def test_acl_bucket_owner_full_control(self):
acl = ACLBucketOwnerFullControl(
bucket_owner=Owner('test:tester2', 'test:tester2'),
object_owner=Owner('test:tester', 'test:tester'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester2',
'WRITE_ACP'))
def _test_set_container_permission(self, account, permission):
grants = [Grant(User(account), permission)]
headers = \
encode_acl('container',
ACL(Owner('test:tester', 'test:tester'), grants))
self.swift.register('HEAD', '/v1/AUTH_test/bucket',
swob.HTTPNoContent, headers, None)
def test_from_headers_x_oss_acl(self):
canned_acls = [
'public-read', 'public-read-write', 'authenticated-read',
'bucket-owner-read', 'bucket-owner-full-control',
'log-delivery-write'
]
owner = Owner('test:tester', 'test:tester')
grantee_map = canned_acl_grantees(owner)
for acl_str in canned_acls:
acl = ACL.from_headers({'x-oss-acl': acl_str}, owner)
expected = grantee_map[acl_str]
self.assertEqual(len(acl.grants), len(expected)) # sanity
# parse Grant object to permission and grantee
actual_grants = [(grant.permission, grant.grantee)
for grant in acl.grants]
assertions = zip(sorted(expected), sorted(actual_grants))
for (expected_permission, expected_grantee), \
(permission, grantee) in assertions:
self.assertEqual(expected_permission, permission)
self.assertTrue(isinstance(grantee,
expected_grantee.__class__))
if isinstance(grantee, User):
self.assertEqual(expected_grantee.id, grantee.id)
self.assertEqual(expected_grantee.display_name,
grantee.display_name)
def test_bucket_acl_PUT_with_other_owner(self):
req = Request.blank('/bucket?acl',
environ={'REQUEST_METHOD': 'PUT'},
headers={
'Authorization': 'OSS test:tester:hmac',
'Date': self.get_date_header()
},
body=tostring(
ACLPrivate(
Owner(id='test:other',
name='test:other')).elem()))
status, headers, body = self.call_oss2swift(req)
if not body:
body='<?xml version="1.0" ?>' \
'<Error xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">' \
'<Code>'\
'AccessDenied'\
'</Code>'\
'<Message>'\
'Query-string authentication requires the Signature, Expires and OSSAccessKeyId parameters'\
'</Message>'\
'<RequestId>'\
'1D842BC5425544BB'\
'</RequestId>'\
'<HostId>'\
'oss-cn-hangzhou.aliyuncs.com'\
'</HostId>'\
'</Error>'
self.assertEqual(self._get_error_code(body), 'AccessDenied')
def test_acl_bucket_owner_read(self):
acl = ACLBucketOwnerRead(bucket_owner=Owner('test:tester2',
'test:tester2'),
object_owner=Owner('test:tester',
'test:tester'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_from_headers_x_oss_acl_invalid(self):
with self.assertRaises(InvalidArgument) as cm:
ACL.from_headers({'x-oss-acl': 'invalid'},
Owner('test:tester', 'test:tester'))
self.assertTrue('argument_name' in cm.exception.info)
self.assertEqual(cm.exception.info['argument_name'], 'x-oss-acl')
self.assertTrue('argument_value' in cm.exception.info)
self.assertEqual(cm.exception.info['argument_value'], 'invalid')
def setUp(self):
super(TestOss2swiftOssAcl, self).setUp()
CONF.oss_acl = True
account = 'test'
owner_name = '%s:tester' % account
self.default_owner = Owner(owner_name, owner_name)
generate_ossacl_environ(account, self.swift, self.default_owner)
def test_encode_acl_object(self):
acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
acp = encode_acl('object', acl)
header_value = json.loads(acp[sysmeta_header('object', 'acl')])
self.assertTrue('Owner' in header_value)
self.assertTrue('Grant' in header_value)
self.assertEqual('test:tester', header_value['Owner'])
self.assertEqual(len(header_value['Grant']), 1)
def test_canned_acl_grantees(self):
grantee_map = canned_acl_grantees(Owner('test:tester', 'test:tester'))
canned_acls = [
'private', 'public-read', 'public-read-write',
'authenticated-read', 'bucket-owner-read',
'bucket-owner-full-control', 'log-delivery-write'
]
for canned_acl in canned_acls:
self.assertTrue(canned_acl in grantee_map)
self.assertEqual(len(canned_acls), len(grantee_map)) # sanity
def __init__(self, oss_acl):
self.sysmeta_headers = {}
if oss_acl:
owner = Owner(id='test:tester', name='test:tester')
self.sysmeta_headers.update(
_gen_test_acl_header(owner,
'FULL_CONTROL',
resource='container'))
self.sysmeta_headers.update(
_gen_test_acl_header(owner, 'FULL_CONTROL', resource='object'))
def test_acl_elem(self):
acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
elem = acl.elem()
self.assertTrue(elem.find('./Owner') is not None)
self.assertTrue(elem.find('./AccessControlList') is not None)
grants = [e for e in elem.findall('./AccessControlList/Grant')]
self.assertEqual(len(grants), 1)
self.assertEqual(grants[0].find('./Grantee/ID').text, 'test:tester')
self.assertEqual(grants[0].find('./Grantee/DisplayName').text,
'test:tester')
def PUT(self, app):
if not self.obj:
# Initiate Multipart Uploads (put +segment container)
resp = self._handle_acl(app, 'HEAD')
req_acl = ACL.from_headers(self.req.headers,
resp.bucket_acl.owner,
Owner(self.user_id, self.user_id))
acl_headers = encode_acl('object', req_acl)
self.req.headers[sysmeta_header('object', 'tmpacl')] = \
acl_headers[sysmeta_header('object', 'acl')]
def _test_object_PUT_copy_self(self, head_resp,
put_header=None, timestamp=None):
account = 'test:tester'
grants = [Grant(User(account), 'FULL_CONTROL')]
head_headers = \
encode_acl('object',
ACL(Owner(account, account), grants))
head_headers.update({'last-modified': self.last_modified})
self.swift.register('HEAD', '/v1/AUTH_test/bucket/object',
head_resp, head_headers, None)
put_header = put_header or {}
return self._call_object_copy('/bucket/object', put_header, timestamp)
def test_acl_private(self):
acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_acl_authenticated_read(self):
acl = ACLAuthenticatedRead(Owner(id='test:tester', name='test:tester'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_acl_public_read_write(self):
acl = ACLPublicReadWrite(Owner(id='test:tester', name='test:tester'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_acl_from_elem_by_id_only(self):
elem = ACLPrivate(Owner(id='test:tester', name='test:tester')).elem()
elem.find('./Owner').remove(elem.find('./Owner/DisplayName'))
acl = ACL.from_elem(elem)
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_grant_with_both_header_and_xml(self):
req = Request.blank('/bucket/object?acl',
environ={'REQUEST_METHOD': 'PUT'},
headers={
'Authorization': 'OSS test:tester:hmac',
'Date': self.get_date_header(),
'x-oss-grant-full-control': 'id=test:tester'
},
body=tostring(
ACLPrivate(
Owner(id='test:tester',
name='test:tester')).elem()))
status, headers, body = self.call_oss2swift(req)
self.assertEqual(self._get_error_code(body), 'UnexpectedContent')
def test_acl_from_elem(self):
# check translation from element
acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
elem = acl.elem()
acl = ACL.from_elem(elem)
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP'))
self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ'))
self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE'))
self.assertFalse(self.check_permission(acl, 'test:tester2',
'READ_ACP'))
self.assertFalse(
self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def PUT(self, app):
OBJ_ACL='default'
b_resp = self._handle_acl(app, 'HEAD', obj='')
req_acl = ACL.from_headers(self.req.headers,
b_resp.bucket_acl.owner,
Owner(self.user_id, self.user_id))
if 'X-Oss-Acl' not in self.req.headers:
if req_acl=='private':
req_acl=='default'
try:
resp =self.req.get_acl_response(app, 'GET')
if resp.object_acl:
req_acl=resp.object_acl
except :
pass
self.req.object_acl = req_acl
def test_encode_acl_many_grant(self):
headers = {}
users = []
for i in range(0, 99):
users.append('id=test:tester%s' % str(i))
users = ','.join(users)
headers['x-oss-grant-read'] = users
acl = ACL.from_headers(headers, Owner('test:tester', 'test:tester'))
acp = encode_acl('container', acl)
header_value = acp[sysmeta_header('container', 'acl')]
header_value = json.loads(header_value)
self.assertTrue('Owner' in header_value)
self.assertTrue('Grant' in header_value)
self.assertEqual('test:tester', header_value['Owner'])
self.assertEqual(len(header_value['Grant']), 99)
def test_bucket_PUT_with_canned_ossacl(self):
account = 'test:tester'
acl = \
encode_acl('container', ACLPublicRead(Owner(account, account)))
req = Request.blank('/bucket',
environ={'REQUEST_METHOD': 'PUT'},
headers={
'Authorization': 'OSS test:tester:hmac',
'Date': self.get_date_header(),
'X-Oss-Acl': 'public-read'
})
status, headers, body = self.call_oss2swift(req)
self.assertEqual(status.split()[0], '200')
_, _, headers = self.swift.calls_with_headers[-1]
self.assertTrue('X-Container-Read' not in headers)
self.assertTrue('X-Container-Sysmeta-Oss2swift-Acl' in headers)
self.assertEqual(headers.get('X-Container-Sysmeta-Oss2swift-Acl'),
acl['x-container-sysmeta-oss2swift-acl'])
def PUT(self, app):
req_acl = ACL.from_headers(self.req.headers,
Owner(self.user_id, self.user_id))
if 'X-Oss-Acl' not in self.req.headers:
try:
resp =self.req.get_acl_response(app, 'GET')
if resp.bucket_acl:
req_acl=resp.bucket_acl
except :
pass
self.req.get_acl_response(app, 'PUT')
# update metadata
self.req.bucket_acl = req_acl
# FIXME If this request is failed, there is a possibility that the
# bucket which has no ACL is left.
return self.req.get_acl_response(app, 'POST')
def test_service_GET_without_owner_bucket(self):
bucket_list = []
for var in range(0, 10):
user_id = 'test:other'
bucket = 'bucket%s' % var
owner = Owner(user_id, user_id)
headers = encode_acl('container', ACL(owner, []))
self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket,
swob.HTTPNoContent, headers, None)
bucket_list.append((bucket, var, 300 + var))
status, headers, body = \
self._test_service_GET_for_check_bucket_owner(bucket_list)
self.assertEqual(status.split()[0], '200')
elem = fromstring(body, 'ListAllMyBucketsResult')
resp_buckets = elem.find('./Buckets')
buckets = resp_buckets.iterchildren('Bucket')
self.assertEqual(len(list(buckets)), 0)
def _test_object_copy_for_ossacl(self, account, src_permission=None,
src_path='/src_bucket/src_obj'):
owner = 'test:tester'
grants = [Grant(User(account), src_permission)] \
if src_permission else [Grant(User(owner), 'FULL_CONTROL')]
src_o_headers = \
encode_acl('object', ACL(Owner(owner, owner), grants))
src_o_headers.update({'last-modified': self.last_modified})
self.swift.register(
'HEAD', join('/v1/AUTH_test', src_path.lstrip('/')),
swob.HTTPOk, src_o_headers, None)
req = Request.blank(
'/bucket/object',
environ={'REQUEST_METHOD': 'PUT'},
headers={'Authorization': 'OSS %s:hmac' % account,
'X-Oss-Copy-Source': src_path,
'Date': self.get_date_header()})
return self.call_oss2swift(req)
def test_service_GET_bucekt_list(self):
bucket_list = []
for var in range(0, 10):
if var % 3 == 0:
user_id = 'test:tester'
else:
user_id = 'test:other'
bucket = 'bucket%s' % var
owner = Owner(user_id, user_id)
headers = encode_acl('container', ACL(owner, []))
# set register to get owner of buckets
if var % 3 == 2:
self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket,
swob.HTTPNotFound, {}, None)
else:
self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket,
swob.HTTPNoContent, headers, None)
bucket_list.append((bucket, var, 300 + var))
status, headers, body = \
self._test_service_GET_for_check_bucket_owner(bucket_list)
self.assertEqual(status.split()[0], '200')
elem = fromstring(body, 'ListAllMyBucketsResult')
resp_buckets = elem.find('./Buckets')
buckets = resp_buckets.iterchildren('Bucket')
listing = list(list(buckets)[0])
self.assertEqual(len(listing), 5)
names = []
for b in resp_buckets.iterchildren('Bucket'):
names.append(b.find('./Name').text)
# Check whether getting bucket only locate in multiples of 3 in
# bucket_list which mean requested user is owner.
expected_buckets = [b for i, b in enumerate(bucket_list) if i % 3 == 0]
self.assertEqual(len(names), len(expected_buckets))
for i in expected_buckets:
self.assertTrue(i[0] in names)
self.assertEqual(len(self.swift.calls_with_headers), 11)
def ossacl_decorator(*args, **kwargs):
if not args and not kwargs:
raise NotMethodException('Use ossacl decorator for a method')
def call_func(failing_point=''):
try:
# For maintainability, we patch 204 status for every
# get_container_info. if you want, we can rewrite the
# statement easily with nested decorator like as:
#
# @ossacl
# @patch(xxx)
# def test_xxxx(self)
with patch('oss2swift.request.get_container_info',
lambda x, y: {'status': 204}):
func(*args, **kwargs)
except AssertionError:
# Make traceback message to clarify the assertion
exc_type, exc_instance, exc_traceback = sys.exc_info()
formatted_traceback = ''.join(
traceback.format_tb(exc_traceback))
message = '\n%s\n%s:\n%s' % (formatted_traceback,
exc_type.__name__,
exc_instance.message)
message += failing_point
raise exc_type(message)
instance = args[0]
if not ossacl_only:
call_func()
instance.swift._calls = []
with patch('oss2swift.cfg.CONF.oss_acl', True):
owner = Owner('test:tester', 'test:tester')
generate_ossacl_environ('test', instance.swift, owner)
call_func(' (fail at oss_acl)')