Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9362 Commits
32 Branches
297 Tags
164 MiB
Tree: 18d941ba25
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '18d941ba25'
${ noResults }
seaweedfs/weed/s3api/s3acl/acl_helper_test.go

1466 lines
47 KiB
Raw Normal View History

add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
validate grants when setting ownership to `OwnershipBucketOwnerEnforced` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
  1. package s3acl
  3. import (
  4. "bytes"
  5. "encoding/json"
  6. "github.com/aws/aws-sdk-go/service/s3"
  7. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "io"
  12. "net/http"
  13. "testing"
  14. )
  16. var (
  17. accountManager = &s3account.AccountManager{
  18. IdNameMapping: map[string]string{
  19. s3account.AccountAdmin.Id: s3account.AccountAdmin.Name,
  20. s3account.AccountAnonymous.Id: s3account.AccountAnonymous.Name,
  21. "accountA": "accountA",
  22. "accountB": "accountB",
  23. },
  24. EmailIdMapping: map[string]string{
  25. s3account.AccountAdmin.EmailAddress: s3account.AccountAdmin.Id,
  26. s3account.AccountAnonymous.EmailAddress: s3account.AccountAnonymous.Id,
  27. "accountA@example.com": "accountA",
  28. "accountBexample.com": "accountB",
  29. },
  30. }
  31. )
  33. func TestGetAccountId(t *testing.T) {
  34. req := &http.Request{
  35. Header: make(map[string][]string),
  36. }
  37. //case1
  38. //accountId: "admin"
  39. req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAdmin.Id)
  40. if GetAccountId(req) != s3account.AccountAdmin.Id {
  41. t.Fatal("expect accountId: admin")
  42. }
  44. //case2
  45. //accountId: "anoymous"
  46. req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAnonymous.Id)
  47. if GetAccountId(req) != s3account.AccountAnonymous.Id {
  48. t.Fatal("expect accountId: anonymous")
  49. }
  51. //case3
  52. //accountId is nil => "anonymous"
  53. req.Header.Del(s3_constants.AmzAccountId)
  54. if GetAccountId(req) != s3account.AccountAnonymous.Id {
  55. t.Fatal("expect accountId: anonymous")
  56. }
  57. }
  59. func grantsEquals(a, b []*s3.Grant) bool {
  60. if len(a) != len(b) {
  61. return false
  62. }
  63. for i, grant := range a {
  64. if !GrantEquals(grant, b[i]) {
  65. return false
  66. }
  67. }
  68. return true
  69. }
  71. func TestDetermineReqGrants(t *testing.T) {
  72. {
  73. //case1: request account is anonymous
  74. accountId := s3account.AccountAnonymous.Id
  75. reqPermission := s3_constants.PermissionRead
  77. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  78. expectGrants := []*s3.Grant{
  79. {
  80. Grantee: &s3.Grantee{
  81. Type: &s3_constants.GrantTypeGroup,
  82. URI: &s3_constants.GranteeGroupAllUsers,
  83. },
  84. Permission: &reqPermission,
  85. },
  86. {
  87. Grantee: &s3.Grantee{
  88. Type: &s3_constants.GrantTypeGroup,
  89. URI: &s3_constants.GranteeGroupAllUsers,
  90. },
  91. Permission: &s3_constants.PermissionFullControl,
  92. },
  93. {
  94. Grantee: &s3.Grantee{
  95. Type: &s3_constants.GrantTypeCanonicalUser,
  96. ID: &accountId,
  97. },
  98. Permission: &reqPermission,
  99. },
  100. {
  101. Grantee: &s3.Grantee{
  102. Type: &s3_constants.GrantTypeCanonicalUser,
  103. ID: &accountId,
  104. },
  105. Permission: &s3_constants.PermissionFullControl,
  106. },
  107. }
  108. if !grantsEquals(resultGrants, expectGrants) {
  109. t.Fatalf("grants not expect")
  110. }
  111. }
  112. {
  113. //case2: request account is not anonymous (Iam authed)
  114. accountId := "accountX"
  115. reqPermission := s3_constants.PermissionRead
  117. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  118. expectGrants := []*s3.Grant{
  119. {
  120. Grantee: &s3.Grantee{
  121. Type: &s3_constants.GrantTypeGroup,
  122. URI: &s3_constants.GranteeGroupAllUsers,
  123. },
  124. Permission: &reqPermission,
  125. },
  126. {
  127. Grantee: &s3.Grantee{
  128. Type: &s3_constants.GrantTypeGroup,
  129. URI: &s3_constants.GranteeGroupAllUsers,
  130. },
  131. Permission: &s3_constants.PermissionFullControl,
  132. },
  133. {
  134. Grantee: &s3.Grantee{
  135. Type: &s3_constants.GrantTypeCanonicalUser,
  136. ID: &accountId,
  137. },
  138. Permission: &reqPermission,
  139. },
  140. {
  141. Grantee: &s3.Grantee{
  142. Type: &s3_constants.GrantTypeCanonicalUser,
  143. ID: &accountId,
  144. },
  145. Permission: &s3_constants.PermissionFullControl,
  146. },
  147. {
  148. Grantee: &s3.Grantee{
  149. Type: &s3_constants.GrantTypeGroup,
  150. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  151. },
  152. Permission: &reqPermission,
  153. },
  154. {
  155. Grantee: &s3.Grantee{
  156. Type: &s3_constants.GrantTypeGroup,
  157. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  158. },
  159. Permission: &s3_constants.PermissionFullControl,
  160. },
  161. }
  162. if !grantsEquals(resultGrants, expectGrants) {
  163. t.Fatalf("grants not expect")
  164. }
  165. }
  166. }
  168. func TestAssembleEntryWithAcp(t *testing.T) {
  169. defaultOwner := "admin"
  171. //case1
  172. //assemble with non-empty grants
  173. expectOwner := "accountS"
  174. expectGrants := []*s3.Grant{
  175. {
  176. Permission: &s3_constants.PermissionRead,
  177. Grantee: &s3.Grantee{
  178. Type: &s3_constants.GrantTypeGroup,
  179. ID: &s3account.AccountAdmin.Id,
  180. URI: &s3_constants.GranteeGroupAllUsers,
  181. },
  182. },
  183. }
  184. entry := &filer_pb.Entry{}
  185. AssembleEntryWithAcp(entry, expectOwner, expectGrants)
  187. resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
  188. if resultOwner != expectOwner {
  189. t.Fatalf("owner not expect")
  190. }
  192. resultGrants := GetAcpGrants(nil, entry.Extended)
  193. if !grantsEquals(resultGrants, expectGrants) {
  194. t.Fatal("grants not expect")
  195. }
  197. //case2
  198. //assemble with empty grants (override)
  199. AssembleEntryWithAcp(entry, "", nil)
  200. resultOwner = GetAcpOwner(entry.Extended, defaultOwner)
  201. if resultOwner != defaultOwner {
  202. t.Fatalf("owner not expect")
  203. }
  205. resultGrants = GetAcpGrants(nil, entry.Extended)
  206. if len(resultGrants) != 0 {
  207. t.Fatal("grants not expect")
  208. }
  210. }
  212. func TestGrantEquals(t *testing.T) {
  213. testCases := map[bool]bool{
  214. GrantEquals(nil, nil): true,
  216. GrantEquals(&s3.Grant{}, nil): false,
  218. GrantEquals(&s3.Grant{}, &s3.Grant{}): true,
  220. GrantEquals(&s3.Grant{
  221. Permission: &s3_constants.PermissionRead,
  222. }, &s3.Grant{}): false,
  224. GrantEquals(&s3.Grant{
  225. Permission: &s3_constants.PermissionRead,
  226. }, &s3.Grant{
  227. Permission: &s3_constants.PermissionRead,
  228. }): true,
  230. GrantEquals(&s3.Grant{
  231. Permission: &s3_constants.PermissionRead,
  232. Grantee: &s3.Grantee{},
  233. }, &s3.Grant{
  234. Permission: &s3_constants.PermissionRead,
  235. Grantee: &s3.Grantee{},
  236. }): true,
  238. GrantEquals(&s3.Grant{
  239. Permission: &s3_constants.PermissionRead,
  240. Grantee: &s3.Grantee{
  241. Type: &s3_constants.GrantTypeGroup,
  242. },
  243. }, &s3.Grant{
  244. Permission: &s3_constants.PermissionRead,
  245. Grantee: &s3.Grantee{},
  246. }): false,
  248. //type not present, compare other fields of grant is meaningless
  249. GrantEquals(&s3.Grant{
  250. Permission: &s3_constants.PermissionRead,
  251. Grantee: &s3.Grantee{
  252. ID: &s3account.AccountAdmin.Id,
  253. EmailAddress: &s3account.AccountAdmin.EmailAddress,
  254. },
  255. }, &s3.Grant{
  256. Permission: &s3_constants.PermissionRead,
  257. Grantee: &s3.Grantee{
  258. ID: &s3account.AccountAdmin.Id,
  259. },
  260. }): true,
  262. GrantEquals(&s3.Grant{
  263. Permission: &s3_constants.PermissionRead,
  264. Grantee: &s3.Grantee{
  265. Type: &s3_constants.GrantTypeGroup,
  266. },
  267. }, &s3.Grant{
  268. Permission: &s3_constants.PermissionRead,
  269. Grantee: &s3.Grantee{
  270. Type: &s3_constants.GrantTypeGroup,
  271. },
  272. }): true,
  274. GrantEquals(&s3.Grant{
  275. Permission: &s3_constants.PermissionRead,
  276. Grantee: &s3.Grantee{
  277. Type: &s3_constants.GrantTypeGroup,
  278. URI: &s3_constants.GranteeGroupAllUsers,
  279. },
  280. }, &s3.Grant{
  281. Permission: &s3_constants.PermissionRead,
  282. Grantee: &s3.Grantee{
  283. Type: &s3_constants.GrantTypeGroup,
  284. URI: &s3_constants.GranteeGroupAllUsers,
  285. },
  286. }): true,
  288. GrantEquals(&s3.Grant{
  289. Permission: &s3_constants.PermissionWrite,
  290. Grantee: &s3.Grantee{
  291. Type: &s3_constants.GrantTypeGroup,
  292. URI: &s3_constants.GranteeGroupAllUsers,
  293. },
  294. }, &s3.Grant{
  295. Permission: &s3_constants.PermissionRead,
  296. Grantee: &s3.Grantee{
  297. Type: &s3_constants.GrantTypeGroup,
  298. URI: &s3_constants.GranteeGroupAllUsers,
  299. },
  300. }): false,
  302. GrantEquals(&s3.Grant{
  303. Permission: &s3_constants.PermissionRead,
  304. Grantee: &s3.Grantee{
  305. Type: &s3_constants.GrantTypeGroup,
  306. ID: &s3account.AccountAdmin.Id,
  307. },
  308. }, &s3.Grant{
  309. Permission: &s3_constants.PermissionRead,
  310. Grantee: &s3.Grantee{
  311. Type: &s3_constants.GrantTypeGroup,
  312. ID: &s3account.AccountAdmin.Id,
  313. },
  314. }): true,
  316. GrantEquals(&s3.Grant{
  317. Permission: &s3_constants.PermissionRead,
  318. Grantee: &s3.Grantee{
  319. Type: &s3_constants.GrantTypeGroup,
  320. ID: &s3account.AccountAdmin.Id,
  321. URI: &s3_constants.GranteeGroupAllUsers,
  322. },
  323. }, &s3.Grant{
  324. Permission: &s3_constants.PermissionRead,
  325. Grantee: &s3.Grantee{
  326. Type: &s3_constants.GrantTypeGroup,
  327. ID: &s3account.AccountAdmin.Id,
  328. },
  329. }): false,
  331. GrantEquals(&s3.Grant{
  332. Permission: &s3_constants.PermissionRead,
  333. Grantee: &s3.Grantee{
  334. Type: &s3_constants.GrantTypeGroup,
  335. ID: &s3account.AccountAdmin.Id,
  336. URI: &s3_constants.GranteeGroupAllUsers,
  337. },
  338. }, &s3.Grant{
  339. Permission: &s3_constants.PermissionRead,
  340. Grantee: &s3.Grantee{
  341. Type: &s3_constants.GrantTypeGroup,
  342. URI: &s3_constants.GranteeGroupAllUsers,
  343. },
  344. }): true,
  345. }
  347. for tc, expect := range testCases {
  348. if tc != expect {
  349. t.Fatal("TestGrantEquals not expect!")
  350. }
  351. }
  352. }
  354. func TestSetAcpOwnerHeader(t *testing.T) {
  355. ownerId := "accountZ"
  356. req := &http.Request{
  357. Header: make(map[string][]string),
  358. }
  359. SetAcpOwnerHeader(req, ownerId)
  361. if req.Header.Get(s3_constants.ExtAmzOwnerKey) != ownerId {
  362. t.Fatalf("owner unexpect")
  363. }
  364. }
  366. func TestSetAcpGrantsHeader(t *testing.T) {
  367. req := &http.Request{
  368. Header: make(map[string][]string),
  369. }
  370. grants := []*s3.Grant{
  371. {
  372. Permission: &s3_constants.PermissionRead,
  373. Grantee: &s3.Grantee{
  374. Type: &s3_constants.GrantTypeGroup,
  375. ID: &s3account.AccountAdmin.Id,
  376. URI: &s3_constants.GranteeGroupAllUsers,
  377. },
  378. },
  379. }
  380. SetAcpGrantsHeader(req, grants)
  382. grantsJson, _ := json.Marshal(grants)
  383. if req.Header.Get(s3_constants.ExtAmzAclKey) != string(grantsJson) {
  384. t.Fatalf("owner unexpect")
  385. }
  386. }
  388. func TestGrantWithFullControl(t *testing.T) {
  389. accountId := "Accountaskdfj"
  390. expect := &s3.Grant{
  391. Permission: &s3_constants.PermissionFullControl,
  392. Grantee: &s3.Grantee{
  393. Type: &s3_constants.GrantTypeCanonicalUser,
  394. ID: &accountId,
  395. },
  396. }
  398. result := GrantWithFullControl(accountId)
  400. if !GrantEquals(result, expect) {
  401. t.Fatal("GrantWithFullControl not expect")
  402. }
  403. }
  405. func TestExtractObjectAcl(t *testing.T) {
  406. type Case struct {
  407. id string
  408. resultErrCode, expectErrCode s3err.ErrorCode
  409. resultGrants, expectGrants []*s3.Grant
  410. resultOwnerId, expectOwnerId string
  411. }
  412. testCases := make([]*Case, 0)
  413. accountAdminId := "admin"
  415. //Request body to specify AccessControlList
  416. {
  417. //ownership: ObjectWriter
  418. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  419. req := &http.Request{
  420. Header: make(map[string][]string),
  421. }
  422. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  423. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  424. <Owner>
  425. <ID>admin</ID>
  426. <DisplayName>admin</DisplayName>
  427. </Owner>
  428. <AccessControlList>
  429. <Grant>
  430. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  431. <ID>admin</ID>
  432. </Grantee>
  433. <Permission>FULL_CONTROL</Permission>
  434. </Grant>
  435. <Grant>
  436. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  437. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  438. </Grantee>
  439. <Permission>FULL_CONTROL</Permission>
  440. </Grant>
  441. </AccessControlList>
  442. </AccessControlPolicy>
  443. `)))
  444. requestAccountId := "accountA"
  445. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  446. testCases = append(testCases, &Case{
  447. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  448. errCode, s3err.ErrNone,
  449. grants, []*s3.Grant{
  450. {
  451. Grantee: &s3.Grantee{
  452. Type: &s3_constants.GrantTypeCanonicalUser,
  453. ID: &accountAdminId,
  454. },
  455. Permission: &s3_constants.PermissionFullControl,
  456. },
  457. {
  458. Grantee: &s3.Grantee{
  459. Type: &s3_constants.GrantTypeGroup,
  460. URI: &s3_constants.GranteeGroupAllUsers,
  461. },
  462. Permission: &s3_constants.PermissionFullControl,
  463. },
  464. },
  465. ownerId, accountAdminId,
  466. })
  467. }
  468. {
  469. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  470. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  471. req := &http.Request{
  472. Header: make(map[string][]string),
  473. }
  474. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  475. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  476. <Owner>
  477. <ID>admin</ID>
  478. <DisplayName>admin</DisplayName>
  479. </Owner>
  480. <AccessControlList>
  481. <Grant>
  482. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  483. <ID>admin</ID>
  484. </Grantee>
  485. <Permission>FULL_CONTROL</Permission>
  486. </Grant>
  487. <Grant>
  488. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  489. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  490. </Grantee>
  491. <Permission>FULL_CONTROL</Permission>
  492. </Grant>
  493. </AccessControlList>
  494. </AccessControlPolicy>
  495. `)))
  496. requestAccountId := "accountA"
  497. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  498. testCases = append(testCases, &Case{
  499. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  500. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  501. })
  502. }
  503. {
  504. //ownership: ObjectWriter
  505. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  506. req := &http.Request{
  507. Header: make(map[string][]string),
  508. }
  509. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  510. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  511. <Owner>
  512. <ID>admin</ID>
  513. <DisplayName>admin</DisplayName>
  514. </Owner>
  515. <AccessControlList>
  516. <Grant>
  517. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  518. <ID>admin</ID>
  519. </Grantee>
  520. <Permission>FULL_CONTROL</Permission>
  521. </Grant>
  522. <Grant>
  523. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  524. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  525. </Grantee>
  526. <Permission>FULL_CONTROL</Permission>
  527. </Grant>
  528. </AccessControlList>
  529. </AccessControlPolicy>
  530. `)))
  531. requestAccountId := "accountA"
  532. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  533. testCases = append(testCases, &Case{
  534. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  535. errCode, s3err.ErrNone,
  536. grants, []*s3.Grant{},
  537. ownerId, "",
  538. })
  539. }
  540. {
  541. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  542. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  543. req := &http.Request{
  544. Header: make(map[string][]string),
  545. }
  546. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  547. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  548. <Owner>
  549. <ID>admin</ID>
  550. <DisplayName>admin</DisplayName>
  551. </Owner>
  552. <AccessControlList>
  553. <Grant>
  554. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  555. <ID>admin</ID>
  556. </Grantee>
  557. <Permission>FULL_CONTROL</Permission>
  558. </Grant>
  559. <Grant>
  560. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  561. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  562. </Grantee>
  563. <Permission>FULL_CONTROL</Permission>
  564. </Grant>
  565. </AccessControlList>
  566. </AccessControlPolicy>
  567. `)))
  568. requestAccountId := "accountA"
  569. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  570. testCases = append(testCases, &Case{
  571. "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  572. errCode, s3err.ErrNone,
  573. grants, []*s3.Grant{},
  574. ownerId, "",
  575. })
  576. }
  578. //CannedAcl Header to specify ACL
  579. //cannedAcl, putObjectACL
  580. {
  581. //ownership: ObjectWriter
  582. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  583. req := &http.Request{
  584. Header: make(map[string][]string),
  585. }
  586. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  587. bucketOwnerId := "admin"
  588. requestAccountId := "accountA"
  589. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  590. testCases = append(testCases, &Case{
  591. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  592. errCode, s3err.ErrNone,
  593. grants, []*s3.Grant{
  594. {
  595. Grantee: &s3.Grantee{
  596. Type: &s3_constants.GrantTypeCanonicalUser,
  597. ID: &requestAccountId,
  598. },
  599. Permission: &s3_constants.PermissionFullControl,
  600. },
  601. {
  602. Grantee: &s3.Grantee{
  603. Type: &s3_constants.GrantTypeCanonicalUser,
  604. ID: &bucketOwnerId,
  605. },
  606. Permission: &s3_constants.PermissionFullControl,
  607. },
  608. },
  609. ownerId, "",
  610. })
  611. }
  612. {
  613. //ownership: BucketOwnerPreferred
  614. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  615. req := &http.Request{
  616. Header: make(map[string][]string),
  617. }
  618. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  619. bucketOwnerId := "admin"
  620. requestAccountId := "accountA"
  621. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  622. testCases = append(testCases, &Case{
  623. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  624. errCode, s3err.ErrNone,
  625. grants, []*s3.Grant{
  626. {
  627. Grantee: &s3.Grantee{
  628. Type: &s3_constants.GrantTypeCanonicalUser,
  629. ID: &requestAccountId,
  630. },
  631. Permission: &s3_constants.PermissionFullControl,
  632. },
  633. {
  634. Grantee: &s3.Grantee{
  635. Type: &s3_constants.GrantTypeCanonicalUser,
  636. ID: &bucketOwnerId,
  637. },
  638. Permission: &s3_constants.PermissionFullControl,
  639. },
  640. },
  641. ownerId, "",
  642. })
  643. }
  644. {
  645. //ownership: BucketOwnerEnforced
  646. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  647. req := &http.Request{
  648. Header: make(map[string][]string),
  649. }
  650. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  651. bucketOwnerId := "admin"
  652. requestAccountId := "accountA"
  653. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  654. testCases = append(testCases, &Case{
  655. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  656. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  657. })
  658. }
  659. //cannedACL, putObject
  660. {
  661. //ownership: ObjectWriter
  662. //s3:PutObject('createObject' is set to true), parse cannedACL header
  663. req := &http.Request{
  664. Header: make(map[string][]string),
  665. }
  666. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  667. bucketOwnerId := "admin"
  668. requestAccountId := "accountA"
  669. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  670. testCases = append(testCases, &Case{
  671. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-CannedAcl",
  672. errCode, s3err.ErrNone,
  673. grants, []*s3.Grant{
  674. {
  675. Grantee: &s3.Grantee{
  676. Type: &s3_constants.GrantTypeCanonicalUser,
  677. ID: &requestAccountId,
  678. },
  679. Permission: &s3_constants.PermissionFullControl,
  680. },
  681. {
  682. Grantee: &s3.Grantee{
  683. Type: &s3_constants.GrantTypeCanonicalUser,
  684. ID: &bucketOwnerId,
  685. },
  686. Permission: &s3_constants.PermissionFullControl,
  687. },
  688. },
  689. ownerId, "",
  690. })
  691. }
  692. {
  693. //ownership: BucketOwnerPreferred
  694. //s3:PutObject('createObject' is set to true), parse cannedACL header
  695. req := &http.Request{
  696. Header: make(map[string][]string),
  697. }
  698. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  699. bucketOwnerId := "admin"
  700. requestAccountId := "accountA"
  701. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  702. testCases = append(testCases, &Case{
  703. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  704. errCode, s3err.ErrNone,
  705. grants, []*s3.Grant{
  706. {
  707. Grantee: &s3.Grantee{
  708. Type: &s3_constants.GrantTypeCanonicalUser,
  709. ID: &bucketOwnerId,
  710. },
  711. Permission: &s3_constants.PermissionFullControl,
  712. },
  713. },
  714. ownerId, "",
  715. })
  716. }
  717. {
  718. //ownership: BucketOwnerEnforced
  719. //s3:PutObject('createObject' is set to true), parse cannedACL header
  720. req := &http.Request{
  721. Header: make(map[string][]string),
  722. }
  723. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  724. bucketOwnerId := "admin"
  725. requestAccountId := "accountA"
  726. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  727. testCases = append(testCases, &Case{
  728. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  729. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  730. })
  731. }
  733. //cannedAcl, putObjectACL
  734. {
  735. //ownership: ObjectWriter
  736. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  737. req := &http.Request{
  738. Header: make(map[string][]string),
  739. }
  740. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  741. bucketOwnerId := "admin"
  742. requestAccountId := "accountA"
  743. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  744. testCases = append(testCases, &Case{
  745. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  746. errCode, s3err.ErrNone,
  747. grants, []*s3.Grant{
  748. {
  749. Grantee: &s3.Grantee{
  750. Type: &s3_constants.GrantTypeCanonicalUser,
  751. ID: &requestAccountId,
  752. },
  753. Permission: &s3_constants.PermissionFullControl,
  754. },
  755. {
  756. Grantee: &s3.Grantee{
  757. Type: &s3_constants.GrantTypeCanonicalUser,
  758. ID: &bucketOwnerId,
  759. },
  760. Permission: &s3_constants.PermissionFullControl,
  761. },
  762. },
  763. ownerId, "",
  764. })
  765. }
  766. {
  767. //ownership: BucketOwnerPreferred
  768. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  769. req := &http.Request{
  770. Header: make(map[string][]string),
  771. }
  772. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  773. bucketOwnerId := "admin"
  774. requestAccountId := "accountA"
  775. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  776. testCases = append(testCases, &Case{
  777. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  778. errCode, s3err.ErrNone,
  779. grants, []*s3.Grant{
  780. {
  781. Grantee: &s3.Grantee{
  782. Type: &s3_constants.GrantTypeCanonicalUser,
  783. ID: &requestAccountId,
  784. },
  785. Permission: &s3_constants.PermissionFullControl,
  786. },
  787. {
  788. Grantee: &s3.Grantee{
  789. Type: &s3_constants.GrantTypeCanonicalUser,
  790. ID: &bucketOwnerId,
  791. },
  792. Permission: &s3_constants.PermissionFullControl,
  793. },
  794. },
  795. ownerId, "",
  796. })
  797. }
  798. {
  799. //ownership: BucketOwnerEnforced
  800. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  801. req := &http.Request{
  802. Header: make(map[string][]string),
  803. }
  804. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  805. bucketOwnerId := "admin"
  806. requestAccountId := "accountA"
  807. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  808. testCases = append(testCases, &Case{
  809. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  810. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  811. })
  812. }
  813. //customAcl, putObject
  814. {
  815. //ownership: ObjectWriter
  816. //s3:PutObject('createObject' is set to true), parse customAcl header
  817. req := &http.Request{
  818. Header: make(map[string][]string),
  819. }
  820. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  821. bucketOwnerId := "admin"
  822. requestAccountId := "accountA"
  823. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  824. testCases = append(testCases, &Case{
  825. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  826. errCode, s3err.ErrNone,
  827. grants, []*s3.Grant{
  828. {
  829. Grantee: &s3.Grantee{
  830. Type: &s3_constants.GrantTypeCanonicalUser,
  831. ID: &requestAccountId,
  832. },
  833. Permission: &s3_constants.PermissionFullControl,
  834. },
  835. {
  836. Grantee: &s3.Grantee{
  837. Type: &s3_constants.GrantTypeCanonicalUser,
  838. ID: &bucketOwnerId,
  839. },
  840. Permission: &s3_constants.PermissionFullControl,
  841. },
  842. },
  843. ownerId, "",
  844. })
  845. }
  846. {
  847. //ownership: BucketOwnerPreferred
  848. //s3:PutObject('createObject' is set to true), parse customAcl header
  849. req := &http.Request{
  850. Header: make(map[string][]string),
  851. }
  852. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  853. bucketOwnerId := "admin"
  854. requestAccountId := "accountA"
  855. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  856. testCases = append(testCases, &Case{
  857. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  858. errCode, s3err.ErrNone,
  859. grants, []*s3.Grant{
  860. {
  861. Grantee: &s3.Grantee{
  862. Type: &s3_constants.GrantTypeCanonicalUser,
  863. ID: &bucketOwnerId,
  864. },
  865. Permission: &s3_constants.PermissionFullControl,
  866. },
  867. },
  868. ownerId, "",
  869. })
  870. }
  871. {
  872. //ownership: BucketOwnerEnforced
  873. //s3:PutObject('createObject' is set to true), parse customAcl header
  874. req := &http.Request{
  875. Header: make(map[string][]string),
  876. }
  877. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  878. bucketOwnerId := "admin"
  879. requestAccountId := "accountA"
  880. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  881. testCases = append(testCases, &Case{
  882. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  883. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  884. })
  885. }
  887. {
  888. //parse acp from request header: both canned acl and custom acl not allowed
  889. req := &http.Request{
  890. Header: make(map[string][]string),
  891. }
  892. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  893. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  894. bucketOwnerId := "admin"
  895. requestAccountId := "accountA"
  896. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  897. testCases = append(testCases, &Case{
  898. id: "Only one of cannedAcl, customAcl is allowed",
  899. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  900. })
  901. }
  903. {
  904. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  905. req := &http.Request{
  906. Header: make(map[string][]string),
  907. }
  908. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  909. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  910. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  911. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  912. <Owner>
  913. <ID>admin</ID>
  914. <DisplayName>admin</DisplayName>
  915. </Owner>
  916. <AccessControlList>
  917. <Grant>
  918. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  919. <ID>admin</ID>
  920. </Grantee>
  921. <Permission>FULL_CONTROL</Permission>
  922. </Grant>
  923. <Grant>
  924. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  925. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  926. </Grantee>
  927. <Permission>FULL_CONTROL</Permission>
  928. </Grant>
  929. </AccessControlList>
  930. </AccessControlPolicy>
  931. `)))
  932. requestAccountId := "accountA"
  933. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  934. testCases = append(testCases, &Case{
  935. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  936. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  937. })
  938. }
  939. for _, tc := range testCases {
  940. if tc.resultErrCode != tc.expectErrCode {
  941. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  942. }
  943. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  944. t.Fatalf("case[%s]: grants not expect", tc.id)
  945. }
  946. }
  947. }
  949. func TestBucketObjectAcl(t *testing.T) {
  950. type Case struct {
  951. id string
  952. resultErrCode, expectErrCode s3err.ErrorCode
  953. resultGrants, expectGrants []*s3.Grant
  954. }
  955. testCases := make([]*Case, 0)
  956. accountAdminId := "admin"
  958. //Request body to specify AccessControlList
  959. {
  960. //ownership: ObjectWriter
  961. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  962. req := &http.Request{
  963. Header: make(map[string][]string),
  964. }
  965. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  966. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  967. <Owner>
  968. <ID>admin</ID>
  969. <DisplayName>admin</DisplayName>
  970. </Owner>
  971. <AccessControlList>
  972. <Grant>
  973. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  974. <ID>admin</ID>
  975. </Grantee>
  976. <Permission>FULL_CONTROL</Permission>
  977. </Grant>
  978. <Grant>
  979. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  980. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  981. </Grantee>
  982. <Permission>FULL_CONTROL</Permission>
  983. </Grant>
  984. </AccessControlList>
  985. </AccessControlPolicy>
  986. `)))
  987. bucketOwnerId := "admin"
  988. requestAccountId := "accountA"
  989. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  990. testCases = append(testCases, &Case{
  991. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  992. errCode, s3err.ErrNone,
  993. grants, []*s3.Grant{
  994. {
  995. Grantee: &s3.Grantee{
  996. Type: &s3_constants.GrantTypeCanonicalUser,
  997. ID: &accountAdminId,
  998. },
  999. Permission: &s3_constants.PermissionFullControl,
  1000. },
  1001. {
  1002. Grantee: &s3.Grantee{
  1003. Type: &s3_constants.GrantTypeGroup,
  1004. URI: &s3_constants.GranteeGroupAllUsers,
  1005. },
  1006. Permission: &s3_constants.PermissionFullControl,
  1007. },
  1008. },
  1009. })
  1010. }
  1011. {
  1012. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1013. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  1014. req := &http.Request{
  1015. Header: make(map[string][]string),
  1016. }
  1017. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1018. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1019. <Owner>
  1020. <ID>admin</ID>
  1021. <DisplayName>admin</DisplayName>
  1022. </Owner>
  1023. <AccessControlList>
  1024. <Grant>
  1025. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1026. <ID>admin</ID>
  1027. </Grantee>
  1028. <Permission>FULL_CONTROL</Permission>
  1029. </Grant>
  1030. <Grant>
  1031. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1032. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1033. </Grantee>
  1034. <Permission>FULL_CONTROL</Permission>
  1035. </Grant>
  1036. </AccessControlList>
  1037. </AccessControlPolicy>
  1038. `)))
  1039. requestAccountId := "accountA"
  1040. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  1041. testCases = append(testCases, &Case{
  1042. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  1043. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1044. })
  1045. }
  1046. {
  1047. //ownership: ObjectWriter
  1048. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  1049. req := &http.Request{
  1050. Header: make(map[string][]string),
  1051. }
  1052. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1053. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1054. <Owner>
  1055. <ID>admin</ID>
  1056. <DisplayName>admin</DisplayName>
  1057. </Owner>
  1058. <AccessControlList>
  1059. <Grant>
  1060. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1061. <ID>admin</ID>
  1062. </Grantee>
  1063. <Permission>FULL_CONTROL</Permission>
  1064. </Grant>
  1065. <Grant>
  1066. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1067. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1068. </Grantee>
  1069. <Permission>FULL_CONTROL</Permission>
  1070. </Grant>
  1071. </AccessControlList>
  1072. </AccessControlPolicy>
  1073. `)))
  1074. requestAccountId := "accountA"
  1075. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  1076. testCases = append(testCases, &Case{
  1077. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  1078. errCode, s3err.ErrNone,
  1079. grants, []*s3.Grant{},
  1080. })
  1081. }
  1082. {
  1083. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1084. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  1085. req := &http.Request{
  1086. Header: make(map[string][]string),
  1087. }
  1088. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1089. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1090. <Owner>
  1091. <ID>admin</ID>
  1092. <DisplayName>admin</DisplayName>
  1093. </Owner>
  1094. <AccessControlList>
  1095. <Grant>
  1096. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1097. <ID>admin</ID>
  1098. </Grantee>
  1099. <Permission>FULL_CONTROL</Permission>
  1100. </Grant>
  1101. <Grant>
  1102. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1103. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1104. </Grantee>
  1105. <Permission>FULL_CONTROL</Permission>
  1106. </Grant>
  1107. </AccessControlList>
  1108. </AccessControlPolicy>
  1109. `)))
  1110. requestAccountId := "accountA"
  1111. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  1112. testCases = append(testCases, &Case{
  1113. "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  1114. errCode, s3err.ErrNone,
  1115. grants, []*s3.Grant{},
  1116. })
  1117. }
  1119. //CannedAcl Header to specify ACL
  1120. //cannedAcl, PutBucketAcl
  1121. {
  1122. //ownership: ObjectWriter
  1123. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1124. req := &http.Request{
  1125. Header: make(map[string][]string),
  1126. }
  1127. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1128. bucketOwnerId := "admin"
  1129. requestAccountId := "accountA"
  1130. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1131. testCases = append(testCases, &Case{
  1132. id: "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  1133. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1134. })
  1135. }
  1136. {
  1137. //ownership: BucketOwnerPreferred
  1138. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1139. req := &http.Request{
  1140. Header: make(map[string][]string),
  1141. }
  1142. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1143. bucketOwnerId := "admin"
  1144. requestAccountId := "accountA"
  1145. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1146. testCases = append(testCases, &Case{
  1147. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  1148. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1149. })
  1150. }
  1151. {
  1152. //ownership: BucketOwnerEnforced
  1153. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1154. req := &http.Request{
  1155. Header: make(map[string][]string),
  1156. }
  1157. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1158. bucketOwnerId := "admin"
  1159. requestAccountId := "accountA"
  1160. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1161. testCases = append(testCases, &Case{
  1162. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  1163. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1164. })
  1165. }
  1166. //cannedACL, createBucket
  1167. {
  1168. //ownership: ObjectWriter
  1169. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1170. req := &http.Request{
  1171. Header: make(map[string][]string),
  1172. }
  1173. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1174. bucketOwnerId := "admin"
  1175. requestAccountId := "accountA"
  1176. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1177. testCases = append(testCases, &Case{
  1178. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1179. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1180. })
  1181. }
  1182. {
  1183. //ownership: BucketOwnerPreferred
  1184. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1185. req := &http.Request{
  1186. Header: make(map[string][]string),
  1187. }
  1188. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1189. bucketOwnerId := "admin"
  1190. requestAccountId := "accountA"
  1191. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1192. testCases = append(testCases, &Case{
  1193. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  1194. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1195. })
  1196. }
  1197. {
  1198. //ownership: BucketOwnerEnforced
  1199. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1200. req := &http.Request{
  1201. Header: make(map[string][]string),
  1202. }
  1203. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1204. bucketOwnerId := "admin"
  1205. requestAccountId := "accountA"
  1206. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1207. testCases = append(testCases, &Case{
  1208. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1209. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1210. })
  1211. }
  1213. //customAcl, PutBucketAcl
  1214. {
  1215. //ownership: ObjectWriter
  1216. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1217. req := &http.Request{
  1218. Header: make(map[string][]string),
  1219. }
  1220. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1221. bucketOwnerId := "admin"
  1222. requestAccountId := "accountA"
  1223. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1224. testCases = append(testCases, &Case{
  1225. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  1226. errCode, s3err.ErrNone,
  1227. grants, []*s3.Grant{
  1228. {
  1229. Grantee: &s3.Grantee{
  1230. Type: &s3_constants.GrantTypeCanonicalUser,
  1231. ID: &requestAccountId,
  1232. },
  1233. Permission: &s3_constants.PermissionFullControl,
  1234. },
  1235. {
  1236. Grantee: &s3.Grantee{
  1237. Type: &s3_constants.GrantTypeCanonicalUser,
  1238. ID: &bucketOwnerId,
  1239. },
  1240. Permission: &s3_constants.PermissionFullControl,
  1241. },
  1242. },
  1243. })
  1244. }
  1245. {
  1246. //ownership: BucketOwnerPreferred
  1247. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1248. req := &http.Request{
  1249. Header: make(map[string][]string),
  1250. }
  1251. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1252. bucketOwnerId := "admin"
  1253. requestAccountId := "accountA"
  1254. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1255. testCases = append(testCases, &Case{
  1256. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  1257. errCode, s3err.ErrNone,
  1258. grants, []*s3.Grant{
  1259. {
  1260. Grantee: &s3.Grantee{
  1261. Type: &s3_constants.GrantTypeCanonicalUser,
  1262. ID: &requestAccountId,
  1263. },
  1264. Permission: &s3_constants.PermissionFullControl,
  1265. },
  1266. {
  1267. Grantee: &s3.Grantee{
  1268. Type: &s3_constants.GrantTypeCanonicalUser,
  1269. ID: &bucketOwnerId,
  1270. },
  1271. Permission: &s3_constants.PermissionFullControl,
  1272. },
  1273. },
  1274. })
  1275. }
  1276. {
  1277. //ownership: BucketOwnerEnforced
  1278. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1279. req := &http.Request{
  1280. Header: make(map[string][]string),
  1281. }
  1282. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1283. bucketOwnerId := "admin"
  1284. requestAccountId := "accountA"
  1285. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1286. testCases = append(testCases, &Case{
  1287. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  1288. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1289. })
  1290. }
  1291. //customAcl, putObject
  1292. {
  1293. //ownership: ObjectWriter
  1294. //s3:PutObject('createObject' is set to true), parse customAcl header
  1295. req := &http.Request{
  1296. Header: make(map[string][]string),
  1297. }
  1298. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1299. bucketOwnerId := "admin"
  1300. requestAccountId := "accountA"
  1301. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1302. testCases = append(testCases, &Case{
  1303. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  1304. errCode, s3err.ErrNone,
  1305. grants, []*s3.Grant{
  1306. {
  1307. Grantee: &s3.Grantee{
  1308. Type: &s3_constants.GrantTypeCanonicalUser,
  1309. ID: &requestAccountId,
  1310. },
  1311. Permission: &s3_constants.PermissionFullControl,
  1312. },
  1313. {
  1314. Grantee: &s3.Grantee{
  1315. Type: &s3_constants.GrantTypeCanonicalUser,
  1316. ID: &bucketOwnerId,
  1317. },
  1318. Permission: &s3_constants.PermissionFullControl,
  1319. },
  1320. },
  1321. })
  1322. }
  1323. {
  1324. //ownership: BucketOwnerPreferred
  1325. //s3:PutObject('createObject' is set to true), parse customAcl header
  1326. req := &http.Request{
  1327. Header: make(map[string][]string),
  1328. }
  1329. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  1330. bucketOwnerId := "admin"
  1331. requestAccountId := "accountA"
  1332. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1333. testCases = append(testCases, &Case{
  1334. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  1335. errCode, s3err.ErrNone,
  1336. grants, []*s3.Grant{
  1337. {
  1338. Grantee: &s3.Grantee{
  1339. Type: &s3_constants.GrantTypeCanonicalUser,
  1340. ID: &bucketOwnerId,
  1341. },
  1342. Permission: &s3_constants.PermissionFullControl,
  1343. },
  1344. },
  1345. })
  1346. }
  1347. {
  1348. //ownership: BucketOwnerEnforced
  1349. //s3:PutObject('createObject' is set to true), parse customAcl header
  1350. req := &http.Request{
  1351. Header: make(map[string][]string),
  1352. }
  1353. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1354. bucketOwnerId := "admin"
  1355. requestAccountId := "accountA"
  1356. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1357. testCases = append(testCases, &Case{
  1358. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  1359. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1360. })
  1361. }
  1363. {
  1364. //parse acp from request header: both canned acl and custom acl not allowed
  1365. req := &http.Request{
  1366. Header: make(map[string][]string),
  1367. }
  1368. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1369. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1370. bucketOwnerId := "admin"
  1371. requestAccountId := "accountA"
  1372. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1373. testCases = append(testCases, &Case{
  1374. id: "Only one of cannedAcl, customAcl is allowed",
  1375. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  1376. })
  1377. }
  1379. {
  1380. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  1381. req := &http.Request{
  1382. Header: make(map[string][]string),
  1383. }
  1384. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1385. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1386. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1387. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1388. <Owner>
  1389. <ID>admin</ID>
  1390. <DisplayName>admin</DisplayName>
  1391. </Owner>
  1392. <AccessControlList>
  1393. <Grant>
  1394. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1395. <ID>admin</ID>
  1396. </Grantee>
  1397. <Permission>FULL_CONTROL</Permission>
  1398. </Grant>
  1399. <Grant>
  1400. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1401. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1402. </Grantee>
  1403. <Permission>FULL_CONTROL</Permission>
  1404. </Grant>
  1405. </AccessControlList>
  1406. </AccessControlPolicy>
  1407. `)))
  1408. requestAccountId := "accountA"
  1409. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  1410. testCases = append(testCases, &Case{
  1411. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  1412. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  1413. })
  1414. }
  1415. for _, tc := range testCases {
  1416. if tc.resultErrCode != tc.expectErrCode {
  1417. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  1418. }
  1419. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  1420. t.Fatalf("case[%s]: grants not expect", tc.id)
  1421. }
  1422. }
  1423. }
  1425. func TestMarshalGrantsToJson(t *testing.T) {
  1426. //ok
  1427. bucketOwnerId := "admin"
  1428. requestAccountId := "accountA"
  1429. grants := []*s3.Grant{
  1430. {
  1431. Grantee: &s3.Grantee{
  1432. Type: &s3_constants.GrantTypeCanonicalUser,
  1433. ID: &requestAccountId,
  1434. },
  1435. Permission: &s3_constants.PermissionFullControl,
  1436. },
  1437. {
  1438. Grantee: &s3.Grantee{
  1439. Type: &s3_constants.GrantTypeCanonicalUser,
  1440. ID: &bucketOwnerId,
  1441. },
  1442. Permission: &s3_constants.PermissionFullControl,
  1443. },
  1444. }
  1445. result, err := MarshalGrantsToJson(grants)
  1446. if err != nil {
  1447. t.Error(err)
  1448. }
  1450. var grants2 []*s3.Grant
  1451. err = json.Unmarshal(result, &grants2)
  1452. if err != nil {
  1453. t.Error(err)
  1454. }
  1456. print(string(result))
  1457. if !grantsEquals(grants, grants2) {
  1458. t.Fatal("grants not equal", grants, grants2)
  1459. }
  1461. //ok
  1462. result, err = MarshalGrantsToJson(nil)
  1463. if result != nil && err != nil {
  1464. t.Fatal("error: result, err = MarshalGrantsToJson(nil)")
  1465. }
  1466. }