Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11008 Commits
32 Branches
301 Tags
175 MiB
Tree: 2637fc0a13
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2637fc0a13'
${ noResults }
seaweedfs/weed/s3api/s3acl/s3api_acl_helper_test.go

1477 lines
47 KiB
Raw Normal View History

acl merge
6 months ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
acl merge
6 months ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
acl merge
6 months ago
add acl helper functionalities (#3831)
2 years ago
acl merge
6 months ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
acl merge
6 months ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
acl merge
6 months ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
validate grants when setting ownership to `OwnershipBucketOwnerEnforced` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
  1. package s3acl
  3. import (
  4. "bytes"
  5. "encoding/json"
  6. "github.com/aws/aws-sdk-go/aws"
  7. "github.com/aws/aws-sdk-go/service/s3"
  8. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  11. "io"
  12. "net/http"
  13. "testing"
  14. )
  16. var accountManager AccountManager
  18. type MockAccountManager struct {
  19. accountNameById map[string]string
  20. accountIdByEmail map[string]string
  21. }
  23. func (a *MockAccountManager) GetAccountNameById(id string) string {
  24. return a.accountNameById[id]
  25. }
  27. func (a *MockAccountManager) GetAccountIdByEmail(email string) string {
  28. return a.accountIdByEmail[email]
  29. }
  31. func init() {
  32. accountManager = &MockAccountManager{
  33. accountNameById: map[string]string{
  34. "accountA": "accountAName",
  35. "accountB": "accountBName",
  36. },
  37. accountIdByEmail: map[string]string{
  38. "accountA@example.com": "accountA",
  39. "accountB@example.com": "accountB",
  40. },
  41. }
  42. }
  44. func TestGetAccountId(t *testing.T) {
  45. req := &http.Request{
  46. Header: make(map[string][]string),
  47. }
  48. //case1
  49. //accountId: "admin"
  50. req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAnonymousId)
  51. if GetAccountId(req) != s3_constants.AccountAdminId {
  52. t.Fatal("expect accountId: admin")
  53. }
  55. //case2
  56. //accountId: "anoymous"
  57. req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAnonymousId)
  58. if GetAccountId(req) != s3_constants.AccountAnonymousId {
  59. t.Fatal("expect accountId: anonymous")
  60. }
  62. //case3
  63. //accountId is nil => "anonymous"
  64. req.Header.Del(s3_constants.AmzAccountId)
  65. if GetAccountId(req) != s3_constants.AccountAnonymousId {
  66. t.Fatal("expect accountId: anonymous")
  67. }
  68. }
  70. func grantsEquals(a, b []*s3.Grant) bool {
  71. if len(a) != len(b) {
  72. return false
  73. }
  74. for i, grant := range a {
  75. if !GrantEquals(grant, b[i]) {
  76. return false
  77. }
  78. }
  79. return true
  80. }
  82. func TestDetermineReqGrants(t *testing.T) {
  83. {
  84. //case1: request account is anonymous
  85. accountId := s3_constants.AccountAnonymousId
  86. reqPermission := s3_constants.PermissionRead
  88. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  89. expectGrants := []*s3.Grant{
  90. {
  91. Grantee: &s3.Grantee{
  92. Type: &s3_constants.GrantTypeGroup,
  93. URI: &s3_constants.GranteeGroupAllUsers,
  94. },
  95. Permission: &reqPermission,
  96. },
  97. {
  98. Grantee: &s3.Grantee{
  99. Type: &s3_constants.GrantTypeGroup,
  100. URI: &s3_constants.GranteeGroupAllUsers,
  101. },
  102. Permission: &s3_constants.PermissionFullControl,
  103. },
  104. {
  105. Grantee: &s3.Grantee{
  106. Type: &s3_constants.GrantTypeCanonicalUser,
  107. ID: &accountId,
  108. },
  109. Permission: &reqPermission,
  110. },
  111. {
  112. Grantee: &s3.Grantee{
  113. Type: &s3_constants.GrantTypeCanonicalUser,
  114. ID: &accountId,
  115. },
  116. Permission: &s3_constants.PermissionFullControl,
  117. },
  118. }
  119. if !grantsEquals(resultGrants, expectGrants) {
  120. t.Fatalf("grants not expect")
  121. }
  122. }
  123. {
  124. //case2: request account is not anonymous (Iam authed)
  125. accountId := "accountX"
  126. reqPermission := s3_constants.PermissionRead
  128. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  129. expectGrants := []*s3.Grant{
  130. {
  131. Grantee: &s3.Grantee{
  132. Type: &s3_constants.GrantTypeGroup,
  133. URI: &s3_constants.GranteeGroupAllUsers,
  134. },
  135. Permission: &reqPermission,
  136. },
  137. {
  138. Grantee: &s3.Grantee{
  139. Type: &s3_constants.GrantTypeGroup,
  140. URI: &s3_constants.GranteeGroupAllUsers,
  141. },
  142. Permission: &s3_constants.PermissionFullControl,
  143. },
  144. {
  145. Grantee: &s3.Grantee{
  146. Type: &s3_constants.GrantTypeCanonicalUser,
  147. ID: &accountId,
  148. },
  149. Permission: &reqPermission,
  150. },
  151. {
  152. Grantee: &s3.Grantee{
  153. Type: &s3_constants.GrantTypeCanonicalUser,
  154. ID: &accountId,
  155. },
  156. Permission: &s3_constants.PermissionFullControl,
  157. },
  158. {
  159. Grantee: &s3.Grantee{
  160. Type: &s3_constants.GrantTypeGroup,
  161. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  162. },
  163. Permission: &reqPermission,
  164. },
  165. {
  166. Grantee: &s3.Grantee{
  167. Type: &s3_constants.GrantTypeGroup,
  168. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  169. },
  170. Permission: &s3_constants.PermissionFullControl,
  171. },
  172. }
  173. if !grantsEquals(resultGrants, expectGrants) {
  174. t.Fatalf("grants not expect")
  175. }
  176. }
  177. }
  179. func TestAssembleEntryWithAcp(t *testing.T) {
  180. defaultOwner := "admin"
  182. //case1
  183. //assemble with non-empty grants
  184. expectOwner := "accountS"
  185. expectGrants := []*s3.Grant{
  186. {
  187. Permission: &s3_constants.PermissionRead,
  188. Grantee: &s3.Grantee{
  189. Type: &s3_constants.GrantTypeGroup,
  190. ID: aws.String(s3_constants.AccountAdminId),
  191. URI: &s3_constants.GranteeGroupAllUsers,
  192. },
  193. },
  194. }
  195. entry := &filer_pb.Entry{}
  196. AssembleEntryWithAcp(entry, expectOwner, expectGrants)
  198. resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
  199. if resultOwner != expectOwner {
  200. t.Fatalf("owner not expect")
  201. }
  203. resultGrants := GetAcpGrants(nil, entry.Extended)
  204. if !grantsEquals(resultGrants, expectGrants) {
  205. t.Fatal("grants not expect")
  206. }
  208. //case2
  209. //assemble with empty grants (override)
  210. AssembleEntryWithAcp(entry, "", nil)
  211. resultOwner = GetAcpOwner(entry.Extended, defaultOwner)
  212. if resultOwner != defaultOwner {
  213. t.Fatalf("owner not expect")
  214. }
  216. resultGrants = GetAcpGrants(nil, entry.Extended)
  217. if len(resultGrants) != 0 {
  218. t.Fatal("grants not expect")
  219. }
  221. }
  223. func TestGrantEquals(t *testing.T) {
  224. testCases := map[bool]bool{
  225. GrantEquals(nil, nil): true,
  227. GrantEquals(&s3.Grant{}, nil): false,
  229. GrantEquals(&s3.Grant{}, &s3.Grant{}): true,
  231. GrantEquals(&s3.Grant{
  232. Permission: &s3_constants.PermissionRead,
  233. }, &s3.Grant{}): false,
  235. GrantEquals(&s3.Grant{
  236. Permission: &s3_constants.PermissionRead,
  237. }, &s3.Grant{
  238. Permission: &s3_constants.PermissionRead,
  239. }): true,
  241. GrantEquals(&s3.Grant{
  242. Permission: &s3_constants.PermissionRead,
  243. Grantee: &s3.Grantee{},
  244. }, &s3.Grant{
  245. Permission: &s3_constants.PermissionRead,
  246. Grantee: &s3.Grantee{},
  247. }): true,
  249. GrantEquals(&s3.Grant{
  250. Permission: &s3_constants.PermissionRead,
  251. Grantee: &s3.Grantee{
  252. Type: &s3_constants.GrantTypeGroup,
  253. },
  254. }, &s3.Grant{
  255. Permission: &s3_constants.PermissionRead,
  256. Grantee: &s3.Grantee{},
  257. }): false,
  259. //type not present, compare other fields of grant is meaningless
  260. GrantEquals(&s3.Grant{
  261. Permission: &s3_constants.PermissionRead,
  262. Grantee: &s3.Grantee{
  263. ID: aws.String(s3_constants.AccountAdminId),
  264. EmailAddress: aws.String("admin@example.com"),
  265. },
  266. }, &s3.Grant{
  267. Permission: &s3_constants.PermissionRead,
  268. Grantee: &s3.Grantee{
  269. ID: aws.String(s3_constants.AccountAdminId),
  270. },
  271. }): true,
  273. GrantEquals(&s3.Grant{
  274. Permission: &s3_constants.PermissionRead,
  275. Grantee: &s3.Grantee{
  276. Type: &s3_constants.GrantTypeGroup,
  277. },
  278. }, &s3.Grant{
  279. Permission: &s3_constants.PermissionRead,
  280. Grantee: &s3.Grantee{
  281. Type: &s3_constants.GrantTypeGroup,
  282. },
  283. }): true,
  285. GrantEquals(&s3.Grant{
  286. Permission: &s3_constants.PermissionRead,
  287. Grantee: &s3.Grantee{
  288. Type: &s3_constants.GrantTypeGroup,
  289. URI: &s3_constants.GranteeGroupAllUsers,
  290. },
  291. }, &s3.Grant{
  292. Permission: &s3_constants.PermissionRead,
  293. Grantee: &s3.Grantee{
  294. Type: &s3_constants.GrantTypeGroup,
  295. URI: &s3_constants.GranteeGroupAllUsers,
  296. },
  297. }): true,
  299. GrantEquals(&s3.Grant{
  300. Permission: &s3_constants.PermissionWrite,
  301. Grantee: &s3.Grantee{
  302. Type: &s3_constants.GrantTypeGroup,
  303. URI: &s3_constants.GranteeGroupAllUsers,
  304. },
  305. }, &s3.Grant{
  306. Permission: &s3_constants.PermissionRead,
  307. Grantee: &s3.Grantee{
  308. Type: &s3_constants.GrantTypeGroup,
  309. URI: &s3_constants.GranteeGroupAllUsers,
  310. },
  311. }): false,
  313. GrantEquals(&s3.Grant{
  314. Permission: &s3_constants.PermissionRead,
  315. Grantee: &s3.Grantee{
  316. Type: &s3_constants.GrantTypeGroup,
  317. ID: aws.String(s3_constants.AccountAdminId),
  318. },
  319. }, &s3.Grant{
  320. Permission: &s3_constants.PermissionRead,
  321. Grantee: &s3.Grantee{
  322. Type: &s3_constants.GrantTypeGroup,
  323. ID: aws.String(s3_constants.AccountAdminId),
  324. },
  325. }): true,
  327. GrantEquals(&s3.Grant{
  328. Permission: &s3_constants.PermissionRead,
  329. Grantee: &s3.Grantee{
  330. Type: &s3_constants.GrantTypeGroup,
  331. ID: aws.String(s3_constants.AccountAdminId),
  332. URI: &s3_constants.GranteeGroupAllUsers,
  333. },
  334. }, &s3.Grant{
  335. Permission: &s3_constants.PermissionRead,
  336. Grantee: &s3.Grantee{
  337. Type: &s3_constants.GrantTypeGroup,
  338. ID: aws.String(s3_constants.AccountAdminId),
  339. },
  340. }): false,
  342. GrantEquals(&s3.Grant{
  343. Permission: &s3_constants.PermissionRead,
  344. Grantee: &s3.Grantee{
  345. Type: &s3_constants.GrantTypeGroup,
  346. ID: aws.String(s3_constants.AccountAdminId),
  347. URI: &s3_constants.GranteeGroupAllUsers,
  348. },
  349. }, &s3.Grant{
  350. Permission: &s3_constants.PermissionRead,
  351. Grantee: &s3.Grantee{
  352. Type: &s3_constants.GrantTypeGroup,
  353. URI: &s3_constants.GranteeGroupAllUsers,
  354. },
  355. }): true,
  356. }
  358. for tc, expect := range testCases {
  359. if tc != expect {
  360. t.Fatal("TestGrantEquals not expect!")
  361. }
  362. }
  363. }
  365. func TestSetAcpOwnerHeader(t *testing.T) {
  366. ownerId := "accountZ"
  367. req := &http.Request{
  368. Header: make(map[string][]string),
  369. }
  370. SetAcpOwnerHeader(req, ownerId)
  372. if req.Header.Get(s3_constants.ExtAmzOwnerKey) != ownerId {
  373. t.Fatalf("owner unexpect")
  374. }
  375. }
  377. func TestSetAcpGrantsHeader(t *testing.T) {
  378. req := &http.Request{
  379. Header: make(map[string][]string),
  380. }
  381. grants := []*s3.Grant{
  382. {
  383. Permission: &s3_constants.PermissionRead,
  384. Grantee: &s3.Grantee{
  385. Type: &s3_constants.GrantTypeGroup,
  386. ID: aws.String(s3_constants.AccountAdminId),
  387. URI: &s3_constants.GranteeGroupAllUsers,
  388. },
  389. },
  390. }
  391. SetAcpGrantsHeader(req, grants)
  393. grantsJson, _ := json.Marshal(grants)
  394. if req.Header.Get(s3_constants.ExtAmzAclKey) != string(grantsJson) {
  395. t.Fatalf("owner unexpect")
  396. }
  397. }
  399. func TestGrantWithFullControl(t *testing.T) {
  400. accountId := "Accountaskdfj"
  401. expect := &s3.Grant{
  402. Permission: &s3_constants.PermissionFullControl,
  403. Grantee: &s3.Grantee{
  404. Type: &s3_constants.GrantTypeCanonicalUser,
  405. ID: &accountId,
  406. },
  407. }
  409. result := GrantWithFullControl(accountId)
  411. if !GrantEquals(result, expect) {
  412. t.Fatal("GrantWithFullControl not expect")
  413. }
  414. }
  416. func TestExtractObjectAcl(t *testing.T) {
  417. type Case struct {
  418. id string
  419. resultErrCode, expectErrCode s3err.ErrorCode
  420. resultGrants, expectGrants []*s3.Grant
  421. resultOwnerId, expectOwnerId string
  422. }
  423. testCases := make([]*Case, 0)
  424. accountAdminId := "admin"
  426. //Request body to specify AccessControlList
  427. {
  428. //ownership: ObjectWriter
  429. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  430. req := &http.Request{
  431. Header: make(map[string][]string),
  432. }
  433. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  434. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  435. <Owner>
  436. <ID>admin</ID>
  437. <DisplayName>admin</DisplayName>
  438. </Owner>
  439. <AccessControlList>
  440. <Grant>
  441. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  442. <ID>admin</ID>
  443. </Grantee>
  444. <Permission>FULL_CONTROL</Permission>
  445. </Grant>
  446. <Grant>
  447. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  448. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  449. </Grantee>
  450. <Permission>FULL_CONTROL</Permission>
  451. </Grant>
  452. </AccessControlList>
  453. </AccessControlPolicy>
  454. `)))
  455. requestAccountId := "accountA"
  456. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  457. testCases = append(testCases, &Case{
  458. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  459. errCode, s3err.ErrNone,
  460. grants, []*s3.Grant{
  461. {
  462. Grantee: &s3.Grantee{
  463. Type: &s3_constants.GrantTypeCanonicalUser,
  464. ID: &accountAdminId,
  465. },
  466. Permission: &s3_constants.PermissionFullControl,
  467. },
  468. {
  469. Grantee: &s3.Grantee{
  470. Type: &s3_constants.GrantTypeGroup,
  471. URI: &s3_constants.GranteeGroupAllUsers,
  472. },
  473. Permission: &s3_constants.PermissionFullControl,
  474. },
  475. },
  476. ownerId, accountAdminId,
  477. })
  478. }
  479. {
  480. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  481. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  482. req := &http.Request{
  483. Header: make(map[string][]string),
  484. }
  485. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  486. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  487. <Owner>
  488. <ID>admin</ID>
  489. <DisplayName>admin</DisplayName>
  490. </Owner>
  491. <AccessControlList>
  492. <Grant>
  493. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  494. <ID>admin</ID>
  495. </Grantee>
  496. <Permission>FULL_CONTROL</Permission>
  497. </Grant>
  498. <Grant>
  499. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  500. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  501. </Grantee>
  502. <Permission>FULL_CONTROL</Permission>
  503. </Grant>
  504. </AccessControlList>
  505. </AccessControlPolicy>
  506. `)))
  507. requestAccountId := "accountA"
  508. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  509. testCases = append(testCases, &Case{
  510. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  511. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  512. })
  513. }
  514. {
  515. //ownership: ObjectWriter
  516. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  517. req := &http.Request{
  518. Header: make(map[string][]string),
  519. }
  520. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  521. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  522. <Owner>
  523. <ID>admin</ID>
  524. <DisplayName>admin</DisplayName>
  525. </Owner>
  526. <AccessControlList>
  527. <Grant>
  528. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  529. <ID>admin</ID>
  530. </Grantee>
  531. <Permission>FULL_CONTROL</Permission>
  532. </Grant>
  533. <Grant>
  534. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  535. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  536. </Grantee>
  537. <Permission>FULL_CONTROL</Permission>
  538. </Grant>
  539. </AccessControlList>
  540. </AccessControlPolicy>
  541. `)))
  542. requestAccountId := "accountA"
  543. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  544. testCases = append(testCases, &Case{
  545. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  546. errCode, s3err.ErrNone,
  547. grants, []*s3.Grant{},
  548. ownerId, "",
  549. })
  550. }
  551. {
  552. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  553. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  554. req := &http.Request{
  555. Header: make(map[string][]string),
  556. }
  557. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  558. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  559. <Owner>
  560. <ID>admin</ID>
  561. <DisplayName>admin</DisplayName>
  562. </Owner>
  563. <AccessControlList>
  564. <Grant>
  565. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  566. <ID>admin</ID>
  567. </Grantee>
  568. <Permission>FULL_CONTROL</Permission>
  569. </Grant>
  570. <Grant>
  571. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  572. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  573. </Grantee>
  574. <Permission>FULL_CONTROL</Permission>
  575. </Grant>
  576. </AccessControlList>
  577. </AccessControlPolicy>
  578. `)))
  579. requestAccountId := "accountA"
  580. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  581. testCases = append(testCases, &Case{
  582. "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  583. errCode, s3err.ErrNone,
  584. grants, []*s3.Grant{},
  585. ownerId, "",
  586. })
  587. }
  589. //CannedAcl Header to specify ACL
  590. //cannedAcl, putObjectACL
  591. {
  592. //ownership: ObjectWriter
  593. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  594. req := &http.Request{
  595. Header: make(map[string][]string),
  596. }
  597. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  598. bucketOwnerId := "admin"
  599. requestAccountId := "accountA"
  600. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  601. testCases = append(testCases, &Case{
  602. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  603. errCode, s3err.ErrNone,
  604. grants, []*s3.Grant{
  605. {
  606. Grantee: &s3.Grantee{
  607. Type: &s3_constants.GrantTypeCanonicalUser,
  608. ID: &requestAccountId,
  609. },
  610. Permission: &s3_constants.PermissionFullControl,
  611. },
  612. {
  613. Grantee: &s3.Grantee{
  614. Type: &s3_constants.GrantTypeCanonicalUser,
  615. ID: &bucketOwnerId,
  616. },
  617. Permission: &s3_constants.PermissionFullControl,
  618. },
  619. },
  620. ownerId, "",
  621. })
  622. }
  623. {
  624. //ownership: BucketOwnerPreferred
  625. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  626. req := &http.Request{
  627. Header: make(map[string][]string),
  628. }
  629. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  630. bucketOwnerId := "admin"
  631. requestAccountId := "accountA"
  632. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  633. testCases = append(testCases, &Case{
  634. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  635. errCode, s3err.ErrNone,
  636. grants, []*s3.Grant{
  637. {
  638. Grantee: &s3.Grantee{
  639. Type: &s3_constants.GrantTypeCanonicalUser,
  640. ID: &requestAccountId,
  641. },
  642. Permission: &s3_constants.PermissionFullControl,
  643. },
  644. {
  645. Grantee: &s3.Grantee{
  646. Type: &s3_constants.GrantTypeCanonicalUser,
  647. ID: &bucketOwnerId,
  648. },
  649. Permission: &s3_constants.PermissionFullControl,
  650. },
  651. },
  652. ownerId, "",
  653. })
  654. }
  655. {
  656. //ownership: BucketOwnerEnforced
  657. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  658. req := &http.Request{
  659. Header: make(map[string][]string),
  660. }
  661. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  662. bucketOwnerId := "admin"
  663. requestAccountId := "accountA"
  664. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  665. testCases = append(testCases, &Case{
  666. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  667. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  668. })
  669. }
  670. //cannedACL, putObject
  671. {
  672. //ownership: ObjectWriter
  673. //s3:PutObject('createObject' is set to true), parse cannedACL header
  674. req := &http.Request{
  675. Header: make(map[string][]string),
  676. }
  677. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  678. bucketOwnerId := "admin"
  679. requestAccountId := "accountA"
  680. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  681. testCases = append(testCases, &Case{
  682. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-CannedAcl",
  683. errCode, s3err.ErrNone,
  684. grants, []*s3.Grant{
  685. {
  686. Grantee: &s3.Grantee{
  687. Type: &s3_constants.GrantTypeCanonicalUser,
  688. ID: &requestAccountId,
  689. },
  690. Permission: &s3_constants.PermissionFullControl,
  691. },
  692. {
  693. Grantee: &s3.Grantee{
  694. Type: &s3_constants.GrantTypeCanonicalUser,
  695. ID: &bucketOwnerId,
  696. },
  697. Permission: &s3_constants.PermissionFullControl,
  698. },
  699. },
  700. ownerId, "",
  701. })
  702. }
  703. {
  704. //ownership: BucketOwnerPreferred
  705. //s3:PutObject('createObject' is set to true), parse cannedACL header
  706. req := &http.Request{
  707. Header: make(map[string][]string),
  708. }
  709. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  710. bucketOwnerId := "admin"
  711. requestAccountId := "accountA"
  712. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  713. testCases = append(testCases, &Case{
  714. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  715. errCode, s3err.ErrNone,
  716. grants, []*s3.Grant{
  717. {
  718. Grantee: &s3.Grantee{
  719. Type: &s3_constants.GrantTypeCanonicalUser,
  720. ID: &bucketOwnerId,
  721. },
  722. Permission: &s3_constants.PermissionFullControl,
  723. },
  724. },
  725. ownerId, "",
  726. })
  727. }
  728. {
  729. //ownership: BucketOwnerEnforced
  730. //s3:PutObject('createObject' is set to true), parse cannedACL header
  731. req := &http.Request{
  732. Header: make(map[string][]string),
  733. }
  734. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  735. bucketOwnerId := "admin"
  736. requestAccountId := "accountA"
  737. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  738. testCases = append(testCases, &Case{
  739. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  740. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  741. })
  742. }
  744. //cannedAcl, putObjectACL
  745. {
  746. //ownership: ObjectWriter
  747. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  748. req := &http.Request{
  749. Header: make(map[string][]string),
  750. }
  751. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  752. bucketOwnerId := "admin"
  753. requestAccountId := "accountA"
  754. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  755. testCases = append(testCases, &Case{
  756. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  757. errCode, s3err.ErrNone,
  758. grants, []*s3.Grant{
  759. {
  760. Grantee: &s3.Grantee{
  761. Type: &s3_constants.GrantTypeCanonicalUser,
  762. ID: &requestAccountId,
  763. },
  764. Permission: &s3_constants.PermissionFullControl,
  765. },
  766. {
  767. Grantee: &s3.Grantee{
  768. Type: &s3_constants.GrantTypeCanonicalUser,
  769. ID: &bucketOwnerId,
  770. },
  771. Permission: &s3_constants.PermissionFullControl,
  772. },
  773. },
  774. ownerId, "",
  775. })
  776. }
  777. {
  778. //ownership: BucketOwnerPreferred
  779. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  780. req := &http.Request{
  781. Header: make(map[string][]string),
  782. }
  783. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  784. bucketOwnerId := "admin"
  785. requestAccountId := "accountA"
  786. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  787. testCases = append(testCases, &Case{
  788. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  789. errCode, s3err.ErrNone,
  790. grants, []*s3.Grant{
  791. {
  792. Grantee: &s3.Grantee{
  793. Type: &s3_constants.GrantTypeCanonicalUser,
  794. ID: &requestAccountId,
  795. },
  796. Permission: &s3_constants.PermissionFullControl,
  797. },
  798. {
  799. Grantee: &s3.Grantee{
  800. Type: &s3_constants.GrantTypeCanonicalUser,
  801. ID: &bucketOwnerId,
  802. },
  803. Permission: &s3_constants.PermissionFullControl,
  804. },
  805. },
  806. ownerId, "",
  807. })
  808. }
  809. {
  810. //ownership: BucketOwnerEnforced
  811. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  812. req := &http.Request{
  813. Header: make(map[string][]string),
  814. }
  815. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  816. bucketOwnerId := "admin"
  817. requestAccountId := "accountA"
  818. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  819. testCases = append(testCases, &Case{
  820. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  821. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  822. })
  823. }
  824. //customAcl, putObject
  825. {
  826. //ownership: ObjectWriter
  827. //s3:PutObject('createObject' is set to true), parse customAcl header
  828. req := &http.Request{
  829. Header: make(map[string][]string),
  830. }
  831. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  832. bucketOwnerId := "admin"
  833. requestAccountId := "accountA"
  834. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  835. testCases = append(testCases, &Case{
  836. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  837. errCode, s3err.ErrNone,
  838. grants, []*s3.Grant{
  839. {
  840. Grantee: &s3.Grantee{
  841. Type: &s3_constants.GrantTypeCanonicalUser,
  842. ID: &requestAccountId,
  843. },
  844. Permission: &s3_constants.PermissionFullControl,
  845. },
  846. {
  847. Grantee: &s3.Grantee{
  848. Type: &s3_constants.GrantTypeCanonicalUser,
  849. ID: &bucketOwnerId,
  850. },
  851. Permission: &s3_constants.PermissionFullControl,
  852. },
  853. },
  854. ownerId, "",
  855. })
  856. }
  857. {
  858. //ownership: BucketOwnerPreferred
  859. //s3:PutObject('createObject' is set to true), parse customAcl header
  860. req := &http.Request{
  861. Header: make(map[string][]string),
  862. }
  863. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  864. bucketOwnerId := "admin"
  865. requestAccountId := "accountA"
  866. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  867. testCases = append(testCases, &Case{
  868. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  869. errCode, s3err.ErrNone,
  870. grants, []*s3.Grant{
  871. {
  872. Grantee: &s3.Grantee{
  873. Type: &s3_constants.GrantTypeCanonicalUser,
  874. ID: &bucketOwnerId,
  875. },
  876. Permission: &s3_constants.PermissionFullControl,
  877. },
  878. },
  879. ownerId, "",
  880. })
  881. }
  882. {
  883. //ownership: BucketOwnerEnforced
  884. //s3:PutObject('createObject' is set to true), parse customAcl header
  885. req := &http.Request{
  886. Header: make(map[string][]string),
  887. }
  888. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  889. bucketOwnerId := "admin"
  890. requestAccountId := "accountA"
  891. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  892. testCases = append(testCases, &Case{
  893. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  894. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  895. })
  896. }
  898. {
  899. //parse acp from request header: both canned acl and custom acl not allowed
  900. req := &http.Request{
  901. Header: make(map[string][]string),
  902. }
  903. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  904. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  905. bucketOwnerId := "admin"
  906. requestAccountId := "accountA"
  907. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  908. testCases = append(testCases, &Case{
  909. id: "Only one of cannedAcl, customAcl is allowed",
  910. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  911. })
  912. }
  914. {
  915. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  916. req := &http.Request{
  917. Header: make(map[string][]string),
  918. }
  919. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  920. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  921. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  922. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  923. <Owner>
  924. <ID>admin</ID>
  925. <DisplayName>admin</DisplayName>
  926. </Owner>
  927. <AccessControlList>
  928. <Grant>
  929. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  930. <ID>admin</ID>
  931. </Grantee>
  932. <Permission>FULL_CONTROL</Permission>
  933. </Grant>
  934. <Grant>
  935. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  936. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  937. </Grantee>
  938. <Permission>FULL_CONTROL</Permission>
  939. </Grant>
  940. </AccessControlList>
  941. </AccessControlPolicy>
  942. `)))
  943. requestAccountId := "accountA"
  944. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  945. testCases = append(testCases, &Case{
  946. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  947. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  948. })
  949. }
  950. for _, tc := range testCases {
  951. if tc.resultErrCode != tc.expectErrCode {
  952. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  953. }
  954. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  955. t.Fatalf("case[%s]: grants not expect", tc.id)
  956. }
  957. }
  958. }
  960. func TestBucketObjectAcl(t *testing.T) {
  961. type Case struct {
  962. id string
  963. resultErrCode, expectErrCode s3err.ErrorCode
  964. resultGrants, expectGrants []*s3.Grant
  965. }
  966. testCases := make([]*Case, 0)
  967. accountAdminId := "admin"
  969. //Request body to specify AccessControlList
  970. {
  971. //ownership: ObjectWriter
  972. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  973. req := &http.Request{
  974. Header: make(map[string][]string),
  975. }
  976. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  977. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  978. <Owner>
  979. <ID>admin</ID>
  980. <DisplayName>admin</DisplayName>
  981. </Owner>
  982. <AccessControlList>
  983. <Grant>
  984. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  985. <ID>admin</ID>
  986. </Grantee>
  987. <Permission>FULL_CONTROL</Permission>
  988. </Grant>
  989. <Grant>
  990. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  991. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  992. </Grantee>
  993. <Permission>FULL_CONTROL</Permission>
  994. </Grant>
  995. </AccessControlList>
  996. </AccessControlPolicy>
  997. `)))
  998. bucketOwnerId := "admin"
  999. requestAccountId := "accountA"
  1000. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1001. testCases = append(testCases, &Case{
  1002. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  1003. errCode, s3err.ErrNone,
  1004. grants, []*s3.Grant{
  1005. {
  1006. Grantee: &s3.Grantee{
  1007. Type: &s3_constants.GrantTypeCanonicalUser,
  1008. ID: &accountAdminId,
  1009. },
  1010. Permission: &s3_constants.PermissionFullControl,
  1011. },
  1012. {
  1013. Grantee: &s3.Grantee{
  1014. Type: &s3_constants.GrantTypeGroup,
  1015. URI: &s3_constants.GranteeGroupAllUsers,
  1016. },
  1017. Permission: &s3_constants.PermissionFullControl,
  1018. },
  1019. },
  1020. })
  1021. }
  1022. {
  1023. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1024. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  1025. req := &http.Request{
  1026. Header: make(map[string][]string),
  1027. }
  1028. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1029. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1030. <Owner>
  1031. <ID>admin</ID>
  1032. <DisplayName>admin</DisplayName>
  1033. </Owner>
  1034. <AccessControlList>
  1035. <Grant>
  1036. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1037. <ID>admin</ID>
  1038. </Grantee>
  1039. <Permission>FULL_CONTROL</Permission>
  1040. </Grant>
  1041. <Grant>
  1042. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1043. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1044. </Grantee>
  1045. <Permission>FULL_CONTROL</Permission>
  1046. </Grant>
  1047. </AccessControlList>
  1048. </AccessControlPolicy>
  1049. `)))
  1050. requestAccountId := "accountA"
  1051. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  1052. testCases = append(testCases, &Case{
  1053. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  1054. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1055. })
  1056. }
  1057. {
  1058. //ownership: ObjectWriter
  1059. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  1060. req := &http.Request{
  1061. Header: make(map[string][]string),
  1062. }
  1063. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1064. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1065. <Owner>
  1066. <ID>admin</ID>
  1067. <DisplayName>admin</DisplayName>
  1068. </Owner>
  1069. <AccessControlList>
  1070. <Grant>
  1071. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1072. <ID>admin</ID>
  1073. </Grantee>
  1074. <Permission>FULL_CONTROL</Permission>
  1075. </Grant>
  1076. <Grant>
  1077. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1078. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1079. </Grantee>
  1080. <Permission>FULL_CONTROL</Permission>
  1081. </Grant>
  1082. </AccessControlList>
  1083. </AccessControlPolicy>
  1084. `)))
  1085. requestAccountId := "accountA"
  1086. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  1087. testCases = append(testCases, &Case{
  1088. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  1089. errCode, s3err.ErrNone,
  1090. grants, []*s3.Grant{},
  1091. })
  1092. }
  1093. {
  1094. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1095. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  1096. req := &http.Request{
  1097. Header: make(map[string][]string),
  1098. }
  1099. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1100. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1101. <Owner>
  1102. <ID>admin</ID>
  1103. <DisplayName>admin</DisplayName>
  1104. </Owner>
  1105. <AccessControlList>
  1106. <Grant>
  1107. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1108. <ID>admin</ID>
  1109. </Grantee>
  1110. <Permission>FULL_CONTROL</Permission>
  1111. </Grant>
  1112. <Grant>
  1113. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1114. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1115. </Grantee>
  1116. <Permission>FULL_CONTROL</Permission>
  1117. </Grant>
  1118. </AccessControlList>
  1119. </AccessControlPolicy>
  1120. `)))
  1121. requestAccountId := "accountA"
  1122. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  1123. testCases = append(testCases, &Case{
  1124. "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  1125. errCode, s3err.ErrNone,
  1126. grants, []*s3.Grant{},
  1127. })
  1128. }
  1130. //CannedAcl Header to specify ACL
  1131. //cannedAcl, PutBucketAcl
  1132. {
  1133. //ownership: ObjectWriter
  1134. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1135. req := &http.Request{
  1136. Header: make(map[string][]string),
  1137. }
  1138. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1139. bucketOwnerId := "admin"
  1140. requestAccountId := "accountA"
  1141. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1142. testCases = append(testCases, &Case{
  1143. id: "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  1144. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1145. })
  1146. }
  1147. {
  1148. //ownership: BucketOwnerPreferred
  1149. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1150. req := &http.Request{
  1151. Header: make(map[string][]string),
  1152. }
  1153. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1154. bucketOwnerId := "admin"
  1155. requestAccountId := "accountA"
  1156. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1157. testCases = append(testCases, &Case{
  1158. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  1159. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1160. })
  1161. }
  1162. {
  1163. //ownership: BucketOwnerEnforced
  1164. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1165. req := &http.Request{
  1166. Header: make(map[string][]string),
  1167. }
  1168. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1169. bucketOwnerId := "admin"
  1170. requestAccountId := "accountA"
  1171. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1172. testCases = append(testCases, &Case{
  1173. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  1174. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1175. })
  1176. }
  1177. //cannedACL, createBucket
  1178. {
  1179. //ownership: ObjectWriter
  1180. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1181. req := &http.Request{
  1182. Header: make(map[string][]string),
  1183. }
  1184. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1185. bucketOwnerId := "admin"
  1186. requestAccountId := "accountA"
  1187. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1188. testCases = append(testCases, &Case{
  1189. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1190. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1191. })
  1192. }
  1193. {
  1194. //ownership: BucketOwnerPreferred
  1195. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1196. req := &http.Request{
  1197. Header: make(map[string][]string),
  1198. }
  1199. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1200. bucketOwnerId := "admin"
  1201. requestAccountId := "accountA"
  1202. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1203. testCases = append(testCases, &Case{
  1204. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  1205. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1206. })
  1207. }
  1208. {
  1209. //ownership: BucketOwnerEnforced
  1210. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1211. req := &http.Request{
  1212. Header: make(map[string][]string),
  1213. }
  1214. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1215. bucketOwnerId := "admin"
  1216. requestAccountId := "accountA"
  1217. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1218. testCases = append(testCases, &Case{
  1219. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1220. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1221. })
  1222. }
  1224. //customAcl, PutBucketAcl
  1225. {
  1226. //ownership: ObjectWriter
  1227. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1228. req := &http.Request{
  1229. Header: make(map[string][]string),
  1230. }
  1231. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1232. bucketOwnerId := "admin"
  1233. requestAccountId := "accountA"
  1234. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1235. testCases = append(testCases, &Case{
  1236. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  1237. errCode, s3err.ErrNone,
  1238. grants, []*s3.Grant{
  1239. {
  1240. Grantee: &s3.Grantee{
  1241. Type: &s3_constants.GrantTypeCanonicalUser,
  1242. ID: &requestAccountId,
  1243. },
  1244. Permission: &s3_constants.PermissionFullControl,
  1245. },
  1246. {
  1247. Grantee: &s3.Grantee{
  1248. Type: &s3_constants.GrantTypeCanonicalUser,
  1249. ID: &bucketOwnerId,
  1250. },
  1251. Permission: &s3_constants.PermissionFullControl,
  1252. },
  1253. },
  1254. })
  1255. }
  1256. {
  1257. //ownership: BucketOwnerPreferred
  1258. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1259. req := &http.Request{
  1260. Header: make(map[string][]string),
  1261. }
  1262. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1263. bucketOwnerId := "admin"
  1264. requestAccountId := "accountA"
  1265. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1266. testCases = append(testCases, &Case{
  1267. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  1268. errCode, s3err.ErrNone,
  1269. grants, []*s3.Grant{
  1270. {
  1271. Grantee: &s3.Grantee{
  1272. Type: &s3_constants.GrantTypeCanonicalUser,
  1273. ID: &requestAccountId,
  1274. },
  1275. Permission: &s3_constants.PermissionFullControl,
  1276. },
  1277. {
  1278. Grantee: &s3.Grantee{
  1279. Type: &s3_constants.GrantTypeCanonicalUser,
  1280. ID: &bucketOwnerId,
  1281. },
  1282. Permission: &s3_constants.PermissionFullControl,
  1283. },
  1284. },
  1285. })
  1286. }
  1287. {
  1288. //ownership: BucketOwnerEnforced
  1289. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1290. req := &http.Request{
  1291. Header: make(map[string][]string),
  1292. }
  1293. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1294. bucketOwnerId := "admin"
  1295. requestAccountId := "accountA"
  1296. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1297. testCases = append(testCases, &Case{
  1298. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  1299. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1300. })
  1301. }
  1302. //customAcl, putObject
  1303. {
  1304. //ownership: ObjectWriter
  1305. //s3:PutObject('createObject' is set to true), parse customAcl header
  1306. req := &http.Request{
  1307. Header: make(map[string][]string),
  1308. }
  1309. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1310. bucketOwnerId := "admin"
  1311. requestAccountId := "accountA"
  1312. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1313. testCases = append(testCases, &Case{
  1314. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  1315. errCode, s3err.ErrNone,
  1316. grants, []*s3.Grant{
  1317. {
  1318. Grantee: &s3.Grantee{
  1319. Type: &s3_constants.GrantTypeCanonicalUser,
  1320. ID: &requestAccountId,
  1321. },
  1322. Permission: &s3_constants.PermissionFullControl,
  1323. },
  1324. {
  1325. Grantee: &s3.Grantee{
  1326. Type: &s3_constants.GrantTypeCanonicalUser,
  1327. ID: &bucketOwnerId,
  1328. },
  1329. Permission: &s3_constants.PermissionFullControl,
  1330. },
  1331. },
  1332. })
  1333. }
  1334. {
  1335. //ownership: BucketOwnerPreferred
  1336. //s3:PutObject('createObject' is set to true), parse customAcl header
  1337. req := &http.Request{
  1338. Header: make(map[string][]string),
  1339. }
  1340. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  1341. bucketOwnerId := "admin"
  1342. requestAccountId := "accountA"
  1343. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1344. testCases = append(testCases, &Case{
  1345. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  1346. errCode, s3err.ErrNone,
  1347. grants, []*s3.Grant{
  1348. {
  1349. Grantee: &s3.Grantee{
  1350. Type: &s3_constants.GrantTypeCanonicalUser,
  1351. ID: &bucketOwnerId,
  1352. },
  1353. Permission: &s3_constants.PermissionFullControl,
  1354. },
  1355. },
  1356. })
  1357. }
  1358. {
  1359. //ownership: BucketOwnerEnforced
  1360. //s3:PutObject('createObject' is set to true), parse customAcl header
  1361. req := &http.Request{
  1362. Header: make(map[string][]string),
  1363. }
  1364. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1365. bucketOwnerId := "admin"
  1366. requestAccountId := "accountA"
  1367. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1368. testCases = append(testCases, &Case{
  1369. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  1370. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1371. })
  1372. }
  1374. {
  1375. //parse acp from request header: both canned acl and custom acl not allowed
  1376. req := &http.Request{
  1377. Header: make(map[string][]string),
  1378. }
  1379. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1380. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1381. bucketOwnerId := "admin"
  1382. requestAccountId := "accountA"
  1383. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1384. testCases = append(testCases, &Case{
  1385. id: "Only one of cannedAcl, customAcl is allowed",
  1386. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  1387. })
  1388. }
  1390. {
  1391. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  1392. req := &http.Request{
  1393. Header: make(map[string][]string),
  1394. }
  1395. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1396. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1397. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1398. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1399. <Owner>
  1400. <ID>admin</ID>
  1401. <DisplayName>admin</DisplayName>
  1402. </Owner>
  1403. <AccessControlList>
  1404. <Grant>
  1405. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1406. <ID>admin</ID>
  1407. </Grantee>
  1408. <Permission>FULL_CONTROL</Permission>
  1409. </Grant>
  1410. <Grant>
  1411. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1412. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1413. </Grantee>
  1414. <Permission>FULL_CONTROL</Permission>
  1415. </Grant>
  1416. </AccessControlList>
  1417. </AccessControlPolicy>
  1418. `)))
  1419. requestAccountId := "accountA"
  1420. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  1421. testCases = append(testCases, &Case{
  1422. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  1423. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  1424. })
  1425. }
  1426. for _, tc := range testCases {
  1427. if tc.resultErrCode != tc.expectErrCode {
  1428. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  1429. }
  1430. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  1431. t.Fatalf("case[%s]: grants not expect", tc.id)
  1432. }
  1433. }
  1434. }
  1436. func TestMarshalGrantsToJson(t *testing.T) {
  1437. //ok
  1438. bucketOwnerId := "admin"
  1439. requestAccountId := "accountA"
  1440. grants := []*s3.Grant{
  1441. {
  1442. Grantee: &s3.Grantee{
  1443. Type: &s3_constants.GrantTypeCanonicalUser,
  1444. ID: &requestAccountId,
  1445. },
  1446. Permission: &s3_constants.PermissionFullControl,
  1447. },
  1448. {
  1449. Grantee: &s3.Grantee{
  1450. Type: &s3_constants.GrantTypeCanonicalUser,
  1451. ID: &bucketOwnerId,
  1452. },
  1453. Permission: &s3_constants.PermissionFullControl,
  1454. },
  1455. }
  1456. result, err := MarshalGrantsToJson(grants)
  1457. if err != nil {
  1458. t.Error(err)
  1459. }
  1461. var grants2 []*s3.Grant
  1462. err = json.Unmarshal(result, &grants2)
  1463. if err != nil {
  1464. t.Error(err)
  1465. }
  1467. print(string(result))
  1468. if !grantsEquals(grants, grants2) {
  1469. t.Fatal("grants not equal", grants, grants2)
  1470. }
  1472. //ok
  1473. result, err = MarshalGrantsToJson(nil)
  1474. if result != nil && err != nil {
  1475. t.Fatal("error: result, err = MarshalGrantsToJson(nil)")
  1476. }
  1477. }