[#XX] Add test_frostfs.py

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

s3tests_boto3/functional/test_frostfs.py

@@ -0,0 +1,177 @@
+from botocore.exceptions import ClientError
+import json
+import time
+
+from .utils import assert_raises
+from .utils import _get_status_and_error_code
+
+from . import (
+    configfile, setup_teardown, # we need this to parse config
+    get_client,
+    get_unauthenticated_client,
+    get_new_bucket,
+)
+
+
+def test_bucket_policy_frostfs_deny():
+    bucket_name = get_new_bucket()
+    client = get_client()
+    key = 'tmp'
+
+    resource1 = "arn:aws:s3:::" + bucket_name
+    resource2 = "arn:aws:s3:::" + bucket_name + "/*"
+    policy_document = json.dumps(
+        {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "s3:PutObject",
+                "Resource": [
+                    "{}".format(resource1),
+                    "{}".format(resource2)
+                ],
+                "Condition": {
+                    "StringNotEquals": {
+                        "s3:RequestObjectTag/environment": "production"
+                    }
+                }
+            }]
+        }
+    )
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
+
+    # TEST 7
+    client.put_object(Bucket=bucket_name, Key=key, Tagging='environment=production')
+
+    # TEST 8
+    e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key, Tagging='environment=development')
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+
+    # TEST 9
+    e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key)
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+
+
+
+    policy_document = json.dumps(
+        {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Deny",
+                "Principal": "*",
+                "Action": "s3:PutObject",
+                "Resource": [
+                    "{}".format(resource1),
+                    "{}".format(resource2)
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "s3:RequestObjectTag/environment": "production"
+                    }
+                }
+            }]
+        }
+    )
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
+
+    # TEST 10
+    e = assert_raises(ClientError, client.put_object, Bucket=bucket_name, Key=key, Tagging='environment=production')
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+
+    # TEST 11
+    client.put_object(Bucket=bucket_name, Key=key, Tagging='environment=development')
+
+    # TEST 12
+    client.put_object(Bucket=bucket_name, Key=key)
+
+def test_bucket_policy_frostfs_allow():
+    bucket_name = get_new_bucket()
+    client = get_client()
+    key = 'tmp'
+
+    client.put_object(Bucket=bucket_name, Key=key)
+
+    resource1 = "arn:aws:s3:::" + bucket_name
+    resource2 = "arn:aws:s3:::" + bucket_name + "/*"
+    policy_document = json.dumps(
+        {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": "*",
+                "Action": "s3:PutObjectTagging",
+                "Resource": [
+                    "{}".format(resource1),
+                    "{}".format(resource2)
+                ],
+                "Condition": {
+                    "StringNotEquals": {
+                        "s3:RequestObjectTag/environment": "production"
+                    }
+                }
+            }]
+        }
+    )
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)
+    time.sleep(3)
+
+    alt_client = get_unauthenticated_client()
+
+    # TEST 1
+    e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'production'}]})
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+
+    # TEST 2
+    alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'development'}]})
+
+    # TEST 3
+    alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[]})
+
+
+
+    policy_document2 = json.dumps(
+        {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": "*",
+                "Action": "s3:PutObjectTagging",
+                "Resource": [
+                    "{}".format(resource1),
+                    "{}".format(resource2)
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "s3:RequestObjectTag/environment": "production"
+                    }
+                }
+            }]
+        }
+    )
+    client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document2)
+    time.sleep(15) # probably we can reduce this
+
+    # TEST 4
+    alt_client.put_object_tagging(Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'production'}]})
+
+    # TEST 5
+    e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[{'Key':'environment','Value':'development'}]})
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+
+    # TEST 6
+    e = assert_raises(ClientError, alt_client.put_object_tagging, Bucket=bucket_name, Key=key, Tagging={'TagSet':[]})
+    status, error_code = _get_status_and_error_code(e.response)
+    assert status == 403
+    assert error_code == 'AccessDenied'
+