You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

232 lines
5.1 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
2 years ago
5 years ago
2 years ago
5 years ago
2 years ago
5 years ago
  1. package s3api
  2. import (
  3. . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  4. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  5. "github.com/stretchr/testify/assert"
  6. "reflect"
  7. "testing"
  8. jsonpb "google.golang.org/protobuf/encoding/protojson"
  9. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  10. )
  11. func TestIdentityListFileFormat(t *testing.T) {
  12. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  13. identity1 := &iam_pb.Identity{
  14. Name: "some_name",
  15. Credentials: []*iam_pb.Credential{
  16. {
  17. AccessKey: "some_access_key1",
  18. SecretKey: "some_secret_key2",
  19. },
  20. },
  21. Actions: []string{
  22. ACTION_ADMIN,
  23. ACTION_READ,
  24. ACTION_WRITE,
  25. },
  26. }
  27. identity2 := &iam_pb.Identity{
  28. Name: "some_read_only_user",
  29. Credentials: []*iam_pb.Credential{
  30. {
  31. AccessKey: "some_access_key1",
  32. SecretKey: "some_secret_key1",
  33. },
  34. },
  35. Actions: []string{
  36. ACTION_READ,
  37. },
  38. }
  39. identity3 := &iam_pb.Identity{
  40. Name: "some_normal_user",
  41. Credentials: []*iam_pb.Credential{
  42. {
  43. AccessKey: "some_access_key2",
  44. SecretKey: "some_secret_key2",
  45. },
  46. },
  47. Actions: []string{
  48. ACTION_READ,
  49. ACTION_WRITE,
  50. },
  51. }
  52. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
  53. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
  54. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
  55. m := jsonpb.MarshalOptions{
  56. EmitUnpopulated: true,
  57. Indent: " ",
  58. }
  59. text, _ := m.Marshal(s3ApiConfiguration)
  60. println(string(text))
  61. }
  62. func TestCanDo(t *testing.T) {
  63. ident1 := &Identity{
  64. Name: "anything",
  65. Actions: []Action{
  66. "Write:bucket1/a/b/c/*",
  67. "Write:bucket1/a/b/other",
  68. },
  69. }
  70. // object specific
  71. assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  72. assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
  73. // bucket specific
  74. ident2 := &Identity{
  75. Name: "anything",
  76. Actions: []Action{
  77. "Read:bucket1",
  78. "Write:bucket1/*",
  79. },
  80. }
  81. assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  82. assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  83. assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
  84. // across buckets
  85. ident3 := &Identity{
  86. Name: "anything",
  87. Actions: []Action{
  88. "Read",
  89. "Write",
  90. },
  91. }
  92. assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  93. assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  94. assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
  95. // partial buckets
  96. ident4 := &Identity{
  97. Name: "anything",
  98. Actions: []Action{
  99. "Read:special_*",
  100. },
  101. }
  102. assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  103. assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  104. // admin buckets
  105. ident5 := &Identity{
  106. Name: "anything",
  107. Actions: []Action{
  108. "Admin:special_*",
  109. },
  110. }
  111. assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  112. assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
  113. // anonymous buckets
  114. ident6 := &Identity{
  115. Name: "anonymous",
  116. Actions: []Action{
  117. "Read",
  118. },
  119. }
  120. assert.Equal(t, true, ident6.canDo(ACTION_READ, "anything_bucket", "/a/b/c/d.txt"))
  121. }
  122. type LoadS3ApiConfigurationTestCase struct {
  123. pbIdent *iam_pb.Identity
  124. expectIdent *Identity
  125. }
  126. func TestLoadS3ApiConfiguration(t *testing.T) {
  127. testCases := map[string]*LoadS3ApiConfigurationTestCase{
  128. "notSpecifyAccountId": {
  129. pbIdent: &iam_pb.Identity{
  130. Name: "notSpecifyAccountId",
  131. Actions: []string{
  132. "Read",
  133. "Write",
  134. },
  135. Credentials: []*iam_pb.Credential{
  136. {
  137. AccessKey: "some_access_key1",
  138. SecretKey: "some_secret_key2",
  139. },
  140. },
  141. },
  142. expectIdent: &Identity{
  143. Name: "notSpecifyAccountId",
  144. AccountId: s3account.AccountAdmin.Id,
  145. Actions: []Action{
  146. "Read",
  147. "Write",
  148. },
  149. Credentials: []*Credential{
  150. {
  151. AccessKey: "some_access_key1",
  152. SecretKey: "some_secret_key2",
  153. },
  154. },
  155. },
  156. },
  157. "specifiedAccountID": {
  158. pbIdent: &iam_pb.Identity{
  159. Name: "specifiedAccountID",
  160. AccountId: "specifiedAccountID",
  161. Actions: []string{
  162. "Read",
  163. "Write",
  164. },
  165. },
  166. expectIdent: &Identity{
  167. Name: "specifiedAccountID",
  168. AccountId: "specifiedAccountID",
  169. Actions: []Action{
  170. "Read",
  171. "Write",
  172. },
  173. },
  174. },
  175. "anonymous": {
  176. pbIdent: &iam_pb.Identity{
  177. Name: "anonymous",
  178. Actions: []string{
  179. "Read",
  180. "Write",
  181. },
  182. },
  183. expectIdent: &Identity{
  184. Name: "anonymous",
  185. AccountId: "anonymous",
  186. Actions: []Action{
  187. "Read",
  188. "Write",
  189. },
  190. },
  191. },
  192. }
  193. config := &iam_pb.S3ApiConfiguration{
  194. Identities: make([]*iam_pb.Identity, 0),
  195. }
  196. for _, v := range testCases {
  197. config.Identities = append(config.Identities, v.pbIdent)
  198. }
  199. iam := IdentityAccessManagement{}
  200. err := iam.loadS3ApiConfiguration(config)
  201. if err != nil {
  202. return
  203. }
  204. for _, ident := range iam.identities {
  205. tc := testCases[ident.Name]
  206. if !reflect.DeepEqual(ident, tc.expectIdent) {
  207. t.Error("not expect")
  208. }
  209. }
  210. }