def test_acl_bucket_owner_full_control(self):
    """bucket-owner-full-control: object owner and bucket owner both hold
    every permission, so neither party can lock the other out."""
    acl = ACLBucketOwnerFullControl(
        bucket_owner=Owner('test:tester2', 'test:tester2'),
        object_owner=Owner('test:tester', 'test:tester'))
    permissions = ('READ', 'WRITE', 'READ_ACP', 'WRITE_ACP')
    # object owner first, then bucket owner: both must be fully granted
    for principal in ('test:tester', 'test:tester2'):
        for permission in permissions:
            self.assertTrue(
                self.check_permission(acl, principal, permission))
def test_acl_bucket_owner_read(self):
    """bucket-owner-read: the object owner keeps full control while the
    bucket owner is granted READ only -- no WRITE and no ACP access."""
    acl = ACLBucketOwnerRead(
        bucket_owner=Owner('test:tester2', 'test:tester2'),
        object_owner=Owner('test:tester', 'test:tester'))
    for permission in ('READ', 'WRITE', 'READ_ACP', 'WRITE_ACP'):
        self.assertTrue(
            self.check_permission(acl, 'test:tester', permission))
    # bucket owner: READ is the only permission this canned ACL confers
    self.assertTrue(self.check_permission(acl, 'test:tester2', 'READ'))
    for denied in ('WRITE', 'READ_ACP', 'WRITE_ACP'):
        self.assertFalse(
            self.check_permission(acl, 'test:tester2', denied))
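def _test_object_PUT_copy(self, head_resp, put_header=None):
    """Send a copy PUT (``X-Amz-Copy-Source``) and return the swift3 reply.

    The source object ``/v1/AUTH_test/some/source`` is registered to
    answer HEAD with ``head_resp`` and an object ACL that grants
    FULL_CONTROL to the requesting account ``test:tester``.

    :param head_resp: swob response class returned by the source HEAD
    :param put_header: extra request headers merged over the defaults
        (Authorization, X-Amz-Copy-Source, Date); ``None`` means none
    :returns: the ``(status, headers, body)`` tuple from ``call_swift3``
    """
    # ``None`` instead of ``{}``: a mutable default is shared between
    # calls and would leak headers from one test into the next.
    put_header = put_header or {}
    account = 'test:tester'
    grants = [Grant(User(account), 'FULL_CONTROL')]
    head_headers = encode_acl('object', ACL(Owner(account, account), grants))
    head_headers.update({'last-modified': self.last_modified})
    self.swift.register('HEAD', '/v1/AUTH_test/some/source',
                        head_resp, head_headers, None)
    put_headers = {
        'Authorization': 'AWS test:tester:hmac',
        'X-Amz-Copy-Source': '/some/source',
        'Date': self.get_date_header(),
    }
    put_headers.update(put_header)
    req = Request.blank('/bucket/object',
                        environ={'REQUEST_METHOD': 'PUT'},
                        headers=put_headers)
    req.date = datetime.now()
    req.content_type = 'text/plain'
    # time.time is pinned to a fixed value; presumably so timestamps in
    # the copy response are stable across runs -- confirm with caller
    with patch('swift3.utils.time.time', return_value=1396353600.000000):
        return self.call_swift3(req)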
def _test_set_container_permission(self, account, permission):
    """Register ``/v1/AUTH_test/bucket`` HEAD with a container ACL owned
    by test:tester that grants ``permission`` to ``account``."""
    bucket_owner = Owner('test:tester', 'test:tester')
    container_acl = ACL(bucket_owner, [Grant(User(account), permission)])
    acl_headers = encode_acl('container', container_acl)
    self.swift.register('HEAD', '/v1/AUTH_test/bucket',
                        swob.HTTPNoContent, acl_headers, None)
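def test_from_headers_x_amz_acl(self):
    """Each canned ACL given in ``x-amz-acl`` expands to exactly the
    grants that ``canned_acl_grantees`` lists for that owner.

    'private' is not in this list -- presumably covered by another test.
    """
    canned_acls = [
        'public-read', 'public-read-write', 'authenticated-read',
        'bucket-owner-read', 'bucket-owner-full-control',
        'log-delivery-write',
    ]
    owner = Owner('test:tester', 'test:tester')
    grantee_map = canned_acl_grantees(owner)
    for acl_str in canned_acls:
        acl = ACL.from_headers({'x-amz-acl': acl_str}, owner)
        expected = grantee_map[acl_str]
        self.assertEqual(len(acl.grants), len(expected))  # sanity
        # parse Grant object to permission and grantee
        actual_grants = [(grant.permission, grant.grantee)
                         for grant in acl.grants]
        # NOTE(review): sorting (permission, grantee) tuples falls back
        # to comparing grantee objects when permissions tie; that relies
        # on Python 2 default ordering -- confirm before porting.
        assertions = zip(sorted(expected), sorted(actual_grants))
        for (expected_permission, expected_grantee), \
                (permission, grantee) in assertions:
            self.assertEqual(expected_permission, permission)
            self.assertIsInstance(grantee, expected_grantee.__class__)
            if isinstance(grantee, User):
                self.assertEqual(expected_grantee.id, grantee.id)
                self.assertEqual(expected_grantee.display_name,
                                 grantee.display_name)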
def s3acl_decorator(*args, **kwargs):
    """Run the wrapped test twice: once as-is and once with s3_acl on.

    ``func`` and ``s3acl_only`` come from the enclosing scope (not
    visible here).  ``args[0]`` is expected to be the test instance,
    since its ``.swift`` attribute is used to build the s3acl environ.
    """
    if not args and not kwargs:
        raise NotMethodException('Use s3acl decorator for a method')

    def call_func(failing_point=''):
        # Runs ``func`` once; on AssertionError re-raises the same
        # exception type with the formatted traceback and
        # ``failing_point`` folded into the message, so the report says
        # which of the two passes failed.
        try:
            func(*args, **kwargs)
        except AssertionError:
            # Make traceback message to clarify the assertion
            exc_type, exc_instance, exc_traceback = sys.exc_info()
            formatted_traceback = ''.join(
                traceback.format_tb(exc_traceback))
            # ``exc_instance.message`` exists on Python 2 exceptions only
            message = '\n%s\n%s:\n%s' % (formatted_traceback,
                                         exc_type.__name__,
                                         exc_instance.message)
            message += failing_point
            # A fresh instance is raised: the original traceback object
            # is dropped, only its text survives in ``message``.
            raise exc_type(message)

    if not s3acl_only:
        call_func()

    # Second pass with the ACL feature enabled and a pre-built
    # environment owned by test:tester.
    with patch('swift3.cfg.CONF.s3_acl', True):
        owner = Owner('test:tester', 'test:tester')
        instance = args[0]
        generate_s3acl_environ('test', instance.swift, owner)
        call_func(' (fail at s3_acl)')
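def test_from_headers_x_amz_acl_invalid(self):
    """An unknown canned ACL name raises InvalidArgument naming the
    offending header and value, rather than being silently mapped."""
    owner = Owner('test:tester', 'test:tester')
    with self.assertRaises(InvalidArgument) as cm:
        ACL.from_headers({'x-amz-acl': 'invalid'}, owner)
    info = cm.exception.info
    self.assertIn('argument_name', info)
    self.assertEqual(info['argument_name'], 'x-amz-acl')
    self.assertIn('argument_value', info)
    self.assertEqual(info['argument_value'], 'invalid')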
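def test_canned_acl_grantees(self):
    """``canned_acl_grantees`` knows exactly the seven canned ACL names
    listed here -- no name missing and no extra entry."""
    grantee_map = canned_acl_grantees(Owner('test:tester', 'test:tester'))
    canned_acls = ['private', 'public-read', 'public-read-write',
                   'authenticated-read', 'bucket-owner-read',
                   'bucket-owner-full-control', 'log-delivery-write']
    for canned_acl in canned_acls:
        self.assertIn(canned_acl, grantee_map)
    # sanity: the map holds nothing beyond the names checked above
    self.assertEqual(len(canned_acls), len(grantee_map))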
def PUT(self, app):
    """Stash the requested object ACL for a multipart upload initiation.

    When no object name is present the request initiates a multipart
    upload; the ACL parsed from the request headers is encoded and
    stored under the ``tmpacl`` sysmeta header of the request.
    """
    if not self.obj:
        # Initiate Multipart Uploads (put +segment container)
        bucket_resp = self._handle_acl(app, 'HEAD')
        requester = Owner(self.user_id, self.user_id)
        requested_acl = ACL.from_headers(self.req.headers,
                                         bucket_resp.bucket_acl.owner,
                                         requester)
        encoded = encode_acl('object', requested_acl)
        tmpacl_key = sysmeta_header('object', 'tmpacl')
        self.req.headers[tmpacl_key] = \
            encoded[sysmeta_header('object', 'acl')]
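def test_object_PUT_copy_without_dst_obj_permission(self):
    """A copy by test:other is denied (403) even though it holds WRITE on
    the destination bucket and READ on the source object.

    The destination object itself is left with the environ's default
    ACL, which presumably is what the check trips on -- confirm.
    """
    account = 'test:other'
    grants = [Grant(User(account), 'WRITE')]
    bucket_headers = encode_acl('container',
                                ACL(Owner(account, account), grants))
    self.swift.register('HEAD', '/v1/AUTH_test/bucket',
                        swob.HTTPNoContent, bucket_headers, None)
    status, headers, body = \
        self._test_object_copy_for_s3acl(account, 'READ')
    self.assertEqual(status.split()[0], '403')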
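def test_encode_acl_object(self):
    """An object ACL is encoded as JSON under the object acl sysmeta
    header, carrying the owner id and the grant list (one for private)."""
    acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
    acp = encode_acl('object', acl)
    header_value = json.loads(acp[sysmeta_header('object', 'acl')])
    self.assertIn('Owner', header_value)
    self.assertIn('Grant', header_value)
    self.assertEqual('test:tester', header_value['Owner'])
    self.assertEqual(len(header_value['Grant']), 1)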
def PUT(self, app):
    """Resolve the requested object ACL once and stash it as ``tmpacl``.

    ``self.acl_checked`` guards the work so a second call on the same
    handler does not re-read the bucket ACL or re-encode the header.
    """
    if self.acl_checked:
        return
    bucket_resp = self._handle_acl(app, 'HEAD', obj='')
    requester = Owner(self.user_id, self.user_id)
    requested_acl = ACL.from_headers(self.req.headers,
                                     bucket_resp.bucket_acl.owner,
                                     requester)
    encoded = encode_acl('object', requested_acl)
    self.req.headers[sysmeta_header('object', 'tmpacl')] = \
        encoded[sysmeta_header('object', 'acl')]
    self.acl_checked = True
def setUp(self):
    """Enable s3_acl and seed the fake Swift with an ACL environment
    owned by test:tester."""
    super(TestSwift3S3Acl, self).setUp()
    # module-wide toggle; nothing in this method restores it
    CONF.s3_acl = True
    account = 'test'
    owner_name = '{0}:tester'.format(account)
    self.default_owner = Owner(owner_name, owner_name)
    generate_s3acl_environ(account, self.swift, self.default_owner)
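def test_acl_elem(self):
    """``ACL.elem`` renders Owner and AccessControlList, and a private
    ACL yields exactly one Grant whose grantee is the owner."""
    acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
    elem = acl.elem()
    self.assertIsNotNone(elem.find('./Owner'))
    self.assertIsNotNone(elem.find('./AccessControlList'))
    # findall already returns a list; no copy comprehension needed
    grants = elem.findall('./AccessControlList/Grant')
    self.assertEqual(len(grants), 1)
    self.assertEqual(grants[0].find('./Grantee/ID').text, 'test:tester')
    self.assertEqual(grants[0].find('./Grantee/DisplayName').text,
                     'test:tester')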
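def test_bucket_acl_PUT_with_other_owner(self):
    """PUT ?acl whose XML names a different Owner is rejected with
    AccessDenied: a caller must not be able to reassign bucket
    ownership through the ACL body."""
    foreign_owner = Owner(id='test:other', name='test:other')
    req = Request.blank('/bucket?acl',
                        environ={'REQUEST_METHOD': 'PUT'},
                        headers={'Authorization': 'AWS test:tester:hmac'},
                        body=tostring(ACLPrivate(foreign_owner).elem()))
    status, headers, body = self.call_swift3(req)
    self.assertEqual(self._get_error_code(body), 'AccessDenied')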
def __init__(self, s3_acl):
    """Build the sysmeta headers; with ``s3_acl`` on, both the container
    and the object get a FULL_CONTROL ACL owned by test:tester."""
    self.sysmeta_headers = {}
    if not s3_acl:
        return
    owner = Owner(id='test:tester', name='test:tester')
    # container first, then object, matching the header order callers see
    for resource in ('container', 'object'):
        self.sysmeta_headers.update(
            _gen_test_acl_header(owner, 'FULL_CONTROL', resource=resource))
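def _test_object_PUT_copy_self(self, head_resp, put_header=None):
    """Copy ``/bucket/object`` onto itself and return the swift3 reply.

    The target object's HEAD answers ``head_resp`` with an ACL granting
    FULL_CONTROL to test:tester.

    :param head_resp: swob response class for the object HEAD
    :param put_header: extra request headers; ``None`` means none
    :returns: whatever ``_call_object_copy`` returns
    """
    # ``None`` instead of ``{}``: a mutable default would be shared
    # across calls.
    put_header = put_header or {}
    account = 'test:tester'
    grants = [Grant(User(account), 'FULL_CONTROL')]
    head_headers = encode_acl('object', ACL(Owner(account, account), grants))
    head_headers.update({'last-modified': self.last_modified})
    self.swift.register('HEAD', '/v1/AUTH_test/bucket/object',
                        head_resp, head_headers, None)
    return self._call_object_copy('/bucket/object', put_header)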
def PUT(self, app):
    """Attach the object ACL requested by the headers to the request.

    When both ``CONF.s3_acl`` and ``CONF.s3_acl_inherit`` are on, the
    bucket's grants are passed as ``inherit_grants``; otherwise nothing
    is inherited.
    """
    bucket_resp = self._handle_acl(app, 'HEAD', obj='')
    inherit_enabled = CONF.s3_acl and CONF.s3_acl_inherit
    inherited = bucket_resp.bucket_acl.grants if inherit_enabled else None
    requester = Owner(self.user_id, self.user_id)
    self.req.object_acl = ACL.from_headers(self.req.headers,
                                           bucket_resp.bucket_acl.owner,
                                           requester,
                                           inherit_grants=inherited)
def _test_object_PUT_copy(self, head_resp, put_header=None,
                          src_path='/some/source', timestamp=None):
    """Register the source object HEAD and issue a copy of it.

    The registered HEAD is always for ``/v1/AUTH_test/some/source``;
    ``src_path`` only changes what ``_call_object_copy`` is asked for.
    Returns whatever ``_call_object_copy`` returns.
    """
    account = 'test:tester'
    source_acl = ACL(Owner(account, account),
                     [Grant(User(account), 'FULL_CONTROL')])
    head_headers = encode_acl('object', source_acl)
    head_headers.update({'last-modified': self.last_modified})
    self.swift.register('HEAD', '/v1/AUTH_test/some/source',
                        head_resp, head_headers, None)
    extra_headers = {} if put_header is None else put_header or {}
    return self._call_object_copy(src_path, extra_headers, timestamp)
def test_acl_authenticated_read(self):
    """authenticated-read: owner has everything; another authenticated
    user gets READ only."""
    acl = ACLAuthenticatedRead(Owner(id='test:tester', name='test:tester'))
    expectations = [
        ('test:tester', 'READ', True),
        ('test:tester', 'WRITE', True),
        ('test:tester', 'READ_ACP', True),
        ('test:tester', 'WRITE_ACP', True),
        ('test:tester2', 'READ', True),
        ('test:tester2', 'WRITE', False),
        ('test:tester2', 'READ_ACP', False),
        ('test:tester2', 'WRITE_ACP', False),
    ]
    for principal, permission, allowed in expectations:
        check = self.assertTrue if allowed else self.assertFalse
        check(self.check_permission(acl, principal, permission))
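def test_grant_with_both_header_and_xml(self):
    """Supplying grants both as ``x-amz-grant-*`` headers and as an ACL
    XML body is rejected with UnexpectedContent instead of merging."""
    req = Request.blank('/bucket/object?acl',
                        environ={'REQUEST_METHOD': 'PUT'},
                        headers={'Authorization': 'AWS test:tester:hmac',
                                 'Date': self.get_date_header(),
                                 'x-amz-grant-full-control':
                                     'id=test:tester'},
                        body=tostring(
                            ACLPrivate(
                                Owner(id='test:tester',
                                      name='test:tester')).elem()))
    status, headers, body = self.call_swift3(req)
    self.assertEqual(self._get_error_code(body), 'UnexpectedContent')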
def test_acl_public_read_write(self):
    """public-read-write: others may READ and WRITE but may neither read
    nor change the ACL itself."""
    acl = ACLPublicReadWrite(Owner(id='test:tester', name='test:tester'))
    expectations = [
        ('test:tester', 'READ', True),
        ('test:tester', 'WRITE', True),
        ('test:tester', 'READ_ACP', True),
        ('test:tester', 'WRITE_ACP', True),
        ('test:tester2', 'READ', True),
        ('test:tester2', 'WRITE', True),
        ('test:tester2', 'READ_ACP', False),
        ('test:tester2', 'WRITE_ACP', False),
    ]
    for principal, permission, allowed in expectations:
        check = self.assertTrue if allowed else self.assertFalse
        check(self.check_permission(acl, principal, permission))
def test_acl_private(self):
    """private: only the owner holds any permission."""
    acl = ACLPrivate(Owner(id='test:tester', name='test:tester'))
    permissions = ('READ', 'WRITE', 'READ_ACP', 'WRITE_ACP')
    for permission in permissions:
        self.assertTrue(
            self.check_permission(acl, 'test:tester', permission))
    for permission in permissions:
        self.assertFalse(
            self.check_permission(acl, 'test:tester2', permission))
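def test_object_multipart_upload_complete_s3acl(self):
    """Completing a multipart upload applies the ``tmpacl`` stored on the
    upload marker to the final object and keeps its user metadata."""
    acl_headers = encode_acl(
        'object', ACLPublicRead(Owner('test:tester', 'test:tester')))
    marker_headers = {
        sysmeta_header('object', 'tmpacl'):
            acl_headers.get(sysmeta_header('object', 'acl')),
        'X-Object-Meta-Foo': 'bar',
    }
    self.swift.register('HEAD', '/v1/AUTH_test/bucket+segments/object/X',
                        swob.HTTPOk, marker_headers, None)
    req = Request.blank('/bucket/object?uploadId=X',
                        environ={'REQUEST_METHOD': 'POST'},
                        headers={'Authorization': 'AWS test:tester:hmac'},
                        body=xml)
    status, headers, body = self.call_swift3(req)
    fromstring(body, 'CompleteMultipartUploadResult')
    self.assertEqual(status.split()[0], '200')
    # second-to-last backend call is the one that writes the final object
    _, _, headers = self.swift.calls_with_headers[-2]
    self.assertEqual(headers.get('X-Object-Meta-Foo'), 'bar')
    self.assertEqual(
        tostring(
            ACLPublicRead(Owner('test:tester', 'test:tester')).elem()),
        tostring(decode_acl('object', headers).elem()))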
def test_acl_from_elem_by_id_only(self):
    """An ACL document whose Owner carries an ID but no DisplayName still
    parses into a private ACL that grants only the owner."""
    elem = ACLPrivate(Owner(id='test:tester', name='test:tester')).elem()
    owner_elem = elem.find('./Owner')
    owner_elem.remove(owner_elem.find('./DisplayName'))
    acl = ACL.from_elem(elem)
    permissions = ('READ', 'WRITE', 'READ_ACP', 'WRITE_ACP')
    for permission in permissions:
        self.assertTrue(
            self.check_permission(acl, 'test:tester', permission))
    for permission in permissions:
        self.assertFalse(
            self.check_permission(acl, 'test:tester2', permission))
def PUT(self, app):
    """Create the bucket, then store the ACL requested in the headers.

    The container PUT goes out before the ACL is set so that an existing
    bucket's ACL is never overwritten by this request.
    """
    requester = Owner(self.user_id, self.user_id)
    requested_acl = ACL.from_headers(self.req.headers, requester)
    # PUT first: confirms the target container does not already exist
    # before any ACL is written.
    self.req.get_acl_response(app, 'PUT')
    # now the metadata update carrying the ACL
    self.req.bucket_acl = requested_acl
    # FIXME: if this POST fails the bucket may be left without an ACL.
    return self.req.get_acl_response(app, 'POST')
def test_acl_from_elem(self):
    """Round-trip: a private ACL rendered with ``elem`` and parsed back
    with ``ACL.from_elem`` still grants only the owner."""
    original = ACLPrivate(Owner(id='test:tester', name='test:tester'))
    acl = ACL.from_elem(original.elem())
    permissions = ('READ', 'WRITE', 'READ_ACP', 'WRITE_ACP')
    for permission in permissions:
        self.assertTrue(
            self.check_permission(acl, 'test:tester', permission))
    for permission in permissions:
        self.assertFalse(
            self.check_permission(acl, 'test:tester2', permission))
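def test_bucket_PUT_with_canned_s3acl(self):
    """A bucket PUT with ``X-Amz-Acl: public-read`` stores the canned ACL
    in the swift3 sysmeta header only; it must not be translated into a
    native ``X-Container-Read`` ACL on the container."""
    account = 'test:tester'
    expected = encode_acl('container',
                          ACLPublicRead(Owner(account, account)))
    req = Request.blank('/bucket',
                        environ={'REQUEST_METHOD': 'PUT'},
                        headers={'Authorization': 'AWS test:tester:hmac',
                                 'Date': self.get_date_header(),
                                 'X-Amz-Acl': 'public-read'})
    status, headers, body = self.call_swift3(req)
    self.assertEqual(status.split()[0], '200')
    _, _, headers = self.swift.calls_with_headers[-1]
    self.assertNotIn('X-Container-Read', headers)
    self.assertIn('X-Container-Sysmeta-Swift3-Acl', headers)
    self.assertEqual(headers.get('X-Container-Sysmeta-Swift3-Acl'),
                     expected['x-container-sysmeta-swift3-acl'])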
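def test_encode_acl_many_grant(self):
    """99 grantees in one ``x-amz-grant-read`` header survive encoding
    into the container acl sysmeta header as 99 Grant entries."""
    grantees = ','.join('id=test:tester%d' % i for i in range(99))
    headers = {'x-amz-grant-read': grantees}
    acl = ACL.from_headers(headers, Owner('test:tester', 'test:tester'))
    acp = encode_acl('container', acl)
    header_value = json.loads(acp[sysmeta_header('container', 'acl')])
    self.assertIn('Owner', header_value)
    self.assertIn('Grant', header_value)
    self.assertEqual('test:tester', header_value['Owner'])
    self.assertEqual(len(header_value['Grant']), 99)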
def _test_object_copy_for_s3acl(self, account, src_permission=None,
                                src_path='/src_bucket/src_obj'):
    """Copy ``src_path`` to ``/bucket/object`` as ``account``.

    The source object is owned by test:tester; when ``src_permission``
    is given it is granted to ``account``, otherwise the owner alone
    holds FULL_CONTROL.  Returns the ``call_swift3`` result.
    """
    owner = 'test:tester'
    if src_permission:
        grants = [Grant(User(account), src_permission)]
    else:
        grants = [Grant(User(owner), 'FULL_CONTROL')]
    src_headers = encode_acl('object', ACL(Owner(owner, owner), grants))
    backend_path = join('/v1/AUTH_test', src_path.lstrip('/'))
    self.swift.register('HEAD', backend_path, swob.HTTPOk,
                        src_headers, None)
    req = Request.blank('/bucket/object',
                        environ={'REQUEST_METHOD': 'PUT'},
                        headers={'Authorization': 'AWS %s:hmac' % account,
                                 'X-Amz-Copy-Source': src_path})
    return self.call_swift3(req)