From 47e3772e0bc7a83fddab727527895261d2c697fa Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan <abhishek@suse.com>
Date: Fri, 20 Oct 2017 16:23:55 +0200
Subject: [PATCH] policy: test existingobject tag on get acl

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
---
 s3tests/functional/test_s3.py | 55 +++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index 38583c7..728766c 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -10056,3 +10056,58 @@ def test_bucket_policy_put_obj_request_obj_tag():
 
     headers = {"x-amz-tagging" : "security=public"}
     key1.set_contents_from_string(key1_str, headers=headers)
+
+
+@attr(resource='object')
+@attr(method='get')
+@attr(operation='Test ExistingObjectTag conditional on get object acl')
+@attr(assertion='success')
+@attr('tagging')
+@attr('bucket-policy')
+def test_bucket_policy_get_obj_acl_existing_tag():
+
+    bucket = _create_keys(keys=['publictag','privatetag','invalidtag'])
+
+
+    tag_conditional = {"StringEquals": {
+        "s3:ExistingObjectTag/security" : "public"
+    }}
+
+    resource = _make_arn_resource("{}/{}".format(bucket.name, "*"))
+    policy_document = make_json_policy("s3:GetObjectAcl",
+                                       resource,
+                                       conditions=tag_conditional)
+
+    bucket.set_policy(policy_document)
+    input_tagset = S3TestTagSet()
+    input_tagset.add_tag('security','public')
+    input_tagset.add_tag('foo','bar')
+
+    input_tagset2 = S3TestTagSet()
+    input_tagset2.add_tag('security','private')
+
+    input_tagset3 = S3TestTagSet()
+    input_tagset3.add_tag('security1','public')
+
+    res = _put_obj_tags(bucket, 'publictag', input_tagset.to_xml())
+    eq(res.status, 200)
+
+    res = _put_obj_tags(bucket, 'privatetag', input_tagset2.to_xml())
+    eq(res.status, 200)
+
+    res = _put_obj_tags(bucket, 'invalidtag', input_tagset3.to_xml())
+    eq(res.status, 200)
+
+    new_conn = _get_alt_connection()
+    res = new_conn.make_request("GET",bucket.name, 'publictag', query_args='acl')
+    eq(res.status, 200)
+
+    # A get object itself should fail since we allowed only GetObjectTagging
+    res = new_conn.make_request("GET",bucket.name, 'publictag')
+    eq(res.status, 403)
+
+    res = new_conn.make_request("GET",bucket.name, 'privatetag', query_args='tagging')
+    eq(res.status, 403)
+
+    res = new_conn.make_request("GET",bucket.name, 'invalidtag', query_args='tagging')
+    eq(res.status, 403)