TrueCloudLab/s3-tests
7
0
Fork 1
mirror of https://github.com/ceph/s3-tests.git synced 2024-11-21 11:51:06 +00:00
Code Issues 1 Projects Releases Packages Wiki Activity

Merge pull request #573 from clwluvw/public-policy

Browse source 
BucketPolicy: donot allow NotPrincipal with Allow Effect
This commit is contained in:
Casey Bodley 2024-07-25 15:33:14 +01:00 committed by GitHub
commit 82fedef5a5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 46 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
s3tests_boto3/functional/test_s3.py
View file

@ -12793,13 +12793,35 @@ def test_get_nonpublicpolicy_acl_bucket_policy_status():
assert resp['PolicyStatus']['IsPublic'] == False assert resp['PolicyStatus']['IsPublic'] == False
def test_get_nonpublicpolicy_deny_bucket_policy_status(): def test_get_nonpublicpolicy_principal_bucket_policy_status():
bucket_name = get_new_bucket() bucket_name = get_new_bucket()
client = get_client() client = get_client()
resource1 = "arn:aws:s3:::" + bucket_name
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
policy_document = json.dumps(
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::s3tenant1:root"},
"Action": "s3:ListBucket",
"Resource": [
"{}".format(resource1),
"{}".format(resource2)
],
}]
})
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
resp = client.get_bucket_policy_status(Bucket=bucket_name) resp = client.get_bucket_policy_status(Bucket=bucket_name)
assert resp['PolicyStatus']['IsPublic'] == False assert resp['PolicyStatus']['IsPublic'] == False
def test_bucket_policy_allow_notprincipal():
bucket_name = get_new_bucket()
client = get_client()
resource1 = "arn:aws:s3:::" + bucket_name resource1 = "arn:aws:s3:::" + bucket_name
resource2 = "arn:aws:s3:::" + bucket_name + "/*" resource2 = "arn:aws:s3:::" + bucket_name + "/*"
policy_document = json.dumps( policy_document = json.dumps(
@ -12816,9 +12838,12 @@ def test_get_nonpublicpolicy_deny_bucket_policy_status():
}] }]
}) })
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document) e = assert_raises(ClientError,
resp = client.get_bucket_policy_status(Bucket=bucket_name) client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document)
assert resp['PolicyStatus']['IsPublic'] == True status, error_code = _get_status_and_error_code(e.response)
assert status == 400
assert error_code == 'InvalidArgument' or error_code == 'MalformedPolicy'
def test_get_undefined_public_block(): def test_get_undefined_public_block():
bucket_name = get_new_bucket() bucket_name = get_new_bucket()
@ -12959,6 +12984,23 @@ def test_block_public_policy():
check_access_denied(client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document) check_access_denied(client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document)
def test_block_public_policy_with_principal():
bucket_name = get_new_bucket()
client = get_client()
access_conf = {'BlockPublicAcls': False,
'IgnorePublicAcls': False,
'BlockPublicPolicy': True,
'RestrictPublicBuckets': False}
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
resource = _make_arn_resource("{}/{}".format(bucket_name, "*"))
policy_document = make_json_policy("s3:GetObject",
resource, principal={"AWS": "arn:aws:iam::s3tenant1:root"})
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
def test_ignore_public_acls(): def test_ignore_public_acls():
bucket_name = get_new_bucket() bucket_name = get_new_bucket()
client = get_client() client = get_client()