def test_bucket_policy_multi_statement(self, mcg_obj, bucket_factory): """ Tests multiple statements in a bucket policy """ data = "Sample string content to write to a new S3 object" object_key = "ObjKey-" + str(uuid.uuid4().hex) user_name = "noobaa-user" + str(uuid.uuid4().hex) email = user_name + "@mail.com" # Creating OBC (account) and Noobaa user account obc = bucket_factory(amount=1, interface='OC') obc_obj = OBC(mcg_obj, obc=obc[0].name) noobaa_user = NoobaaAccount(mcg_obj, name=user_name, email=email, buckets=[obc_obj.bucket_name]) accounts = [obc_obj, noobaa_user] # Statement_1 public read access to a bucket single_statement_policy = gen_bucket_policy( sid="statement-1", user_list=["*"], actions_list=['GetObject'], resources_list=[f'{obc_obj.bucket_name}/{"*"}'], effect="Allow") # Additional Statements; Statement_2 - PutObject permission on specific user # Statement_3 - Denying Permission to DeleteObject action for aultiple Users new_statements = { "statement_2": { 'Action': 's3:PutObject', 'Effect': 'Allow', 'Principal': noobaa_user.email_id, 'Resource': [f'arn:aws:s3:::{obc_obj.bucket_name}/{"*"}'], 'Sid': 'Statement-2' }, "statement_3": { 'Action': 's3:DeleteObject', 'Effect': 'Deny', 'Principal': [obc_obj.obc_account, noobaa_user.email_id], 'Resource': [f'arn:aws:s3:::{"*"}'], 'Sid': 'Statement-3' } } for key, value in new_statements.items(): single_statement_policy["Statement"].append(value) logger.info(f"New policy {single_statement_policy}") bucket_policy = json.dumps(single_statement_policy) # Creating Policy logger.info( f'Creating multi statement bucket policy on bucket: {obc_obj.bucket_name}' ) assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy " # Getting Policy logger.info( f'Getting multi statement bucket policy from bucket: {obc_obj.bucket_name}' ) get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") # NooBaa user writes an object to bucket logger.info( f'Writing object on bucket: {obc_obj.bucket_name} with User: {noobaa_user.email_id}' ) assert helpers.s3_put_object(noobaa_user, obc_obj.bucket_name, object_key, data), "Failed: Put Object" # Verifying public read access logger.info( f'Reading object on bucket: {obc_obj.bucket_name} with User: {obc_obj.obc_account}' ) assert helpers.s3_get_object(obc_obj, obc_obj.bucket_name, object_key), "Failed: Get Object" # Verifying Delete object is denied on both Accounts for user in accounts: logger.info( f"Verifying whether S3:DeleteObject action is denied access for {user}" ) try: helpers.s3_delete_object(user, obc_obj.bucket_name, object_key) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info( f"DeleteObject failed due to: {response.error['Message']}" ) else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" )
def test_bucket_versioning_and_policies(self, mcg_obj, bucket_factory): """ Tests bucket and object versioning on Noobaa buckets and also its related actions """ data = "Sample string content to write to a new S3 object" object_key = "ObjKey-" + str(uuid.uuid4().hex) object_versions = [] # Creating a OBC user (Account) obc = bucket_factory(amount=1, interface='OC') obc_obj = OBC(mcg_obj, obc=obc[0].name) # Admin sets a policy on OBC bucket to allow versioning related actions bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=bucket_version_action_list, resources_list=[ obc_obj.bucket_name, f'{obc_obj.bucket_name}/{"*"}' ]) bucket_policy = json.dumps(bucket_policy_generated) # Creating policy logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin' ) assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy" # Getting Policy logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") logger.info( f'Enabling bucket versioning on {obc_obj.bucket_name} using User: {obc_obj.obc_account}' ) assert helpers.s3_put_bucket_versioning( s3_obj=obc_obj, bucketname=obc_obj.bucket_name, status="Enabled"), "Failed: PutBucketVersioning" logger.info( f'Verifying whether versioning is enabled on bucket: {obc_obj.bucket_name}' ) assert helpers.s3_get_bucket_versioning( s3_obj=obc_obj, bucketname=obc_obj.bucket_name), "Failed: GetBucketVersioning" # Admin modifies the policy to all obc-account to write/read/delete versioned objects bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=object_version_action_list, resources_list=[ obc_obj.bucket_name, f'{obc_obj.bucket_name}/{"*"}' ]) bucket_policy = json.dumps(bucket_policy_generated) logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin' ) assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy" # Getting Policy logger.info(f'Getting bucket policy for bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") for key in range(5): logger.info(f"Writing {key} version of {object_key}") obj = helpers.s3_put_object(s3_obj=obc_obj, bucketname=obc_obj.bucket_name, object_key=object_key, data=data) object_versions.append(obj['VersionId']) for version in object_versions: logger.info(f"Reading version: {version} of {object_key}") assert helpers.s3_get_object( s3_obj=obc_obj, bucketname=obc_obj.bucket_name, object_key=object_key, versionid=version), f"Failed: To Read object {version}" logger.info(f"Deleting version: {version} of {object_key}") assert helpers.s3_delete_object( s3_obj=obc_obj, bucketname=obc_obj.bucket_name, object_key=object_key, versionid=version), f"Failed: To Delete object with {version}" bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=['PutBucketVersioning'], resources_list=[obc_obj.bucket_name]) bucket_policy = json.dumps(bucket_policy_generated) logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin' ) assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy" # Getting Policy logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") logger.info( f"Suspending bucket versioning on {obc_obj.bucket_name} using User: {obc_obj.obc_account}" ) assert helpers.s3_put_bucket_versioning( s3_obj=obc_obj, bucketname=obc_obj.bucket_name, status="Suspended"), "Failed: PutBucketVersioning" # Verifying whether GetBucketVersion action is denied access logger.info( f'Verifying whether user: {obc_obj.obc_account} is denied to GetBucketVersion' ) try: helpers.s3_get_bucket_versioning(s3_obj=obc_obj, bucketname=obc_obj.bucket_name) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('Get Object action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" )
def test_bucket_policy_effect_deny(self, mcg_obj, bucket_factory): """ Tests explicit "Deny" effect on bucket policy actions """ data = "Sample string content to write to a new S3 object" object_key = "ObjKey-" + str(uuid.uuid4().hex) # Creating multiple obc user (account) obc = bucket_factory(amount=1, interface='OC') obc_obj = OBC(mcg_obj, obc=obc[0].name) # Admin writes an object to bucket logger.info( f'Writing an object on bucket: {obc_obj.bucket_name} by Admin') assert helpers.s3_put_object(mcg_obj, obc_obj.bucket_name, object_key, data), "Failed: PutObject" # Admin sets policy with Effect: Deny on obc bucket with obc-account principal bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=['GetObject'], resources_list=[f'{obc_obj.bucket_name}/{object_key}'], effect="Deny") bucket_policy = json.dumps(bucket_policy_generated) logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}' ) assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy" # Getting Policy logger.info( f'Getting bucket policy from bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") # Verifying whether Get action is denied access logger.info( f'Verifying whether user: {obc_obj.obc_account} is denied to GetObject' ) try: helpers.s3_get_object(obc_obj, obc_obj.bucket_name, object_key) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('GetObject action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" ) # Admin sets a new policy on same obc bucket with same account but with different action and resource bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=['DeleteObject'], resources_list=[f'{obc_obj.bucket_name}/{"*"}'], effect="Deny") bucket_policy = json.dumps(bucket_policy_generated) logger.info(f'Creating bucket policy on bucket: {obc_obj.bucket_name}') assert helpers.put_bucket_policy( mcg_obj, obc_obj.bucket_name, bucket_policy), "Failed: PutBucketPolicy" # Getting Policy logger.info( f'Getting bucket policy from bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") # Verifying whether delete action is denied logger.info( f'Verifying whether user: {obc_obj.obc_account} is denied to Get object' ) try: helpers.s3_delete_object(obc_obj, obc_obj.bucket_name, object_key) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('Get Object action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" )
def test_object_actions(self, mcg_obj, bucket_factory): """ Test to verify different object actions and cross account access to buckets """ data = "Sample string content to write to a new S3 object" object_key = "ObjKey-" + str(uuid.uuid4().hex) # Creating multiple obc users (accounts) obc = bucket_factory(amount=1, interface='OC') obc_obj = OBC(mcg_obj, obc=obc[0].name) # Admin sets policy on obc bucket with obc account principal bucket_policy_generated = gen_bucket_policy( user_list=obc_obj.obc_account, actions_list=['PutObject'], resources_list=[f'{obc_obj.bucket_name}/{"*"}']) bucket_policy = json.dumps(bucket_policy_generated) logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}' ) put_policy = helpers.put_bucket_policy(mcg_obj, obc_obj.bucket_name, bucket_policy) logger.info(f'Put bucket policy response from Admin: {put_policy}') # Get Policy logger.info(f'Getting Bucket policy on bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") # Verifying whether obc account can put object logger.info(f'Adding object on bucket: {obc_obj.bucket_name}') assert helpers.s3_put_object(obc_obj, obc_obj.bucket_name, object_key, data), "Failed: Put Object" # Verifying whether Get action is not allowed logger.info( f'Verifying whether user: {obc_obj.obc_account} is denied to Get object' ) try: helpers.s3_get_object(obc_obj, obc_obj.bucket_name, object_key) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('Get Object action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" ) # Verifying whether obc account allowed to create multipart logger.info( f'Creating multipart on bucket: {obc_obj.bucket_name} with key: {object_key}' ) helpers.create_multipart_upload(obc_obj, obc_obj.bucket_name, object_key) # Verifying whether obc account is denied access to delete object logger.info( f'Verifying whether user: {obc_obj.obc_account} is denied to Delete object' ) try: helpers.s3_delete_object(obc_obj, obc_obj.bucket_name, object_key) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('Delete action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" ) # Creating noobaa account to access bucket belonging to obc account user_name = "noobaa-user" + str(uuid.uuid4().hex) email = user_name + "@mail.com" user = NoobaaAccount(mcg_obj, name=user_name, email=email, buckets=[obc_obj.bucket_name]) # Admin sets a policy on obc-account bucket with noobaa-account principal (cross account access) new_policy_generated = gen_bucket_policy( user_list=user.email_id, actions_list=['GetObject', 'DeleteObject'], resources_list=[f'{obc_obj.bucket_name}/{"*"}']) new_policy = json.dumps(new_policy_generated) logger.info( f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}' ) put_policy = helpers.put_bucket_policy(mcg_obj, obc_obj.bucket_name, new_policy) logger.info(f'Put bucket policy response from admin: {put_policy}') # Get Policy logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}') get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name) logger.info(f"Got bucket policy: {get_policy['Policy']}") # Verifying whether Get, Delete object is allowed logger.info( f'Getting object on bucket: {obc_obj.bucket_name} with user: {user.email_id}' ) assert helpers.s3_get_object(user, obc_obj.bucket_name, object_key), "Failed: Get Object" logger.info( f'Deleting object on bucket: {obc_obj.bucket_name} with user: {user.email_id}' ) assert helpers.s3_delete_object(user, obc_obj.bucket_name, object_key), "Failed: Delete Object" # Verifying whether Put object action is denied logger.info( f'Verifying whether user: {user.email_id} is denied to Put object after updating policy' ) try: helpers.s3_put_object(user, obc_obj.bucket_name, object_key, data) except boto3exception.ClientError as e: logger.info(e.response) response = HttpResponseParser(e.response) if response.error['Code'] == 'AccessDenied': logger.info('Put object action has been denied access') else: raise UnexpectedBehaviour( f"{e.response} received invalid error code {response.error['Code']}" )