You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

708 lines
19 KiB

  1. package s3acl
  2. import (
  3. "bytes"
  4. "encoding/json"
  5. "github.com/aws/aws-sdk-go/service/s3"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  10. "io"
  11. "net/http"
  12. "testing"
  13. )
  14. var (
  15. accountManager = &s3account.AccountManager{
  16. IdNameMapping: map[string]string{
  17. s3account.AccountAdmin.Id: s3account.AccountAdmin.Name,
  18. s3account.AccountAnonymous.Id: s3account.AccountAnonymous.Name,
  19. "accountA": "accountA",
  20. "accountB": "accountB",
  21. },
  22. EmailIdMapping: map[string]string{
  23. s3account.AccountAdmin.EmailAddress: s3account.AccountAdmin.Id,
  24. s3account.AccountAnonymous.EmailAddress: s3account.AccountAnonymous.Id,
  25. "accountA@example.com": "accountA",
  26. "accountBexample.com": "accountB",
  27. },
  28. }
  29. )
  30. func TestGetAccountId(t *testing.T) {
  31. req := &http.Request{
  32. Header: make(map[string][]string),
  33. }
  34. //case1
  35. //accountId: "admin"
  36. req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAdmin.Id)
  37. if GetAccountId(req) != s3account.AccountAdmin.Id {
  38. t.Fatal("expect accountId: admin")
  39. }
  40. //case2
  41. //accountId: "anoymous"
  42. req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAnonymous.Id)
  43. if GetAccountId(req) != s3account.AccountAnonymous.Id {
  44. t.Fatal("expect accountId: anonymous")
  45. }
  46. //case3
  47. //accountId is nil => "anonymous"
  48. req.Header.Del(s3_constants.AmzAccountId)
  49. if GetAccountId(req) != s3account.AccountAnonymous.Id {
  50. t.Fatal("expect accountId: anonymous")
  51. }
  52. }
  53. func TestExtractAcl(t *testing.T) {
  54. type Case struct {
  55. id int
  56. resultErrCode, expectErrCode s3err.ErrorCode
  57. resultGrants, expectGrants []*s3.Grant
  58. }
  59. testCases := make([]*Case, 0)
  60. accountAdminId := "admin"
  61. {
  62. //case1 (good case)
  63. //parse acp from request body
  64. req := &http.Request{
  65. Header: make(map[string][]string),
  66. }
  67. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  68. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  69. <Owner>
  70. <ID>admin</ID>
  71. <DisplayName>admin</DisplayName>
  72. </Owner>
  73. <AccessControlList>
  74. <Grant>
  75. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  76. <ID>admin</ID>
  77. </Grantee>
  78. <Permission>FULL_CONTROL</Permission>
  79. </Grant>
  80. <Grant>
  81. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  82. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  83. </Grantee>
  84. <Permission>FULL_CONTROL</Permission>
  85. </Grant>
  86. </AccessControlList>
  87. </AccessControlPolicy>
  88. `)))
  89. objectWriter := "accountA"
  90. grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  91. testCases = append(testCases, &Case{
  92. 1,
  93. errCode, s3err.ErrNone,
  94. grants, []*s3.Grant{
  95. {
  96. Grantee: &s3.Grantee{
  97. Type: &s3_constants.GrantTypeCanonicalUser,
  98. ID: &accountAdminId,
  99. },
  100. Permission: &s3_constants.PermissionFullControl,
  101. },
  102. {
  103. Grantee: &s3.Grantee{
  104. Type: &s3_constants.GrantTypeGroup,
  105. URI: &s3_constants.GranteeGroupAllUsers,
  106. },
  107. Permission: &s3_constants.PermissionFullControl,
  108. },
  109. },
  110. })
  111. }
  112. {
  113. //case2 (good case)
  114. //parse acp from header (cannedAcl)
  115. req := &http.Request{
  116. Header: make(map[string][]string),
  117. }
  118. req.Body = nil
  119. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
  120. objectWriter := "accountA"
  121. grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  122. testCases = append(testCases, &Case{
  123. 2,
  124. errCode, s3err.ErrNone,
  125. grants, []*s3.Grant{
  126. {
  127. Grantee: &s3.Grantee{
  128. Type: &s3_constants.GrantTypeCanonicalUser,
  129. ID: &objectWriter,
  130. },
  131. Permission: &s3_constants.PermissionFullControl,
  132. },
  133. },
  134. })
  135. }
  136. {
  137. //case3 (bad case)
  138. //parse acp from request body (content is invalid)
  139. req := &http.Request{
  140. Header: make(map[string][]string),
  141. }
  142. req.Body = io.NopCloser(bytes.NewReader([]byte("zdfsaf")))
  143. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
  144. objectWriter := "accountA"
  145. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
  146. testCases = append(testCases, &Case{
  147. id: 3,
  148. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  149. })
  150. }
  151. //case4 (bad case)
  152. //parse acp from header (cannedAcl is invalid)
  153. req := &http.Request{
  154. Header: make(map[string][]string),
  155. }
  156. req.Body = nil
  157. req.Header.Set(s3_constants.AmzCannedAcl, "dfaksjfk")
  158. objectWriter := "accountA"
  159. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, "", objectWriter)
  160. testCases = append(testCases, &Case{
  161. id: 4,
  162. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  163. })
  164. {
  165. //case5 (bad case)
  166. //parse acp from request body: owner is inconsistent
  167. req.Body = io.NopCloser(bytes.NewReader([]byte(`
  168. <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  169. <Owner>
  170. <ID>admin</ID>
  171. <DisplayName>admin</DisplayName>
  172. </Owner>
  173. <AccessControlList>
  174. <Grant>
  175. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
  176. <ID>admin</ID>
  177. </Grantee>
  178. <Permission>FULL_CONTROL</Permission>
  179. </Grant>
  180. <Grant>
  181. <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  182. <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  183. </Grantee>
  184. <Permission>FULL_CONTROL</Permission>
  185. </Grant>
  186. </AccessControlList>
  187. </AccessControlPolicy>
  188. `)))
  189. objectWriter = "accountA"
  190. _, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, objectWriter, objectWriter)
  191. testCases = append(testCases, &Case{
  192. id: 5,
  193. resultErrCode: errCode, expectErrCode: s3err.ErrAccessDenied,
  194. })
  195. }
  196. for _, tc := range testCases {
  197. if tc.resultErrCode != tc.expectErrCode {
  198. t.Fatalf("case[%d]: errorCode not expect", tc.id)
  199. }
  200. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  201. t.Fatalf("case[%d]: grants not expect", tc.id)
  202. }
  203. }
  204. }
  205. func TestParseAndValidateAclHeaders(t *testing.T) {
  206. type Case struct {
  207. id int
  208. resultOwner, expectOwner string
  209. resultErrCode, expectErrCode s3err.ErrorCode
  210. resultGrants, expectGrants []*s3.Grant
  211. }
  212. testCases := make([]*Case, 0)
  213. bucketOwner := "admin"
  214. {
  215. //case1 (good case)
  216. //parse custom acl
  217. req := &http.Request{
  218. Header: make(map[string][]string),
  219. }
  220. objectWriter := "accountA"
  221. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="anonymous", emailAddress="admin@example.com"`)
  222. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  223. testCases = append(testCases, &Case{
  224. 1,
  225. ownerId, objectWriter,
  226. errCode, s3err.ErrNone,
  227. grants, []*s3.Grant{
  228. {
  229. Grantee: &s3.Grantee{
  230. Type: &s3_constants.GrantTypeGroup,
  231. URI: &s3_constants.GranteeGroupAllUsers,
  232. },
  233. Permission: &s3_constants.PermissionFullControl,
  234. },
  235. {
  236. Grantee: &s3.Grantee{
  237. Type: &s3_constants.GrantTypeCanonicalUser,
  238. ID: &s3account.AccountAnonymous.Id,
  239. },
  240. Permission: &s3_constants.PermissionFullControl,
  241. },
  242. {
  243. Grantee: &s3.Grantee{
  244. Type: &s3_constants.GrantTypeCanonicalUser,
  245. ID: &s3account.AccountAdmin.Id,
  246. },
  247. Permission: &s3_constants.PermissionFullControl,
  248. },
  249. },
  250. })
  251. }
  252. {
  253. //case2 (good case)
  254. //parse canned acl (ownership=ObjectWriter)
  255. req := &http.Request{
  256. Header: make(map[string][]string),
  257. }
  258. objectWriter := "accountA"
  259. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  260. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  261. testCases = append(testCases, &Case{
  262. 2,
  263. ownerId, objectWriter,
  264. errCode, s3err.ErrNone,
  265. grants, []*s3.Grant{
  266. {
  267. Grantee: &s3.Grantee{
  268. Type: &s3_constants.GrantTypeCanonicalUser,
  269. ID: &objectWriter,
  270. },
  271. Permission: &s3_constants.PermissionFullControl,
  272. },
  273. {
  274. Grantee: &s3.Grantee{
  275. Type: &s3_constants.GrantTypeCanonicalUser,
  276. ID: &bucketOwner,
  277. },
  278. Permission: &s3_constants.PermissionFullControl,
  279. },
  280. },
  281. })
  282. }
  283. {
  284. //case3 (good case)
  285. //parse canned acl (ownership=OwnershipBucketOwnerPreferred)
  286. req := &http.Request{
  287. Header: make(map[string][]string),
  288. }
  289. objectWriter := "accountA"
  290. req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
  291. ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwner, objectWriter, false)
  292. testCases = append(testCases, &Case{
  293. 3,
  294. ownerId, bucketOwner,
  295. errCode, s3err.ErrNone,
  296. grants, []*s3.Grant{
  297. {
  298. Grantee: &s3.Grantee{
  299. Type: &s3_constants.GrantTypeCanonicalUser,
  300. ID: &bucketOwner,
  301. },
  302. Permission: &s3_constants.PermissionFullControl,
  303. },
  304. },
  305. })
  306. }
  307. {
  308. //case4 (bad case)
  309. //parse custom acl (grantee id not exists)
  310. req := &http.Request{
  311. Header: make(map[string][]string),
  312. }
  313. objectWriter := "accountA"
  314. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="notExistsAccount", emailAddress="admin@example.com"`)
  315. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  316. testCases = append(testCases, &Case{
  317. id: 4,
  318. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  319. })
  320. }
  321. {
  322. //case5 (bad case)
  323. //parse custom acl (invalid format)
  324. req := &http.Request{
  325. Header: make(map[string][]string),
  326. }
  327. objectWriter := "accountA"
  328. req.Header.Set(s3_constants.AmzAclFullControl, `uri="http:sfasf"`)
  329. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  330. testCases = append(testCases, &Case{
  331. id: 5,
  332. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  333. })
  334. }
  335. {
  336. //case6 (bad case)
  337. //parse canned acl (invalid value)
  338. req := &http.Request{
  339. Header: make(map[string][]string),
  340. }
  341. objectWriter := "accountA"
  342. req.Header.Set(s3_constants.AmzCannedAcl, `uri="http:sfasf"`)
  343. _, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
  344. testCases = append(testCases, &Case{
  345. id: 5,
  346. resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
  347. })
  348. }
  349. for _, tc := range testCases {
  350. if tc.expectErrCode != tc.resultErrCode {
  351. t.Errorf("case[%d]: errCode unexpect", tc.id)
  352. }
  353. if tc.resultOwner != tc.expectOwner {
  354. t.Errorf("case[%d]: ownerId unexpect", tc.id)
  355. }
  356. if !grantsEquals(tc.resultGrants, tc.expectGrants) {
  357. t.Fatalf("case[%d]: grants not expect", tc.id)
  358. }
  359. }
  360. }
  361. func grantsEquals(a, b []*s3.Grant) bool {
  362. if len(a) != len(b) {
  363. return false
  364. }
  365. for i, grant := range a {
  366. if !GrantEquals(grant, b[i]) {
  367. return false
  368. }
  369. }
  370. return true
  371. }
  372. func TestDetermineReqGrants(t *testing.T) {
  373. {
  374. //case1: request account is anonymous
  375. accountId := s3account.AccountAnonymous.Id
  376. reqPermission := s3_constants.PermissionRead
  377. resultGrants := DetermineReqGrants(accountId, reqPermission)
  378. expectGrants := []*s3.Grant{
  379. {
  380. Grantee: &s3.Grantee{
  381. Type: &s3_constants.GrantTypeGroup,
  382. URI: &s3_constants.GranteeGroupAllUsers,
  383. },
  384. Permission: &reqPermission,
  385. },
  386. {
  387. Grantee: &s3.Grantee{
  388. Type: &s3_constants.GrantTypeGroup,
  389. URI: &s3_constants.GranteeGroupAllUsers,
  390. },
  391. Permission: &s3_constants.PermissionFullControl,
  392. },
  393. {
  394. Grantee: &s3.Grantee{
  395. Type: &s3_constants.GrantTypeCanonicalUser,
  396. ID: &accountId,
  397. },
  398. Permission: &reqPermission,
  399. },
  400. {
  401. Grantee: &s3.Grantee{
  402. Type: &s3_constants.GrantTypeCanonicalUser,
  403. ID: &accountId,
  404. },
  405. Permission: &s3_constants.PermissionFullControl,
  406. },
  407. }
  408. if !grantsEquals(resultGrants, expectGrants) {
  409. t.Fatalf("grants not expect")
  410. }
  411. }
  412. {
  413. //case2: request account is not anonymous (Iam authed)
  414. accountId := "accountX"
  415. reqPermission := s3_constants.PermissionRead
  416. resultGrants := DetermineReqGrants(accountId, reqPermission)
  417. expectGrants := []*s3.Grant{
  418. {
  419. Grantee: &s3.Grantee{
  420. Type: &s3_constants.GrantTypeGroup,
  421. URI: &s3_constants.GranteeGroupAllUsers,
  422. },
  423. Permission: &reqPermission,
  424. },
  425. {
  426. Grantee: &s3.Grantee{
  427. Type: &s3_constants.GrantTypeGroup,
  428. URI: &s3_constants.GranteeGroupAllUsers,
  429. },
  430. Permission: &s3_constants.PermissionFullControl,
  431. },
  432. {
  433. Grantee: &s3.Grantee{
  434. Type: &s3_constants.GrantTypeCanonicalUser,
  435. ID: &accountId,
  436. },
  437. Permission: &reqPermission,
  438. },
  439. {
  440. Grantee: &s3.Grantee{
  441. Type: &s3_constants.GrantTypeCanonicalUser,
  442. ID: &accountId,
  443. },
  444. Permission: &s3_constants.PermissionFullControl,
  445. },
  446. {
  447. Grantee: &s3.Grantee{
  448. Type: &s3_constants.GrantTypeGroup,
  449. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  450. },
  451. Permission: &reqPermission,
  452. },
  453. {
  454. Grantee: &s3.Grantee{
  455. Type: &s3_constants.GrantTypeGroup,
  456. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  457. },
  458. Permission: &s3_constants.PermissionFullControl,
  459. },
  460. }
  461. if !grantsEquals(resultGrants, expectGrants) {
  462. t.Fatalf("grants not expect")
  463. }
  464. }
  465. }
  466. func TestAssembleEntryWithAcp(t *testing.T) {
  467. defaultOwner := "admin"
  468. {
  469. //case1
  470. expectOwner := "accountS"
  471. expectGrants := []*s3.Grant{
  472. {
  473. Permission: &s3_constants.PermissionRead,
  474. Grantee: &s3.Grantee{
  475. Type: &s3_constants.GrantTypeGroup,
  476. ID: &s3account.AccountAdmin.Id,
  477. URI: &s3_constants.GranteeGroupAllUsers,
  478. },
  479. },
  480. }
  481. entry := &filer_pb.Entry{}
  482. AssembleEntryWithAcp(entry, expectOwner, expectGrants)
  483. resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
  484. if resultOwner != expectOwner {
  485. t.Fatalf("owner not expect")
  486. }
  487. resultGrants := GetAcpGrants(entry.Extended)
  488. if !grantsEquals(resultGrants, expectGrants) {
  489. t.Fatal("grants not expect")
  490. }
  491. }
  492. {
  493. //case2
  494. entry := &filer_pb.Entry{}
  495. AssembleEntryWithAcp(entry, "", nil)
  496. resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
  497. if resultOwner != defaultOwner {
  498. t.Fatalf("owner not expect")
  499. }
  500. resultGrants := GetAcpGrants(entry.Extended)
  501. if len(resultGrants) != 0 {
  502. t.Fatal("grants not expect")
  503. }
  504. }
  505. }
  506. func TestGrantEquals(t *testing.T) {
  507. testCases := map[bool]bool{
  508. GrantEquals(nil, nil): true,
  509. GrantEquals(&s3.Grant{}, nil): false,
  510. GrantEquals(&s3.Grant{}, &s3.Grant{}): true,
  511. GrantEquals(&s3.Grant{
  512. Permission: &s3_constants.PermissionRead,
  513. }, &s3.Grant{}): false,
  514. GrantEquals(&s3.Grant{
  515. Permission: &s3_constants.PermissionRead,
  516. }, &s3.Grant{
  517. Permission: &s3_constants.PermissionRead,
  518. }): true,
  519. GrantEquals(&s3.Grant{
  520. Permission: &s3_constants.PermissionRead,
  521. Grantee: &s3.Grantee{},
  522. }, &s3.Grant{
  523. Permission: &s3_constants.PermissionRead,
  524. Grantee: &s3.Grantee{},
  525. }): true,
  526. GrantEquals(&s3.Grant{
  527. Permission: &s3_constants.PermissionRead,
  528. Grantee: &s3.Grantee{
  529. Type: &s3_constants.GrantTypeGroup,
  530. },
  531. }, &s3.Grant{
  532. Permission: &s3_constants.PermissionRead,
  533. Grantee: &s3.Grantee{},
  534. }): false,
  535. //type not present, compare other fields of grant is meaningless
  536. GrantEquals(&s3.Grant{
  537. Permission: &s3_constants.PermissionRead,
  538. Grantee: &s3.Grantee{
  539. ID: &s3account.AccountAdmin.Id,
  540. EmailAddress: &s3account.AccountAdmin.EmailAddress,
  541. },
  542. }, &s3.Grant{
  543. Permission: &s3_constants.PermissionRead,
  544. Grantee: &s3.Grantee{
  545. ID: &s3account.AccountAdmin.Id,
  546. },
  547. }): true,
  548. GrantEquals(&s3.Grant{
  549. Permission: &s3_constants.PermissionRead,
  550. Grantee: &s3.Grantee{
  551. Type: &s3_constants.GrantTypeGroup,
  552. },
  553. }, &s3.Grant{
  554. Permission: &s3_constants.PermissionRead,
  555. Grantee: &s3.Grantee{
  556. Type: &s3_constants.GrantTypeGroup,
  557. },
  558. }): true,
  559. GrantEquals(&s3.Grant{
  560. Permission: &s3_constants.PermissionRead,
  561. Grantee: &s3.Grantee{
  562. Type: &s3_constants.GrantTypeGroup,
  563. URI: &s3_constants.GranteeGroupAllUsers,
  564. },
  565. }, &s3.Grant{
  566. Permission: &s3_constants.PermissionRead,
  567. Grantee: &s3.Grantee{
  568. Type: &s3_constants.GrantTypeGroup,
  569. URI: &s3_constants.GranteeGroupAllUsers,
  570. },
  571. }): true,
  572. GrantEquals(&s3.Grant{
  573. Permission: &s3_constants.PermissionWrite,
  574. Grantee: &s3.Grantee{
  575. Type: &s3_constants.GrantTypeGroup,
  576. URI: &s3_constants.GranteeGroupAllUsers,
  577. },
  578. }, &s3.Grant{
  579. Permission: &s3_constants.PermissionRead,
  580. Grantee: &s3.Grantee{
  581. Type: &s3_constants.GrantTypeGroup,
  582. URI: &s3_constants.GranteeGroupAllUsers,
  583. },
  584. }): false,
  585. GrantEquals(&s3.Grant{
  586. Permission: &s3_constants.PermissionRead,
  587. Grantee: &s3.Grantee{
  588. Type: &s3_constants.GrantTypeGroup,
  589. ID: &s3account.AccountAdmin.Id,
  590. },
  591. }, &s3.Grant{
  592. Permission: &s3_constants.PermissionRead,
  593. Grantee: &s3.Grantee{
  594. Type: &s3_constants.GrantTypeGroup,
  595. ID: &s3account.AccountAdmin.Id,
  596. },
  597. }): true,
  598. GrantEquals(&s3.Grant{
  599. Permission: &s3_constants.PermissionRead,
  600. Grantee: &s3.Grantee{
  601. Type: &s3_constants.GrantTypeGroup,
  602. ID: &s3account.AccountAdmin.Id,
  603. URI: &s3_constants.GranteeGroupAllUsers,
  604. },
  605. }, &s3.Grant{
  606. Permission: &s3_constants.PermissionRead,
  607. Grantee: &s3.Grantee{
  608. Type: &s3_constants.GrantTypeGroup,
  609. ID: &s3account.AccountAdmin.Id,
  610. },
  611. }): false,
  612. GrantEquals(&s3.Grant{
  613. Permission: &s3_constants.PermissionRead,
  614. Grantee: &s3.Grantee{
  615. Type: &s3_constants.GrantTypeGroup,
  616. ID: &s3account.AccountAdmin.Id,
  617. URI: &s3_constants.GranteeGroupAllUsers,
  618. },
  619. }, &s3.Grant{
  620. Permission: &s3_constants.PermissionRead,
  621. Grantee: &s3.Grantee{
  622. Type: &s3_constants.GrantTypeGroup,
  623. URI: &s3_constants.GranteeGroupAllUsers,
  624. },
  625. }): true,
  626. }
  627. for tc, expect := range testCases {
  628. if tc != expect {
  629. t.Fatal("TestGrantEquals not expect!")
  630. }
  631. }
  632. }
  633. func TestSetAcpOwnerHeader(t *testing.T) {
  634. ownerId := "accountZ"
  635. req := &http.Request{
  636. Header: make(map[string][]string),
  637. }
  638. SetAcpOwnerHeader(req, ownerId)
  639. if req.Header.Get(s3_constants.ExtAmzOwnerKey) != ownerId {
  640. t.Fatalf("owner unexpect")
  641. }
  642. }
  643. func TestSetAcpGrantsHeader(t *testing.T) {
  644. req := &http.Request{
  645. Header: make(map[string][]string),
  646. }
  647. grants := []*s3.Grant{
  648. {
  649. Permission: &s3_constants.PermissionRead,
  650. Grantee: &s3.Grantee{
  651. Type: &s3_constants.GrantTypeGroup,
  652. ID: &s3account.AccountAdmin.Id,
  653. URI: &s3_constants.GranteeGroupAllUsers,
  654. },
  655. },
  656. }
  657. SetAcpGrantsHeader(req, grants)
  658. grantsJson, _ := json.Marshal(grants)
  659. if req.Header.Get(s3_constants.ExtAmzAclKey) != string(grantsJson) {
  660. t.Fatalf("owner unexpect")
  661. }
  662. }