def test_from_headers_x_amz_acl_invalid(self): with self.assertRaises(InvalidArgument) as cm: ACL.from_headers({'x-amz-acl': 'invalid'}, Owner('test:tester', 'test:tester')) self.assertTrue('argument_name' in cm.exception.info) self.assertEquals(cm.exception.info['argument_name'], 'x-amz-acl') self.assertTrue('argument_value' in cm.exception.info) self.assertEquals(cm.exception.info['argument_value'], 'invalid')
def test_from_headers_x_amz_acl(self): canned_acls = ['public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write'] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEquals(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEquals(expected_permission, permission) self.assertTrue( isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEquals(expected_grantee.id, grantee.id) self.assertEquals(expected_grantee.display_name, grantee.display_name)
def test_from_headers_x_amz_acl(self): canned_acls = [ 'public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write' ] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEquals(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEquals(expected_permission, permission) self.assertTrue(isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEquals(expected_grantee.id, grantee.id) self.assertEquals(expected_grantee.display_name, grantee.display_name)
def get_acl(headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: msg = 'Your request was missing a required header' raise MissingSecurityHeader(msg, missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem(elem) except (XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() LOGGER.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def get_acl(headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: msg = 'Your request was missing a required header' raise MissingSecurityHeader(msg, missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem(elem) except(XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() LOGGER.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def PUT(self, app): if not self.obj: # Initiate Multipart Uploads (put +segment container) resp = self._handle_acl(app, 'HEAD') req_acl = ACL.from_headers(self.req.headers, resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) acl_headers = encode_acl('object', req_acl) self.req.headers[sysmeta_header('object', 'tmpacl')] = \ acl_headers[sysmeta_header('object', 'acl')]
def PUT(self, app): if not self.acl_checked: resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) acl_headers = encode_acl('object', req_acl) self.req.headers[sysmeta_header('object', 'tmpacl')] = \ acl_headers[sysmeta_header('object', 'acl')] self.acl_checked = True
def PUT(self, app): b_resp = self._handle_acl(app, 'HEAD', obj='') inherits = None if CONF.s3_acl and CONF.s3_acl_inherit: inherits = b_resp.bucket_acl.grants req_acl = ACL.from_headers(self.req.headers, b_resp.bucket_acl.owner, Owner(self.user_id, self.user_id), inherit_grants=inherits) self.req.object_acl = req_acl
def PUT(self, app): req_acl = ACL.from_headers(self.req.headers, Owner(self.user_id, self.user_id)) # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. self.req.get_acl_response(app, 'PUT') # update metadata self.req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. return self.req.get_acl_response(app, 'POST')
def test_encode_acl_many_grant(self): headers = {} users = [] for i in range(0, 99): users.append('id=test:tester%s' % str(i)) users = ','.join(users) headers['x-amz-grant-read'] = users acl = ACL.from_headers(headers, Owner('test:tester', 'test:tester')) acp = encode_acl('container', acl) header_value = acp[sysmeta_header('container', 'acl')] header_value = json.loads(header_value) self.assertTrue('Owner' in header_value) self.assertTrue('Grant' in header_value) self.assertEqual('test:tester', header_value['Owner']) self.assertEqual(len(header_value['Grant']), 99)
def PUT(self, req): """ Handle PUT Bucket request """ xml = req.xml(MAX_PUT_BUCKET_BODY_SIZE) if xml: # check location try: elem = fromstring(xml, 'CreateBucketConfiguration') location = elem.find('./LocationConstraint').text except (XMLSyntaxError, DocumentInvalid): raise MalformedXML() except Exception as e: LOGGER.error(e) raise if location != CONF.location: # Swift3 cannot support multiple reagions now. raise InvalidLocationConstraint() if CONF.s3_acl: req_acl = ACL.from_headers(req.headers, Owner(req.user_id, req.user_id)) # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. resp = req.get_response(self.app) # update metadata req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. req.get_response(self.app, 'POST') else: if 'HTTP_X_AMZ_ACL' in req.environ: handle_acl_header(req) resp = req.get_response(self.app) resp.status = HTTP_OK resp.location = '/' + req.container_name return resp
def PUT(self, req): """ Handle PUT Object and PUT Object (Copy) request """ if CONF.s3_acl: if 'X-Amz-Copy-Source' in req.headers: src_path = req.headers['X-Amz-Copy-Source'] src_path = src_path if src_path.startswith('/') else \ ('/' + src_path) src_bucket, src_obj = split_path(src_path, 0, 2, True) req.get_response(self.app, 'HEAD', src_bucket, src_obj, permission='READ') b_resp = req.get_response(self.app, 'HEAD', obj='') # To avoid overwriting the existing object by unauthorized user, # we send HEAD request first before writing the object to make # sure that the target object does not exist or the user that sent # the PUT request have write permission. try: req.get_response(self.app, 'HEAD') except NoSuchKey: pass req_acl = ACL.from_headers(req.headers, b_resp.bucket_acl.owner, Owner(req.user_id, req.user_id)) req.object_acl = req_acl resp = req.get_response(self.app) if 'X-Amz-Copy-Source' in req.headers: elem = Element('CopyObjectResult') SubElement(elem, 'ETag').text = '"%s"' % resp.etag body = tostring(elem, use_s3ns=False) return HTTPOk(body=body, headers=resp.headers) resp.status = HTTP_OK return resp
def PUT(self, app): b_resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, b_resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) self.req.object_acl = req_acl