frostfs-s3-gw/api/handler/acl_test.go

package handler

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"testing"

	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
	s3errors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/eacl"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
	engineiam "git.frostfs.info/TrueCloudLab/policy-engine/iam"
	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/engine"
	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"github.com/stretchr/testify/require"
)

func TestTableToAst(t *testing.T) {
	b := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, b)
	require.NoError(t, err)
	var id oid.ID
	id.SetSHA256(sha256.Sum256(b))

	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	table := new(eacl.Table)
	record := eacl.NewRecord()
	record.SetAction(eacl.ActionAllow)
	record.SetOperation(eacl.OperationGet)
	eacl.AddFormedTarget(record, eacl.RoleOthers)
	table.AddRecord(record)
	record2 := eacl.NewRecord()
	record2.SetAction(eacl.ActionDeny)
	record2.SetOperation(eacl.OperationPut)
	// Unknown role is used, because it is ignored when keys are set
	eacl.AddFormedTarget(record2, eacl.RoleUnknown, *(*ecdsa.PublicKey)(key.PublicKey()), *((*ecdsa.PublicKey)(key2.PublicKey())))
	record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, "objectName")
	record2.AddObjectIDFilter(eacl.MatchStringEqual, id)
	table.AddRecord(record2)

	expectedAst := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{Bucket: "bucketName"},
				Operations: []*astOperation{{
					Op:     eacl.OperationGet,
					Action: eacl.ActionAllow,
				}}},
			{
				resourceInfo: resourceInfo{
					Bucket:  "bucketName",
					Object:  "objectName",
					Version: id.EncodeToString(),
				},
				Operations: []*astOperation{{
					Users: []string{
						hex.EncodeToString(key.PublicKey().Bytes()),
						hex.EncodeToString(key2.PublicKey().Bytes()),
					},
					Op:     eacl.OperationPut,
					Action: eacl.ActionDeny,
				}}},
		},
	}

	actualAst := tableToAst(table, expectedAst.Resources[0].Bucket)

	if actualAst.Resources[0].Name() == expectedAst.Resources[0].Name() {
		require.Equal(t, expectedAst, actualAst)
	} else {
		require.Equal(t, len(expectedAst.Resources), len(actualAst.Resources))
		require.Equal(t, expectedAst.Resources[0], actualAst.Resources[1])
		require.Equal(t, expectedAst.Resources[1], actualAst.Resources[0])
	}
}

func TestPolicyToAst(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	policy := &bucketPolicy{
		Statement: []statement{
			{
				Effect:    "Allow",
				Principal: principal{AWS: allUsersWildcard},
				Action:    []string{"s3:PutObject"},
				Resource:  []string{"arn:aws:s3:::bucketName"},
			},
			{
				Effect: "Deny",
				Principal: principal{
					CanonicalUser: hex.EncodeToString(key.PublicKey().Bytes()),
				},
				Action:   []string{"s3:GetObject"},
				Resource: []string{"arn:aws:s3:::bucketName/object"},
			}},
	}
	policy.Bucket = "bucketName"

	expectedAst := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucketName",
				},
				Operations: []*astOperation{{
					Op:     eacl.OperationPut,
					Action: eacl.ActionAllow,
				}},
			},
			{
				resourceInfo: resourceInfo{
					Bucket: "bucketName",
					Object: "object",
				},
				Operations: getReadOps(key, false, eacl.ActionDeny),
			},
		},
	}

	actualAst, err := policyToAst(policy)
	require.NoError(t, err)

	if actualAst.Resources[0].Name() == expectedAst.Resources[0].Name() {
		require.Equal(t, expectedAst, actualAst)
	} else {
		require.Equal(t, len(expectedAst.Resources), len(actualAst.Resources))
		require.Equal(t, expectedAst.Resources[0], actualAst.Resources[1])
		require.Equal(t, expectedAst.Resources[1], actualAst.Resources[0])
	}
}

func getReadOps(key *keys.PrivateKey, groupGrantee bool, action eacl.Action) []*astOperation {
	var (
		result []*astOperation
		users  []string
	)
	if !groupGrantee {
		users = append(users, hex.EncodeToString(key.PublicKey().Bytes()))
	}

	for _, op := range readOps {
		result = append(result, &astOperation{
			Users:  users,
			Op:     op,
			Action: action,
		})
	}

	return result
}

func TestMergeAstUnModified(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	child := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Users:  []string{hex.EncodeToString(key.PublicKey().Bytes())},
					Op:     eacl.OperationPut,
					Action: eacl.ActionDeny,
				}},
			},
		},
	}

	parent := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
				},
				Operations: []*astOperation{{
					Op:     eacl.OperationGet,
					Action: eacl.ActionAllow,
				}},
			},
			child.Resources[0],
		},
	}

	result, updated := mergeAst(parent, child)
	require.False(t, updated)
	require.Equal(t, parent, result)
}

func TestMergeAstModified(t *testing.T) {
	child := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Op:     eacl.OperationPut,
					Action: eacl.ActionDeny,
				}, {
					Users:  []string{"user2"},
					Op:     eacl.OperationGet,
					Action: eacl.ActionDeny,
				}},
			},
		},
	}

	parent := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Users:  []string{"user1"},
					Op:     eacl.OperationGet,
					Action: eacl.ActionDeny,
				}},
			},
		},
	}

	expected := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{
					child.Resources[0].Operations[0],
					{
						Users:  []string{"user1", "user2"},
						Op:     eacl.OperationGet,
						Action: eacl.ActionDeny,
					},
				},
			},
		},
	}

	actual, updated := mergeAst(parent, child)
	require.True(t, updated)
	require.Equal(t, expected, actual)
}

func TestMergeAppended(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	users := []string{hex.EncodeToString(key.PublicKey().Bytes())}

	parent := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationGet,
						Action: eacl.ActionDeny,
					},
					{
						Op:     eacl.OperationPut,
						Action: eacl.ActionDeny,
					},
					{
						Op:     eacl.OperationDelete,
						Action: eacl.ActionDeny,
					},
				},
			},
		},
	}

	child := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
				},
			},
		},
	}

	expected := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationGet,
						Action: eacl.ActionDeny,
					},
					{
						Op:     eacl.OperationPut,
						Action: eacl.ActionDeny,
					},
					{
						Op:     eacl.OperationDelete,
						Action: eacl.ActionDeny,
					},
				},
			},
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Users:  users,
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationDelete,
						Action: eacl.ActionAllow,
					},
				},
			},
		},
	}
	actual, updated := mergeAst(parent, child)
	require.True(t, updated)
	require.Equal(t, expected, actual)
}

func TestOrder(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	users := []string{hex.EncodeToString(key.PublicKey().Bytes())}
	targetUser := eacl.NewTarget()
	targetUser.SetBinaryKeys([][]byte{key.PublicKey().Bytes()})
	targetOther := eacl.NewTarget()
	targetOther.SetRole(eacl.RoleOthers)
	bucketName := "bucket"
	objectName := "objectName"

	expectedAst := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: bucketName,
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationGet,
						Action: eacl.ActionDeny,
					},
				},
			},
			{
				resourceInfo: resourceInfo{
					Bucket: bucketName,
					Object: objectName,
				},
				Operations: []*astOperation{
					{
						Users:  users,
						Op:     eacl.OperationPut,
						Action: eacl.ActionAllow,
					},
					{
						Op:     eacl.OperationPut,
						Action: eacl.ActionDeny,
					},
				},
			},
		},
	}
	bucketServiceRec := &ServiceRecord{Resource: expectedAst.Resources[0].Name(), GroupRecordsLength: 2}
	bucketUsersGetRec := eacl.NewRecord()
	bucketUsersGetRec.SetOperation(eacl.OperationGet)
	bucketUsersGetRec.SetAction(eacl.ActionAllow)
	bucketUsersGetRec.SetTargets(*targetUser)
	bucketOtherGetRec := eacl.NewRecord()
	bucketOtherGetRec.SetOperation(eacl.OperationGet)
	bucketOtherGetRec.SetAction(eacl.ActionDeny)
	bucketOtherGetRec.SetTargets(*targetOther)
	objectServiceRec := &ServiceRecord{Resource: expectedAst.Resources[1].Name(), GroupRecordsLength: 2}
	objectUsersPutRec := eacl.NewRecord()
	objectUsersPutRec.SetOperation(eacl.OperationPut)
	objectUsersPutRec.SetAction(eacl.ActionAllow)
	objectUsersPutRec.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, objectName)
	objectUsersPutRec.SetTargets(*targetUser)
	objectOtherPutRec := eacl.NewRecord()
	objectOtherPutRec.SetOperation(eacl.OperationPut)
	objectOtherPutRec.SetAction(eacl.ActionDeny)
	objectOtherPutRec.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, objectName)
	objectOtherPutRec.SetTargets(*targetOther)

	expectedEacl := eacl.NewTable()
	expectedEacl.AddRecord(objectServiceRec.ToEACLRecord())
	expectedEacl.AddRecord(objectOtherPutRec)
	expectedEacl.AddRecord(objectUsersPutRec)
	expectedEacl.AddRecord(bucketServiceRec.ToEACLRecord())
	expectedEacl.AddRecord(bucketOtherGetRec)
	expectedEacl.AddRecord(bucketUsersGetRec)

	t.Run("astToTable order and vice versa", func(t *testing.T) {
		actualEacl, err := astToTable(expectedAst)
		require.NoError(t, err)
		require.Equal(t, expectedEacl, actualEacl)

		actualAst := tableToAst(actualEacl, bucketName)
		require.Equal(t, expectedAst, actualAst)
	})

	t.Run("tableToAst order and vice versa", func(t *testing.T) {
		actualAst := tableToAst(expectedEacl, bucketName)
		require.Equal(t, expectedAst, actualAst)

		actualEacl, err := astToTable(actualAst)
		require.NoError(t, err)
		require.Equal(t, expectedEacl, actualEacl)
	})

	t.Run("append a resource", func(t *testing.T) {
		childName := "child"
		child := &ast{Resources: []*astResource{{
			resourceInfo: resourceInfo{
				Bucket: bucketName,
				Object: childName,
			},
			Operations: []*astOperation{{Op: eacl.OperationDelete, Action: eacl.ActionDeny}}}},
		}

		childRecord := eacl.NewRecord()
		childRecord.SetOperation(eacl.OperationDelete)
		childRecord.SetAction(eacl.ActionDeny)
		childRecord.SetTargets(*targetOther)
		childRecord.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, childName)

		mergedAst, updated := mergeAst(expectedAst, child)
		require.True(t, updated)

		mergedEacl, err := astToTable(mergedAst)
		require.NoError(t, err)

		require.Equal(t, *childRecord, mergedEacl.Records()[1])
	})
}

func TestMergeAstModifiedConflict(t *testing.T) {
	child := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Users:  []string{"user1"},
					Op:     eacl.OperationPut,
					Action: eacl.ActionDeny,
				}, {
					Users:  []string{"user3"},
					Op:     eacl.OperationGet,
					Action: eacl.ActionAllow,
				}},
			},
		},
	}

	parent := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Users:  []string{"user1"},
					Op:     eacl.OperationPut,
					Action: eacl.ActionAllow,
				}, {
					Users:  []string{"user2"},
					Op:     eacl.OperationPut,
					Action: eacl.ActionDeny,
				}, {
					Users:  []string{"user3"},
					Op:     eacl.OperationGet,
					Action: eacl.ActionDeny,
				}},
			},
		},
	}

	expected := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucket",
					Object: "objectName",
				},
				Operations: []*astOperation{
					{
						Users:  []string{"user2", "user1"},
						Op:     eacl.OperationPut,
						Action: eacl.ActionDeny,
					}, {
						Users:  []string{"user3"},
						Op:     eacl.OperationGet,
						Action: eacl.ActionAllow,
					},
				},
			},
		},
	}

	actual, updated := mergeAst(parent, child)
	require.True(t, updated)
	require.Equal(t, expected, actual)
}

func TestAstToTable(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	ast := &ast{
		Resources: []*astResource{
			{
				resourceInfo: resourceInfo{
					Bucket: "bucketName",
				},
				Operations: []*astOperation{{
					Users:  []string{hex.EncodeToString(key.PublicKey().Bytes())},
					Op:     eacl.OperationPut,
					Action: eacl.ActionAllow,
				}},
			},
			{
				resourceInfo: resourceInfo{
					Bucket: "bucketName",
					Object: "objectName",
				},
				Operations: []*astOperation{{
					Op:     eacl.OperationGet,
					Action: eacl.ActionDeny,
				}},
			},
		},
	}

	expectedTable := eacl.NewTable()
	serviceRec1 := &ServiceRecord{Resource: ast.Resources[0].Name(), GroupRecordsLength: 1}
	record1 := eacl.NewRecord()
	record1.SetAction(eacl.ActionAllow)
	record1.SetOperation(eacl.OperationPut)
	// Unknown role is used, because it is ignored when keys are set
	eacl.AddFormedTarget(record1, eacl.RoleUnknown, *(*ecdsa.PublicKey)(key.PublicKey()))

	serviceRec2 := &ServiceRecord{Resource: ast.Resources[1].Name(), GroupRecordsLength: 1}
	record2 := eacl.NewRecord()
	record2.SetAction(eacl.ActionDeny)
	record2.SetOperation(eacl.OperationGet)
	eacl.AddFormedTarget(record2, eacl.RoleOthers)
	record2.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, "objectName")

	expectedTable.AddRecord(serviceRec2.ToEACLRecord())
	expectedTable.AddRecord(record2)
	expectedTable.AddRecord(serviceRec1.ToEACLRecord())
	expectedTable.AddRecord(record1)

	actualTable, err := astToTable(ast)
	require.NoError(t, err)
	require.Equal(t, expectedTable, actualTable)
}

func TestRemoveUsers(t *testing.T) {
	resource := &astResource{
		resourceInfo: resourceInfo{
			Bucket: "bucket",
		},
		Operations: []*astOperation{{
			Users:  []string{"user1", "user3", "user4"},
			Op:     eacl.OperationPut,
			Action: eacl.ActionAllow,
		},
			{
				Users:  []string{"user5"},
				Op:     eacl.OperationGet,
				Action: eacl.ActionDeny,
			},
		},
	}

	op1 := &astOperation{
		Op:     eacl.OperationPut,
		Action: eacl.ActionAllow,
	}
	op2 := &astOperation{
		Op:     eacl.OperationGet,
		Action: eacl.ActionDeny,
	}

	removeUsers(resource, op1, []string{"user1", "user2", "user4"}) // modify astOperation
	removeUsers(resource, op2, []string{"user5"})                   // remove astOperation

	require.Equal(t, len(resource.Operations), 1)
	require.Equal(t, []string{"user3"}, resource.Operations[0].Users)
}

func TestBucketAclToPolicy(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	id2 := hex.EncodeToString(key2.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				URI:  allUsersGroup,
				Type: acpGroup,
			},
			Permission: aclRead,
		}, {
			Grantee: &Grantee{
				ID:   id2,
				Type: acpCanonicalUser,
			},
			Permission: aclWrite,
		}},
	}

	resInfo := &resourceInfo{
		Bucket: "bucketName",
	}

	expectedPolicy := &bucketPolicy{
		Bucket: resInfo.Bucket,
		Statement: []statement{
			{
				Effect: "Allow",
				Principal: principal{
					CanonicalUser: id,
				},
				Action:   []string{"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads", "s3:PutObject", "s3:DeleteObject"},
				Resource: []string{arnAwsPrefix + resInfo.Name()},
			},
			{
				Effect:    "Allow",
				Principal: principal{AWS: allUsersWildcard},
				Action:    []string{"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"},
				Resource:  []string{arnAwsPrefix + resInfo.Name()},
			},
			{
				Effect: "Allow",
				Principal: principal{
					CanonicalUser: id2,
				},
				Action:   []string{"s3:PutObject", "s3:DeleteObject"},
				Resource: []string{arnAwsPrefix + resInfo.Name()},
			},
		},
	}

	actualPolicy, err := aclToPolicy(acl, resInfo)
	require.NoError(t, err)
	require.Equal(t, expectedPolicy, actualPolicy)
}

func TestObjectAclToPolicy(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	id2 := hex.EncodeToString(key2.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				ID:   id,
				Type: acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				ID:   id2,
				Type: acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				URI:  allUsersGroup,
				Type: acpGroup,
			},
			Permission: aclRead,
		}},
	}

	resInfo := &resourceInfo{
		Bucket: "bucketName",
		Object: "object",
	}

	expectedPolicy := &bucketPolicy{
		Bucket: resInfo.Bucket,
		Statement: []statement{
			{
				Effect: "Allow",
				Principal: principal{
					CanonicalUser: id,
				},
				Action:   []string{"s3:GetObject", "s3:GetObjectVersion"},
				Resource: []string{arnAwsPrefix + resInfo.Name()},
			},
			{
				Effect: "Allow",
				Principal: principal{
					CanonicalUser: id2,
				},
				Action:   []string{"s3:GetObject", "s3:GetObjectVersion"},
				Resource: []string{arnAwsPrefix + resInfo.Name()},
			},
			{
				Effect:    "Allow",
				Principal: principal{AWS: allUsersWildcard},
				Action:    []string{"s3:GetObject", "s3:GetObjectVersion"},
				Resource:  []string{arnAwsPrefix + resInfo.Name()},
			},
		},
	}

	actualPolicy, err := aclToPolicy(acl, resInfo)
	require.NoError(t, err)
	require.Equal(t, expectedPolicy, actualPolicy)
}

func TestObjectWithVersionAclToTable(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	id := hex.EncodeToString(key.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				ID:   id,
				Type: acpCanonicalUser,
			},
			Permission: aclFullControl,
		}},
	}

	resInfoObject := &resourceInfo{
		Bucket: "bucketName",
		Object: "object",
	}
	expectedTable := allowedTableForPrivateObject(t, key, resInfoObject)
	actualTable := tableFromACL(t, acl, resInfoObject)
	checkTables(t, expectedTable, actualTable)

	resInfoObjectVersion := &resourceInfo{
		Bucket:  "bucketName",
		Object:  "objectVersion",
		Version: "Gfrct4Afhio8pCGCCKVNTf1kyexQjMBeaUfvDtQCkAvg",
	}
	expectedTable = allowedTableForPrivateObject(t, key, resInfoObjectVersion)
	actualTable = tableFromACL(t, acl, resInfoObjectVersion)
	checkTables(t, expectedTable, actualTable)
}

func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *resourceInfo) *eacl.Table {
	var isVersion bool
	var objID oid.ID
	if resInfo.Version != "" {
		isVersion = true
		err := objID.DecodeString(resInfo.Version)
		require.NoError(t, err)
	}

	expectedTable := eacl.NewTable()
	serviceRec := &ServiceRecord{Resource: resInfo.Name(), GroupRecordsLength: len(readOps) * 2}
	expectedTable.AddRecord(serviceRec.ToEACLRecord())

	for i := len(readOps) - 1; i >= 0; i-- {
		op := readOps[i]
		record := getAllowRecord(op, key.PublicKey())
		if isVersion {
			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
		} else {
			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
		}
		expectedTable.AddRecord(record)
	}
	for i := len(readOps) - 1; i >= 0; i-- {
		op := readOps[i]
		record := getOthersRecord(op, eacl.ActionDeny)
		if isVersion {
			record.AddObjectIDFilter(eacl.MatchStringEqual, objID)
		} else {
			record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFilePath, resInfo.Object)
		}
		expectedTable.AddRecord(record)
	}

	return expectedTable
}

func tableFromACL(t *testing.T, acl *AccessControlPolicy, resInfo *resourceInfo) *eacl.Table {
	actualPolicy, err := aclToPolicy(acl, resInfo)
	require.NoError(t, err)
	actualAst, err := policyToAst(actualPolicy)
	require.NoError(t, err)
	actualTable, err := astToTable(actualAst)
	require.NoError(t, err)
	return actualTable
}

func checkTables(t *testing.T, expectedTable, actualTable *eacl.Table) {
	require.Equal(t, len(expectedTable.Records()), len(actualTable.Records()), "different number of records")
	for i, record := range expectedTable.Records() {
		actRecord := actualTable.Records()[i]

		require.Equal(t, len(record.Targets()), len(actRecord.Targets()), "different number of targets")
		for j, target := range record.Targets() {
			actTarget := actRecord.Targets()[j]

			expected := fmt.Sprintf("%s %v", target.Role().String(), target.BinaryKeys())
			actual := fmt.Sprintf("%s %v", actTarget.Role().String(), actTarget.BinaryKeys())
			require.Equalf(t, target, actTarget, "want: '%s'\ngot: '%s'", expected, actual)
		}

		require.Equal(t, len(record.Filters()), len(actRecord.Filters()), "different number of filters")
		for j, filter := range record.Filters() {
			actFilter := actRecord.Filters()[j]

			expected := fmt.Sprintf("%s:%s %s %s", filter.From().String(), filter.Key(), filter.Matcher().String(), filter.Value())
			actual := fmt.Sprintf("%s:%s %s %s", actFilter.From().String(), actFilter.Key(), actFilter.Matcher().String(), actFilter.Value())
			require.Equalf(t, filter, actFilter, "want: '%s'\ngot: '%s'", expected, actual)
		}

		require.Equal(t, record.Action().String(), actRecord.Action().String())
		require.Equal(t, record.Operation().String(), actRecord.Operation().String())
	}
}

func TestParseCannedACLHeaders(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	address := key.PublicKey().Address()

	req := &http.Request{
		Header: map[string][]string{
			api.AmzACL: {basicACLReadOnly},
		},
	}

	expectedACL := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: address,
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				ID:          id,
				DisplayName: address,
				Type:        acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				URI:  allUsersGroup,
				Type: acpGroup,
			},
			Permission: aclRead,
		}},
	}

	actualACL, err := parseACLHeaders(req.Header, key.PublicKey())
	require.NoError(t, err)
	require.Equal(t, expectedACL, actualACL)
}

func TestParseACLHeaders(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	address := key.PublicKey().Address()

	req := &http.Request{
		Header: map[string][]string{
			api.AmzGrantFullControl: {"id=\"user1\""},
			api.AmzGrantRead:        {"uri=\"" + allUsersGroup + "\", id=\"user2\""},
			api.AmzGrantWrite:       {"id=\"user2\", id=\"user3\""},
		},
	}

	expectedACL := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: address,
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				ID:          id,
				DisplayName: address,
				Type:        acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				ID:   "user1",
				Type: acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				URI:  allUsersGroup,
				Type: acpGroup,
			},
			Permission: aclRead,
		}, {
			Grantee: &Grantee{
				ID:   "user2",
				Type: acpCanonicalUser,
			},
			Permission: aclRead,
		}, {
			Grantee: &Grantee{
				ID:   "user2",
				Type: acpCanonicalUser,
			},
			Permission: aclWrite,
		}, {
			Grantee: &Grantee{
				ID:   "user3",
				Type: acpCanonicalUser,
			},
			Permission: aclWrite,
		}},
	}

	actualACL, err := parseACLHeaders(req.Header, key.PublicKey())
	require.NoError(t, err)
	require.Equal(t, expectedACL, actualACL)
}

func TestAddGranteeError(t *testing.T) {
	headers := map[string][]string{
		api.AmzGrantFullControl: {"i=\"user1\""},
		api.AmzGrantRead:        {"uri, id=\"user2\""},
		api.AmzGrantWrite:       {"emailAddress=\"user2\""},
		"unknown header":        {"something"},
	}

	expectedList := []*Grant{{
		Permission: "predefined",
	}}

	actualList, err := addGrantees(expectedList, headers, "unknown header1")
	require.NoError(t, err)
	require.Equal(t, expectedList, actualList)

	actualList, err = addGrantees(expectedList, headers, "unknown header")
	require.Error(t, err)
	require.Nil(t, actualList)

	actualList, err = addGrantees(expectedList, headers, api.AmzGrantFullControl)
	require.Error(t, err)
	require.Nil(t, actualList)

	actualList, err = addGrantees(expectedList, headers, api.AmzGrantRead)
	require.Error(t, err)
	require.Nil(t, actualList)

	actualList, err = addGrantees(expectedList, headers, api.AmzGrantWrite)
	require.Error(t, err)
	require.Nil(t, actualList)
}

func TestBucketAclToTable(t *testing.T) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	id2 := hex.EncodeToString(key2.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				URI:  allUsersGroup,
				Type: acpGroup,
			},
			Permission: aclRead,
		}, {
			Grantee: &Grantee{
				ID:   id2,
				Type: acpCanonicalUser,
			},
			Permission: aclWrite,
		}},
	}

	expectedTable := new(eacl.Table)
	for _, op := range readOps {
		expectedTable.AddRecord(getOthersRecord(op, eacl.ActionAllow))
	}
	for _, op := range writeOps {
		expectedTable.AddRecord(getAllowRecord(op, key2.PublicKey()))
	}
	for _, op := range fullOps {
		expectedTable.AddRecord(getAllowRecord(op, key.PublicKey()))
	}
	for _, op := range fullOps {
		expectedTable.AddRecord(getOthersRecord(op, eacl.ActionDeny))
	}
	resInfo := &resourceInfo{
		Bucket: "bucketName",
	}

	actualTable, err := bucketACLToTable(acl, resInfo)
	require.NoError(t, err)
	require.Equal(t, expectedTable.Records(), actualTable.Records())
}

func TestObjectAclToAst(t *testing.T) {
	b := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, b)
	require.NoError(t, err)
	var objID oid.ID
	objID.SetSHA256(sha256.Sum256(b))

	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	id2 := hex.EncodeToString(key2.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{{
			Grantee: &Grantee{
				ID:   id,
				Type: acpCanonicalUser,
			},
			Permission: aclFullControl,
		}, {
			Grantee: &Grantee{
				ID:   id2,
				Type: acpCanonicalUser,
			},
			Permission: aclRead,
		},
		},
	}

	resInfo := &resourceInfo{
		Bucket:  "bucketName",
		Object:  "object",
		Version: objID.EncodeToString(),
	}

	var operations []*astOperation
	for _, op := range readOps {
		astOp := &astOperation{Users: []string{
			hex.EncodeToString(key.PublicKey().Bytes()),
			hex.EncodeToString(key2.PublicKey().Bytes()),
		},
			Op:     op,
			Action: eacl.ActionAllow,
		}
		operations = append(operations, astOp)
	}

	expectedAst := &ast{
		Resources: []*astResource{
			{
				resourceInfo: *resInfo,
				Operations:   operations,
			},
		},
	}

	actualAst, err := aclToAst(acl, resInfo)
	require.NoError(t, err)
	require.Equal(t, expectedAst, actualAst)
}

func TestBucketAclToAst(t *testing.T) {
	b := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, b)
	require.NoError(t, err)
	var objID oid.ID
	objID.SetSHA256(sha256.Sum256(b))

	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	key2, err := keys.NewPrivateKey()
	require.NoError(t, err)

	id := hex.EncodeToString(key.PublicKey().Bytes())
	id2 := hex.EncodeToString(key2.PublicKey().Bytes())

	acl := &AccessControlPolicy{
		Owner: Owner{
			ID:          id,
			DisplayName: "user1",
		},
		AccessControlList: []*Grant{
			{
				Grantee: &Grantee{
					ID:   id2,
					Type: acpCanonicalUser,
				},
				Permission: aclWrite,
			}, {
				Grantee: &Grantee{
					URI:  allUsersGroup,
					Type: acpGroup,
				},
				Permission: aclRead,
			},
		},
	}

	var operations []*astOperation
	for _, op := range readOps {
		astOp := &astOperation{Users: []string{
			hex.EncodeToString(key.PublicKey().Bytes()),
		},
			Op:     op,
			Action: eacl.ActionAllow,
		}
		operations = append(operations, astOp)
	}
	for _, op := range writeOps {
		astOp := &astOperation{Users: []string{
			hex.EncodeToString(key.PublicKey().Bytes()),
			hex.EncodeToString(key2.PublicKey().Bytes()),
		},
			Op:     op,
			Action: eacl.ActionAllow,
		}
		operations = append(operations, astOp)
	}
	for _, op := range readOps {
		astOp := &astOperation{
			Op:     op,
			Action: eacl.ActionAllow,
		}
		operations = append(operations, astOp)
	}

	resInfo := &resourceInfo{Bucket: "bucketName"}

	expectedAst := &ast{
		Resources: []*astResource{
			{
				resourceInfo: *resInfo,
				Operations:   operations,
			},
		},
	}

	actualAst, err := aclToAst(acl, resInfo)
	require.NoError(t, err)
	require.Equal(t, expectedAst, actualAst)
}

func TestPutBucketACL(t *testing.T) {
	tc := prepareHandlerContext(t)
	tc.config.aclEnabled = true
	bktName := "bucket-for-acl"

	info := createBucket(tc, bktName)

	header := map[string]string{api.AmzACL: "public-read"}
	putBucketACL(tc, bktName, info.Box, header)

	header = map[string]string{api.AmzACL: "private"}
	putBucketACL(tc, bktName, info.Box, header)
	checkLastRecords(t, tc, info.BktInfo, eacl.ActionDeny)
}

func TestPutBucketAPE(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName := "bucket-for-acl-ape"

	info := createBucket(hc, bktName)

	_, err := hc.tp.ContainerEACL(hc.Context(), layer.PrmContainerEACL{ContainerID: info.BktInfo.CID})
	require.ErrorContains(t, err, "not found")

	chains, err := hc.h.ape.(*apeMock).ListChains(engine.NamespaceTarget(""))
	require.NoError(t, err)
	require.Len(t, chains, 2)
}

func TestPutObjectACLErrorAPE(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName, objName := "bucket-for-acl-ape", "object"

	info := createBucket(hc, bktName)

	putObjectWithHeadersAssertS3Error(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, s3errors.ErrAccessControlListNotSupported)
	putObjectWithHeaders(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate}) // only `private` canned acl is allowed, that is actually ignored
	putObjectWithHeaders(hc, bktName, objName, nil)

	aclBody := &AccessControlPolicy{}
	putObjectACLAssertS3Error(hc, bktName, objName, info.Box, nil, aclBody, s3errors.ErrAccessControlListNotSupported)

	aclRes := getObjectACL(hc, bktName, objName)
	checkPrivateACL(t, aclRes, info.Key.PublicKey())
}

func TestCreateObjectACLErrorAPE(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName, objName, objNameCopy := "bucket-for-acl-ape", "object", "copy"

	createBucket(hc, bktName)

	putObject(hc, bktName, objName)
	copyObject(hc, bktName, objName, objNameCopy, CopyMeta{Headers: map[string]string{api.AmzACL: basicACLPublic}}, http.StatusBadRequest)
	copyObject(hc, bktName, objName, objNameCopy, CopyMeta{Headers: map[string]string{api.AmzACL: basicACLPrivate}}, http.StatusOK)

	createMultipartUploadAssertS3Error(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, s3errors.ErrAccessControlListNotSupported)
	createMultipartUpload(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate})
}

func TestPutObjectACLBackwardCompatibility(t *testing.T) {
	hc := prepareHandlerContext(t)
	hc.config.aclEnabled = true
	bktName, objName := "bucket-for-acl-ape", "object"

	info := createBucket(hc, bktName)

	putObjectWithHeadersBase(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate}, info.Box, nil)
	putObjectWithHeadersBase(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, info.Box, nil)

	aclRes := getObjectACL(hc, bktName, objName)
	require.Len(t, aclRes.AccessControlList, 2)
	require.Equal(t, hex.EncodeToString(info.Key.PublicKey().Bytes()), aclRes.AccessControlList[0].Grantee.ID)
	require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission)
	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
	require.Equal(t, aclFullControl, aclRes.AccessControlList[1].Permission)

	aclBody := &AccessControlPolicy{}
	putObjectACLBase(hc, bktName, objName, info.Box, nil, aclBody)
}

func TestBucketACLAPE(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName := "bucket-for-acl-ape"

	info := createBucket(hc, bktName)

	aclBody := &AccessControlPolicy{}
	putBucketACLAssertS3Error(hc, bktName, info.Box, nil, aclBody, s3errors.ErrAccessControlListNotSupported)

	aclRes := getBucketACL(hc, bktName)
	checkPrivateACL(t, aclRes, info.Key.PublicKey())

	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLPrivate})
	aclRes = getBucketACL(hc, bktName)
	checkPrivateACL(t, aclRes, info.Key.PublicKey())

	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLReadOnly})
	aclRes = getBucketACL(hc, bktName)
	checkPublicReadACL(t, aclRes, info.Key.PublicKey())

	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLPublic})
	aclRes = getBucketACL(hc, bktName)
	checkPublicReadWriteACL(t, aclRes, info.Key.PublicKey())
}

func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
	checkACLOwner(t, aclRes, ownerKey, 1)
}

func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
	checkACLOwner(t, aclRes, ownerKey, 2)

	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
	require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission)
}

func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
	checkACLOwner(t, aclRes, ownerKey, 3)

	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
	require.Equal(t, aclWrite, aclRes.AccessControlList[1].Permission)

	require.Equal(t, allUsersGroup, aclRes.AccessControlList[2].Grantee.URI)
	require.Equal(t, aclRead, aclRes.AccessControlList[2].Permission)
}

func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) {
	ownerIDStr := hex.EncodeToString(ownerKey.Bytes())
	ownerNameStr := ownerKey.Address()

	require.Equal(t, ownerIDStr, aclRes.Owner.ID)
	require.Equal(t, ownerNameStr, aclRes.Owner.DisplayName)

	require.Len(t, aclRes.AccessControlList, ln)

	require.Equal(t, ownerIDStr, aclRes.AccessControlList[0].Grantee.ID)
	require.Equal(t, ownerNameStr, aclRes.AccessControlList[0].Grantee.DisplayName)
	require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission)
}

func TestBucketPolicy(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName := "bucket-for-policy"

	createTestBucket(hc, bktName)

	getBucketPolicy(hc, bktName, s3errors.ErrNoSuchBucketPolicy)

	newPolicy := engineiam.Policy{
		Version: "2012-10-17",
		Statement: []engineiam.Statement{{
			Principal: map[engineiam.PrincipalType][]string{engineiam.Wildcard: {}},
			Effect:    engineiam.DenyEffect,
			Action:    engineiam.Action{"s3:PutObject"},
			Resource:  engineiam.Resource{"arn:aws:s3:::test/*"},
		}},
	}

	putBucketPolicy(hc, bktName, newPolicy, s3errors.ErrMalformedPolicy)

	newPolicy.Statement[0].Resource[0] = arnAwsPrefix + bktName + "/*"
	putBucketPolicy(hc, bktName, newPolicy)

	bktPolicy := getBucketPolicy(hc, bktName)
	require.Equal(t, newPolicy, bktPolicy)
}

func TestBucketPolicyStatus(t *testing.T) {
	hc := prepareHandlerContext(t)
	bktName := "bucket-for-policy"

	createTestBucket(hc, bktName)

	getBucketPolicy(hc, bktName, s3errors.ErrNoSuchBucketPolicy)

	newPolicy := engineiam.Policy{
		Version: "2012-10-17",
		Statement: []engineiam.Statement{{
			NotPrincipal: engineiam.Principal{engineiam.Wildcard: {}},
			Effect:       engineiam.AllowEffect,
			Action:       engineiam.Action{"s3:PutObject"},
			Resource:     engineiam.Resource{arnAwsPrefix + bktName + "/*"},
		}},
	}

	putBucketPolicy(hc, bktName, newPolicy, s3errors.ErrMalformedPolicyNotPrincipal)

	newPolicy.Statement[0].NotPrincipal = nil
	newPolicy.Statement[0].Principal = map[engineiam.PrincipalType][]string{engineiam.Wildcard: {}}
	putBucketPolicy(hc, bktName, newPolicy)
	bktPolicyStatus := getBucketPolicyStatus(hc, bktName)
	require.True(t, PolicyStatusIsPublicTrue == bktPolicyStatus.IsPublic)

	key, err := keys.NewPrivateKey()
	require.NoError(t, err)
	hc.Handler().frostfsid.(*frostfsidMock).data["devenv"] = key.PublicKey()

	newPolicy.Statement[0].Principal = map[engineiam.PrincipalType][]string{engineiam.AWSPrincipalType: {"arn:aws:iam:::user/devenv"}}
	putBucketPolicy(hc, bktName, newPolicy)
	bktPolicyStatus = getBucketPolicyStatus(hc, bktName)
	require.True(t, PolicyStatusIsPublicFalse == bktPolicyStatus.IsPublic)
}

func TestBucketPolicyUnmarshal(t *testing.T) {
	for _, tc := range []struct {
		name   string
		policy string
	}{
		{
			name: "action/resource array",
			policy: `
{
	"Version": "2012-10-17",
	"Statement": [{
		"Principal": {
			"AWS": "arn:aws:iam::111122223333:role/JohnDoe"
		},
		"Effect": "Allow",
		"Action": [
			"s3:GetObject",
			"s3:GetObjectVersion"
		],
		"Resource": [
			"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
			"arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
		]
	}]
}
`,
		},
		{
			name: "action/resource string",
			policy: `
{
	"Version": "2012-10-17",
	"Statement": [{
		"Principal": {
			"AWS": "arn:aws:iam::111122223333:role/JohnDoe"
		},
		"Effect": "Deny",
		"Action": "s3:GetObject",
		"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
	}]
}
`,
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			bktPolicy := &bucketPolicy{}
			err := json.Unmarshal([]byte(tc.policy), bktPolicy)
			require.NoError(t, err)
		})
	}
}

func TestPutBucketPolicy(t *testing.T) {
	bktPolicy := `
{
	"Version": "2012-10-17",
	"Statement": [{
		"Principal": "*",
		"Effect": "Deny",
		"Action": "s3:GetObject",
		"Resource": "arn:aws:s3:::bucket-for-policy/*"
	}]
}
`
	hc := prepareHandlerContext(t)
	bktName := "bucket-for-policy"

	createTestBucket(hc, bktName)

	w, r := prepareTestPayloadRequest(hc, bktName, "", bytes.NewReader([]byte(bktPolicy)))
	hc.Handler().PutBucketPolicyHandler(w, r)
	assertStatus(hc.t, w, http.StatusOK)
}

func getBucketPolicy(hc *handlerContext, bktName string, errCode ...s3errors.ErrorCode) engineiam.Policy {
	w, r := prepareTestRequest(hc, bktName, "", nil)
	hc.Handler().GetBucketPolicyHandler(w, r)

	var policy engineiam.Policy
	if len(errCode) == 0 {
		assertStatus(hc.t, w, http.StatusOK)
		err := json.NewDecoder(w.Result().Body).Decode(&policy)
		require.NoError(hc.t, err)
	} else {
		assertS3Error(hc.t, w, s3errors.GetAPIError(errCode[0]))
	}

	return policy
}

func getBucketPolicyStatus(hc *handlerContext, bktName string, errCode ...s3errors.ErrorCode) PolicyStatus {
	w, r := prepareTestRequest(hc, bktName, "", nil)
	hc.Handler().GetBucketPolicyStatusHandler(w, r)

	var policyStatus PolicyStatus
	if len(errCode) == 0 {
		assertStatus(hc.t, w, http.StatusOK)
		err := xml.NewDecoder(w.Result().Body).Decode(&policyStatus)
		require.NoError(hc.t, err)
	} else {
		assertS3Error(hc.t, w, s3errors.GetAPIError(errCode[0]))
	}

	return policyStatus
}

func putBucketPolicy(hc *handlerContext, bktName string, bktPolicy engineiam.Policy, errCode ...s3errors.ErrorCode) {
	body, err := json.Marshal(bktPolicy)
	require.NoError(hc.t, err)

	w, r := prepareTestPayloadRequest(hc, bktName, "", bytes.NewReader(body))
	hc.Handler().PutBucketPolicyHandler(w, r)

	if len(errCode) == 0 {
		assertStatus(hc.t, w, http.StatusOK)
	} else {
		assertS3Error(hc.t, w, s3errors.GetAPIError(errCode[0]))
	}
}

func checkLastRecords(t *testing.T, tc *handlerContext, bktInfo *data.BucketInfo, action eacl.Action) {
	bktACL, err := tc.Layer().GetBucketACL(tc.Context(), bktInfo)
	require.NoError(t, err)

	length := len(bktACL.EACL.Records())

	if length < 7 {
		t.Fatalf("length of records is less than 7: '%d'", length)
	}

	for _, rec := range bktACL.EACL.Records()[length-7:] {
		if rec.Action() != action || rec.Targets()[0].Role() != eacl.RoleOthers {
			t.Fatalf("inavid last record: '%s', '%s', '%s',", rec.Action(), rec.Operation(), rec.Targets()[0].Role())
		}
	}
}

func createAccessBox(t *testing.T) (*accessbox.Box, *keys.PrivateKey) {
	key, err := keys.NewPrivateKey()
	require.NoError(t, err)

	var bearerToken bearer.Token
	err = bearerToken.Sign(key.PrivateKey)
	require.NoError(t, err)

	tok := new(session.Container)
	tok.ForVerb(session.VerbContainerSetEACL)
	err = tok.Sign(key.PrivateKey)
	require.NoError(t, err)

	tok2 := new(session.Container)
	tok2.ForVerb(session.VerbContainerPut)
	err = tok2.Sign(key.PrivateKey)
	require.NoError(t, err)

	box := &accessbox.Box{
		Gate: &accessbox.GateData{
			SessionTokens: []*session.Container{tok, tok2},
			BearerToken:   &bearerToken,
		},
	}

	return box, key
}

type createBucketInfo struct {
	BktInfo *data.BucketInfo
	Box     *accessbox.Box
	Key     *keys.PrivateKey
}

func createBucket(hc *handlerContext, bktName string) *createBucketInfo {
	box, key := createAccessBox(hc.t)

	w := createBucketBase(hc, bktName, box)
	assertStatus(hc.t, w, http.StatusOK)

	bktInfo, err := hc.Layer().GetBucketInfo(hc.Context(), bktName)
	require.NoError(hc.t, err)

	return &createBucketInfo{
		BktInfo: bktInfo,
		Box:     box,
		Key:     key,
	}
}

func createBucketAssertS3Error(hc *handlerContext, bktName string, box *accessbox.Box, code s3errors.ErrorCode) {
	w := createBucketBase(hc, bktName, box)
	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
}

func createBucketBase(hc *handlerContext, bktName string, box *accessbox.Box) *httptest.ResponseRecorder {
	w, r := prepareTestRequest(hc, bktName, "", nil)
	ctx := middleware.SetBoxData(r.Context(), box)
	r = r.WithContext(ctx)
	hc.Handler().CreateBucketHandler(w, r)
	return w
}

func putBucketACL(hc *handlerContext, bktName string, box *accessbox.Box, header map[string]string) {
	w := putBucketACLBase(hc, bktName, box, header, nil)
	assertStatus(hc.t, w, http.StatusOK)
}

func putBucketACLAssertS3Error(hc *handlerContext, bktName string, box *accessbox.Box, header map[string]string, body *AccessControlPolicy, code s3errors.ErrorCode) {
	w := putBucketACLBase(hc, bktName, box, header, body)
	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
}

func putBucketACLBase(hc *handlerContext, bktName string, box *accessbox.Box, header map[string]string, body *AccessControlPolicy) *httptest.ResponseRecorder {
	w, r := prepareTestRequest(hc, bktName, "", body)
	for key, val := range header {
		r.Header.Set(key, val)
	}
	ctx := middleware.SetBoxData(r.Context(), box)
	r = r.WithContext(ctx)
	hc.Handler().PutBucketACLHandler(w, r)
	return w
}

func getBucketACL(hc *handlerContext, bktName string) *AccessControlPolicy {
	w := getBucketACLBase(hc, bktName)
	assertStatus(hc.t, w, http.StatusOK)
	res := &AccessControlPolicy{}
	parseTestResponse(hc.t, w, res)
	return res
}

func getBucketACLBase(hc *handlerContext, bktName string) *httptest.ResponseRecorder {
	w, r := prepareTestRequest(hc, bktName, "", nil)
	hc.Handler().GetBucketACLHandler(w, r)
	return w
}

func putObjectACLAssertS3Error(hc *handlerContext, bktName, objName string, box *accessbox.Box, header map[string]string, body *AccessControlPolicy, code s3errors.ErrorCode) {
	w := putObjectACLBase(hc, bktName, objName, box, header, body)
	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
}

func putObjectACLBase(hc *handlerContext, bktName, objName string, box *accessbox.Box, header map[string]string, body *AccessControlPolicy) *httptest.ResponseRecorder {
	w, r := prepareTestRequest(hc, bktName, objName, body)
	for key, val := range header {
		r.Header.Set(key, val)
	}
	ctx := middleware.SetBoxData(r.Context(), box)
	r = r.WithContext(ctx)
	hc.Handler().PutObjectACLHandler(w, r)
	return w
}

func getObjectACL(hc *handlerContext, bktName, objName string) *AccessControlPolicy {
	w := getObjectACLBase(hc, bktName, objName)
	assertStatus(hc.t, w, http.StatusOK)
	res := &AccessControlPolicy{}
	parseTestResponse(hc.t, w, res)
	return res
}

func getObjectACLBase(hc *handlerContext, bktName, objName string) *httptest.ResponseRecorder {
	w, r := prepareTestRequest(hc, bktName, objName, nil)
	hc.Handler().GetObjectACLHandler(w, r)
	return w
}

func putObjectWithHeaders(hc *handlerContext, bktName, objName string, headers map[string]string) http.Header {
	w := putObjectWithHeadersBase(hc, bktName, objName, headers, nil, nil)
	assertStatus(hc.t, w, http.StatusOK)
	return w.Header()
}

func putObjectWithHeadersAssertS3Error(hc *handlerContext, bktName, objName string, headers map[string]string, code s3errors.ErrorCode) {
	w := putObjectWithHeadersBase(hc, bktName, objName, headers, nil, nil)
	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
}

func putObjectWithHeadersBase(hc *handlerContext, bktName, objName string, headers map[string]string, box *accessbox.Box, data []byte) *httptest.ResponseRecorder {
	body := bytes.NewReader(data)
	w, r := prepareTestPayloadRequest(hc, bktName, objName, body)

	for k, v := range headers {
		r.Header.Set(k, v)
	}

	ctx := middleware.SetBoxData(r.Context(), box)
	r = r.WithContext(ctx)

	hc.Handler().PutObjectHandler(w, r)
	return w
}