Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8867 Commits
32 Branches
297 Tags
164 MiB
Tree: 1cdbc8beb5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1cdbc8beb5'
${ noResults }
seaweedfs/weed/s3api/auth_credentials_test.go

222 lines
4.9 KiB
Raw Normal View History

support acl
5 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
add ownership rest apis (#3765)
2 years ago
support acl
5 years ago
also migrate jsonpb
2 years ago
support acl
5 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
configuration stores the identity list
5 years ago
support acl
5 years ago
fix tests
2 years ago
support acl
5 years ago
fix tests
2 years ago
support acl
5 years ago
fix tests
2 years ago
support acl
5 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
fix auth permission checking
3 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
fix auth permission checking
3 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
fix auth permission checking
3 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
fix auth permission checking
3 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
add ownership rest apis (#3765)
2 years ago
https://github.com/chrislusf/seaweedfs/issues/2583
3 years ago
add ownership rest apis (#3765)
2 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
  1. package s3api
  3. import (
  4. . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  5. "github.com/stretchr/testify/assert"
  6. "reflect"
  7. "testing"
  9. jsonpb "google.golang.org/protobuf/encoding/protojson"
  11. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  12. )
  14. func TestIdentityListFileFormat(t *testing.T) {
  16. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  18. identity1 := &iam_pb.Identity{
  19. Name: "some_name",
  20. Credentials: []*iam_pb.Credential{
  21. {
  22. AccessKey: "some_access_key1",
  23. SecretKey: "some_secret_key2",
  24. },
  25. },
  26. Actions: []string{
  27. ACTION_ADMIN,
  28. ACTION_READ,
  29. ACTION_WRITE,
  30. },
  31. }
  32. identity2 := &iam_pb.Identity{
  33. Name: "some_read_only_user",
  34. Credentials: []*iam_pb.Credential{
  35. {
  36. AccessKey: "some_access_key1",
  37. SecretKey: "some_secret_key1",
  38. },
  39. },
  40. Actions: []string{
  41. ACTION_READ,
  42. },
  43. }
  44. identity3 := &iam_pb.Identity{
  45. Name: "some_normal_user",
  46. Credentials: []*iam_pb.Credential{
  47. {
  48. AccessKey: "some_access_key2",
  49. SecretKey: "some_secret_key2",
  50. },
  51. },
  52. Actions: []string{
  53. ACTION_READ,
  54. ACTION_WRITE,
  55. },
  56. }
  58. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
  59. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
  60. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
  62. m := jsonpb.MarshalOptions{
  63. EmitUnpopulated: true,
  64. Indent: " ",
  65. }
  67. text, _ := m.Marshal(s3ApiConfiguration)
  69. println(string(text))
  71. }
  73. func TestCanDo(t *testing.T) {
  74. ident1 := &Identity{
  75. Name: "anything",
  76. Actions: []Action{
  77. "Write:bucket1/a/b/c/*",
  78. "Write:bucket1/a/b/other",
  79. },
  80. }
  81. // object specific
  82. assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  83. assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
  85. // bucket specific
  86. ident2 := &Identity{
  87. Name: "anything",
  88. Actions: []Action{
  89. "Read:bucket1",
  90. "Write:bucket1/*",
  91. },
  92. }
  93. assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  94. assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  95. assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
  97. // across buckets
  98. ident3 := &Identity{
  99. Name: "anything",
  100. Actions: []Action{
  101. "Read",
  102. "Write",
  103. },
  104. }
  105. assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  106. assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  107. assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
  109. // partial buckets
  110. ident4 := &Identity{
  111. Name: "anything",
  112. Actions: []Action{
  113. "Read:special_*",
  114. },
  115. }
  116. assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  117. assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  119. // admin buckets
  120. ident5 := &Identity{
  121. Name: "anything",
  122. Actions: []Action{
  123. "Admin:special_*",
  124. },
  125. }
  126. assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  127. assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
  128. }
  130. type LoadS3ApiConfigurationTestCase struct {
  131. pbIdent *iam_pb.Identity
  132. expectIdent *Identity
  133. }
  135. func TestLoadS3ApiConfiguration(t *testing.T) {
  136. testCases := map[string]*LoadS3ApiConfigurationTestCase{
  137. "notSpecifyAccountId": {
  138. pbIdent: &iam_pb.Identity{
  139. Name: "notSpecifyAccountId",
  140. Actions: []string{
  141. "Read",
  142. "Write",
  143. },
  144. Credentials: []*iam_pb.Credential{
  145. {
  146. AccessKey: "some_access_key1",
  147. SecretKey: "some_secret_key2",
  148. },
  149. },
  150. },
  151. expectIdent: &Identity{
  152. Name: "notSpecifyAccountId",
  153. AccountId: AccountAdmin.Id,
  154. Actions: []Action{
  155. "Read",
  156. "Write",
  157. },
  158. Credentials: []*Credential{
  159. {
  160. AccessKey: "some_access_key1",
  161. SecretKey: "some_secret_key2",
  162. },
  163. },
  164. },
  165. },
  166. "specifiedAccountID": {
  167. pbIdent: &iam_pb.Identity{
  168. Name: "specifiedAccountID",
  169. AccountId: "specifiedAccountID",
  170. Actions: []string{
  171. "Read",
  172. "Write",
  173. },
  174. },
  175. expectIdent: &Identity{
  176. Name: "specifiedAccountID",
  177. AccountId: "specifiedAccountID",
  178. Actions: []Action{
  179. "Read",
  180. "Write",
  181. },
  182. },
  183. },
  184. "anonymous": {
  185. pbIdent: &iam_pb.Identity{
  186. Name: "anonymous",
  187. Actions: []string{
  188. "Read",
  189. "Write",
  190. },
  191. },
  192. expectIdent: &Identity{
  193. Name: "anonymous",
  194. AccountId: "anonymous",
  195. Actions: []Action{
  196. "Read",
  197. "Write",
  198. },
  199. },
  200. },
  201. }
  203. config := &iam_pb.S3ApiConfiguration{
  204. Identities: make([]*iam_pb.Identity, 0),
  205. }
  206. for _, v := range testCases {
  207. config.Identities = append(config.Identities, v.pbIdent)
  208. }
  210. iam := IdentityAccessManagement{}
  211. err := iam.loadS3ApiConfiguration(config)
  212. if err != nil {
  213. return
  214. }
  216. for _, ident := range iam.identities {
  217. tc := testCases[ident.Name]
  218. if !reflect.DeepEqual(ident, tc.expectIdent) {
  219. t.Error("not expect")
  220. }
  221. }
  222. }