You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

223 lines
4.9 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
2 years ago
5 years ago
2 years ago
5 years ago
2 years ago
5 years ago
  1. package s3api
  2. import (
  3. . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  4. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  5. "github.com/stretchr/testify/assert"
  6. "reflect"
  7. "testing"
  8. jsonpb "google.golang.org/protobuf/encoding/protojson"
  9. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  10. )
  11. func TestIdentityListFileFormat(t *testing.T) {
  12. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  13. identity1 := &iam_pb.Identity{
  14. Name: "some_name",
  15. Credentials: []*iam_pb.Credential{
  16. {
  17. AccessKey: "some_access_key1",
  18. SecretKey: "some_secret_key2",
  19. },
  20. },
  21. Actions: []string{
  22. ACTION_ADMIN,
  23. ACTION_READ,
  24. ACTION_WRITE,
  25. },
  26. }
  27. identity2 := &iam_pb.Identity{
  28. Name: "some_read_only_user",
  29. Credentials: []*iam_pb.Credential{
  30. {
  31. AccessKey: "some_access_key1",
  32. SecretKey: "some_secret_key1",
  33. },
  34. },
  35. Actions: []string{
  36. ACTION_READ,
  37. },
  38. }
  39. identity3 := &iam_pb.Identity{
  40. Name: "some_normal_user",
  41. Credentials: []*iam_pb.Credential{
  42. {
  43. AccessKey: "some_access_key2",
  44. SecretKey: "some_secret_key2",
  45. },
  46. },
  47. Actions: []string{
  48. ACTION_READ,
  49. ACTION_WRITE,
  50. },
  51. }
  52. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
  53. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
  54. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
  55. m := jsonpb.MarshalOptions{
  56. EmitUnpopulated: true,
  57. Indent: " ",
  58. }
  59. text, _ := m.Marshal(s3ApiConfiguration)
  60. println(string(text))
  61. }
  62. func TestCanDo(t *testing.T) {
  63. ident1 := &Identity{
  64. Name: "anything",
  65. Actions: []Action{
  66. "Write:bucket1/a/b/c/*",
  67. "Write:bucket1/a/b/other",
  68. },
  69. }
  70. // object specific
  71. assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  72. assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
  73. // bucket specific
  74. ident2 := &Identity{
  75. Name: "anything",
  76. Actions: []Action{
  77. "Read:bucket1",
  78. "Write:bucket1/*",
  79. },
  80. }
  81. assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  82. assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  83. assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
  84. // across buckets
  85. ident3 := &Identity{
  86. Name: "anything",
  87. Actions: []Action{
  88. "Read",
  89. "Write",
  90. },
  91. }
  92. assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  93. assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  94. assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
  95. // partial buckets
  96. ident4 := &Identity{
  97. Name: "anything",
  98. Actions: []Action{
  99. "Read:special_*",
  100. },
  101. }
  102. assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  103. assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  104. // admin buckets
  105. ident5 := &Identity{
  106. Name: "anything",
  107. Actions: []Action{
  108. "Admin:special_*",
  109. },
  110. }
  111. assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  112. assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
  113. }
  114. type LoadS3ApiConfigurationTestCase struct {
  115. pbIdent *iam_pb.Identity
  116. expectIdent *Identity
  117. }
  118. func TestLoadS3ApiConfiguration(t *testing.T) {
  119. testCases := map[string]*LoadS3ApiConfigurationTestCase{
  120. "notSpecifyAccountId": {
  121. pbIdent: &iam_pb.Identity{
  122. Name: "notSpecifyAccountId",
  123. Actions: []string{
  124. "Read",
  125. "Write",
  126. },
  127. Credentials: []*iam_pb.Credential{
  128. {
  129. AccessKey: "some_access_key1",
  130. SecretKey: "some_secret_key2",
  131. },
  132. },
  133. },
  134. expectIdent: &Identity{
  135. Name: "notSpecifyAccountId",
  136. AccountId: s3account.AccountAdmin.Id,
  137. Actions: []Action{
  138. "Read",
  139. "Write",
  140. },
  141. Credentials: []*Credential{
  142. {
  143. AccessKey: "some_access_key1",
  144. SecretKey: "some_secret_key2",
  145. },
  146. },
  147. },
  148. },
  149. "specifiedAccountID": {
  150. pbIdent: &iam_pb.Identity{
  151. Name: "specifiedAccountID",
  152. AccountId: "specifiedAccountID",
  153. Actions: []string{
  154. "Read",
  155. "Write",
  156. },
  157. },
  158. expectIdent: &Identity{
  159. Name: "specifiedAccountID",
  160. AccountId: "specifiedAccountID",
  161. Actions: []Action{
  162. "Read",
  163. "Write",
  164. },
  165. },
  166. },
  167. "anonymous": {
  168. pbIdent: &iam_pb.Identity{
  169. Name: "anonymous",
  170. Actions: []string{
  171. "Read",
  172. "Write",
  173. },
  174. },
  175. expectIdent: &Identity{
  176. Name: "anonymous",
  177. AccountId: "anonymous",
  178. Actions: []Action{
  179. "Read",
  180. "Write",
  181. },
  182. },
  183. },
  184. }
  185. config := &iam_pb.S3ApiConfiguration{
  186. Identities: make([]*iam_pb.Identity, 0),
  187. }
  188. for _, v := range testCases {
  189. config.Identities = append(config.Identities, v.pbIdent)
  190. }
  191. iam := IdentityAccessManagement{}
  192. err := iam.loadS3ApiConfiguration(config)
  193. if err != nil {
  194. return
  195. }
  196. for _, ident := range iam.identities {
  197. tc := testCases[ident.Name]
  198. if !reflect.DeepEqual(ident, tc.expectIdent) {
  199. t.Error("not expect")
  200. }
  201. }
  202. }