From ebb31e02f9569cb33b72b1e3122ae1c1de2ae6f1 Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Fri, 20 Oct 2017 15:41:32 +0200
Subject: [PATCH] policy: test policy with sse-c encryption
Signed-off-by: Abhishek Lekshmanan
---
 s3tests/functional/test_s3.py | 46 +++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index ee99a10..7c8ebb2 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -9976,3 +9976,49 @@ def test_bucket_policy_put_obj_grant():
 # Normal case without any restrictions, owner is the uploader
 eq(utils.get_grantee(acl2, "FULL_CONTROL"), config.alt.user_id)
+
+
+@attr(resource='object')
+@attr(method='put')
+@attr(operation='Deny put obj requests without encryption')
+@attr(assertion='success')
+@attr('encryption')
+@attr('bucket-policy')
+def test_bucket_policy_put_obj_enc():
+
+ bucket = get_new_bucket()
+
+ deny_incorrect_algo = {
+ "StringNotEquals": {
+ "s3:x-amz-server-side-encryption": "AES256"
+ }
+ }
+
+ deny_unencrypted_obj = {
+ "Null" : {
+ "s3:x-amz-server-side-encryption": "true"
+ }
+ }
+
+ p = Policy()
+ resource = _make_arn_resource("{}/{}".format(bucket.name, "*"))
+
+ s1 = Statement("s3:PutObject", resource, effect="Deny", condition=deny_incorrect_algo)
+ s2 = Statement("s3:PutObject", resource, effect="Deny", condition=deny_unencrypted_obj)
+ policy_document = p.add_statement(s1).add_statement(s2).to_json()
+
+ bucket.set_policy(policy_document)
+
+ key1_str ='testobj'
+ key1 = bucket.new_key(key1_str)
+ check_access_denied(key1.set_contents_from_string, key1_str)
+
+ sse_client_headers = {
+ 'x-amz-server-side-encryption' : 'AES256',
+ 'x-amz-server-side-encryption-customer-algorithm': 'AES256',
+ 'x-amz-server-side-encryption-customer-key': 'pO3upElrwuEXSoFwCfnZPdSsmt/xWeFa0N9KgDijwVs=',
+ 'x-amz-server-side-encryption-customer-key-md5': 'DWygnHRtgiJ77HCm+1rvHw=='
+ }
+
+
+ key1.set_contents_from_string(key1_str, headers=sse_client_headers)
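Review bot: The only denial check, `check_access_denied(key1.set_contents_from_string, key1_str)`, sends no encryption header at all, so the `deny_incorrect_algo` statement is never tested on its own. Under AWS condition semantics a negated operator such as StringNotEquals also matches an absent key, so this request may be denied by either statement and the test cannot tell them apart. A request naming a different algorithm would cover the gap, e.g. `check_access_denied(key1.set_contents_from_string, key1_str, headers={'x-amz-server-side-encryption': 'aws:kms'})`, assuming check_access_denied forwards keyword arguments (its definition is outside the hunk). The accepted upload also sends `x-amz-server-side-encryption` together with the SSE-C customer headers, while both conditions key only on `s3:x-amz-server-side-encryption`, so the test does not show how the policy treats a pure SSE-C request. A comment such as `# policy keys on the SSE header only; SSE-C headers are sent alongside it` would make that limit explicit.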