def test_uri_put_file(sts_conn):
bn = 'wal-e.sts.uri.put.file'
cf = connection.OrdinaryCallingFormat()
policy_text = make_policy(bn, 'test-prefix', allow_get_location=True)
fed = sts_conn.get_federation_token('wal-e-test-uri-put-file',
policy=policy_text)
key_path = 'test-prefix/test-key'
creds = Credentials(fed.credentials.access_key, fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn,
keys=[key_path],
calling_format=cf,
host='s3-us-west-1.amazonaws.com') as fb:
fb.create(location='us-west-1')
uri_put_file(creds, 's3://' + bn + '/' + key_path,
StringIO('test-content'))
k = connection.Key(fb.conn.get_bucket(bn, validate=False))
k.name = key_path
assert k.get_contents_as_string() == 'test-content'
def test_real_get_location():
"""Exercise a case where a get location call is needed.
In cases where a bucket has offensive characters -- like dots --
that would otherwise break TLS, test sniffing the right endpoint
so it can be used to address the bucket.
"""
creds = Credentials(os.getenv('AWS_ACCESS_KEY_ID'),
os.getenv('AWS_SECRET_ACCESS_KEY'))
bucket_name = 'wal-e-test-us-west-1.get.location'
cinfo = calling_format.from_store_name(bucket_name)
with FreshBucket(bucket_name,
host='s3-us-west-1.amazonaws.com',
calling_format=connection.OrdinaryCallingFormat()) as fb:
fb.create(location='us-west-1')
conn = cinfo.connect(creds)
assert cinfo.region == 'us-west-1'
assert cinfo.calling_format is connection.OrdinaryCallingFormat
assert conn.host == 's3-us-west-1.amazonaws.com'
def test_cipher_suites():
# Imported for its side effects of setting up ssl cipher suites
# and gevent.
from wal_e import cmd
# Quiet pyflakes.
assert cmd
creds = Credentials(os.getenv('AWS_ACCESS_KEY_ID'),
os.getenv('AWS_SECRET_ACCESS_KEY'))
cinfo = calling_format.from_store_name('irrelevant', region='us-east-1')
conn = cinfo.connect(creds)
# Warm up the pool and the connection in it; new_http_connection
# seems to be a more natural choice, but leaves the '.sock'
# attribute null.
conn.get_all_buckets()
# Set up 'port' keyword argument for newer Botos that require it.
spec = inspect.getargspec(conn._pool.get_http_connection)
kw = {'host': 's3.amazonaws.com', 'is_secure': True}
if 'port' in spec.args:
kw['port'] = 443
htcon = conn._pool.get_http_connection(**kw)
chosen_cipher_suite = htcon.sock.cipher()[0].split('-')
# Test for the expected cipher suite.
#
# This can change or vary on different platforms somewhat
# harmlessly, but do the simple thing and insist on an exact match
# for now.
assert (chosen_cipher_suite == ['AES256', 'SHA']
or chosen_cipher_suite == ['AES128', 'SHA']
or chosen_cipher_suite == ['ECDHE', 'RSA', 'AES128', 'SHA'])
def test_policy(sts_conn, monkeypatch):
"""Sanity checks for the intended ACLs of the policy"""
monkeypatch.setenv('AWS_REGION', 'us-west-1')
# Use periods to force OrdinaryCallingFormat when using
# calling_format.from_store_name.
bn = bucket_name_mangle('wal-e.sts.list.test')
h = 's3-us-west-1.amazonaws.com'
cf = connection.OrdinaryCallingFormat()
fed = sts_conn.get_federation_token('wal-e-test-list-bucket',
policy=make_policy(bn, 'test-prefix'))
test_payload = 'wal-e test'
keys = [
'test-prefix/hello', 'test-prefix/world', 'not-in-prefix/goodbye',
'not-in-prefix/world'
]
creds = Credentials(fed.credentials.access_key, fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, keys=keys, calling_format=cf, host=h) as fb:
# Superuser creds, for testing keys not in the prefix.
bucket_superset_creds = fb.create(location='us-west-1')
cinfo = calling_format.from_store_name(bn)
conn = cinfo.connect(creds)
conn.host = h
# Bucket using the token, subject to the policy.
bucket = conn.get_bucket(bn, validate=False)
for name in keys:
if name.startswith('test-prefix/'):
# Test the PUT privilege.
k = connection.Key(bucket)
else:
# Not in the prefix, so PUT will not work.
k = connection.Key(bucket_superset_creds)
k.key = name
k.set_contents_from_string(test_payload)
# Test listing keys within the prefix.
prefix_fetched_keys = list(bucket.list(prefix='test-prefix/'))
assert len(prefix_fetched_keys) == 2
# Test the GET privilege.
for key in prefix_fetched_keys:
assert key.get_contents_as_string() == b'wal-e test'
# Try a bogus listing outside the valid prefix.
with pytest.raises(exception.S3ResponseError) as e:
list(bucket.list(prefix=''))
assert e.value.status == 403
# Test the rejection of PUT outside of prefix.
k = connection.Key(bucket)
k.key = 'not-in-prefix/world'
with pytest.raises(exception.S3ResponseError) as e:
k.set_contents_from_string(test_payload)
assert e.value.status == 403