forked from TrueCloudLab/frostfs-s3-gw
[#535] Support public access block operations
Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
parent
4f0f2ca7bd
commit
a7ce40d745
23 changed files with 940 additions and 87 deletions
|
@ -67,7 +67,7 @@ func prepareRouter(t *testing.T, opts ...option) *routerMock {
|
|||
Enabled: true,
|
||||
}
|
||||
|
||||
handlerTestMock := &handlerMock{t: t, cfg: middlewareSettings, buckets: map[string]*data.BucketInfo{}}
|
||||
handlerTestMock := &handlerMock{t: t, cfg: middlewareSettings, buckets: map[string]*data.BucketInfo{}, restrict: map[string]error{}}
|
||||
|
||||
cfg := Config{
|
||||
Throttle: middleware.ThrottleOpts{
|
||||
|
@ -647,6 +647,41 @@ func TestPreflightWithoutAuth(t *testing.T) {
|
|||
require.Equal(t, http.StatusOK, w.Code)
|
||||
}
|
||||
|
||||
func TestRestrictPublicBuckets(t *testing.T) {
|
||||
router := prepareRouter(t)
|
||||
router.middlewareSettings.denyByDefault = true
|
||||
|
||||
ns, bktName := "", "bucket"
|
||||
allowOperations(router, ns, []string{"s3:CreateBucket", "s3:ListBucket", "s3:PutBucketPublicAccessBlock"}, nil)
|
||||
createBucket(router, ns, bktName)
|
||||
listObjectsV1(router, ns, bktName, "", "", "")
|
||||
|
||||
putPublicAccessBlock(router, ns, bktName, &data.PublicAccessBlockConfiguration{
|
||||
RestrictPublicBuckets: true,
|
||||
})
|
||||
listObjectsV1Err(router, ns, bktName, "", "", "", apierr.ErrAccessDenied)
|
||||
}
|
||||
|
||||
func putPublicAccessBlock(router *routerMock, namespace, bktName string, cfg *data.PublicAccessBlockConfiguration) handlerResult {
|
||||
w := putPublicAccessBlockBase(router, namespace, bktName, cfg)
|
||||
resp := readResponse(router.t, w)
|
||||
require.Equal(router.t, s3middleware.PutPublicAccessBlockOperation, resp.Method)
|
||||
return resp
|
||||
}
|
||||
|
||||
func putPublicAccessBlockBase(router *routerMock, namespace, bktName string, cfg *data.PublicAccessBlockConfiguration) *httptest.ResponseRecorder {
|
||||
queries := url.Values{}
|
||||
queries.Add(s3middleware.PublicAccessBlockQuery, "")
|
||||
|
||||
body, err := xml.Marshal(cfg)
|
||||
require.NoError(router.t, err)
|
||||
w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodPut, "/"+bktName, bytes.NewBuffer(body))
|
||||
r.URL.RawQuery = queries.Encode()
|
||||
r.Header.Set(FrostfsNamespaceHeader, namespace)
|
||||
router.ServeHTTP(w, r)
|
||||
return w
|
||||
}
|
||||
|
||||
func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
|
||||
addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
|
||||
}
|
||||
|
|
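Review bot: TestRestrictPublicBuckets asserts only the deny path, so it would still pass if putting the configuration made ListBucket fail for every bucket rather than just the restricted one. A negative control would pin the scoping: create a second bucket before the put, for example `createBucket(router, ns, "bucket2")`, and after the put assert that `listObjectsV1(router, ns, "bucket2", "", "", "")` still succeeds while `bktName` returns `apierr.ErrAccessDenied`. Putting `RestrictPublicBuckets: false` afterwards and listing `bktName` again would also catch a restriction that never clears, assuming the mock supports that. The deny decision appears to come from the `restrict` map added to `handlerMock` in the first hunk, although the mock's use of that map is not visible here. If so, a comment such as `// exercises router wiring against handlerMock; real public-policy evaluation is tested elsewhere` would keep readers from treating this test as coverage of the access decision itself.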