[#XX] Add test_frostfs.py

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Denis Kirillov 2024-10-08 12:23:04 +03:00
parent 08df9352f9
commit f8120b10f7


@ -0,0 +1,177 @@
from botocore.exceptions import ClientError
import json
import time
from .utils import assert_raises
from .utils import _get_status_and_error_code
from . import (
configfile, setup_teardown, # we need this to parse config
get_client,
get_unauthenticated_client,
get_new_bucket,
)
def test_bucket_policy_frostfs_deny():
bucket_name = get_new_bucket()
client = get_client()
key = 'tmp'
resource1 = "arn:aws:s3:::" + bucket_name
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
policy_document = json.dumps(
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"{}".format(resource1),
"{}".format(resource2)
],
"Condition": {
"StringNotEquals": {
"s3:RequestObjectTag/environment": "production"
}
}
}]
}
)
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
# TEST 7
client.put_object(Bucket=bucket_name, Key=key, Tagging='environment=production')
# TEST 8
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key, Tagging='environment=development')
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
# TEST 9
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key)
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
policy_document = json.dumps(
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"{}".format(resource1),
"{}".format(resource2)
],
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/environment": "production"
}
}
}]
}
)
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
# TEST 10
e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key, Tagging='environment=production')
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
# TEST 11
client.put_object(Bucket=bucket_name, Key=key, Tagging='environment=development')
# TEST 12
client.put_object(Bucket=bucket_name, Key=key)
def test_bucket_policy_frostfs_allow():
bucket_name = get_new_bucket()
client = get_client()
key = 'tmp'
client.put_object(Bucket=bucket_name, Key=key)
resource1 = "arn:aws:s3:::" + bucket_name
resource2 = "arn:aws:s3:::" + bucket_name + "/*"
policy_document = json.dumps(
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObjectTagging",
"Resource": [
"{}".format(resource1),
"{}".format(resource2)
],
"Condition": {
"StringNotEquals": {
"s3:RequestObjectTag/environment": "production"
}
}
}]
}
)
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
time.sleep(3)
alt_client = get_unauthenticated_client()
# TEST 1
e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'production'}]})
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
# TEST 2
alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'development'}]})
# TEST 3
alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[]})
policy_document2 = json.dumps(
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObjectTagging",
"Resource": [
"{}".format(resource1),
"{}".format(resource2)
],
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/environment": "production"
}
}
}]
}
)
client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document2)
time.sleep(15) # probably we can reduce this
# TEST 4
alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'production'}]})
# TEST 5
e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'development'}]})
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
# TEST 6
e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[]})
status, error_code = _get_status_and_error_code(e.response)
assert status == 403
assert error_code == 'AccessDenied'
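Review bot: The wait for a new bucket policy to take effect is handled inconsistently: test_bucket_policy_frostfs_deny sends requests immediately after both `put_bucket_policy` calls, while test_bucket_policy_frostfs_allow uses `time.sleep(3)` and `time.sleep(15) # probably we can reduce this`. If the gateway applies policies with a delay (the sleeps suggest this, but it is not visible here), TEST 8–12 are racy, and the fixed sleeps slow the suite without guaranteeing the new policy is active. Since these are authorization checks, that delay is also worth a comment: it is the window in which a tightened policy is not yet enforced. I would replace the sleeps with a bounded poll on the first request whose outcome the new policy changes, as sketched below, and use it after every `put_bucket_policy`. The `# TEST n` comments would also read better if they said what each case pins, for example `# TEST 3: empty TagSet; StringNotEquals matches when the tag key is absent, so the request is allowed`.

```python
def _retry_until_policy_applies(check, timeout=15.0, step=0.5):
    # Re-run `check` until it stops raising or `timeout` seconds have passed.
    # Assumes assert_raises raises AssertionError when nothing was raised.
    deadline = time.monotonic() + timeout
    while True:
        try:
            return check()
        except (ClientError, AssertionError):
            if time.monotonic() >= deadline:
                raise
            time.sleep(step)

    # ... unchanged: policy_document2 construction ...
    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document2)
    # TEST 4: only the production tag is allowed once the new policy is active
    _retry_until_policy_applies(lambda: alt_client.put_object_tagging(
        Bucket=bucket_name, Key=key,
        Tagging={'TagSet': [{'Key': 'environment', 'Value': 'production'}]}))
```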