From 474c1404e23fc7c96138b3671c9a8d3e8f340015 Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 19 Jul 2024 20:48:06 +0200
Subject: [PATCH 1/3] BucketPolicy: donot allow NotPrincipal with Allow Effect

Ref. https://github.com/ceph/ceph/pull/58686

Signed-off-by: Seena Fallah
---
 s3tests_boto3/functional/test_s3.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index 98b3cdd..ebdd6c4 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
@@ -12793,13 +12793,10 @@ def test_get_nonpublicpolicy_acl_bucket_policy_status():
     assert resp['PolicyStatus']['IsPublic'] == False
 
 
-def test_get_nonpublicpolicy_deny_bucket_policy_status():
+def test_bucket_policy_allow_notprincipal():
     bucket_name = get_new_bucket()
     client = get_client()
 
-    resp = client.get_bucket_policy_status(Bucket=bucket_name)
-    assert resp['PolicyStatus']['IsPublic'] == False
-
     resource1 = "arn:aws:s3:::" + bucket_name
     resource2 = "arn:aws:s3:::" + bucket_name + "/*"
     policy_document = json.dumps(
@@ -12816,9 +12813,12 @@ def test_get_nonpublicpolicy_deny_bucket_policy_status():
         }]
     })
 
-    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
-    resp = client.get_bucket_policy_status(Bucket=bucket_name)
-    assert resp['PolicyStatus']['IsPublic'] == True
+    e = assert_raises(ClientError,
+        client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document)
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 400
+    assert error_code == 'InvalidArgument' or error_code == 'MalformedPolicy'
+
 
 def test_get_undefined_public_block():
     bucket_name = get_new_bucket()

From 93a3b6c704cfeb2a59d91f3eda634e9046e16585 Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 19 Jul 2024 20:50:26 +0200
Subject: [PATCH 2/3] PolicyStatus: add test for policy with Principal

Ref. https://github.com/ceph/ceph/pull/58686
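Review bot: The error-code assertion on the last added statement of the second hunk is looser than it needs to be and gives no hint why two codes are acceptable; `assert error_code in ('InvalidArgument', 'MalformedPolicy')` reads better, and a comment above it should record which server returns which code (presumably RGW vs. AWS, worth confirming) so the check can be tightened later. A one-line docstring would also state the security reason the put must fail: `"""Allow combined with NotPrincipal would grant access to every principal except those listed, so the server must reject the policy."""`; the policy body itself sits in the unchanged lines between the two hunks, outside this view. The first hunk drops the pre-policy `get_bucket_policy_status` check on a fresh bucket, which is fine only if that case is still covered by another test.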
Signed-off-by: Seena Fallah
---
 s3tests_boto3/functional/test_s3.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index ebdd6c4..39da62e 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
@@ -12793,6 +12793,31 @@ def test_get_nonpublicpolicy_acl_bucket_policy_status():
     assert resp['PolicyStatus']['IsPublic'] == False
 
 
+def test_get_nonpublicpolicy_principal_bucket_policy_status():
+    bucket_name = get_new_bucket()
+    client = get_client()
+
+    resource1 = "arn:aws:s3:::" + bucket_name
+    resource2 = "arn:aws:s3:::" + bucket_name + "/*"
+    policy_document = json.dumps(
+    {
+        "Version": "2012-10-17",
+        "Statement": [{
+            "Effect": "Allow",
+            "Principal": {"AWS": "arn:aws:iam::s3tenant1:root"},
+            "Action": "s3:ListBucket",
+            "Resource": [
+                "{}".format(resource1),
+                "{}".format(resource2)
+            ],
+        }]
+    })
+
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
+    resp = client.get_bucket_policy_status(Bucket=bucket_name)
+    assert resp['PolicyStatus']['IsPublic'] == False
+
+
 def test_bucket_policy_allow_notprincipal():
     bucket_name = get_new_bucket()
     client = get_client()

From a83396cda772d5cb4fa0c8bbc7b9116e3e605749 Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 19 Jul 2024 20:51:10 +0200
Subject: [PATCH 3/3] BlockPublicPolicy: add test when policy has principal

Ref. https://tracker.ceph.com/issues/67048

Signed-off-by: Seena Fallah
---
 s3tests_boto3/functional/test_s3.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index 39da62e..dbd8e75 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
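Review bot: The principal ARN `arn:aws:iam::s3tenant1:root` is hard-coded in the new Principal line; a server that validates principals at put time may reject it unless that tenant exists, so it would be more robust to derive it from the test configuration's tenant/user if the helpers expose one, or at least to state the assumption in a comment. The `"{}".format(resource1)` and `"{}".format(resource2)` wrappers on the Resource entries are no-ops on values that are already strings; `resource1` and `resource2` can be used directly. A short docstring would make the intent explicit: `"""A policy whose Principal is a single account is not public, even with Effect Allow."""`.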
@@ -12984,6 +12984,23 @@ def test_block_public_policy():
     check_access_denied(client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document)
 
 
+def test_block_public_policy_with_principal():
+    bucket_name = get_new_bucket()
+    client = get_client()
+
+    access_conf = {'BlockPublicAcls': False,
+                   'IgnorePublicAcls': False,
+                   'BlockPublicPolicy': True,
+                   'RestrictPublicBuckets': False}
+
+    client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
+    resource = _make_arn_resource("{}/{}".format(bucket_name, "*"))
+    policy_document = make_json_policy("s3:GetObject",
+                                       resource, principal={"AWS": "arn:aws:iam::s3tenant1:root"})
+
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
+
+
 def test_ignore_public_acls():
     bucket_name = get_new_bucket()
     client = get_client()
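Review bot: The test ends with the `client.put_bucket_policy(...)` call and never checks the outcome, so it only proves the call did not raise; asserting `client.get_bucket_policy_status(Bucket=bucket_name)['PolicyStatus']['IsPublic'] == False` afterwards would confirm the server classified the account-scoped policy as non-public rather than merely skipping the BlockPublicPolicy check. The same fixed `arn:aws:iam::s3tenant1:root` principal appears here as in the PolicyStatus test and carries the same environment assumption, which should be documented in one place. A comment on the put line would state the contract under test: `# BlockPublicPolicy must reject only public policies; one scoped to a single account principal has to be accepted.`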