucket ownership operations. This is needed to properly set up and clean the buckets if these operations are not supported by the server.

BYPASS_ENV_FILE: skip loading .env file on startup, default is false

REST Scripts

REST scripts are included for calls to S3's REST API in the ./tests/rest_scripts/ folder. To call a script, the following parameters are needed:

AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
AWS_ENDPOINT_URL (default: https://localhost:7070)
OUTPUT_FILE: file where the command's response data is written
Any other parameters specified at the top of the script file, such as payloads and variables. Sometimes, defaults are included.

Upon success, the script will return a response code, and write the data to the OUTPUT_FILE location.

Example: AWS_ACCESS_KEY_ID={id} AWS_SECRET_ACCESS_KEY={key} AWS_ENDPOINT_URL=https://s3.amazonaws.com OUTPUT_FILE=./output_file.xml ./tests/rest_scripts/list_buckets.sh