forked from TrueCloudLab/s3-tests
commit
47a3755378
2 changed files with 317 additions and 0 deletions
|
@ -293,6 +293,18 @@ def get_bad_auth_client(aws_access_key_id='badauth'):
|
||||||
config=Config(signature_version='s3v4'))
|
config=Config(signature_version='s3v4'))
|
||||||
return client
|
return client
|
||||||
|
|
||||||
|
def get_svc_client(client_config=None, svc='s3'):
|
||||||
|
if client_config == None:
|
||||||
|
client_config = Config(signature_version='s3v4')
|
||||||
|
|
||||||
|
client = boto3.client(service_name=svc,
|
||||||
|
aws_access_key_id=config.main_access_key,
|
||||||
|
aws_secret_access_key=config.main_secret_key,
|
||||||
|
endpoint_url=config.default_endpoint,
|
||||||
|
use_ssl=config.default_is_secure,
|
||||||
|
config=client_config)
|
||||||
|
return client
|
||||||
|
|
||||||
bucket_counter = itertools.count(1)
|
bucket_counter = itertools.count(1)
|
||||||
|
|
||||||
def get_new_bucket_name():
|
def get_new_bucket_name():
|
||||||
|
|
|
@ -69,6 +69,7 @@ from . import (
|
||||||
get_objects_list,
|
get_objects_list,
|
||||||
get_main_kms_keyid,
|
get_main_kms_keyid,
|
||||||
get_secondary_kms_keyid,
|
get_secondary_kms_keyid,
|
||||||
|
get_svc_client,
|
||||||
nuke_prefixed_buckets,
|
nuke_prefixed_buckets,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -12396,3 +12397,307 @@ def test_user_policy():
|
||||||
PolicyName='AllAccessPolicy',
|
PolicyName='AllAccessPolicy',
|
||||||
UserName=get_tenant_user_id(),
|
UserName=get_tenant_user_id(),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a new bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],False)
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a public acl bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_public_acl_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
client = get_client()
|
||||||
|
client.put_bucket_acl(Bucket=bucket_name, ACL='public-read')
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],True)
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a authenticated acl bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_authpublic_acl_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
client = get_client()
|
||||||
|
client.put_bucket_acl(Bucket=bucket_name, ACL='authenticated-read')
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],True)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a public policy bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_publicpolicy_acl_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],False)
|
||||||
|
|
||||||
|
resource1 = "arn:aws:s3:::" + bucket_name
|
||||||
|
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
|
||||||
|
policy_document = json.dumps(
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [{
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {"AWS": "*"},
|
||||||
|
"Action": "s3:ListBucket",
|
||||||
|
"Resource": [
|
||||||
|
"{}".format(resource1),
|
||||||
|
"{}".format(resource2)
|
||||||
|
]
|
||||||
|
}]
|
||||||
|
})
|
||||||
|
|
||||||
|
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],True)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a public policy bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_nonpublicpolicy_acl_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],False)
|
||||||
|
|
||||||
|
resource1 = "arn:aws:s3:::" + bucket_name
|
||||||
|
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
|
||||||
|
policy_document = json.dumps(
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [{
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {"AWS": "*"},
|
||||||
|
"Action": "s3:ListBucket",
|
||||||
|
"Resource": [
|
||||||
|
"{}".format(resource1),
|
||||||
|
"{}".format(resource2)
|
||||||
|
],
|
||||||
|
"Condition": {
|
||||||
|
"IpAddress":
|
||||||
|
{"aws:SourceIp": "10.0.0.0/32"}
|
||||||
|
}
|
||||||
|
}]
|
||||||
|
})
|
||||||
|
|
||||||
|
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],False)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get bucket policy status on a public policy bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_nonpublicpolicy_deny_bucket_policy_status():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],False)
|
||||||
|
|
||||||
|
resource1 = "arn:aws:s3:::" + bucket_name
|
||||||
|
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
|
||||||
|
policy_document = json.dumps(
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [{
|
||||||
|
"Effect": "Allow",
|
||||||
|
"NotPrincipal": {"AWS": "arn:aws:iam::s3tenant1:root"},
|
||||||
|
"Action": "s3:ListBucket",
|
||||||
|
"Resource": [
|
||||||
|
"{}".format(resource1),
|
||||||
|
"{}".format(resource2)
|
||||||
|
],
|
||||||
|
}]
|
||||||
|
})
|
||||||
|
|
||||||
|
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
|
||||||
|
resp = client.get_bucket_policy_status(Bucket=bucket_name)
|
||||||
|
eq(resp['PolicyStatus']['IsPublic'],True)
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='get')
|
||||||
|
@attr(operation='get public access block on a bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_get_default_public_block():
|
||||||
|
#client = get_svc_client(svc='s3control', client_config=Config(s3={'addressing_style': 'path'}))
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
resp = client.get_public_access_block(Bucket=bucket_name)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicAcls'], False)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicPolicy'], False)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['IgnorePublicAcls'], False)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['RestrictPublicBuckets'], False)
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='put')
|
||||||
|
@attr(operation='get public access block on a bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_put_public_block():
|
||||||
|
#client = get_svc_client(svc='s3control', client_config=Config(s3={'addressing_style': 'path'}))
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
access_conf = {'BlockPublicAcls': True,
|
||||||
|
'IgnorePublicAcls': True,
|
||||||
|
'BlockPublicPolicy': True,
|
||||||
|
'RestrictPublicBuckets': False}
|
||||||
|
|
||||||
|
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
|
||||||
|
|
||||||
|
resp = client.get_public_access_block(Bucket=bucket_name)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicAcls'], access_conf['BlockPublicAcls'])
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicPolicy'], access_conf['BlockPublicPolicy'])
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['IgnorePublicAcls'], access_conf['IgnorePublicAcls'])
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['RestrictPublicBuckets'], access_conf['RestrictPublicBuckets'])
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='put')
|
||||||
|
@attr(operation='get public access block on a bucket')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_block_public_put_bucket_acls():
|
||||||
|
#client = get_svc_client(svc='s3control', client_config=Config(s3={'addressing_style': 'path'}))
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
access_conf = {'BlockPublicAcls': True,
|
||||||
|
'IgnorePublicAcls': False,
|
||||||
|
'BlockPublicPolicy': True,
|
||||||
|
'RestrictPublicBuckets': False}
|
||||||
|
|
||||||
|
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
|
||||||
|
|
||||||
|
resp = client.get_public_access_block(Bucket=bucket_name)
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicAcls'], access_conf['BlockPublicAcls'])
|
||||||
|
eq(resp['PublicAccessBlockConfiguration']['BlockPublicPolicy'], access_conf['BlockPublicPolicy'])
|
||||||
|
|
||||||
|
e = assert_raises(ClientError, client.put_bucket_acl, Bucket=bucket_name,ACL='public-read')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
e = assert_raises(ClientError, client.put_bucket_acl, Bucket=bucket_name,ACL='public-read-write')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
e = assert_raises(ClientError, client.put_bucket_acl, Bucket=bucket_name,ACL='authenticated-read')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='put')
|
||||||
|
@attr(operation='block public acls on canned acls')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_block_public_object_canned_acls():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
access_conf = {'BlockPublicAcls': True,
|
||||||
|
'IgnorePublicAcls': False,
|
||||||
|
'BlockPublicPolicy': False,
|
||||||
|
'RestrictPublicBuckets': False}
|
||||||
|
|
||||||
|
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
|
||||||
|
|
||||||
|
# resp = client.get_public_access_block(Bucket=bucket_name)
|
||||||
|
# eq(resp['PublicAccessBlockConfiguration']['BlockPublicAcls'], access_conf['BlockPublicAcls'])
|
||||||
|
# eq(resp['PublicAccessBlockConfiguration']['BlockPublicPolicy'], access_conf['BlockPublicPolicy'])
|
||||||
|
|
||||||
|
#FIXME: use empty body until #42208
|
||||||
|
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key='foo1', Body='', ACL='public-read')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key='foo2', Body='', ACL='public-read')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key='foo3', Body='', ACL='authenticated-read')
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
eq(status, 403)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='put')
|
||||||
|
@attr(operation='block public acls on canned acls')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_block_public_policy():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
|
||||||
|
access_conf = {'BlockPublicAcls': False,
|
||||||
|
'IgnorePublicAcls': False,
|
||||||
|
'BlockPublicPolicy': True,
|
||||||
|
'RestrictPublicBuckets': False}
|
||||||
|
|
||||||
|
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
|
||||||
|
resource = _make_arn_resource("{}/{}".format(bucket_name, "*"))
|
||||||
|
policy_document = make_json_policy("s3:GetObject",
|
||||||
|
resource)
|
||||||
|
|
||||||
|
check_access_denied(client.put_bucket_policy, Bucket=bucket_name, Policy=policy_document)
|
||||||
|
|
||||||
|
|
||||||
|
@attr(resource='bucket')
|
||||||
|
@attr(method='put')
|
||||||
|
@attr(operation='ignore public acls on canned acls')
|
||||||
|
@attr(assertion='succeeds')
|
||||||
|
@attr('policy_status')
|
||||||
|
def test_ignore_public_acls():
|
||||||
|
bucket_name = get_new_bucket()
|
||||||
|
client = get_client()
|
||||||
|
alt_client = get_alt_client()
|
||||||
|
|
||||||
|
client.put_bucket_acl(Bucket=bucket_name, ACL='public-read')
|
||||||
|
# Public bucket should be accessible
|
||||||
|
alt_client.list_objects(Bucket=bucket_name)
|
||||||
|
|
||||||
|
client.put_object(Bucket=bucket_name,Key='key1',Body='abcde',ACL='public-read')
|
||||||
|
resp=alt_client.get_object(Bucket=bucket_name, Key='key1')
|
||||||
|
eq(_get_body(resp), 'abcde')
|
||||||
|
|
||||||
|
access_conf = {'BlockPublicAcls': False,
|
||||||
|
'IgnorePublicAcls': True,
|
||||||
|
'BlockPublicPolicy': False,
|
||||||
|
'RestrictPublicBuckets': False}
|
||||||
|
|
||||||
|
client.put_public_access_block(Bucket=bucket_name, PublicAccessBlockConfiguration=access_conf)
|
||||||
|
resource = _make_arn_resource("{}/{}".format(bucket_name, "*"))
|
||||||
|
|
||||||
|
client.put_bucket_acl(Bucket=bucket_name, ACL='public-read')
|
||||||
|
# IgnorePublicACLs is true, so regardless this should behave as a private bucket
|
||||||
|
check_access_denied(alt_client.list_objects, Bucket=bucket_name)
|
||||||
|
check_access_denied(alt_client.get_object, Bucket=bucket_name, Key='key1')
|
||||||
|
|
Loading…
Reference in a new issue