Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9366 Commits
33 Branches
301 Tags
176 MiB
Tree: b253a20faf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b253a20faf'
${ noResults }
seaweedfs/weed/s3api/s3api_acl_helper_test.go

1789 lines
56 KiB
Raw Normal View History

[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
[s3acl] Step1: move s3account.AccountManager into to iam.S3ApiConfiguration (#4859) * move s3account.AccountManager into to iam.S3ApiConfiguration and switch to Interface https://github.com/seaweedfs/seaweedfs/issues/4519 * fix: test bucket acl default and adjust the variable names * fix: s3 api config test --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com> Signed-off-by: LHHDZ <shichanglin5@qq.com>
1 year ago
add acl helper functionalities (#3831)
2 years ago
validate grants when setting ownership to `OwnershipBucketOwnerEnforced` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
optimize readability Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "encoding/json"
  6. "github.com/aws/aws-sdk-go/aws"
  7. "github.com/aws/aws-sdk-go/service/s3"
  8. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  9. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  10. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  11. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  12. "io"
  13. "net/http"
  14. "testing"
  15. )
  17. var accountManager *IdentityAccessManagement
  19. func init() {
  20. accountManager = &IdentityAccessManagement{}
  21. _ = accountManager.loadS3ApiConfiguration(&iam_pb.S3ApiConfiguration{
  22. Accounts: []*iam_pb.Account{
  23. {
  24. Id: "accountA",
  25. DisplayName: "accountAName",
  26. EmailAddress: "accountA@example.com",
  27. },
  28. {
  29. Id: "accountB",
  30. DisplayName: "accountBName",
  31. EmailAddress: "accountB@example.com",
  32. },
  33. },
  34. })
  35. }
  37. func TestGetAccountId(t *testing.T) {
  38. req := &http.Request{
  39. Header: make(map[string][]string),
  40. }
  41. //case1
  42. //accountId: "admin"
  43. req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAdminId)
  44. if GetAccountId(req) != s3_constants.AccountAdminId {
  45. t.Fatal("expect accountId: admin")
  46. }
  48. //case2
  49. //accountId: "anoymous"
  50. req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAnonymousId)
  51. if GetAccountId(req) != s3_constants.AccountAnonymousId {
  52. t.Fatal("expect accountId: anonymous")
  53. }
  55. //case3
  56. //accountId is nil => "anonymous"
  57. req.Header.Del(s3_constants.AmzAccountId)
  58. if GetAccountId(req) != s3_constants.AccountAnonymousId {
  59. t.Fatal("expect accountId: anonymous")
  60. }
  61. }
  63. func TestExtractAcl(t *testing.T) {
  64. type Case struct {
  65. id int
  66. resultErrCode, expectErrCode s3err.ErrorCode
  67. resultGrants, expectGrants []*s3.Grant
  68. }
  69. testCases := make([]*Case, 0)
  70. accountAdminId := "admin"
  71. {
  72. //case1 (good case)
  73. //parse acp from request body
  74. req := &http.Request{
  75. Header: make(map[string][]string),
  76. }
  77. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  78. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  79. <Owner>
  80. <ID>admin</ID>
  81. <DisplayName>admin</DisplayName>
  82. </Owner>
  83. <AccessControlList>
  84. <Grant>
  85. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  86. <ID>admin</ID>
  87. </Grantee>
  88. <Permission>FULL_CONTROL</Permission>
  89. </Grant>
  90. <Grant>
  91. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  92. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  93. </Grantee>
  94. <Permission>FULL_CONTROL</Permission>
  95. </Grant>
  96. </AccessControlList>
  97. </AccessControlPolicy>
  98. `)))
  99. objectWriter := "accountA"
  100. grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  101. testCases = append(testCases, &Case{
  102. 1,
  103. errCode, s3err.ErrNone,
  104. grants, []*s3.Grant{
  105. {
  106. Grantee: &s3.Grantee{
  107. Type: &s3_constants.GrantTypeCanonicalUser,
  108. ID: &accountAdminId,
  109. },
  110. Permission: &s3_constants.PermissionFullControl,
  111. },
  112. {
  113. Grantee: &s3.Grantee{
  114. Type: &s3_constants.GrantTypeGroup,
  115. URI: &s3_constants.GranteeGroupAllUsers,
  116. },
  117. Permission: &s3_constants.PermissionFullControl,
  118. },
  119. },
  120. })
  121. }
  123. {
  124. //case2 (good case)
  125. //parse acp from header (cannedAcl)
  126. req := &http.Request{
  127. Header: make(map[string][]string),
  128. }
  129. req.Body = nil
  130. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
  131. objectWriter := "accountA"
  132. grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  133. testCases = append(testCases, &Case{
  134. 2,
  135. errCode, s3err.ErrNone,
  136. grants, []*s3.Grant{
  137. {
  138. Grantee: &s3.Grantee{
  139. Type: &s3_constants.GrantTypeCanonicalUser,
  140. ID: &objectWriter,
  141. },
  142. Permission: &s3_constants.PermissionFullControl,
  143. },
  144. },
  145. })
  146. }
  148. {
  149. //case3 (bad case)
  150. //parse acp from request body (content is invalid)
  151. req := &http.Request{
  152. Header: make(map[string][]string),
  153. }
  154. req.Body = io.NopCloser(bytes.NewReader([]byte("zdfsaf")))
  155. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
  156. objectWriter := "accountA"
  157. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  158. testCases = append(testCases, &Case{
  159. id: 3,
  160. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  161. })
  162. }
  164. //case4 (bad case)
  165. //parse acp from header (cannedAcl is invalid)
  166. req := &http.Request{
  167. Header: make(map[string][]string),
  168. }
  169. req.Body = nil
  170. req.Header.Set(s3_constants.AmzCannedAcl, "dfaksjfk")
  171. objectWriter := "accountA"
  172. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, "", objectWriter)
  173. testCases = append(testCases, &Case{
  174. id: 4,
  175. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  176. })
  178. {
  179. //case5 (bad case)
  180. //parse acp from request body: owner is inconsistent
  181. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  182. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  183. <Owner>
  184. <ID>admin</ID>
  185. <DisplayName>admin</DisplayName>
  186. </Owner>
  187. <AccessControlList>
  188. <Grant>
  189. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  190. <ID>admin</ID>
  191. </Grantee>
  192. <Permission>FULL_CONTROL</Permission>
  193. </Grant>
  194. <Grant>
  195. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  196. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  197. </Grantee>
  198. <Permission>FULL_CONTROL</Permission>
  199. </Grant>
  200. </AccessControlList>
  201. </AccessControlPolicy>
  202. `)))
  203. objectWriter = "accountA"
  204. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, objectWriter, objectWriter)
  205. testCases = append(testCases, &Case{
  206. id: 5,
  207. resultErrCode: errCode, expectErrCode: s3err.ErrAccessDenied,
  208. })
  209. }
  211. for _, tc := range testCases {
  212. if tc.resultErrCode != tc.expectErrCode {
  213. t.Fatalf("case[%d]: errorCode not expect", tc.id)
  214. }
  215. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  216. t.Fatalf("case[%d]: grants not expect", tc.id)
  217. }
  218. }
  219. }
  221. func TestParseAndValidateAclHeaders(t *testing.T) {
  222. type Case struct {
  223. id int
  224. resultOwner, expectOwner string
  225. resultErrCode, expectErrCode s3err.ErrorCode
  226. resultGrants, expectGrants []*s3.Grant
  227. }
  228. testCases := make([]*Case, 0)
  229. bucketOwner := "admin"
  231. {
  232. //case1 (good case)
  233. //parse custom acl
  234. req := &http.Request{
  235. Header: make(map[string][]string),
  236. }
  237. objectWriter := "accountA"
  238. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="anonymous", emailAddress="admin@example.com"`)
  239. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  240. testCases = append(testCases, &Case{
  241. 1,
  242. ownerId, objectWriter,
  243. errCode, s3err.ErrNone,
  244. grants, []*s3.Grant{
  245. {
  246. Grantee: &s3.Grantee{
  247. Type: &s3_constants.GrantTypeGroup,
  248. URI: &s3_constants.GranteeGroupAllUsers,
  249. },
  250. Permission: &s3_constants.PermissionFullControl,
  251. },
  252. {
  253. Grantee: &s3.Grantee{
  254. Type: &s3_constants.GrantTypeCanonicalUser,
  255. ID: aws.String(s3_constants.AccountAnonymousId),
  256. },
  257. Permission: &s3_constants.PermissionFullControl,
  258. },
  259. {
  260. Grantee: &s3.Grantee{
  261. Type: &s3_constants.GrantTypeCanonicalUser,
  262. ID: aws.String(s3_constants.AccountAdminId),
  263. },
  264. Permission: &s3_constants.PermissionFullControl,
  265. },
  266. },
  267. })
  268. }
  269. {
  270. //case2 (good case)
  271. //parse canned acl (ownership=ObjectWriter)
  272. req := &http.Request{
  273. Header: make(map[string][]string),
  274. }
  275. objectWriter := "accountA"
  276. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  277. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  278. testCases = append(testCases, &Case{
  279. 2,
  280. ownerId, objectWriter,
  281. errCode, s3err.ErrNone,
  282. grants, []*s3.Grant{
  283. {
  284. Grantee: &s3.Grantee{
  285. Type: &s3_constants.GrantTypeCanonicalUser,
  286. ID: &objectWriter,
  287. },
  288. Permission: &s3_constants.PermissionFullControl,
  289. },
  290. {
  291. Grantee: &s3.Grantee{
  292. Type: &s3_constants.GrantTypeCanonicalUser,
  293. ID: &bucketOwner,
  294. },
  295. Permission: &s3_constants.PermissionFullControl,
  296. },
  297. },
  298. })
  299. }
  300. {
  301. //case3 (good case)
  302. //parse canned acl (ownership=OwnershipBucketOwnerPreferred)
  303. req := &http.Request{
  304. Header: make(map[string][]string),
  305. }
  306. objectWriter := "accountA"
  307. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  308. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwner, objectWriter, false)
  309. testCases = append(testCases, &Case{
  310. 3,
  311. ownerId, bucketOwner,
  312. errCode, s3err.ErrNone,
  313. grants, []*s3.Grant{
  314. {
  315. Grantee: &s3.Grantee{
  316. Type: &s3_constants.GrantTypeCanonicalUser,
  317. ID: &bucketOwner,
  318. },
  319. Permission: &s3_constants.PermissionFullControl,
  320. },
  321. },
  322. })
  323. }
  324. {
  325. //case4 (bad case)
  326. //parse custom acl (grantee id not exists)
  327. req := &http.Request{
  328. Header: make(map[string][]string),
  329. }
  330. objectWriter := "accountA"
  331. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="notExistsAccount", emailAddress="admin@example.com"`)
  332. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  333. testCases = append(testCases, &Case{
  334. id: 4,
  335. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  336. })
  337. }
  339. {
  340. //case5 (bad case)
  341. //parse custom acl (invalid format)
  342. req := &http.Request{
  343. Header: make(map[string][]string),
  344. }
  345. objectWriter := "accountA"
  346. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http:sfasf"`)
  347. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  348. testCases = append(testCases, &Case{
  349. id: 5,
  350. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  351. })
  352. }
  354. {
  355. //case6 (bad case)
  356. //parse canned acl (invalid value)
  357. req := &http.Request{
  358. Header: make(map[string][]string),
  359. }
  360. objectWriter := "accountA"
  361. req.Header.Set(s3_constants.AmzCannedAcl, `uri="http:sfasf"`)
  362. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  363. testCases = append(testCases, &Case{
  364. id: 5,
  365. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  366. })
  367. }
  369. for _, tc := range testCases {
  370. if tc.expectErrCode != tc.resultErrCode {
  371. t.Errorf("case[%d]: errCode unexpect", tc.id)
  372. }
  373. if tc.resultOwner != tc.expectOwner {
  374. t.Errorf("case[%d]: ownerId unexpect", tc.id)
  375. }
  376. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  377. t.Fatalf("case[%d]: grants not expect", tc.id)
  378. }
  379. }
  380. }
  382. func grantsEquals(a, b []*s3.Grant) bool {
  383. if len(a) != len(b) {
  384. return false
  385. }
  386. for i, grant := range a {
  387. if !GrantEquals(grant, b[i]) {
  388. return false
  389. }
  390. }
  391. return true
  392. }
  394. func TestDetermineReqGrants(t *testing.T) {
  395. {
  396. //case1: request account is anonymous
  397. accountId := s3_constants.AccountAnonymousId
  398. reqPermission := s3_constants.PermissionRead
  400. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  401. expectGrants := []*s3.Grant{
  402. {
  403. Grantee: &s3.Grantee{
  404. Type: &s3_constants.GrantTypeGroup,
  405. URI: &s3_constants.GranteeGroupAllUsers,
  406. },
  407. Permission: &reqPermission,
  408. },
  409. {
  410. Grantee: &s3.Grantee{
  411. Type: &s3_constants.GrantTypeGroup,
  412. URI: &s3_constants.GranteeGroupAllUsers,
  413. },
  414. Permission: &s3_constants.PermissionFullControl,
  415. },
  416. {
  417. Grantee: &s3.Grantee{
  418. Type: &s3_constants.GrantTypeCanonicalUser,
  419. ID: &accountId,
  420. },
  421. Permission: &reqPermission,
  422. },
  423. {
  424. Grantee: &s3.Grantee{
  425. Type: &s3_constants.GrantTypeCanonicalUser,
  426. ID: &accountId,
  427. },
  428. Permission: &s3_constants.PermissionFullControl,
  429. },
  430. }
  431. if !grantsEquals(resultGrants, expectGrants) {
  432. t.Fatalf("grants not expect")
  433. }
  434. }
  435. {
  436. //case2: request account is not anonymous (Iam authed)
  437. accountId := "accountX"
  438. reqPermission := s3_constants.PermissionRead
  440. resultGrants := DetermineRequiredGrants(accountId, reqPermission)
  441. expectGrants := []*s3.Grant{
  442. {
  443. Grantee: &s3.Grantee{
  444. Type: &s3_constants.GrantTypeGroup,
  445. URI: &s3_constants.GranteeGroupAllUsers,
  446. },
  447. Permission: &reqPermission,
  448. },
  449. {
  450. Grantee: &s3.Grantee{
  451. Type: &s3_constants.GrantTypeGroup,
  452. URI: &s3_constants.GranteeGroupAllUsers,
  453. },
  454. Permission: &s3_constants.PermissionFullControl,
  455. },
  456. {
  457. Grantee: &s3.Grantee{
  458. Type: &s3_constants.GrantTypeCanonicalUser,
  459. ID: &accountId,
  460. },
  461. Permission: &reqPermission,
  462. },
  463. {
  464. Grantee: &s3.Grantee{
  465. Type: &s3_constants.GrantTypeCanonicalUser,
  466. ID: &accountId,
  467. },
  468. Permission: &s3_constants.PermissionFullControl,
  469. },
  470. {
  471. Grantee: &s3.Grantee{
  472. Type: &s3_constants.GrantTypeGroup,
  473. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  474. },
  475. Permission: &reqPermission,
  476. },
  477. {
  478. Grantee: &s3.Grantee{
  479. Type: &s3_constants.GrantTypeGroup,
  480. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  481. },
  482. Permission: &s3_constants.PermissionFullControl,
  483. },
  484. }
  485. if !grantsEquals(resultGrants, expectGrants) {
  486. t.Fatalf("grants not expect")
  487. }
  488. }
  489. }
  491. func TestAssembleEntryWithAcp(t *testing.T) {
  492. defaultOwner := "admin"
  494. //case1
  495. //assemble with non-empty grants
  496. expectOwner := "accountS"
  497. expectGrants := []*s3.Grant{
  498. {
  499. Permission: &s3_constants.PermissionRead,
  500. Grantee: &s3.Grantee{
  501. Type: &s3_constants.GrantTypeGroup,
  502. ID: aws.String(s3_constants.AccountAdminId),
  503. URI: &s3_constants.GranteeGroupAllUsers,
  504. },
  505. },
  506. }
  507. entry := &filer_pb.Entry{}
  508. AssembleEntryWithAcp(entry, expectOwner, expectGrants)
  510. resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
  511. if resultOwner != expectOwner {
  512. t.Fatalf("owner not expect")
  513. }
  515. resultGrants := GetAcpGrants(nil, entry.Extended)
  516. if !grantsEquals(resultGrants, expectGrants) {
  517. t.Fatal("grants not expect")
  518. }
  520. //case2
  521. //assemble with empty grants (override)
  522. AssembleEntryWithAcp(entry, "", nil)
  523. resultOwner = GetAcpOwner(entry.Extended, defaultOwner)
  524. if resultOwner != defaultOwner {
  525. t.Fatalf("owner not expect")
  526. }
  528. resultGrants = GetAcpGrants(nil, entry.Extended)
  529. if len(resultGrants) != 0 {
  530. t.Fatal("grants not expect")
  531. }
  533. }
  535. func TestGrantEquals(t *testing.T) {
  536. testCases := map[bool]bool{
  537. GrantEquals(nil, nil): true,
  539. GrantEquals(&s3.Grant{}, nil): false,
  541. GrantEquals(&s3.Grant{}, &s3.Grant{}): true,
  543. GrantEquals(&s3.Grant{
  544. Permission: &s3_constants.PermissionRead,
  545. }, &s3.Grant{}): false,
  547. GrantEquals(&s3.Grant{
  548. Permission: &s3_constants.PermissionRead,
  549. }, &s3.Grant{
  550. Permission: &s3_constants.PermissionRead,
  551. }): true,
  553. GrantEquals(&s3.Grant{
  554. Permission: &s3_constants.PermissionRead,
  555. Grantee: &s3.Grantee{},
  556. }, &s3.Grant{
  557. Permission: &s3_constants.PermissionRead,
  558. Grantee: &s3.Grantee{},
  559. }): true,
  561. GrantEquals(&s3.Grant{
  562. Permission: &s3_constants.PermissionRead,
  563. Grantee: &s3.Grantee{
  564. Type: &s3_constants.GrantTypeGroup,
  565. },
  566. }, &s3.Grant{
  567. Permission: &s3_constants.PermissionRead,
  568. Grantee: &s3.Grantee{},
  569. }): false,
  571. //type not present, compare other fields of grant is meaningless
  572. GrantEquals(&s3.Grant{
  573. Permission: &s3_constants.PermissionRead,
  574. Grantee: &s3.Grantee{
  575. ID: aws.String(s3_constants.AccountAdminId),
  576. //EmailAddress: &s3account.AccountAdmin.EmailAddress,
  577. },
  578. }, &s3.Grant{
  579. Permission: &s3_constants.PermissionRead,
  580. Grantee: &s3.Grantee{
  581. ID: aws.String(s3_constants.AccountAdminId),
  582. },
  583. }): true,
  585. GrantEquals(&s3.Grant{
  586. Permission: &s3_constants.PermissionRead,
  587. Grantee: &s3.Grantee{
  588. Type: &s3_constants.GrantTypeGroup,
  589. },
  590. }, &s3.Grant{
  591. Permission: &s3_constants.PermissionRead,
  592. Grantee: &s3.Grantee{
  593. Type: &s3_constants.GrantTypeGroup,
  594. },
  595. }): true,
  597. GrantEquals(&s3.Grant{
  598. Permission: &s3_constants.PermissionRead,
  599. Grantee: &s3.Grantee{
  600. Type: &s3_constants.GrantTypeGroup,
  601. URI: &s3_constants.GranteeGroupAllUsers,
  602. },
  603. }, &s3.Grant{
  604. Permission: &s3_constants.PermissionRead,
  605. Grantee: &s3.Grantee{
  606. Type: &s3_constants.GrantTypeGroup,
  607. URI: &s3_constants.GranteeGroupAllUsers,
  608. },
  609. }): true,
  611. GrantEquals(&s3.Grant{
  612. Permission: &s3_constants.PermissionWrite,
  613. Grantee: &s3.Grantee{
  614. Type: &s3_constants.GrantTypeGroup,
  615. URI: &s3_constants.GranteeGroupAllUsers,
  616. },
  617. }, &s3.Grant{
  618. Permission: &s3_constants.PermissionRead,
  619. Grantee: &s3.Grantee{
  620. Type: &s3_constants.GrantTypeGroup,
  621. URI: &s3_constants.GranteeGroupAllUsers,
  622. },
  623. }): false,
  625. GrantEquals(&s3.Grant{
  626. Permission: &s3_constants.PermissionRead,
  627. Grantee: &s3.Grantee{
  628. Type: &s3_constants.GrantTypeGroup,
  629. ID: aws.String(s3_constants.AccountAdminId),
  630. },
  631. }, &s3.Grant{
  632. Permission: &s3_constants.PermissionRead,
  633. Grantee: &s3.Grantee{
  634. Type: &s3_constants.GrantTypeGroup,
  635. ID: aws.String(s3_constants.AccountAdminId),
  636. },
  637. }): true,
  639. GrantEquals(&s3.Grant{
  640. Permission: &s3_constants.PermissionRead,
  641. Grantee: &s3.Grantee{
  642. Type: &s3_constants.GrantTypeGroup,
  643. ID: aws.String(s3_constants.AccountAdminId),
  644. URI: &s3_constants.GranteeGroupAllUsers,
  645. },
  646. }, &s3.Grant{
  647. Permission: &s3_constants.PermissionRead,
  648. Grantee: &s3.Grantee{
  649. Type: &s3_constants.GrantTypeGroup,
  650. ID: aws.String(s3_constants.AccountAdminId),
  651. },
  652. }): false,
  654. GrantEquals(&s3.Grant{
  655. Permission: &s3_constants.PermissionRead,
  656. Grantee: &s3.Grantee{
  657. Type: &s3_constants.GrantTypeGroup,
  658. ID: aws.String(s3_constants.AccountAdminId),
  659. URI: &s3_constants.GranteeGroupAllUsers,
  660. },
  661. }, &s3.Grant{
  662. Permission: &s3_constants.PermissionRead,
  663. Grantee: &s3.Grantee{
  664. Type: &s3_constants.GrantTypeGroup,
  665. URI: &s3_constants.GranteeGroupAllUsers,
  666. },
  667. }): true,
  668. }
  670. for tc, expect := range testCases {
  671. if tc != expect {
  672. t.Fatal("TestGrantEquals not expect!")
  673. }
  674. }
  675. }
  677. func TestSetAcpOwnerHeader(t *testing.T) {
  678. ownerId := "accountZ"
  679. req := &http.Request{
  680. Header: make(map[string][]string),
  681. }
  682. SetAcpOwnerHeader(req, ownerId)
  684. if req.Header.Get(s3_constants.ExtAmzOwnerKey) != ownerId {
  685. t.Fatalf("owner unexpect")
  686. }
  687. }
  689. func TestSetAcpGrantsHeader(t *testing.T) {
  690. req := &http.Request{
  691. Header: make(map[string][]string),
  692. }
  693. grants := []*s3.Grant{
  694. {
  695. Permission: &s3_constants.PermissionRead,
  696. Grantee: &s3.Grantee{
  697. Type: &s3_constants.GrantTypeGroup,
  698. ID: aws.String(s3_constants.AccountAdminId),
  699. URI: &s3_constants.GranteeGroupAllUsers,
  700. },
  701. },
  702. }
  703. SetAcpGrantsHeader(req, grants)
  705. grantsJson, _ := json.Marshal(grants)
  706. if req.Header.Get(s3_constants.ExtAmzAclKey) != string(grantsJson) {
  707. t.Fatalf("owner unexpect")
  708. }
  709. }
  711. func TestGrantWithFullControl(t *testing.T) {
  712. accountId := "Accountaskdfj"
  713. expect := &s3.Grant{
  714. Permission: &s3_constants.PermissionFullControl,
  715. Grantee: &s3.Grantee{
  716. Type: &s3_constants.GrantTypeCanonicalUser,
  717. ID: &accountId,
  718. },
  719. }
  721. result := GrantWithFullControl(accountId)
  723. if !GrantEquals(result, expect) {
  724. t.Fatal("GrantWithFullControl not expect")
  725. }
  726. }
  728. func TestExtractObjectAcl(t *testing.T) {
  729. type Case struct {
  730. id string
  731. resultErrCode, expectErrCode s3err.ErrorCode
  732. resultGrants, expectGrants []*s3.Grant
  733. resultOwnerId, expectOwnerId string
  734. }
  735. testCases := make([]*Case, 0)
  736. accountAdminId := "admin"
  738. //Request body to specify AccessControlList
  739. {
  740. //ownership: ObjectWriter
  741. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  742. req := &http.Request{
  743. Header: make(map[string][]string),
  744. }
  745. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  746. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  747. <Owner>
  748. <ID>admin</ID>
  749. <DisplayName>admin</DisplayName>
  750. </Owner>
  751. <AccessControlList>
  752. <Grant>
  753. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  754. <ID>admin</ID>
  755. </Grantee>
  756. <Permission>FULL_CONTROL</Permission>
  757. </Grant>
  758. <Grant>
  759. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  760. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  761. </Grantee>
  762. <Permission>FULL_CONTROL</Permission>
  763. </Grant>
  764. </AccessControlList>
  765. </AccessControlPolicy>
  766. `)))
  767. requestAccountId := "accountA"
  768. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  769. testCases = append(testCases, &Case{
  770. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  771. errCode, s3err.ErrNone,
  772. grants, []*s3.Grant{
  773. {
  774. Grantee: &s3.Grantee{
  775. Type: &s3_constants.GrantTypeCanonicalUser,
  776. ID: &accountAdminId,
  777. },
  778. Permission: &s3_constants.PermissionFullControl,
  779. },
  780. {
  781. Grantee: &s3.Grantee{
  782. Type: &s3_constants.GrantTypeGroup,
  783. URI: &s3_constants.GranteeGroupAllUsers,
  784. },
  785. Permission: &s3_constants.PermissionFullControl,
  786. },
  787. },
  788. ownerId, accountAdminId,
  789. })
  790. }
  791. {
  792. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  793. //s3:PutObjectAcl('createObject' is set to false), config acl through request body
  794. req := &http.Request{
  795. Header: make(map[string][]string),
  796. }
  797. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  798. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  799. <Owner>
  800. <ID>admin</ID>
  801. <DisplayName>admin</DisplayName>
  802. </Owner>
  803. <AccessControlList>
  804. <Grant>
  805. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  806. <ID>admin</ID>
  807. </Grantee>
  808. <Permission>FULL_CONTROL</Permission>
  809. </Grant>
  810. <Grant>
  811. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  812. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  813. </Grantee>
  814. <Permission>FULL_CONTROL</Permission>
  815. </Grant>
  816. </AccessControlList>
  817. </AccessControlPolicy>
  818. `)))
  819. requestAccountId := "accountA"
  820. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  821. testCases = append(testCases, &Case{
  822. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  823. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  824. })
  825. }
  826. {
  827. //ownership: ObjectWriter
  828. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  829. req := &http.Request{
  830. Header: make(map[string][]string),
  831. }
  832. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  833. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  834. <Owner>
  835. <ID>admin</ID>
  836. <DisplayName>admin</DisplayName>
  837. </Owner>
  838. <AccessControlList>
  839. <Grant>
  840. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  841. <ID>admin</ID>
  842. </Grantee>
  843. <Permission>FULL_CONTROL</Permission>
  844. </Grant>
  845. <Grant>
  846. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  847. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  848. </Grantee>
  849. <Permission>FULL_CONTROL</Permission>
  850. </Grant>
  851. </AccessControlList>
  852. </AccessControlPolicy>
  853. `)))
  854. requestAccountId := "accountA"
  855. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  856. testCases = append(testCases, &Case{
  857. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  858. errCode, s3err.ErrNone,
  859. grants, []*s3.Grant{},
  860. ownerId, "",
  861. })
  862. }
  863. {
  864. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  865. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  866. req := &http.Request{
  867. Header: make(map[string][]string),
  868. }
  869. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  870. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  871. <Owner>
  872. <ID>admin</ID>
  873. <DisplayName>admin</DisplayName>
  874. </Owner>
  875. <AccessControlList>
  876. <Grant>
  877. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  878. <ID>admin</ID>
  879. </Grantee>
  880. <Permission>FULL_CONTROL</Permission>
  881. </Grant>
  882. <Grant>
  883. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  884. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  885. </Grantee>
  886. <Permission>FULL_CONTROL</Permission>
  887. </Grant>
  888. </AccessControlList>
  889. </AccessControlPolicy>
  890. `)))
  891. requestAccountId := "accountA"
  892. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  893. testCases = append(testCases, &Case{
  894. "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  895. errCode, s3err.ErrNone,
  896. grants, []*s3.Grant{},
  897. ownerId, "",
  898. })
  899. }
  901. //CannedAcl Header to specify ACL
  902. //cannedAcl, putObjectACL
  903. {
  904. //ownership: ObjectWriter
  905. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  906. req := &http.Request{
  907. Header: make(map[string][]string),
  908. }
  909. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  910. bucketOwnerId := "admin"
  911. requestAccountId := "accountA"
  912. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  913. testCases = append(testCases, &Case{
  914. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  915. errCode, s3err.ErrNone,
  916. grants, []*s3.Grant{
  917. {
  918. Grantee: &s3.Grantee{
  919. Type: &s3_constants.GrantTypeCanonicalUser,
  920. ID: &requestAccountId,
  921. },
  922. Permission: &s3_constants.PermissionFullControl,
  923. },
  924. {
  925. Grantee: &s3.Grantee{
  926. Type: &s3_constants.GrantTypeCanonicalUser,
  927. ID: &bucketOwnerId,
  928. },
  929. Permission: &s3_constants.PermissionFullControl,
  930. },
  931. },
  932. ownerId, "",
  933. })
  934. }
  935. {
  936. //ownership: BucketOwnerPreferred
  937. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  938. req := &http.Request{
  939. Header: make(map[string][]string),
  940. }
  941. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  942. bucketOwnerId := "admin"
  943. requestAccountId := "accountA"
  944. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  945. testCases = append(testCases, &Case{
  946. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  947. errCode, s3err.ErrNone,
  948. grants, []*s3.Grant{
  949. {
  950. Grantee: &s3.Grantee{
  951. Type: &s3_constants.GrantTypeCanonicalUser,
  952. ID: &requestAccountId,
  953. },
  954. Permission: &s3_constants.PermissionFullControl,
  955. },
  956. {
  957. Grantee: &s3.Grantee{
  958. Type: &s3_constants.GrantTypeCanonicalUser,
  959. ID: &bucketOwnerId,
  960. },
  961. Permission: &s3_constants.PermissionFullControl,
  962. },
  963. },
  964. ownerId, "",
  965. })
  966. }
  967. {
  968. //ownership: BucketOwnerEnforced
  969. //s3:PutObjectACL('createObject' is set to false), parse cannedACL header
  970. req := &http.Request{
  971. Header: make(map[string][]string),
  972. }
  973. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  974. bucketOwnerId := "admin"
  975. requestAccountId := "accountA"
  976. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  977. testCases = append(testCases, &Case{
  978. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  979. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  980. })
  981. }
  982. //cannedACL, putObject
  983. {
  984. //ownership: ObjectWriter
  985. //s3:PutObject('createObject' is set to true), parse cannedACL header
  986. req := &http.Request{
  987. Header: make(map[string][]string),
  988. }
  989. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  990. bucketOwnerId := "admin"
  991. requestAccountId := "accountA"
  992. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  993. testCases = append(testCases, &Case{
  994. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-CannedAcl",
  995. errCode, s3err.ErrNone,
  996. grants, []*s3.Grant{
  997. {
  998. Grantee: &s3.Grantee{
  999. Type: &s3_constants.GrantTypeCanonicalUser,
  1000. ID: &requestAccountId,
  1001. },
  1002. Permission: &s3_constants.PermissionFullControl,
  1003. },
  1004. {
  1005. Grantee: &s3.Grantee{
  1006. Type: &s3_constants.GrantTypeCanonicalUser,
  1007. ID: &bucketOwnerId,
  1008. },
  1009. Permission: &s3_constants.PermissionFullControl,
  1010. },
  1011. },
  1012. ownerId, "",
  1013. })
  1014. }
  1015. {
  1016. //ownership: BucketOwnerPreferred
  1017. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1018. req := &http.Request{
  1019. Header: make(map[string][]string),
  1020. }
  1021. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1022. bucketOwnerId := "admin"
  1023. requestAccountId := "accountA"
  1024. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1025. testCases = append(testCases, &Case{
  1026. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  1027. errCode, s3err.ErrNone,
  1028. grants, []*s3.Grant{
  1029. {
  1030. Grantee: &s3.Grantee{
  1031. Type: &s3_constants.GrantTypeCanonicalUser,
  1032. ID: &bucketOwnerId,
  1033. },
  1034. Permission: &s3_constants.PermissionFullControl,
  1035. },
  1036. },
  1037. ownerId, "",
  1038. })
  1039. }
  1040. {
  1041. //ownership: BucketOwnerEnforced
  1042. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1043. req := &http.Request{
  1044. Header: make(map[string][]string),
  1045. }
  1046. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1047. bucketOwnerId := "admin"
  1048. requestAccountId := "accountA"
  1049. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1050. testCases = append(testCases, &Case{
  1051. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1052. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1053. })
  1054. }
  1056. //cannedAcl, putObjectACL
  1057. {
  1058. //ownership: ObjectWriter
  1059. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  1060. req := &http.Request{
  1061. Header: make(map[string][]string),
  1062. }
  1063. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1064. bucketOwnerId := "admin"
  1065. requestAccountId := "accountA"
  1066. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1067. testCases = append(testCases, &Case{
  1068. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  1069. errCode, s3err.ErrNone,
  1070. grants, []*s3.Grant{
  1071. {
  1072. Grantee: &s3.Grantee{
  1073. Type: &s3_constants.GrantTypeCanonicalUser,
  1074. ID: &requestAccountId,
  1075. },
  1076. Permission: &s3_constants.PermissionFullControl,
  1077. },
  1078. {
  1079. Grantee: &s3.Grantee{
  1080. Type: &s3_constants.GrantTypeCanonicalUser,
  1081. ID: &bucketOwnerId,
  1082. },
  1083. Permission: &s3_constants.PermissionFullControl,
  1084. },
  1085. },
  1086. ownerId, "",
  1087. })
  1088. }
  1089. {
  1090. //ownership: BucketOwnerPreferred
  1091. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  1092. req := &http.Request{
  1093. Header: make(map[string][]string),
  1094. }
  1095. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1096. bucketOwnerId := "admin"
  1097. requestAccountId := "accountA"
  1098. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1099. testCases = append(testCases, &Case{
  1100. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  1101. errCode, s3err.ErrNone,
  1102. grants, []*s3.Grant{
  1103. {
  1104. Grantee: &s3.Grantee{
  1105. Type: &s3_constants.GrantTypeCanonicalUser,
  1106. ID: &requestAccountId,
  1107. },
  1108. Permission: &s3_constants.PermissionFullControl,
  1109. },
  1110. {
  1111. Grantee: &s3.Grantee{
  1112. Type: &s3_constants.GrantTypeCanonicalUser,
  1113. ID: &bucketOwnerId,
  1114. },
  1115. Permission: &s3_constants.PermissionFullControl,
  1116. },
  1117. },
  1118. ownerId, "",
  1119. })
  1120. }
  1121. {
  1122. //ownership: BucketOwnerEnforced
  1123. //s3:PutObjectACL('createObject' is set to false), parse customAcl header
  1124. req := &http.Request{
  1125. Header: make(map[string][]string),
  1126. }
  1127. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1128. bucketOwnerId := "admin"
  1129. requestAccountId := "accountA"
  1130. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1131. testCases = append(testCases, &Case{
  1132. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  1133. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1134. })
  1135. }
  1136. //customAcl, putObject
  1137. {
  1138. //ownership: ObjectWriter
  1139. //s3:PutObject('createObject' is set to true), parse customAcl header
  1140. req := &http.Request{
  1141. Header: make(map[string][]string),
  1142. }
  1143. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1144. bucketOwnerId := "admin"
  1145. requestAccountId := "accountA"
  1146. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1147. testCases = append(testCases, &Case{
  1148. "TestExtractObjectAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  1149. errCode, s3err.ErrNone,
  1150. grants, []*s3.Grant{
  1151. {
  1152. Grantee: &s3.Grantee{
  1153. Type: &s3_constants.GrantTypeCanonicalUser,
  1154. ID: &requestAccountId,
  1155. },
  1156. Permission: &s3_constants.PermissionFullControl,
  1157. },
  1158. {
  1159. Grantee: &s3.Grantee{
  1160. Type: &s3_constants.GrantTypeCanonicalUser,
  1161. ID: &bucketOwnerId,
  1162. },
  1163. Permission: &s3_constants.PermissionFullControl,
  1164. },
  1165. },
  1166. ownerId, "",
  1167. })
  1168. }
  1169. {
  1170. //ownership: BucketOwnerPreferred
  1171. //s3:PutObject('createObject' is set to true), parse customAcl header
  1172. req := &http.Request{
  1173. Header: make(map[string][]string),
  1174. }
  1175. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  1176. bucketOwnerId := "admin"
  1177. requestAccountId := "accountA"
  1178. ownerId, grants, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1179. testCases = append(testCases, &Case{
  1180. "TestExtractObjectAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  1181. errCode, s3err.ErrNone,
  1182. grants, []*s3.Grant{
  1183. {
  1184. Grantee: &s3.Grantee{
  1185. Type: &s3_constants.GrantTypeCanonicalUser,
  1186. ID: &bucketOwnerId,
  1187. },
  1188. Permission: &s3_constants.PermissionFullControl,
  1189. },
  1190. },
  1191. ownerId, "",
  1192. })
  1193. }
  1194. {
  1195. //ownership: BucketOwnerEnforced
  1196. //s3:PutObject('createObject' is set to true), parse customAcl header
  1197. req := &http.Request{
  1198. Header: make(map[string][]string),
  1199. }
  1200. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1201. bucketOwnerId := "admin"
  1202. requestAccountId := "accountA"
  1203. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1204. testCases = append(testCases, &Case{
  1205. id: "TestExtractObjectAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  1206. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1207. })
  1208. }
  1210. {
  1211. //parse acp from request header: both canned acl and custom acl not allowed
  1212. req := &http.Request{
  1213. Header: make(map[string][]string),
  1214. }
  1215. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1216. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1217. bucketOwnerId := "admin"
  1218. requestAccountId := "accountA"
  1219. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1220. testCases = append(testCases, &Case{
  1221. id: "Only one of cannedAcl, customAcl is allowed",
  1222. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  1223. })
  1224. }
  1226. {
  1227. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  1228. req := &http.Request{
  1229. Header: make(map[string][]string),
  1230. }
  1231. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1232. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1233. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1234. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1235. <Owner>
  1236. <ID>admin</ID>
  1237. <DisplayName>admin</DisplayName>
  1238. </Owner>
  1239. <AccessControlList>
  1240. <Grant>
  1241. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1242. <ID>admin</ID>
  1243. </Grantee>
  1244. <Permission>FULL_CONTROL</Permission>
  1245. </Grant>
  1246. <Grant>
  1247. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1248. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1249. </Grantee>
  1250. <Permission>FULL_CONTROL</Permission>
  1251. </Grant>
  1252. </AccessControlList>
  1253. </AccessControlPolicy>
  1254. `)))
  1255. requestAccountId := "accountA"
  1256. _, _, errCode := ExtractObjectAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  1257. testCases = append(testCases, &Case{
  1258. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  1259. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  1260. })
  1261. }
  1262. for _, tc := range testCases {
  1263. if tc.resultErrCode != tc.expectErrCode {
  1264. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  1265. }
  1266. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  1267. t.Fatalf("case[%s]: grants not expect", tc.id)
  1268. }
  1269. }
  1270. }
  1272. func TestBucketObjectAcl(t *testing.T) {
  1273. type Case struct {
  1274. id string
  1275. resultErrCode, expectErrCode s3err.ErrorCode
  1276. resultGrants, expectGrants []*s3.Grant
  1277. }
  1278. testCases := make([]*Case, 0)
  1279. accountAdminId := "admin"
  1281. //Request body to specify AccessControlList
  1282. {
  1283. //ownership: ObjectWriter
  1284. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  1285. req := &http.Request{
  1286. Header: make(map[string][]string),
  1287. }
  1288. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1289. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1290. <Owner>
  1291. <ID>admin</ID>
  1292. <DisplayName>admin</DisplayName>
  1293. </Owner>
  1294. <AccessControlList>
  1295. <Grant>
  1296. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1297. <ID>admin</ID>
  1298. </Grantee>
  1299. <Permission>FULL_CONTROL</Permission>
  1300. </Grant>
  1301. <Grant>
  1302. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1303. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1304. </Grantee>
  1305. <Permission>FULL_CONTROL</Permission>
  1306. </Grant>
  1307. </AccessControlList>
  1308. </AccessControlPolicy>
  1309. `)))
  1310. bucketOwnerId := "admin"
  1311. requestAccountId := "accountA"
  1312. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1313. testCases = append(testCases, &Case{
  1314. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-requestBody",
  1315. errCode, s3err.ErrNone,
  1316. grants, []*s3.Grant{
  1317. {
  1318. Grantee: &s3.Grantee{
  1319. Type: &s3_constants.GrantTypeCanonicalUser,
  1320. ID: &accountAdminId,
  1321. },
  1322. Permission: &s3_constants.PermissionFullControl,
  1323. },
  1324. {
  1325. Grantee: &s3.Grantee{
  1326. Type: &s3_constants.GrantTypeGroup,
  1327. URI: &s3_constants.GranteeGroupAllUsers,
  1328. },
  1329. Permission: &s3_constants.PermissionFullControl,
  1330. },
  1331. },
  1332. })
  1333. }
  1334. {
  1335. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1336. //s3:PutBucketAcl('createObject' is set to false), config acl through request body
  1337. req := &http.Request{
  1338. Header: make(map[string][]string),
  1339. }
  1340. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1341. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1342. <Owner>
  1343. <ID>admin</ID>
  1344. <DisplayName>admin</DisplayName>
  1345. </Owner>
  1346. <AccessControlList>
  1347. <Grant>
  1348. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1349. <ID>admin</ID>
  1350. </Grantee>
  1351. <Permission>FULL_CONTROL</Permission>
  1352. </Grant>
  1353. <Grant>
  1354. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1355. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1356. </Grantee>
  1357. <Permission>FULL_CONTROL</Permission>
  1358. </Grant>
  1359. </AccessControlList>
  1360. </AccessControlPolicy>
  1361. `)))
  1362. requestAccountId := "accountA"
  1363. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, false)
  1364. testCases = append(testCases, &Case{
  1365. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-requestBody",
  1366. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1367. })
  1368. }
  1369. {
  1370. //ownership: ObjectWriter
  1371. //s3:PutObject('createObject' is set to false), request body will be ignored when parse acl
  1372. req := &http.Request{
  1373. Header: make(map[string][]string),
  1374. }
  1375. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1376. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1377. <Owner>
  1378. <ID>admin</ID>
  1379. <DisplayName>admin</DisplayName>
  1380. </Owner>
  1381. <AccessControlList>
  1382. <Grant>
  1383. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1384. <ID>admin</ID>
  1385. </Grantee>
  1386. <Permission>FULL_CONTROL</Permission>
  1387. </Grant>
  1388. <Grant>
  1389. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1390. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1391. </Grantee>
  1392. <Permission>FULL_CONTROL</Permission>
  1393. </Grant>
  1394. </AccessControlList>
  1395. </AccessControlPolicy>
  1396. `)))
  1397. requestAccountId := "accountA"
  1398. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, true)
  1399. testCases = append(testCases, &Case{
  1400. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-requestBody",
  1401. errCode, s3err.ErrNone,
  1402. grants, []*s3.Grant{},
  1403. })
  1404. }
  1405. {
  1406. //ownership: BucketOwnerEnforced (extra acl is not allowed)
  1407. //s3:PutObject('createObject' is set to true), request body will be ignored when parse acl
  1408. req := &http.Request{
  1409. Header: make(map[string][]string),
  1410. }
  1411. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1412. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1413. <Owner>
  1414. <ID>admin</ID>
  1415. <DisplayName>admin</DisplayName>
  1416. </Owner>
  1417. <AccessControlList>
  1418. <Grant>
  1419. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1420. <ID>admin</ID>
  1421. </Grantee>
  1422. <Permission>FULL_CONTROL</Permission>
  1423. </Grant>
  1424. <Grant>
  1425. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1426. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1427. </Grantee>
  1428. <Permission>FULL_CONTROL</Permission>
  1429. </Grant>
  1430. </AccessControlList>
  1431. </AccessControlPolicy>
  1432. `)))
  1433. requestAccountId := "accountA"
  1434. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, accountAdminId, requestAccountId, true)
  1435. testCases = append(testCases, &Case{
  1436. "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-requestBody",
  1437. errCode, s3err.ErrNone,
  1438. grants, []*s3.Grant{},
  1439. })
  1440. }
  1442. //CannedAcl Header to specify ACL
  1443. //cannedAcl, PutBucketAcl
  1444. {
  1445. //ownership: ObjectWriter
  1446. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1447. req := &http.Request{
  1448. Header: make(map[string][]string),
  1449. }
  1450. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1451. bucketOwnerId := "admin"
  1452. requestAccountId := "accountA"
  1453. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1454. testCases = append(testCases, &Case{
  1455. id: "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-CannedAcl",
  1456. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1457. })
  1458. }
  1459. {
  1460. //ownership: BucketOwnerPreferred
  1461. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1462. req := &http.Request{
  1463. Header: make(map[string][]string),
  1464. }
  1465. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1466. bucketOwnerId := "admin"
  1467. requestAccountId := "accountA"
  1468. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1469. testCases = append(testCases, &Case{
  1470. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-CannedAcl",
  1471. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1472. })
  1473. }
  1474. {
  1475. //ownership: BucketOwnerEnforced
  1476. //s3:PutBucketAcl('createObject' is set to false), parse cannedACL header
  1477. req := &http.Request{
  1478. Header: make(map[string][]string),
  1479. }
  1480. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1481. bucketOwnerId := "admin"
  1482. requestAccountId := "accountA"
  1483. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1484. testCases = append(testCases, &Case{
  1485. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-CannedAcl",
  1486. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1487. })
  1488. }
  1489. //cannedACL, createBucket
  1490. {
  1491. //ownership: ObjectWriter
  1492. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1493. req := &http.Request{
  1494. Header: make(map[string][]string),
  1495. }
  1496. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1497. bucketOwnerId := "admin"
  1498. requestAccountId := "accountA"
  1499. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1500. testCases = append(testCases, &Case{
  1501. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1502. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1503. })
  1504. }
  1505. {
  1506. //ownership: BucketOwnerPreferred
  1507. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1508. req := &http.Request{
  1509. Header: make(map[string][]string),
  1510. }
  1511. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1512. bucketOwnerId := "admin"
  1513. requestAccountId := "accountA"
  1514. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1515. testCases = append(testCases, &Case{
  1516. id: "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-CannedAcl",
  1517. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1518. })
  1519. }
  1520. {
  1521. //ownership: BucketOwnerEnforced
  1522. //s3:PutObject('createObject' is set to true), parse cannedACL header
  1523. req := &http.Request{
  1524. Header: make(map[string][]string),
  1525. }
  1526. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  1527. bucketOwnerId := "admin"
  1528. requestAccountId := "accountA"
  1529. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1530. testCases = append(testCases, &Case{
  1531. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-CannedAcl",
  1532. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidAclArgument,
  1533. })
  1534. }
  1536. //customAcl, PutBucketAcl
  1537. {
  1538. //ownership: ObjectWriter
  1539. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1540. req := &http.Request{
  1541. Header: make(map[string][]string),
  1542. }
  1543. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1544. bucketOwnerId := "admin"
  1545. requestAccountId := "accountA"
  1546. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1547. testCases = append(testCases, &Case{
  1548. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-false, acl-customAcl",
  1549. errCode, s3err.ErrNone,
  1550. grants, []*s3.Grant{
  1551. {
  1552. Grantee: &s3.Grantee{
  1553. Type: &s3_constants.GrantTypeCanonicalUser,
  1554. ID: &requestAccountId,
  1555. },
  1556. Permission: &s3_constants.PermissionFullControl,
  1557. },
  1558. {
  1559. Grantee: &s3.Grantee{
  1560. Type: &s3_constants.GrantTypeCanonicalUser,
  1561. ID: &bucketOwnerId,
  1562. },
  1563. Permission: &s3_constants.PermissionFullControl,
  1564. },
  1565. },
  1566. })
  1567. }
  1568. {
  1569. //ownership: BucketOwnerPreferred
  1570. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1571. req := &http.Request{
  1572. Header: make(map[string][]string),
  1573. }
  1574. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1575. bucketOwnerId := "admin"
  1576. requestAccountId := "accountA"
  1577. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, false)
  1578. testCases = append(testCases, &Case{
  1579. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-false, acl-customAcl",
  1580. errCode, s3err.ErrNone,
  1581. grants, []*s3.Grant{
  1582. {
  1583. Grantee: &s3.Grantee{
  1584. Type: &s3_constants.GrantTypeCanonicalUser,
  1585. ID: &requestAccountId,
  1586. },
  1587. Permission: &s3_constants.PermissionFullControl,
  1588. },
  1589. {
  1590. Grantee: &s3.Grantee{
  1591. Type: &s3_constants.GrantTypeCanonicalUser,
  1592. ID: &bucketOwnerId,
  1593. },
  1594. Permission: &s3_constants.PermissionFullControl,
  1595. },
  1596. },
  1597. })
  1598. }
  1599. {
  1600. //ownership: BucketOwnerEnforced
  1601. //s3:PutBucketAcl('createObject' is set to false), parse customAcl header
  1602. req := &http.Request{
  1603. Header: make(map[string][]string),
  1604. }
  1605. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1606. bucketOwnerId := "admin"
  1607. requestAccountId := "accountA"
  1608. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, false)
  1609. testCases = append(testCases, &Case{
  1610. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-false, acl-customAcl",
  1611. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1612. })
  1613. }
  1614. //customAcl, putObject
  1615. {
  1616. //ownership: ObjectWriter
  1617. //s3:PutObject('createObject' is set to true), parse customAcl header
  1618. req := &http.Request{
  1619. Header: make(map[string][]string),
  1620. }
  1621. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1622. bucketOwnerId := "admin"
  1623. requestAccountId := "accountA"
  1624. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, true)
  1625. testCases = append(testCases, &Case{
  1626. "TestExtractBucketAcl: ownership-ObjectWriter, createObject-true, acl-customAcl",
  1627. errCode, s3err.ErrNone,
  1628. grants, []*s3.Grant{
  1629. {
  1630. Grantee: &s3.Grantee{
  1631. Type: &s3_constants.GrantTypeCanonicalUser,
  1632. ID: &requestAccountId,
  1633. },
  1634. Permission: &s3_constants.PermissionFullControl,
  1635. },
  1636. {
  1637. Grantee: &s3.Grantee{
  1638. Type: &s3_constants.GrantTypeCanonicalUser,
  1639. ID: &bucketOwnerId,
  1640. },
  1641. Permission: &s3_constants.PermissionFullControl,
  1642. },
  1643. },
  1644. })
  1645. }
  1646. {
  1647. //ownership: BucketOwnerPreferred
  1648. //s3:PutObject('createObject' is set to true), parse customAcl header
  1649. req := &http.Request{
  1650. Header: make(map[string][]string),
  1651. }
  1652. req.Header.Set(s3_constants.AmzAclFullControl, "id=\"admin\"")
  1653. bucketOwnerId := "admin"
  1654. requestAccountId := "accountA"
  1655. grants, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwnerId, requestAccountId, true)
  1656. testCases = append(testCases, &Case{
  1657. "TestExtractBucketAcl: ownership-BucketOwnerPreferred, createObject-true, acl-customAcl",
  1658. errCode, s3err.ErrNone,
  1659. grants, []*s3.Grant{
  1660. {
  1661. Grantee: &s3.Grantee{
  1662. Type: &s3_constants.GrantTypeCanonicalUser,
  1663. ID: &bucketOwnerId,
  1664. },
  1665. Permission: &s3_constants.PermissionFullControl,
  1666. },
  1667. },
  1668. })
  1669. }
  1670. {
  1671. //ownership: BucketOwnerEnforced
  1672. //s3:PutObject('createObject' is set to true), parse customAcl header
  1673. req := &http.Request{
  1674. Header: make(map[string][]string),
  1675. }
  1676. req.Header.Set(s3_constants.AmzAclFullControl, "id=accountA,id=\"admin\"")
  1677. bucketOwnerId := "admin"
  1678. requestAccountId := "accountA"
  1679. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipBucketOwnerEnforced, bucketOwnerId, requestAccountId, true)
  1680. testCases = append(testCases, &Case{
  1681. id: "TestExtractBucketAcl: ownership-BucketOwnerEnforced, createObject-true, acl-customAcl",
  1682. resultErrCode: errCode, expectErrCode: s3err.AccessControlListNotSupported,
  1683. })
  1684. }
  1686. {
  1687. //parse acp from request header: both canned acl and custom acl not allowed
  1688. req := &http.Request{
  1689. Header: make(map[string][]string),
  1690. }
  1691. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1692. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1693. bucketOwnerId := "admin"
  1694. requestAccountId := "accountA"
  1695. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwnerId, requestAccountId, false)
  1696. testCases = append(testCases, &Case{
  1697. id: "Only one of cannedAcl, customAcl is allowed",
  1698. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  1699. })
  1700. }
  1702. {
  1703. //Acl can only be specified in one of requestBody, cannedAcl, customAcl, simultaneous use is not allowed
  1704. req := &http.Request{
  1705. Header: make(map[string][]string),
  1706. }
  1707. req.Header.Set(s3_constants.AmzAclFullControl, "id=admin, id=\"accountA\"")
  1708. req.Header.Set(s3_constants.AmzCannedAcl, "private")
  1709. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  1710. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  1711. <Owner>
  1712. <ID>admin</ID>
  1713. <DisplayName>admin</DisplayName>
  1714. </Owner>
  1715. <AccessControlList>
  1716. <Grant>
  1717. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  1718. <ID>admin</ID>
  1719. </Grantee>
  1720. <Permission>FULL_CONTROL</Permission>
  1721. </Grant>
  1722. <Grant>
  1723. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  1724. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  1725. </Grantee>
  1726. <Permission>FULL_CONTROL</Permission>
  1727. </Grant>
  1728. </AccessControlList>
  1729. </AccessControlPolicy>
  1730. `)))
  1731. requestAccountId := "accountA"
  1732. _, errCode := ExtractBucketAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, requestAccountId, false)
  1733. testCases = append(testCases, &Case{
  1734. id: "Only one of requestBody, cannedAcl, customAcl is allowed",
  1735. resultErrCode: errCode, expectErrCode: s3err.ErrUnexpectedContent,
  1736. })
  1737. }
  1738. for _, tc := range testCases {
  1739. if tc.resultErrCode != tc.expectErrCode {
  1740. t.Fatalf("case[%s]: errorCode[%v] not expect[%v]", tc.id, s3err.GetAPIError(tc.resultErrCode).Code, s3err.GetAPIError(tc.expectErrCode).Code)
  1741. }
  1742. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  1743. t.Fatalf("case[%s]: grants not expect", tc.id)
  1744. }
  1745. }
  1746. }
  1748. func TestMarshalGrantsToJson(t *testing.T) {
  1749. //ok
  1750. bucketOwnerId := "admin"
  1751. requestAccountId := "accountA"
  1752. grants := []*s3.Grant{
  1753. {
  1754. Grantee: &s3.Grantee{
  1755. Type: &s3_constants.GrantTypeCanonicalUser,
  1756. ID: &requestAccountId,
  1757. },
  1758. Permission: &s3_constants.PermissionFullControl,
  1759. },
  1760. {
  1761. Grantee: &s3.Grantee{
  1762. Type: &s3_constants.GrantTypeCanonicalUser,
  1763. ID: &bucketOwnerId,
  1764. },
  1765. Permission: &s3_constants.PermissionFullControl,
  1766. },
  1767. }
  1768. result, err := MarshalGrantsToJson(grants)
  1769. if err != nil {
  1770. t.Error(err)
  1771. }
  1773. var grants2 []*s3.Grant
  1774. err = json.Unmarshal(result, &grants2)
  1775. if err != nil {
  1776. t.Error(err)
  1777. }
  1779. print(string(result))
  1780. if !grantsEquals(grants, grants2) {
  1781. t.Fatal("grants not equal", grants, grants2)
  1782. }
  1784. //ok
  1785. result, err = MarshalGrantsToJson(nil)
  1786. if result != nil && err != nil {
  1787. t.Fatal("error: result, err = MarshalGrantsToJson(nil)")
  1788. }
  1789. }