From b1e1ba0edf761e4841f7eebcb9fdbae8eddfa336 Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan <abhishek@suse.com>
Date: Thu, 27 Jul 2017 17:34:11 +0200
Subject: [PATCH] s3: policy tests for ListBucket with prefix, delimiter &
 max-keys

Allow conditionals on ListBucket similar to s3 docs which allow for
these clauses

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
---
 s3tests/functional/test_s3.py | 119 +++++++++++++++++++++++++++++++++-
 1 file changed, 118 insertions(+), 1 deletion(-)

diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index 279121c..86b4eb1 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -8928,7 +8928,7 @@ def test_bucket_policy_another_bucket():
 @attr(resource='bucket')
 @attr(method='put')
 @attr(operation='Test put condition operator end with ifExists')
-@attr('policy')
+@attr('bucket-policy')
 def test_bucket_policy_set_condition_operator_end_with_IfExists():
     bucket = _create_keys(keys=['foo'])
     policy = '''{
@@ -8961,6 +8961,123 @@ def test_bucket_policy_set_condition_operator_end_with_IfExists():
     eq(res.status, 403)
 
 
+@attr(resource='bucket')
+@attr(method='get')
+@attr(operation='Test listbucket with prefix')
+@attr('bucket-policy')
+def test_bucket_policy_list_bucket_with_prefix():
+    bucket = _create_keys(keys=['foo','folder/foo1','folder/foo2','folder/foo3','foo2'])
+    tag_conditional = {"StringEquals": {
+        "s3:prefix" : "folder"
+    }}
+
+    resource = _make_arn_resource(bucket.name)
+    policy_document = make_json_policy("s3:ListBucket",
+                                       resource,
+                                       conditions=tag_conditional)
+
+    eq(bucket.set_policy(policy_document), True)
+
+    new_conn = _get_alt_connection()
+
+    # boto2 cannot give me a bucket object without doing a get bucket :/
+    res = new_conn.make_request('GET', bucket.name, query_args = 'prefix=folder')
+    eq(res.status, 200)
+    ns = {"aws" : "http://s3.amazonaws.com/doc/2006-03-01/"}
+    keys = ET.fromstring(res.read()).findall('.//aws:Key', ns)
+    eq(len(keys), 3)
+
+    res = new_conn.make_request('GET', bucket.name, query_args = 'prefix=somethingelse')
+    eq(res.status, 403)
+
+    res = new_conn.make_request('GET', bucket.name)
+    eq(res.status, 403)
+
+
+@attr(resource='bucket')
+@attr(method='get')
+@attr(operation='Test listbucket with maxkeys')
+@attr('bucket-policy')
+def test_bucket_policy_list_bucket_with_maxkeys():
+    bucket = _create_keys(keys=['key'+str(i) for i in range(8)])
+
+    list_conditional = {"NumericLessThanEquals": {
+        "s3:max-keys" : "6"
+    }}
+
+    resource = _make_arn_resource(bucket.name)
+    policy_document = make_json_policy("s3:ListBucket",
+                                       resource,
+                                       conditions=list_conditional)
+
+
+    eq(bucket.set_policy(policy_document), True)
+
+    new_conn = _get_alt_connection()
+
+
+    res = new_conn.make_request('GET', bucket.name, query_args = 'max-keys=6')
+    eq(res.status, 200)
+    ns = {"aws" : "http://s3.amazonaws.com/doc/2006-03-01/"}
+    keys = ET.fromstring(res.read()).findall('.//aws:Key', ns)
+    eq(len(keys), 6)
+
+    res = new_conn.make_request('GET', bucket.name, query_args = 'max-keys=5')
+    eq(res.status, 200)
+    ns = {"aws" : "http://s3.amazonaws.com/doc/2006-03-01/"}
+    keys = ET.fromstring(res.read()).findall('.//aws:Key', ns)
+    eq(len(keys), 5)
+
+    res = new_conn.make_request('GET', bucket.name, query_args = 'max-keys=7')
+    eq(res.status, 403)
+
+    res = new_conn.make_request('GET', bucket.name)
+    eq(res.status, 403)
+
+
+@attr(resource='bucket')
+@attr(method='get')
+@attr(operation='Test listbucket with delimiter')
+@attr('bucket-policy')
+def test_bucket_policy_list_bucket_with_delimiter():
+    bucket = _create_keys(keys=['key/'+str(i) for i in range(5)])
+
+    list_conditional = {"StringEquals": {
+        "s3:delimiter" : "/"
+    }}
+
+    resource = _make_arn_resource(bucket.name)
+    policy_document = make_json_policy("s3:ListBucket",
+                                       resource,
+                                       conditions=list_conditional)
+    eq(bucket.set_policy(policy_document), True)
+
+    new_conn = _get_alt_connection()
+
+    # specifying a delimiter will list contents without the delimiter
+    res = new_conn.make_request('GET', bucket.name, query_args = 'delimiter=/')
+    eq(res.status, 200)
+    ns = {"aws" : "http://s3.amazonaws.com/doc/2006-03-01/"}
+    keys = ET.fromstring(res.read()).findall('.//aws:Key', ns)
+    eq(len(keys), 0)
+
+    # now lets upload some keys again
+    bucket2 = _create_keys(keys=['key'+str(i) for i in range(5)])
+    resource = _make_arn_resource(bucket2.name)
+    policy2 = make_json_policy("s3:ListBucket",
+                               resource,
+                               conditions=list_conditional)
+    eq(bucket2.set_policy(policy2), True)
+    res = new_conn.make_request('GET', bucket2.name, query_args = 'delimiter=/')
+    eq(res.status, 200)
+    ns = {"aws" : "http://s3.amazonaws.com/doc/2006-03-01/"}
+    keys = ET.fromstring(res.read()).findall('.//aws:Key', ns)
+    eq(len(keys), 5)
+
+    res = new_conn.make_request('GET', bucket.name)
+    eq(res.status, 403)
+
+
 def _tags_from_dict(d):
     tag_list = []
     for k,v in d.items():