mirror of
https://github.com/versity/versitygw.git
synced 2026-02-07 19:00:46 +00:00
2561ef9708
Closes #1731 Implements the admin `CreateBucket` (`PATCH /:bucket/create`) endpoint and CLI command, which create a new bucket with the provided owner access key ID. The endpoint internally calls the S3 `CreateBucket` API, storing the new owner information in the request context under the `bucket-owner` key. This value is then retrieved by the S3 API layer and the backends. The endpoint uses the custom `x-vgw-owner` HTTP header to pass the bucket owner access key ID. The admin CLI command mirrors `aws s3api create-bucket` and supports all flags implemented by the gateway (for example, `--create-bucket-configuration`, `--acl`, `--object-ownership`, etc.).
365 lines
10 KiB
Go
365 lines
10 KiB
Go
// Copyright 2023 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package integration
|
|
|
|
import (
|
|
"context"
|
|
"encoding/xml"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/service/s3"
|
|
"github.com/aws/aws-sdk-go-v2/service/s3/types"
|
|
"github.com/versity/versitygw/s3err"
|
|
"github.com/versity/versitygw/s3response"
|
|
)
|
|
|
|
func IAM_user_access_denied(s *S3Conf) error {
|
|
testName := "IAM_user_access_denied"
|
|
runF(testName)
|
|
|
|
testuser := getUser("user")
|
|
err := createUsers(s, []user{testuser})
|
|
if err != nil {
|
|
failF("%v: %v", testName, err)
|
|
return fmt.Errorf("%v: %w", testName, err)
|
|
}
|
|
|
|
out, err := execCommand(s.getAdminCommand("-a", testuser.access, "-s", testuser.secret, "-er", s.endpoint, "delete-user", "-a", "random_access")...)
|
|
if err == nil {
|
|
failF("%v: expected cmd error", testName)
|
|
return fmt.Errorf("%v: expected cmd error", testName)
|
|
}
|
|
if !strings.Contains(string(out), s3err.GetAPIError(s3err.ErrAdminAccessDenied).Code) {
|
|
failF("%v: expected response error message to be %v, instead got %s",
|
|
testName, s3err.GetAPIError(s3err.ErrAdminAccessDenied).Error(), out)
|
|
return fmt.Errorf("%v: expected response error message to be %v, instead got %s",
|
|
testName, s3err.GetAPIError(s3err.ErrAdminAccessDenied).Error(), out)
|
|
}
|
|
|
|
passF(testName)
|
|
|
|
return nil
|
|
}
|
|
|
|
func IAM_userplus_access_denied(s *S3Conf) error {
|
|
testName := "IAM_userplus_access_denied"
|
|
runF(testName)
|
|
|
|
testuser := getUser("userplus")
|
|
err := createUsers(s, []user{testuser})
|
|
if err != nil {
|
|
failF("%v: %v", testName, err)
|
|
return fmt.Errorf("%v: %w", testName, err)
|
|
}
|
|
|
|
out, err := execCommand(s.getAdminCommand("-a", testuser.access, "-s", testuser.secret, "-er", s.endpoint, "delete-user", "-a", "random_access")...)
|
|
if err == nil {
|
|
failF("%v: expected cmd error", testName)
|
|
return fmt.Errorf("%v: expected cmd error", testName)
|
|
}
|
|
if !strings.Contains(string(out), s3err.GetAPIError(s3err.ErrAdminAccessDenied).Code) {
|
|
failF("%v: expected response error message to be %v, instead got %s",
|
|
testName, s3err.GetAPIError(s3err.ErrAdminAccessDenied).Error(), out)
|
|
return fmt.Errorf("%v: expected response error message to be %v, instead got %s",
|
|
testName, s3err.GetAPIError(s3err.ErrAdminAccessDenied).Error(), out)
|
|
}
|
|
|
|
passF(testName)
|
|
|
|
return nil
|
|
}
|
|
|
|
func IAM_userplus_CreateBucket(s *S3Conf) error {
|
|
testName := "IAM_userplus_CreateBucket"
|
|
return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
testuser := getUser("userplus")
|
|
err := createUsers(s, []user{testuser})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := *s
|
|
cfg.awsID = testuser.access
|
|
cfg.awsSecret = testuser.secret
|
|
|
|
bckt := getBucketName()
|
|
err = setup(&cfg, bckt)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
|
|
_, err = s3client.HeadBucket(ctx, &s3.HeadBucketInput{Bucket: &bckt})
|
|
cancel()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = teardown(&cfg, bckt)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func IAM_admin_ChangeBucketOwner(s *S3Conf) error {
|
|
testName := "IAM_admin_ChangeBucketOwner"
|
|
return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
testuser, adminuser := getUser("user"), getUser("admin")
|
|
err := createUsers(s, []user{adminuser, testuser})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = changeBucketsOwner(s, []string{bucket}, testuser.access)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
|
|
resp, err := s3client.GetBucketAcl(ctx, &s3.GetBucketAclInput{Bucket: &bucket})
|
|
cancel()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if getString(resp.Owner.ID) != testuser.access {
|
|
return fmt.Errorf("expected the bucket owner to be %v, instead got %v",
|
|
testuser.access, getString(resp.Owner.ID))
|
|
}
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func IAM_ChangeBucketOwner_back_to_root(s *S3Conf) error {
|
|
testName := "IAM_ChangeBucketOwner_back_to_root"
|
|
return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
testuser := getUser("user")
|
|
if err := createUsers(s, []user{testuser}); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Change the bucket ownership to a random user
|
|
if err := changeBucketsOwner(s, []string{bucket}, testuser.access); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Change the bucket ownership back to the root user
|
|
if err := changeBucketsOwner(s, []string{bucket}, s.awsID); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func IAM_ListBuckets(s *S3Conf) error {
|
|
testName := "IAM_ListBuckets"
|
|
return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
return listBuckets(s)
|
|
})
|
|
}
|
|
|
|
func IAM_CreateBucket_empty_owner_header(s *S3Conf) error {
|
|
testName := "IAM_CreateBucket_empty_owner_header"
|
|
return actionHandlerNoSetup(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
req, err := createSignedReq(
|
|
http.MethodPatch,
|
|
s.endpoint,
|
|
fmt.Sprintf("%s/create", bucket),
|
|
s.awsID,
|
|
s.awsSecret,
|
|
"s3",
|
|
s.awsRegion,
|
|
nil,
|
|
time.Now(),
|
|
nil,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
resp, err := s.httpClient.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrAdminEmptyBucketOwnerHeader))
|
|
})
|
|
}
|
|
|
|
func IAM_CreateBucket_non_existing_user(s *S3Conf) error {
|
|
testName := "IAM_CreateBucket_non_existing_user"
|
|
return actionHandlerNoSetup(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
req, err := createSignedReq(
|
|
http.MethodPatch,
|
|
s.endpoint,
|
|
fmt.Sprintf("%s/create", bucket),
|
|
s.awsID,
|
|
s.awsSecret,
|
|
"s3",
|
|
s.awsRegion,
|
|
nil,
|
|
time.Now(),
|
|
map[string]string{
|
|
"x-vgw-owner": "non-existing-user",
|
|
},
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
resp, err := s.httpClient.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrAdminUserNotFound))
|
|
})
|
|
}
|
|
|
|
func IAM_CreateBucket_success(s *S3Conf) error {
|
|
testName := "IAM_CreateBucket_success"
|
|
return actionHandlerNoSetup(s, testName, func(s3client *s3.Client, bucket string) error {
|
|
tagSet := []types.Tag{
|
|
{Key: getPtr("key"), Value: getPtr("value")},
|
|
}
|
|
body, err := xml.Marshal(s3response.CreateBucketConfiguration{
|
|
TagSet: tagSet,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
testUser1, testUser2 := getUser("user"), getUser("user")
|
|
err = createUsers(s, []user{testUser1, testUser2})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
req, err := createSignedReq(
|
|
http.MethodPatch,
|
|
s.endpoint,
|
|
fmt.Sprintf("%s/create", bucket),
|
|
s.awsID,
|
|
s.awsSecret,
|
|
"s3",
|
|
s.awsRegion,
|
|
body,
|
|
time.Now(),
|
|
map[string]string{
|
|
"x-amz-bucket-object-lock-enabled": "true",
|
|
"x-amz-object-ownership": string(types.ObjectOwnershipBucketOwnerPreferred),
|
|
"x-amz-grant-read": testUser2.access,
|
|
"x-vgw-owner": testUser1.access,
|
|
},
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
resp, err := s.httpClient.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if resp.StatusCode != http.StatusCreated {
|
|
return fmt.Errorf("expected the response status code to be %v, instead got %v", http.StatusCreated, resp.StatusCode)
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
|
|
tagging, err := s3client.GetBucketTagging(ctx, &s3.GetBucketTaggingInput{
|
|
Bucket: &bucket,
|
|
})
|
|
cancel()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !areTagsSame(tagSet, tagging.TagSet) {
|
|
return fmt.Errorf("expected the bucket tagging to be %v, instead got %v", tagSet, tagging.TagSet)
|
|
}
|
|
|
|
ctx, cancel = context.WithTimeout(context.Background(), shortTimeout)
|
|
ownership, err := s3client.GetBucketOwnershipControls(ctx, &s3.GetBucketOwnershipControlsInput{
|
|
Bucket: &bucket,
|
|
})
|
|
cancel()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var ownershipControls types.ObjectOwnership
|
|
if ownership.OwnershipControls != nil && len(ownership.OwnershipControls.Rules) == 1 {
|
|
ownershipControls = ownership.OwnershipControls.Rules[0].ObjectOwnership
|
|
}
|
|
|
|
if ownershipControls != types.ObjectOwnershipBucketOwnerPreferred {
|
|
return fmt.Errorf("expected the bucket ownership controls to be %s, instaed got %s", types.ObjectOwnershipBucketOwnerPreferred, ownershipControls)
|
|
}
|
|
|
|
ctx, cancel = context.WithTimeout(context.Background(), shortTimeout)
|
|
acl, err := s3client.GetBucketAcl(ctx, &s3.GetBucketAclInput{
|
|
Bucket: &bucket,
|
|
})
|
|
cancel()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(acl.Grants) != 2 {
|
|
return fmt.Errorf("expected the length of acl grants to be 2, instead got %v", len(acl.Grants))
|
|
}
|
|
|
|
var granteeChecked bool
|
|
var ownerChecked bool
|
|
for _, grant := range acl.Grants {
|
|
// owner
|
|
if getString(grant.Grantee.ID) == testUser1.access {
|
|
ownerChecked = true
|
|
if grant.Permission != types.PermissionFullControl {
|
|
return fmt.Errorf("expected the owner '%s' to have %s permission, instead got %s", testUser1.access, types.PermissionFullControl, grant.Permission)
|
|
}
|
|
|
|
continue
|
|
}
|
|
|
|
if getString(grant.Grantee.ID) != testUser2.access {
|
|
return fmt.Errorf("expected the grantee ID to be %v, instaed got %v", testUser2.access, getString(grant.Grantee.ID))
|
|
}
|
|
if grant.Permission != types.PermissionRead {
|
|
return fmt.Errorf("expected the %v user permission to be %s, instead got %s", testUser2.access, types.PermissionRead, grant.Permission)
|
|
}
|
|
|
|
granteeChecked = true
|
|
}
|
|
|
|
if !ownerChecked {
|
|
return fmt.Errorf("missing the owner '%s' full control acl", testUser1.access)
|
|
}
|
|
if !granteeChecked {
|
|
return fmt.Errorf("missing the user %s in read grantees acl", testUser2.access)
|
|
}
|
|
|
|
return teardown(s, bucket)
|
|
})
|
|
}
|