You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
128 lines
3.0 KiB
128 lines
3.0 KiB
package s3api
|
|
|
|
import (
|
|
. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/stretchr/testify/assert"
|
|
"testing"
|
|
|
|
"github.com/golang/protobuf/jsonpb"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
|
|
)
|
|
|
|
func TestIdentityListFileFormat(t *testing.T) {
|
|
|
|
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
|
|
|
|
identity1 := &iam_pb.Identity{
|
|
Name: "some_name",
|
|
Credentials: []*iam_pb.Credential{
|
|
{
|
|
AccessKey: "some_access_key1",
|
|
SecretKey: "some_secret_key2",
|
|
},
|
|
},
|
|
Actions: []string{
|
|
ACTION_ADMIN,
|
|
ACTION_READ,
|
|
ACTION_WRITE,
|
|
},
|
|
}
|
|
identity2 := &iam_pb.Identity{
|
|
Name: "some_read_only_user",
|
|
Credentials: []*iam_pb.Credential{
|
|
{
|
|
AccessKey: "some_access_key1",
|
|
SecretKey: "some_secret_key1",
|
|
},
|
|
},
|
|
Actions: []string{
|
|
ACTION_READ,
|
|
},
|
|
}
|
|
identity3 := &iam_pb.Identity{
|
|
Name: "some_normal_user",
|
|
Credentials: []*iam_pb.Credential{
|
|
{
|
|
AccessKey: "some_access_key2",
|
|
SecretKey: "some_secret_key2",
|
|
},
|
|
},
|
|
Actions: []string{
|
|
ACTION_READ,
|
|
ACTION_WRITE,
|
|
},
|
|
}
|
|
|
|
s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
|
|
s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
|
|
s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
|
|
|
|
m := jsonpb.Marshaler{
|
|
EmitDefaults: true,
|
|
Indent: " ",
|
|
}
|
|
|
|
text, _ := m.MarshalToString(s3ApiConfiguration)
|
|
|
|
println(text)
|
|
|
|
}
|
|
|
|
func TestCanDo(t *testing.T) {
|
|
ident1 := &Identity{
|
|
Name: "anything",
|
|
Actions: []Action{
|
|
"Write:bucket1/a/b/c/*",
|
|
"Write:bucket1/a/b/other",
|
|
},
|
|
}
|
|
// object specific
|
|
assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
|
|
assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
|
|
|
|
// bucket specific
|
|
ident2 := &Identity{
|
|
Name: "anything",
|
|
Actions: []Action{
|
|
"Read:bucket1",
|
|
"Write:bucket1/*",
|
|
},
|
|
}
|
|
assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
|
|
assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
|
|
assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
|
|
|
|
// across buckets
|
|
ident3 := &Identity{
|
|
Name: "anything",
|
|
Actions: []Action{
|
|
"Read",
|
|
"Write",
|
|
},
|
|
}
|
|
assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
|
|
assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
|
|
assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
|
|
|
|
// partial buckets
|
|
ident4 := &Identity{
|
|
Name: "anything",
|
|
Actions: []Action{
|
|
"Read:special_*",
|
|
},
|
|
}
|
|
assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
|
|
assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
|
|
|
|
// admin buckets
|
|
ident5 := &Identity{
|
|
Name: "anything",
|
|
Actions: []Action{
|
|
"Admin:special_*",
|
|
},
|
|
}
|
|
assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
|
|
assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
|
|
|
|
}
|