def test_from_headers_x_amz_acl_invalid(self): with self.assertRaises(InvalidArgument) as cm: ACL.from_headers({'x-amz-acl': 'invalid'}, Owner('test:tester', 'test:tester')) self.assertTrue('argument_name' in cm.exception.info) self.assertEqual(cm.exception.info['argument_name'], 'x-amz-acl') self.assertTrue('argument_value' in cm.exception.info) self.assertEqual(cm.exception.info['argument_value'], 'invalid')
def test_from_headers_x_amz_acl(self): canned_acls = ['public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write'] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEqual(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEqual(expected_permission, permission) self.assertTrue( isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEqual(expected_grantee.id, grantee.id) self.assertEqual(expected_grantee.display_name, grantee.display_name)
def get_acl(self, headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: raise MissingSecurityHeader(missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem(elem, True, self.req.allow_no_owner) except (XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() self.logger.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def get_acl(self, headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: raise MissingSecurityHeader(missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem( elem, True, self.req.allow_no_owner) except(XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() self.logger.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def test_from_headers_x_amz_acl(self): canned_acls = [ 'public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write' ] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEqual(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEqual(expected_permission, permission) self.assertTrue(isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEqual(expected_grantee.id, grantee.id) self.assertEqual(expected_grantee.display_name, grantee.display_name)
def PUT(self, app): if not self.acl_checked: resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) acl_headers = encode_acl('object', req_acl) self.req.headers[sysmeta_header('object', 'tmpacl')] = \ acl_headers[sysmeta_header('object', 'acl')] self.acl_checked = True
def PUT(self, app): req_acl = ACL.from_headers(self.req.headers, Owner(self.user_id, self.user_id)) # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. self.req.get_acl_response(app, 'PUT') # update metadata self.req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. return self.req.get_acl_response(app, 'POST')
def test_encode_acl_many_grant(self): headers = {} users = [] for i in range(0, 99): users.append('id=test:tester%s' % str(i)) users = ','.join(users) headers['x-amz-grant-read'] = users acl = ACL.from_headers(headers, Owner('test:tester', 'test:tester')) acp = encode_acl('container', acl) header_value = acp[sysmeta_header('container', 'acl')] header_value = json.loads(header_value) self.assertTrue('Owner' in header_value) self.assertTrue('Grant' in header_value) self.assertEqual('test:tester', header_value['Owner']) self.assertEqual(len(header_value['Grant']), 99)
def PUT(self, app): if self.container.endswith(MULTIUPLOAD_SUFFIX): # create multiupload container doesn't need acls return req_acl = ACL.from_headers(self.req.headers, Owner(self.user_id, self.user_id)) if not self.req.environ.get('swift_owner'): raise AccessDenied() # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. self.req.get_acl_response(app, 'PUT', self.container) # update metadata self.req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. return self.req.get_acl_response(app, 'POST')
def PUT(self, app): b_resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, b_resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) self.req.object_acl = req_acl