Compatibility tests for S3 clones
Find a file
Casey Bodley 66e8f000c9 sts: remove test_get_session_token_permanent_creds_denied
Fixes: https://tracker.ceph.com/issues/69001

Signed-off-by: Casey Bodley <cbodley@redhat.com>
2024-11-22 08:41:08 -05:00
s3tests test_headers: use fixture to hook request headers 2024-03-10 10:39:26 -04:00
s3tests_boto3 sts: remove test_get_session_token_permanent_creds_denied 2024-11-22 08:41:08 -05:00
.gitignore QoL: Fix tox.ini syntax and other minor things 2023-02-28 12:19:54 +01:00
LICENSE MIT licensed. 2011-04-04 15:19:59 -07:00
pytest.ini add "checksum" marker, since new checksum tests reference it 2024-07-03 09:52:32 -04:00
README.rst remove filtering from boto3 test example for simplicity 2023-07-06 11:29:40 +03:00
requirements.txt requirements: unpin pytz version 2024-06-24 13:27:26 -04:00
s3tests.conf.SAMPLE s3: reenable tenanted bucket policy test 2024-08-14 08:19:41 -04:00
setup.py remove all non-functional tests and infra 2020-01-14 12:20:07 -05:00
tox.ini QoL: Fix tox.ini syntax and other minor things 2023-02-28 12:19:54 +01:00

========================
 S3 compatibility tests
========================

This is a set of unofficial Amazon AWS S3 compatibility
tests, that can be useful to people implementing software
that exposes an S3-like API. The tests use the Boto2 and Boto3 libraries.

The tests use the Tox tool. To get started, ensure you have the ``tox``
software installed; e.g. on Debian/Ubuntu::

	sudo apt-get install tox

You will need to create a configuration file with the location of the
service and two different credentials. A sample configuration file named
``s3tests.conf.SAMPLE`` has been provided in this repo. This file can be
used to run the s3 tests on a Ceph cluster started with vstart.

Once you have that file copied and edited, you can run the tests with::

	S3TEST_CONF=your.conf tox

You can specify which directory of tests to run::

	S3TEST_CONF=your.conf tox -- s3tests_boto3/functional

You can specify which file of tests to run::

	S3TEST_CONF=your.conf tox s3tests_boto3/functional/test_s3.py

You can specify which test to run::

	S3TEST_CONF=your.conf tox s3tests_boto3/functional/test_s3.py::test_bucket_list_empty

Some tests have attributes set based on their current reliability and
things like AWS not enforcing their spec stricly. You can filter tests
based on their attributes::

	S3TEST_CONF=aws.conf tox -- -m 'not fails_on_aws'

Most of the tests have both Boto3 and Boto2 versions. Tests written in
Boto2 are in the ``s3tests`` directory. Tests written in Boto3 are
located in the ``s3test_boto3`` directory.

You can run only the boto3 tests with::

	S3TEST_CONF=your.conf tox -- s3tests_boto3/functional

========================
 STS compatibility tests
========================

This section contains some basic tests for the AssumeRole, GetSessionToken and AssumeRoleWithWebIdentity API's. The test file is located under ``s3tests_boto3/functional``.

To run the STS tests, the vstart cluster should be started with the following parameter (in addition to any parameters already used with it)::

        vstart.sh -o rgw_sts_key=abcdefghijklmnop -o rgw_s3_auth_use_sts=true

Note that the ``rgw_sts_key`` can be set to anything that is 128 bits in length.
After the cluster is up the following command should be executed::

      radosgw-admin caps add --tenant=testx --uid="9876543210abcdef0123456789abcdef0123456789abcdef0123456789abcdef" --caps="roles=*"

You can run only the sts tests (all the three API's) with::

        S3TEST_CONF=your.conf tox s3tests_boto3/functional/test_sts.py

You can filter tests based on the attributes. There is a attribute named ``test_of_sts`` to run AssumeRole and GetSessionToken tests and ``webidentity_test`` to run the AssumeRoleWithWebIdentity tests. If you want to execute only ``test_of_sts`` tests you can apply that filter as below::

        S3TEST_CONF=your.conf tox -- -m test_of_sts s3tests_boto3/functional/test_sts.py

For running ``webidentity_test`` you'll need have Keycloak running.

In order to run any STS test you'll need to add "iam" section to the config file. For further reference on how your config file should look check ``s3tests.conf.SAMPLE``.

========================
 IAM policy tests
========================

This is a set of IAM policy tests.
This section covers tests for user policies such as Put, Get, List, Delete, user policies with s3 actions, conflicting user policies etc
These tests uses Boto3 libraries. Tests are written in the ``s3test_boto3`` directory.

These iam policy tests uses two users with profile name "iam" and "s3 alt" as mentioned in s3tests.conf.SAMPLE.
If Ceph cluster is started with vstart, then above two users will get created as part of vstart with same access key, secrete key etc as mentioned in s3tests.conf.SAMPLE.
Out of those two users, "iam" user is with capabilities --caps=user-policy=* and "s3 alt" user is without capabilities.
Adding above capabilities to "iam" user is also taken care by vstart (If Ceph cluster is started with vstart).

To run these tests, create configuration file with section "iam" and "s3 alt" refer s3tests.conf.SAMPLE.
Once you have that configuration file copied and edited, you can run all the tests with::

	S3TEST_CONF=your.conf tox s3tests_boto3/functional/test_iam.py

You can also specify specific test to run::

	S3TEST_CONF=your.conf tox s3tests_boto3/functional/test_iam.py::test_put_user_policy

Some tests have attributes set such as "fails_on_rgw".
You can filter tests based on their attributes::

	S3TEST_CONF=your.conf tox -- s3tests_boto3/functional/test_iam.py -m 'not fails_on_rgw'