787 lines
40 KiB
Go
787 lines
40 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/minio/minio-go/pkg/set"
|
|
)
|
|
|
|
// Tests validate Bucket policy resource matcher.
|
|
func TestBucketPolicyResourceMatch(t *testing.T) {
|
|
|
|
// generates statement with given resource..
|
|
generateStatement := func(resource string) policyStatement {
|
|
statement := policyStatement{}
|
|
statement.Resources = set.CreateStringSet([]string{resource}...)
|
|
return statement
|
|
}
|
|
|
|
// generates resource prefix.
|
|
generateResource := func(bucketName, objectName string) string {
|
|
return AWSResourcePrefix + bucketName + "/" + objectName
|
|
}
|
|
|
|
testCases := []struct {
|
|
resourceToMatch string
|
|
statement policyStatement
|
|
expectedResourceMatch bool
|
|
}{
|
|
// Test case 1-4.
|
|
// Policy with resource ending with bucket/* allows access to all objects inside the given bucket.
|
|
{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/*")), true},
|
|
{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/*")), true},
|
|
{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/*")), true},
|
|
{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/*")), true},
|
|
// Test case - 5.
|
|
// Policy with resource ending with bucket/oo* should not allow access to bucket/output.txt.
|
|
{generateResource("minio-bucket", "output.txt"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/oo*")), false},
|
|
// Test case - 6.
|
|
// Policy with resource ending with bucket/oo* should allow access to bucket/ootput.txt.
|
|
{generateResource("minio-bucket", "ootput.txt"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/oo*")), true},
|
|
// Test case - 7.
|
|
// Policy with resource ending with bucket/oo* allows access to all subfolders starting with "oo" inside given bucket.
|
|
{generateResource("minio-bucket", "oop-bucket/my-file"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/oo*")), true},
|
|
// Test case - 8.
|
|
{generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
|
|
// Test case - 9.
|
|
{generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
|
|
// Test case - 10.
|
|
// Proves that the name space is flat.
|
|
{generateResource("minio-bucket", "Africa/Bihar/India/design_info.doc/Bihar"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix,
|
|
"minio-bucket"+"/*/India/*/Bihar")), true},
|
|
// Test case - 11.
|
|
// Proves that the name space is flat.
|
|
{generateResource("minio-bucket", "Asia/China/India/States/Bihar/output.txt"), generateStatement(fmt.Sprintf("%s%s", AWSResourcePrefix,
|
|
"minio-bucket"+"/*/India/*/Bihar/*")), true},
|
|
}
|
|
for i, testCase := range testCases {
|
|
actualResourceMatch := bucketPolicyResourceMatch(testCase.resourceToMatch, testCase.statement)
|
|
if testCase.expectedResourceMatch != actualResourceMatch {
|
|
t.Errorf("Test %d: Expected Resource match to be `%v`, but instead found it to be `%v`", i+1, testCase.expectedResourceMatch, actualResourceMatch)
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestBucketPolicyActionMatch - Test validates whether given action on the
|
|
// bucket/object matches the allowed actions in policyStatement.
|
|
// This test preserves the allowed actions for all 3 sets of policies, that is read-write,read-only, write-only.
|
|
// The intention of the test is to catch any changes made to allowed action for on eof the above 3 major policy groups mentioned.
|
|
func TestBucketPolicyActionMatch(t *testing.T) {
|
|
bucketName := getRandomBucketName()
|
|
objectPrefix := "test-object"
|
|
|
|
testCases := []struct {
|
|
action string
|
|
statement policyStatement
|
|
expectedResult bool
|
|
}{
|
|
// s3:GetBucketLocation is the action necessary to be present in the bucket policy to allow
|
|
// fetching of bucket location on an Anonymous/unsigned request.
|
|
|
|
//r ead-write bucket policy is expected to allow GetBucketLocation operation on an anonymous request (Test case - 1).
|
|
{"s3:GetBucketLocation", getReadWriteBucketStatement(bucketName, objectPrefix), true},
|
|
// write-only bucket policy is expected to allow GetBucketLocation operation on an anonymous request (Test case - 2).
|
|
{"s3:GetBucketLocation", getWriteOnlyBucketStatement(bucketName, objectPrefix), true},
|
|
// read-only bucket policy is expected to allow GetBucketLocation operation on an anonymous request (Test case - 3).
|
|
{"s3:GetBucketLocation", getReadOnlyBucketStatement(bucketName, objectPrefix), true},
|
|
|
|
// Any of the Object level access permissions shouldn't allow for GetBucketLocation operation on an Anonymous/unsigned request (Test cases 4-6).
|
|
{"s3:GetBucketLocation", getReadWriteObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:GetBucketLocation", getWriteOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:GetBucketLocation", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
|
|
// s3:ListBucketMultipartUploads is the action necessary to be present in the bucket policy to allow
|
|
// Listing of multipart uploads in a given bucket for an Anonymous/unsigned request.
|
|
|
|
//read-write bucket policy is expected to allow ListBucketMultipartUploads operation on an anonymous request (Test case 7).
|
|
{"s3:ListBucketMultipartUploads", getReadWriteBucketStatement(bucketName, objectPrefix), true},
|
|
// write-only bucket policy is expected to allow ListBucketMultipartUploads operation on an anonymous request (Test case 8).
|
|
{"s3:ListBucketMultipartUploads", getWriteOnlyBucketStatement(bucketName, objectPrefix), true},
|
|
// read-only bucket policy is expected to not allow ListBucketMultipartUploads operation on an anonymous request (Test case 9).
|
|
// the allowed actions in read-only bucket statement are "s3:GetBucketLocation","s3:ListBucket",
|
|
// this should not allow for ListBucketMultipartUploads operations.
|
|
{"s3:ListBucketMultipartUploads", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Any of the object level policy will not allow for s3:ListBucketMultipartUploads (Test cases 10-12).
|
|
{"s3:ListBucketMultipartUploads", getReadWriteObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListBucketMultipartUploads", getWriteOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListBucketMultipartUploads", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
|
|
// s3:ListBucket is the action necessary to be present in the bucket policy to allow
|
|
// listing of all objects inside a given bucket on an Anonymous/unsigned request.
|
|
|
|
// Cases for testing ListBucket access for different Bucket level access permissions.
|
|
// read-only bucket policy is expected to allow ListBucket operation on an anonymous request (Test case 13).
|
|
{"s3:ListBucket", getReadOnlyBucketStatement(bucketName, objectPrefix), true},
|
|
// read-write bucket policy is expected to allow ListBucket operation on an anonymous request (Test case 14).
|
|
{"s3:ListBucket", getReadWriteBucketStatement(bucketName, objectPrefix), true},
|
|
// write-only bucket policy is expected to not allow ListBucket operation on an anonymous request (Test case 15).
|
|
// the allowed actions in write-only bucket statement are "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
|
|
// this should not allow for ListBucket operations.
|
|
{"s3:ListBucket", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Cases for testing ListBucket access for different Object level access permissions (Test cases 16-18).
|
|
// Any of the Object level access permissions shouldn't allow for ListBucket operation on an Anonymous/unsigned request.
|
|
{"s3:ListBucket", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListBucket", getReadWriteObjectStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListBucket", getWriteOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
|
|
// s3:DeleteObject is the action necessary to be present in the bucket policy to allow
|
|
// deleting/removal of objects inside a given bucket for an Anonymous/unsigned request.
|
|
|
|
// Cases for testing DeleteObject access for different Bucket level access permissions (Test cases 19-21).
|
|
// Any of the Bucket level access permissions shouldn't allow for DeleteObject operation on an Anonymous/unsigned request.
|
|
{"s3:DeleteObject", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:DeleteObject", getReadWriteBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:DeleteObject", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Cases for testing DeleteObject access for different Object level access permissions (Test cases 22).
|
|
// read-only bucket policy is expected to not allow Delete Object operation on an anonymous request.
|
|
{"s3:DeleteObject", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
// read-write bucket policy is expected to allow Delete Bucket operation on an anonymous request (Test cases 23).
|
|
{"s3:DeleteObject", getReadWriteObjectStatement(bucketName, objectPrefix), true},
|
|
// write-only bucket policy is expected to allow Delete Object operation on an anonymous request (Test cases 24).
|
|
{"s3:DeleteObject", getWriteOnlyObjectStatement(bucketName, objectPrefix), true},
|
|
|
|
// s3:AbortMultipartUpload is the action necessary to be present in the bucket policy to allow
|
|
// cancelling or abortion of an already initiated multipart upload operation for an Anonymous/unsigned request.
|
|
|
|
// Cases for testing AbortMultipartUpload access for different Bucket level access permissions (Test cases 25-27).
|
|
// Any of the Bucket level access permissions shouldn't allow for AbortMultipartUpload operation on an Anonymous/unsigned request.
|
|
{"s3:AbortMultipartUpload", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:AbortMultipartUpload", getReadWriteBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:AbortMultipartUpload", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Cases for testing AbortMultipartUpload access for different Object level access permissions.
|
|
// read-only object policy is expected to not allow AbortMultipartUpload operation on an anonymous request (Test case 28).
|
|
{"s3:AbortMultipartUpload", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
// read-write object policy is expected to allow AbortMultipartUpload operation on an anonymous request (Test case 29).
|
|
{"s3:AbortMultipartUpload", getReadWriteObjectStatement(bucketName, objectPrefix), true},
|
|
// write-only object policy is expected to allow AbortMultipartUpload operation on an anonymous request (Test case 30).
|
|
{"s3:AbortMultipartUpload", getWriteOnlyObjectStatement(bucketName, objectPrefix), true},
|
|
|
|
// s3:PutObject is the action necessary to be present in the bucket policy to allow
|
|
// uploading of an object for an Anonymous/unsigned request.
|
|
|
|
// Cases for testing PutObject access for different Bucket level access permissions (Test cases 31-33).
|
|
// Any of the Bucket level access permissions shouldn't allow for PutObject operation on an Anonymous/unsigned request.
|
|
{"s3:PutObject", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:PutObject", getReadWriteBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:PutObject", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Cases for testing PutObject access for different Object level access permissions.
|
|
// read-only object policy is expected to not allow PutObject operation on an anonymous request (Test case 34).
|
|
{"s3:PutObject", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
// read-write object policy is expected to allow PutObject operation on an anonymous request (Test case 35).
|
|
{"s3:PutObject", getReadWriteObjectStatement(bucketName, objectPrefix), true},
|
|
// write-only object policy is expected to allow PutObject operation on an anonymous request (Test case 36).
|
|
{"s3:PutObject", getWriteOnlyObjectStatement(bucketName, objectPrefix), true},
|
|
|
|
// s3:GetObject is the action necessary to be present in the bucket policy to allow
|
|
// downloading of an object for an Anonymous/unsigned request.
|
|
|
|
// Cases for testing GetObject access for different Bucket level access permissions (Test cases 37-39).
|
|
// Any of the Bucket level access permissions shouldn't allow for GetObject operation on an Anonymous/unsigned request.
|
|
{"s3:GetObject", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:GetObject", getReadWriteBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:GetObject", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// Cases for testing GetObject access for different Object level access permissions.
|
|
// read-only bucket policy is expected to allow downloading of an Object on an anonymous request (Test case 40).
|
|
{"s3:GetObject", getReadOnlyObjectStatement(bucketName, objectPrefix), true},
|
|
// read-write bucket policy is expected to allow downloading of an Object on an anonymous request (Test case 41).
|
|
{"s3:GetObject", getReadWriteObjectStatement(bucketName, objectPrefix), true},
|
|
// write-only bucket policy is expected to not allow downloading of an Object on an anonymous request (Test case 42).
|
|
{"s3:GetObject", getWriteOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
|
|
// s3:ListMultipartUploadParts is the action necessary to be present in the bucket policy to allow
|
|
// Listing of uploaded parts for an Anonymous/unsigned request.
|
|
|
|
// Any of the Bucket level access permissions shouldn't allow for ListMultipartUploadParts operation on an Anonymous/unsigned request.
|
|
// read-only bucket policy is expected to not allow ListMultipartUploadParts operation on an anonymous request (Test cases 43-45).
|
|
{"s3:ListMultipartUploadParts", getReadOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListMultipartUploadParts", getReadWriteBucketStatement(bucketName, objectPrefix), false},
|
|
{"s3:ListMultipartUploadParts", getWriteOnlyBucketStatement(bucketName, objectPrefix), false},
|
|
|
|
// read-only object policy is expected to not allow ListMultipartUploadParts operation on an anonymous request (Test case 46).
|
|
{"s3:ListMultipartUploadParts", getReadOnlyObjectStatement(bucketName, objectPrefix), false},
|
|
// read-write object policy is expected to allow ListMultipartUploadParts operation on an anonymous request (Test case 47).
|
|
{"s3:ListMultipartUploadParts", getReadWriteObjectStatement(bucketName, objectPrefix), true},
|
|
// write-only object policy is expected to allow ListMultipartUploadParts operation on an anonymous request (Test case 48).
|
|
{"s3:ListMultipartUploadParts", getWriteOnlyObjectStatement(bucketName, objectPrefix), true},
|
|
}
|
|
for i, testCase := range testCases {
|
|
actualResult := bucketPolicyActionMatch(testCase.action, testCase.statement)
|
|
if testCase.expectedResult != actualResult {
|
|
t.Errorf("Test %d: Expected the result to be `%v`, but instead found it to be `%v`", i+1, testCase.expectedResult, actualResult)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Wrapper for calling Put Bucket Policy HTTP handler tests for both XL multiple disks and single node setup.
|
|
func TestPutBucketPolicyHandler(t *testing.T) {
|
|
ExecObjectLayerAPITest(t, testPutBucketPolicyHandler, []string{"PutBucketPolicy"})
|
|
}
|
|
|
|
// testPutBucketPolicyHandler - Test for Bucket policy end point.
|
|
// TODO: Add exhaustive cases with various combination of statement fields.
|
|
func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string, apiRouter http.Handler,
|
|
credentials credential, t *testing.T) {
|
|
initBucketPolicies(obj)
|
|
|
|
// template for constructing HTTP request body for PUT bucket policy.
|
|
bucketPolicyTemplate := `{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetBucketLocation","s3:ListBucket"],"Resource":["arn:aws:s3:::%s"]},{"Sid":"","Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::%s/this*"]}]}`
|
|
|
|
// test cases with sample input and expected output.
|
|
testCases := []struct {
|
|
bucketName string
|
|
accessKey string
|
|
secretKey string
|
|
// expected Response.
|
|
expectedRespStatus int
|
|
}{
|
|
{bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, http.StatusNoContent},
|
|
}
|
|
|
|
// Iterating over the test cases, calling the function under test and asserting the response.
|
|
for i, testCase := range testCases {
|
|
// obtain the put bucket policy request body.
|
|
bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, testCase.bucketName, testCase.bucketName)
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV4 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV4, err := newTestSignedRequestV4("PUT", getPutPolicyURL("", testCase.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testCase.accessKey, testCase.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: %s: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, instanceType, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic ofthe handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV4, reqV4)
|
|
if recV4.Code != testCase.expectedRespStatus {
|
|
t.Errorf("Test %d: %s: Expected the response status to be `%d`, but instead found `%d`", i+1, instanceType, testCase.expectedRespStatus, recV4.Code)
|
|
}
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV2 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV2, err := newTestSignedRequestV2("PUT", getPutPolicyURL("", testCase.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testCase.accessKey, testCase.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: %s: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, instanceType, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic ofthe handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV2, reqV2)
|
|
if recV2.Code != testCase.expectedRespStatus {
|
|
t.Errorf("Test %d: %s: Expected the response status to be `%d`, but instead found `%d`", i+1, instanceType, testCase.expectedRespStatus, recV2.Code)
|
|
}
|
|
}
|
|
|
|
// Test for Anonymous/unsigned http request.
|
|
// Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference.
|
|
bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName)
|
|
// create unsigned HTTP request for PutBucketPolicyHandler.
|
|
anonReq, err := newTestRequest("PUT", getPutPolicyURL("", bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)))
|
|
|
|
if err != nil {
|
|
t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": <ERROR> %v",
|
|
instanceType, bucketName, err)
|
|
}
|
|
|
|
// ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse,
|
|
// sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the
|
|
// unsigned request goes through and its validated again.
|
|
ExecObjectLayerAPIAnonTest(t, "PutBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getWriteOnlyObjectStatement)
|
|
|
|
// HTTP request for testing when `objectLayer` is set to `nil`.
|
|
// There is no need to use an existing bucket and valid input for creating the request
|
|
// since the `objectLayer==nil` check is performed before any other checks inside the handlers.
|
|
// The only aim is to generate an HTTP request in a way that the relevant/registered end point is evoked/called.
|
|
nilBucket := "dummy-bucket"
|
|
|
|
nilReq, err := newTestSignedRequestV4("PUT", getPutPolicyURL("", nilBucket),
|
|
0, nil, "", "")
|
|
|
|
if err != nil {
|
|
t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType)
|
|
}
|
|
// execute the object layer set to `nil` test.
|
|
// `ExecObjectLayerAPINilTest` manages the operation.
|
|
ExecObjectLayerAPINilTest(t, nilBucket, "", instanceType, apiRouter, nilReq)
|
|
}
|
|
|
|
// Wrapper for calling Get Bucket Policy HTTP handler tests for both XL multiple disks and single node setup.
|
|
func TestGetBucketPolicyHandler(t *testing.T) {
|
|
ExecObjectLayerAPITest(t, testGetBucketPolicyHandler, []string{"PutBucketPolicy", "GetBucketPolicy"})
|
|
}
|
|
|
|
// testGetBucketPolicyHandler - Test for end point which fetches the access policy json of the given bucket.
|
|
// TODO: Add exhaustive cases with various combination of statement fields.
|
|
func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string, apiRouter http.Handler,
|
|
credentials credential, t *testing.T) {
|
|
// initialize bucket policy.
|
|
initBucketPolicies(obj)
|
|
|
|
// template for constructing HTTP request body for PUT bucket policy.
|
|
bucketPolicyTemplate := `{"Version":"2012-10-17","Statement":[{"Action":["s3:GetBucketLocation","s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::%s"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::%s/this*"],"Sid":""}]}`
|
|
|
|
// Writing bucket policy before running test on GetBucketPolicy.
|
|
putTestPolicies := []struct {
|
|
bucketName string
|
|
accessKey string
|
|
secretKey string
|
|
// expected Response.
|
|
expectedRespStatus int
|
|
}{
|
|
{bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, http.StatusNoContent},
|
|
}
|
|
|
|
// Iterating over the cases and writing the bucket policy.
|
|
// its required to write the policies first before running tests on GetBucketPolicy.
|
|
for i, testPolicy := range putTestPolicies {
|
|
// obtain the put bucket policy request body.
|
|
bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, testPolicy.bucketName, testPolicy.bucketName)
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV4 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV4, err := newTestSignedRequestV4("PUT", getPutPolicyURL("", testPolicy.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testPolicy.accessKey, testPolicy.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic ofthe handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV4, reqV4)
|
|
if recV4.Code != testPolicy.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testPolicy.expectedRespStatus, recV4.Code)
|
|
}
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV2 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV2, err := newTestSignedRequestV2("PUT", getPutPolicyURL("", testPolicy.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testPolicy.accessKey, testPolicy.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic ofthe handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV2, reqV2)
|
|
if recV2.Code != testPolicy.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testPolicy.expectedRespStatus, recV2.Code)
|
|
}
|
|
}
|
|
|
|
// test cases with inputs and expected result for GetBucketPolicyHandler.
|
|
testCases := []struct {
|
|
bucketName string
|
|
accessKey string
|
|
secretKey string
|
|
// expected output.
|
|
expectedBucketPolicy string
|
|
expectedRespStatus int
|
|
}{
|
|
{bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, bucketPolicyTemplate, http.StatusOK},
|
|
}
|
|
// Iterating over the cases, fetching the policy and validating the response.
|
|
for i, testCase := range testCases {
|
|
// expected bucket policy json string.
|
|
expectedBucketPolicyStr := fmt.Sprintf(testCase.expectedBucketPolicy, testCase.bucketName, testCase.bucketName)
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV4 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV4, err := newTestSignedRequestV4("GET", getGetPolicyURL("", testCase.bucketName),
|
|
0, nil, testCase.accessKey, testCase.secretKey)
|
|
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for GetBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler, GetBucketPolicyHandler handles the request.
|
|
apiRouter.ServeHTTP(recV4, reqV4)
|
|
// Assert the response code with the expected status.
|
|
if recV4.Code != testCase.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testCase.expectedRespStatus, recV4.Code)
|
|
}
|
|
// read the response body.
|
|
bucketPolicyReadBuf, err := ioutil.ReadAll(recV4.Body)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: %s: Failed parsing response body: <ERROR> %v", i+1, instanceType, err)
|
|
}
|
|
// Verify whether the bucket policy fetched is same as the one inserted.
|
|
if expectedBucketPolicyStr != string(bucketPolicyReadBuf) {
|
|
t.Errorf("Test %d: %s: Bucket policy differs from expected value.", i+1, instanceType)
|
|
}
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV2 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV2, err := newTestSignedRequestV2("GET", getGetPolicyURL("", testCase.bucketName),
|
|
0, nil, testCase.accessKey, testCase.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for GetBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler, GetBucketPolicyHandler handles the request.
|
|
apiRouter.ServeHTTP(recV2, reqV2)
|
|
// Assert the response code with the expected status.
|
|
if recV2.Code != testCase.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testCase.expectedRespStatus, recV2.Code)
|
|
}
|
|
// read the response body.
|
|
bucketPolicyReadBuf, err = ioutil.ReadAll(recV2.Body)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: %s: Failed parsing response body: <ERROR> %v", i+1, instanceType, err)
|
|
}
|
|
// Verify whether the bucket policy fetched is same as the one inserted.
|
|
if expectedBucketPolicyStr != string(bucketPolicyReadBuf) {
|
|
t.Errorf("Test %d: %s: Bucket policy differs from expected value.", i+1, instanceType)
|
|
}
|
|
}
|
|
|
|
// Test for Anonymous/unsigned http request.
|
|
// Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference.
|
|
// create unsigned HTTP request for PutBucketPolicyHandler.
|
|
anonReq, err := newTestRequest("GET", getPutPolicyURL("", bucketName), 0, nil)
|
|
|
|
if err != nil {
|
|
t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": <ERROR> %v",
|
|
instanceType, bucketName, err)
|
|
}
|
|
|
|
// ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse,
|
|
// sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the
|
|
// unsigned request goes through and its validated again.
|
|
ExecObjectLayerAPIAnonTest(t, "GetBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getReadOnlyObjectStatement)
|
|
|
|
// HTTP request for testing when `objectLayer` is set to `nil`.
|
|
// There is no need to use an existing bucket and valid input for creating the request
|
|
// since the `objectLayer==nil` check is performed before any other checks inside the handlers.
|
|
// The only aim is to generate an HTTP request in a way that the relevant/registered end point is evoked/called.
|
|
nilBucket := "dummy-bucket"
|
|
|
|
nilReq, err := newTestSignedRequestV4("GET", getGetPolicyURL("", nilBucket),
|
|
0, nil, "", "")
|
|
|
|
if err != nil {
|
|
t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType)
|
|
}
|
|
// execute the object layer set to `nil` test.
|
|
// `ExecObjectLayerAPINilTest` manages the operation.
|
|
ExecObjectLayerAPINilTest(t, nilBucket, "", instanceType, apiRouter, nilReq)
|
|
|
|
}
|
|
|
|
// Wrapper for calling Delete Bucket Policy HTTP handler tests for both XL multiple disks and single node setup.
|
|
func TestDeleteBucketPolicyHandler(t *testing.T) {
|
|
ExecObjectLayerAPITest(t, testDeleteBucketPolicyHandler, []string{"PutBucketPolicy", "DeleteBucketPolicy"})
|
|
}
|
|
|
|
// testDeleteBucketPolicyHandler - Test for Delete bucket policy end point.
|
|
// TODO: Add exhaustive cases with various combination of statement fields.
|
|
func testDeleteBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string, apiRouter http.Handler,
|
|
credentials credential, t *testing.T) {
|
|
// initialize bucket policy.
|
|
initBucketPolicies(obj)
|
|
|
|
// template for constructing HTTP request body for PUT bucket policy.
|
|
bucketPolicyTemplate := `{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": [
|
|
"s3:GetBucketLocation",
|
|
"s3:ListBucket"
|
|
],
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": [
|
|
"*"
|
|
]
|
|
},
|
|
"Resource": [
|
|
"arn:aws:s3:::%s"
|
|
]
|
|
},
|
|
{
|
|
"Action": [
|
|
"s3:GetObject"
|
|
],
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": [
|
|
"*"
|
|
]
|
|
},
|
|
"Resource": [
|
|
"arn:aws:s3:::%s/this*"
|
|
]
|
|
}
|
|
]
|
|
}`
|
|
|
|
// Writing bucket policy before running test on DeleteBucketPolicy.
|
|
putTestPolicies := []struct {
|
|
bucketName string
|
|
accessKey string
|
|
secretKey string
|
|
// expected Response.
|
|
expectedRespStatus int
|
|
}{
|
|
{bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, http.StatusNoContent},
|
|
}
|
|
|
|
// Iterating over the cases and writing the bucket policy.
|
|
// its required to write the policies first before running tests on GetBucketPolicy.
|
|
for i, testPolicy := range putTestPolicies {
|
|
// obtain the put bucket policy request body.
|
|
bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, testPolicy.bucketName, testPolicy.bucketName)
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV4 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV4, err := newTestSignedRequestV4("PUT", getPutPolicyURL("", testPolicy.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testPolicy.accessKey, testPolicy.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV4, reqV4)
|
|
if recV4.Code != testPolicy.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testPolicy.expectedRespStatus, recV4.Code)
|
|
}
|
|
}
|
|
|
|
// testcases with input and expected output for DeleteBucketPolicyHandler.
|
|
testCases := []struct {
|
|
bucketName string
|
|
accessKey string
|
|
secretKey string
|
|
// expected Response.
|
|
expectedRespStatus int
|
|
}{
|
|
{bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, http.StatusNoContent},
|
|
}
|
|
// Iterating over the cases and deleting the bucket policy and then asserting response.
|
|
for i, testCase := range testCases {
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV4 := httptest.NewRecorder()
|
|
// construct HTTP request for Delete bucket policy endpoint.
|
|
reqV4, err := newTestSignedRequestV4("DELETE", getDeletePolicyURL("", testCase.bucketName),
|
|
0, nil, testCase.accessKey, testCase.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for GetBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler, DeleteBucketPolicyHandler handles the request.
|
|
apiRouter.ServeHTTP(recV4, reqV4)
|
|
// Assert the response code with the expected status.
|
|
if recV4.Code != testCase.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testCase.expectedRespStatus, recV4.Code)
|
|
}
|
|
}
|
|
|
|
// Iterating over the cases and writing the bucket policy.
|
|
// its required to write the policies first before running tests on GetBucketPolicy.
|
|
for i, testPolicy := range putTestPolicies {
|
|
// obtain the put bucket policy request body.
|
|
bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, testPolicy.bucketName, testPolicy.bucketName)
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV2 := httptest.NewRecorder()
|
|
// construct HTTP request for PUT bucket policy endpoint.
|
|
reqV2, err := newTestSignedRequestV2("PUT", getPutPolicyURL("", testPolicy.bucketName),
|
|
int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr)), testPolicy.accessKey, testPolicy.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler.
|
|
apiRouter.ServeHTTP(recV2, reqV2)
|
|
if recV2.Code != testPolicy.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testPolicy.expectedRespStatus, recV2.Code)
|
|
}
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
|
recV2 := httptest.NewRecorder()
|
|
// construct HTTP request for Delete bucket policy endpoint.
|
|
reqV2, err := newTestSignedRequestV2("DELETE", getDeletePolicyURL("", testCase.bucketName),
|
|
0, nil, testCase.accessKey, testCase.secretKey)
|
|
if err != nil {
|
|
t.Fatalf("Test %d: Failed to create HTTP request for GetBucketPolicyHandler: <ERROR> %v", i+1, err)
|
|
}
|
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
|
// Call the ServeHTTP to execute the handler, DeleteBucketPolicyHandler handles the request.
|
|
apiRouter.ServeHTTP(recV2, reqV2)
|
|
// Assert the response code with the expected status.
|
|
if recV2.Code != testCase.expectedRespStatus {
|
|
t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testCase.expectedRespStatus, recV2.Code)
|
|
}
|
|
}
|
|
// Test for Anonymous/unsigned http request.
|
|
// Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference.
|
|
// create unsigned HTTP request for PutBucketPolicyHandler.
|
|
anonReq, err := newTestRequest("DELETE", getPutPolicyURL("", bucketName), 0, nil)
|
|
|
|
if err != nil {
|
|
t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": <ERROR> %v",
|
|
instanceType, bucketName, err)
|
|
}
|
|
|
|
// ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse,
|
|
// sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the
|
|
// unsigned request goes through and its validated again.
|
|
ExecObjectLayerAPIAnonTest(t, "DeleteBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getReadOnlyObjectStatement)
|
|
|
|
// HTTP request for testing when `objectLayer` is set to `nil`.
|
|
// There is no need to use an existing bucket and valid input for creating the request
|
|
// since the `objectLayer==nil` check is performed before any other checks inside the handlers.
|
|
// The only aim is to generate an HTTP request in a way that the relevant/registered end point is evoked/called.
|
|
nilBucket := "dummy-bucket"
|
|
|
|
nilReq, err := newTestSignedRequestV4("DELETE", getDeletePolicyURL("", nilBucket),
|
|
0, nil, "", "")
|
|
|
|
if err != nil {
|
|
t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType)
|
|
}
|
|
// execute the object layer set to `nil` test.
|
|
// `ExecObjectLayerAPINilTest` manages the operation.
|
|
ExecObjectLayerAPINilTest(t, nilBucket, "", instanceType, apiRouter, nilReq)
|
|
}
|
|
|
|
// TestBucketPolicyConditionMatch - Tests to validate whether bucket policy conditions match.
|
|
func TestBucketPolicyConditionMatch(t *testing.T) {
|
|
// obtain the inner map[string]set.StringSet for policyStatement.Conditions .
|
|
getInnerMap := func(key2, value string) map[string]set.StringSet {
|
|
innerMap := make(map[string]set.StringSet)
|
|
innerMap[key2] = set.CreateStringSet(value)
|
|
return innerMap
|
|
}
|
|
|
|
// obtain policyStatement with Conditions set.
|
|
getStatementWithCondition := func(key1, key2, value string) policyStatement {
|
|
innerMap := getInnerMap(key2, value)
|
|
// to set policyStatment.Conditions .
|
|
conditions := make(map[string]map[string]set.StringSet)
|
|
conditions[key1] = innerMap
|
|
// new policy statement.
|
|
statement := policyStatement{}
|
|
// set the condition.
|
|
statement.Conditions = conditions
|
|
return statement
|
|
}
|
|
|
|
testCases := []struct {
|
|
statementCondition policyStatement
|
|
condition map[string]set.StringSet
|
|
|
|
expectedMatch bool
|
|
}{
|
|
|
|
// Test case - 1.
|
|
// StringEquals condition matches.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringEquals", "s3:prefix", "Asia/"),
|
|
condition: getInnerMap("prefix", "Asia/"),
|
|
|
|
expectedMatch: true,
|
|
},
|
|
// Test case - 2.
|
|
// StringEquals condition doesn't match.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringEquals", "s3:prefix", "Asia/"),
|
|
condition: getInnerMap("prefix", "Africa/"),
|
|
|
|
expectedMatch: false,
|
|
},
|
|
// Test case - 3.
|
|
// StringEquals condition matches.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringEquals", "s3:max-keys", "Asia/"),
|
|
condition: getInnerMap("max-keys", "Asia/"),
|
|
|
|
expectedMatch: true,
|
|
},
|
|
// Test case - 4.
|
|
// StringEquals condition doesn't match.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringEquals", "s3:max-keys", "Asia/"),
|
|
condition: getInnerMap("max-keys", "Africa/"),
|
|
|
|
expectedMatch: false,
|
|
},
|
|
// Test case - 5.
|
|
// StringNotEquals condition matches.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringNotEquals", "s3:prefix", "Asia/"),
|
|
condition: getInnerMap("prefix", "Asia/"),
|
|
|
|
expectedMatch: true,
|
|
},
|
|
// Test case - 6.
|
|
// StringNotEquals condition doesn't match.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringNotEquals", "s3:prefix", "Asia/"),
|
|
condition: getInnerMap("prefix", "Africa/"),
|
|
|
|
expectedMatch: false,
|
|
},
|
|
// Test case - 7.
|
|
// StringNotEquals condition matches.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringNotEquals", "s3:max-keys", "Asia/"),
|
|
condition: getInnerMap("max-keys", "Asia/"),
|
|
|
|
expectedMatch: true,
|
|
},
|
|
// Test case - 8.
|
|
// StringNotEquals condition doesn't match.
|
|
{
|
|
|
|
statementCondition: getStatementWithCondition("StringNotEquals", "s3:max-keys", "Asia/"),
|
|
condition: getInnerMap("max-keys", "Africa/"),
|
|
|
|
expectedMatch: false,
|
|
},
|
|
}
|
|
|
|
for i, tc := range testCases {
|
|
t.Run(fmt.Sprintf("Test case %d: Failed.", i+1), func(t *testing.T) {
|
|
// call the function under test and assert the result with the expected result.
|
|
doesMatch := bucketPolicyConditionMatch(tc.condition, tc.statementCondition)
|
|
if tc.expectedMatch != doesMatch {
|
|
t.Errorf("Expected the match to be `%v`; got `%v`.", tc.expectedMatch, doesMatch)
|
|
}
|
|
})
|
|
}
|
|
}
|