def test_check_perm_write(do_dangerous_test):
test_setup_new()
s = S3Service()
sAnon = S3Service(forceNoCreds=True)
# Bucket with no write perms
b1 = S3Bucket('flaws.cloud')
b1.exists = BucketExists.YES
s.check_perm_write(b1)
if s.aws_creds_configured:
assert b1.AuthUsersWrite == Permission.DENIED
else:
assert b1.AllUsersWrite == Permission.DENIED
if do_dangerous_test:
print("[test_check_perm_write] Doing dangerous test")
ts = TestBucketService()
danger_bucket_1 = ts.create_bucket(1) # Bucket with AuthUser Write, WriteACP permissions
try:
b2 = S3Bucket(danger_bucket_1)
b2.exists = BucketExists.YES
sAnon.check_perm_write(b2)
s.check_perm_write(b2)
assert b2.AuthUsersWrite == Permission.ALLOWED
assert b2.AllUsersWrite == Permission.DENIED
finally:
ts.delete_bucket(danger_bucket_1)
danger_bucket_2 = ts.create_bucket(2) # Bucket with AllUser Write, WriteACP permissions
try:
b3 = S3Bucket(danger_bucket_2)
b3.exists = BucketExists.YES
sAnon.check_perm_write(b3)
s.check_perm_write(b3)
assert b3.AllUsersWrite == Permission.ALLOWED
assert b3.AuthUsersWrite == Permission.UNKNOWN
finally:
ts.delete_bucket(danger_bucket_2)
# Bucket with AllUsers and AuthUser Write permissions
danger_bucket_4 = ts.create_bucket(4)
try:
b4 = S3Bucket(danger_bucket_4)
b4.exists = BucketExists.YES
sAnon.check_perm_write(b4)
s.check_perm_write(b4)
assert b4.AllUsersWrite == Permission.ALLOWED
assert b4.AuthUsersWrite == Permission.UNKNOWN
finally:
ts.delete_bucket(danger_bucket_4)
else:
print("[test_check_perm_write] Skipping dangerous test")
def test_check_perm_read():
test_setup_new()
s = S3Service()
# Bucket that no one can list
b1 = S3Bucket('s3scanner-private')
b1.exists = BucketExists.YES
s.check_perm_read(b1)
if s.aws_creds_configured:
assert b1.AuthUsersRead == Permission.DENIED
else:
assert b1.AllUsersRead == Permission.DENIED
# Bucket that only AuthenticatedUsers can list
b2 = S3Bucket('s3scanner-auth-read')
b2.exists = BucketExists.YES
s.check_perm_read(b2)
if s.aws_creds_configured:
assert b2.AuthUsersRead == Permission.ALLOWED
else:
assert b2.AllUsersRead == Permission.DENIED
# Bucket that Everyone can list
b3 = S3Bucket('s3scanner-long')
b3.exists = BucketExists.YES
s.check_perm_read(b3)
if s.aws_creds_configured:
assert b3.AuthUsersRead == Permission.ALLOWED
else:
assert b3.AllUsersRead == Permission.ALLOWED
def test_check_perm_read_acl():
test_setup_new()
s = S3Service()
# Bucket with no read ACL perms
b1 = S3Bucket('s3scanner-private')
b1.exists = BucketExists.YES
s.check_perm_read_acl(b1)
if s.aws_creds_configured:
assert b1.AuthUsersReadACP == Permission.DENIED
else:
assert b1.AllUsersReadACP == Permission.DENIED
# Bucket that allows AuthenticatedUsers to read ACL
if s.aws_creds_configured:
b2 = S3Bucket('s3scanner-auth-read-acl')
b2.exists = BucketExists.YES
s.check_perm_read_acl(b2)
if s.aws_creds_configured:
assert b2.AuthUsersReadACP == Permission.ALLOWED
else:
assert b2.AllUsersReadACP == Permission.DENIED
# Bucket that allows AllUsers to read ACL
b3 = S3Bucket('s3scanner-all-readacp')
b3.exists = BucketExists.YES
s.check_perm_read_acl(b3)
assert b3.AllUsersReadACP == Permission.ALLOWED
assert b3.AllUsersWrite == Permission.DENIED
assert b3.AllUsersWriteACP == Permission.DENIED
assert b3.AuthUsersReadACP == Permission.DENIED
assert b3.AuthUsersWriteACP == Permission.DENIED
assert b3.AuthUsersWrite == Permission.DENIED
def test_download_file():
test_setup_new()
s = S3Service()
# Try to download a file that already exists
dest_folder = os.path.realpath(testingFolder)
Path(os.path.join(dest_folder, 'test_download_file.txt')).touch()
size = Path(os.path.join(dest_folder, 'test_download_file.txt')).stat().st_size
o = S3BucketObject(size=size, last_modified="2020-12-31_03-02-11z", key="test_download_file.txt")
b = S3Bucket("bucket-no-existo")
s.download_file(os.path.join(dest_folder, ''), b, True, o)
def test_check_perms_without_checking_bucket_exists():
test_setup_new()
sAnon = S3Service(forceNoCreds=True)
b1 = S3Bucket('blahblah')
with pytest.raises(BucketMightNotExistException):
sAnon.check_perm_read_acl(b1)
with pytest.raises(BucketMightNotExistException):
sAnon.check_perm_read(b1)
with pytest.raises(BucketMightNotExistException):
sAnon.check_perm_write(b1)
with pytest.raises(BucketMightNotExistException):
sAnon.check_perm_write_acl(b1)
def test_enumerate_bucket_objects():
test_setup_new()
s = S3Service()
# Empty bucket
b1 = S3Bucket('s3scanner-empty')
b1.exists = BucketExists.YES
s.check_perm_read(b1)
if s.aws_creds_configured:
assert b1.AuthUsersRead == Permission.ALLOWED
else:
assert b1.AllUsersRead == Permission.ALLOWED
s.enumerate_bucket_objects(b1)
assert b1.objects_enumerated is True
assert b1.bucketSize == 0
# Bucket with > 1000 items
if s.aws_creds_configured:
b2 = S3Bucket('s3scanner-auth-read')
b2.exists = BucketExists.YES
s.check_perm_read(b2)
assert b2.AuthUsersRead == Permission.ALLOWED
s.enumerate_bucket_objects(b2)
assert b2.objects_enumerated is True
assert b2.bucketSize == 4143
assert b2.get_human_readable_size() == "4.0KB"
else:
print("[test_enumerate_bucket_objects] Skipping test due to no AWS creds")
# Bucket without read permission
b3 = S3Bucket('s3scanner-private')
b3.exists = BucketExists.YES
s.check_perm_read(b3)
if s.aws_creds_configured:
assert b3.AuthUsersRead == Permission.DENIED
else:
assert b3.AllUsersRead == Permission.DENIED
try:
s.enumerate_bucket_objects(b3)
except AccessDeniedException:
pass
# Try to enumerate before checking if bucket exists
b4 = S3Bucket('s3scanner-enumerate-bucket')
with pytest.raises(Exception):
s.enumerate_bucket_objects(b4)
def test_bucket_exists():
test_setup_new()
s = S3Service()
# Bucket that does exist
b1 = S3Bucket('s3scanner-private')
s.check_bucket_exists(b1)
assert b1.exists is BucketExists.YES
# Bucket that doesn't exist (hopefully)
b2 = S3Bucket('asfasfasdfasdfasdf')
s.check_bucket_exists(b2)
assert b2.exists is BucketExists.NO
# Pass a thing that's not a bucket
with pytest.raises(ValueError):
s.check_bucket_exists("asdfasdf")
def test_validate_endpoint_url_nonaws():
disable_warnings()
s = S3Service()
# Test CenturyLink_Lumen
s.endpoint_url = 'https://useast.os.ctl.io'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test DigitalOcean
s.endpoint_url = 'https://sfo2.digitaloceanspaces.com'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test Dreamhost
s.endpoint_url = 'https://objects.dreamhost.com'
assert s.validate_endpoint_url(use_ssl=False, verify_ssl=False, endpoint_address_style='vhost') is True
# Test GCP
s.endpoint_url = 'https://storage.googleapis.com'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test IBM
s.endpoint_url = 'https://s3.us-east.cloud-object-storage.appdomain.cloud'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test Linode
s.endpoint_url = 'https://eu-central-1.linodeobjects.com'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test Scaleway
s.endpoint_url = 'https://s3.nl-ams.scw.cloud'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test Vultr
s.endpoint_url = 'https://ewr1.vultrobjects.com'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
# Test Wasabi
s.endpoint_url = 'https://s3.wasabisys.com'
assert s.validate_endpoint_url(use_ssl=True, verify_ssl=True, endpoint_address_style='path') is True
def test_init():
test_setup_new()
s = S3Service(forceNoCreds=True)
assert s.aws_creds_configured is False
def test_no_ssl():
test_setup_new()
S3Service(verify_ssl=False)
def test_parse_found_acl():
test_setup_new()
sAnon = S3Service(forceNoCreds=True)
b1 = S3Bucket('s3scanner-all-read-readacl')
b1.exists = BucketExists.YES
sAnon.check_perm_read_acl(b1)
assert b1.foundACL is not None
assert b1.AllUsersRead == Permission.ALLOWED
assert b1.AllUsersReadACP == Permission.ALLOWED
assert b1.AllUsersWrite == Permission.DENIED
assert b1.AllUsersWriteACP == Permission.DENIED
assert b1.AllUsersFullControl == Permission.DENIED
assert b1.AuthUsersReadACP == Permission.DENIED
assert b1.AuthUsersRead == Permission.DENIED
assert b1.AuthUsersWrite == Permission.DENIED
assert b1.AuthUsersWriteACP == Permission.DENIED
assert b1.AuthUsersFullControl == Permission.DENIED
test_acls_1 = {
'Grants': [
{
'Grantee': {
'Type': 'Group',
'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'
},
'Permission': 'FULL_CONTROL'
}
]
}
b2 = S3Bucket('test-acl-doesnt-exist')
b2.exists = BucketExists.YES
b2.foundACL = test_acls_1
sAnon.parse_found_acl(b2)
assert b2.AllUsersRead == Permission.ALLOWED
assert b2.AllUsersReadACP == Permission.ALLOWED
assert b2.AllUsersWrite == Permission.ALLOWED
assert b2.AllUsersWriteACP == Permission.ALLOWED
assert b2.AllUsersFullControl == Permission.ALLOWED
assert b2.AuthUsersRead == Permission.DENIED
assert b2.AuthUsersReadACP == Permission.DENIED
assert b2.AuthUsersWrite == Permission.DENIED
assert b2.AuthUsersWriteACP == Permission.DENIED
assert b2.AuthUsersFullControl == Permission.DENIED
test_acls_2 = {
'Grants': [
{
'Grantee': {
'Type': 'Group',
'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
},
'Permission': 'FULL_CONTROL'
}
]
}
b3 = S3Bucket('test-acl2-doesnt-exist')
b3.exists = BucketExists.YES
b3.foundACL = test_acls_2
sAnon.parse_found_acl(b3)
assert b3.AllUsersRead == Permission.DENIED
assert b3.AllUsersReadACP == Permission.DENIED
assert b3.AllUsersWrite == Permission.DENIED
assert b3.AllUsersWriteACP == Permission.DENIED
assert b3.AllUsersFullControl == Permission.DENIED
assert b3.AuthUsersRead == Permission.ALLOWED
assert b3.AuthUsersReadACP == Permission.ALLOWED
assert b3.AuthUsersWrite == Permission.ALLOWED
assert b3.AuthUsersWriteACP == Permission.ALLOWED
assert b3.AuthUsersFullControl == Permission.ALLOWED
test_acls_3 = {
'Grants': [
{
'Grantee': {
'Type': 'Group',
'URI': 'asdfasdf'
},
'Permission': 'READ'
}
]
}
b4 = S3Bucket('test-acl3-doesnt-exist')
b4.exists = BucketExists.YES
b4.foundACL = test_acls_3
sAnon.parse_found_acl(b4)
all_permissions = [b4.AllUsersRead, b4.AllUsersReadACP, b4.AllUsersWrite, b4.AllUsersWriteACP,
b4.AllUsersFullControl, b4.AuthUsersRead, b4.AuthUsersReadACP, b4.AuthUsersWrite,
b4.AuthUsersWriteACP, b4.AuthUsersFullControl]
for p in all_permissions:
assert p == Permission.DENIED
test_acls_4 = {
'Grants': [
{
'Grantee': {
'Type': 'Group',
'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
},
'Permission': 'READ_ACP'
},
{
'Grantee': {
'Type': 'Group',
'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'
},
'Permission': 'READ_ACP'
}
]
}
b5 = S3Bucket('test-acl4-doesnt-exist')
b5.exists = BucketExists.YES
b5.foundACL = test_acls_4
sAnon.parse_found_acl(b5)
assert b5.AllUsersRead == Permission.DENIED
assert b5.AllUsersReadACP == Permission.ALLOWED
assert b5.AllUsersWrite == Permission.DENIED
assert b5.AllUsersWriteACP == Permission.DENIED
assert b5.AllUsersFullControl == Permission.DENIED
assert b5.AuthUsersRead == Permission.DENIED
assert b5.AuthUsersReadACP == Permission.ALLOWED
assert b5.AuthUsersWrite == Permission.DENIED
assert b5.AuthUsersWriteACP == Permission.DENIED
assert b5.AuthUsersFullControl == Permission.DENIED
def test_check_perm_write_acl(do_dangerous_test):
test_setup_new()
s = S3Service()
sNoCreds = S3Service(forceNoCreds=True)
# Bucket with no permissions
b1 = S3Bucket('s3scanner-private')
b1.exists = BucketExists.YES
s.check_perm_write_acl(b1)
if s.aws_creds_configured:
assert b1.AuthUsersWriteACP == Permission.DENIED
assert b1.AllUsersWriteACP == Permission.UNKNOWN
else:
assert b1.AllUsersWriteACP == Permission.DENIED
assert b1.AuthUsersWriteACP == Permission.UNKNOWN
if do_dangerous_test:
print("[test_check_perm_write_acl] Doing dangerous tests...")
ts = TestBucketService()
# Bucket with WRITE_ACP enabled for AuthUsers
danger_bucket_3 = ts.create_bucket(3)
try:
b2 = S3Bucket(danger_bucket_3)
b2.exists = BucketExists.YES
# Check for read/write permissions so when we check for write_acl we
# send the same perms that it had originally
sNoCreds.check_perm_read(b2)
s.check_perm_read(b2)
sNoCreds.check_perm_write(b2)
s.check_perm_write(b2)
# Check for WriteACP
sNoCreds.check_perm_write_acl(b2)
s.check_perm_write_acl(b2)
# Grab permissions after our check so we can compare to original
sNoCreds.check_perm_write(b2)
s.check_perm_write(b2)
sNoCreds.check_perm_read(b2)
s.check_perm_read(b2)
if s.aws_creds_configured:
assert b2.AuthUsersWriteACP == Permission.ALLOWED
# Make sure we didn't change the original permissions
assert b2.AuthUsersWrite == Permission.ALLOWED
assert b2.AllUsersWrite == Permission.DENIED
assert b2.AllUsersRead == Permission.ALLOWED
assert b2.AuthUsersRead == Permission.UNKNOWN
else:
assert b2.AllUsersRead == Permission.ALLOWED
assert b2.AuthUsersWriteACP == Permission.UNKNOWN
except Exception as e:
raise e
finally:
ts.delete_bucket(danger_bucket_3)
# Bucket with WRITE_ACP enabled for AllUsers
danger_bucket_2 = ts.create_bucket(2)
try:
b3 = S3Bucket(danger_bucket_2)
b3.exists = BucketExists.YES
sNoCreds.check_perm_read(b3)
s.check_perm_read(b3)
sNoCreds.check_perm_write(b3)
s.check_perm_write(b3)
sNoCreds.check_perm_write_acl(b3)
s.check_perm_write_acl(b3)
sNoCreds.check_perm_write(b3)
s.check_perm_write(b3)
sNoCreds.check_perm_read(b3)
s.check_perm_read(b3)
if s.aws_creds_configured:
assert b3.AllUsersWriteACP == Permission.ALLOWED
assert b3.AuthUsersWriteACP == Permission.UNKNOWN
assert b3.AllUsersWrite == Permission.ALLOWED
else:
assert b3.AllUsersRead == Permission.ALLOWED
assert b3.AuthUsersWriteACP == Permission.UNKNOWN
except Exception as e:
raise e
finally:
ts.delete_bucket(danger_bucket_2)
# Bucket with WRITE_ACP enabled for both AllUsers and AuthUsers
danger_bucket_5 = ts.create_bucket(5)
try:
b5 = S3Bucket(danger_bucket_5)
b5.exists = BucketExists.YES
sNoCreds.check_perm_read(b5)
s.check_perm_read(b5)
sNoCreds.check_perm_write(b5)
s.check_perm_write(b5)
sNoCreds.check_perm_write_acl(b5)
s.check_perm_write_acl(b5)
sNoCreds.check_perm_write(b5)
s.check_perm_write(b5)
sNoCreds.check_perm_read(b5)
s.check_perm_read(b5)
assert b5.AllUsersWriteACP == Permission.ALLOWED
assert b5.AuthUsersWriteACP == Permission.UNKNOWN
assert b5.AllUsersWrite == Permission.DENIED
assert b5.AuthUsersWrite == Permission.DENIED
except Exception as e:
raise e
finally:
ts.delete_bucket(danger_bucket_5)
else:
print("[test_check_perm_write_acl] Skipping dangerous test...")