def test_bucket_policy_actions(self, mcg_obj, bucket_factory):
"""
Tests user access to Put, Get, Delete bucket policy actions
"""
# Creating obc and obc object to get account details, keys etc
obc_name = bucket_factory(amount=1, interface='OC')[0].name
obc_obj = OBC(obc_name)
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['PutBucketPolicy'],
resources_list=[obc_obj.bucket_name])
bucket_policy = json.dumps(bucket_policy_generated)
# Admin creates a policy on the user bucket, for Action: PutBucketPolicy
logger.info(
f'Creating policy by admin on bucket: {obc_obj.bucket_name}')
put_policy = put_bucket_policy(mcg_obj, obc_obj.bucket_name,
bucket_policy)
logger.info(f'Put bucket policy response from admin: {put_policy}')
# Verifying Put bucket policy by user by changing the actions to GetBucketPolicy & DeleteBucketPolicy
user_generated_policy = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['GetBucketPolicy', 'DeleteBucketPolicy'],
resources_list=[obc_obj.bucket_name])
bucket_policy1 = json.dumps(user_generated_policy)
logger.info(
f'Changing bucket policy by User on bucket: {obc_obj.bucket_name}')
put_policy_user = put_bucket_policy(obc_obj, obc_obj.bucket_name,
bucket_policy1)
logger.info(f'Put bucket policy response from user: {put_policy_user}')
# Verifying whether user can get the bucket policy after modification
get_policy = get_bucket_policy(obc_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Verifying whether user is not allowed Put the bucket policy after modification
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to put objects'
)
try:
put_bucket_policy(obc_obj, obc_obj.bucket_name, bucket_policy1)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info(
f'Put bucket policy has been denied access to the user: {obc_obj.obc_account}'
)
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
# Verifying whether user can Delete the bucket policy after modification
logger.info(f'Deleting bucket policy on bucket: {obc_obj.bucket_name}')
delete_policy = delete_bucket_policy(obc_obj, obc_obj.bucket_name)
logger.info(f'Delete policy response: {delete_policy}')
def test_basic_bucket_policy_operations(self, mcg_obj, bucket_factory):
"""
Test Add, Modify, delete bucket policies
"""
# Creating obc and obc object to get account details, keys etc
obc_name = bucket_factory(amount=1, interface='OC')[0].name
obc_obj = OBC(obc_name)
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['GetObject'],
resources_list=[obc_obj.bucket_name])
bucket_policy = json.dumps(bucket_policy_generated)
# Add Bucket Policy
logger.info(f'Creating bucket policy on bucket: {obc_obj.bucket_name}')
put_policy = put_bucket_policy(mcg_obj, obc_obj.bucket_name,
bucket_policy)
if put_policy is not None:
response = HttpResponseParser(put_policy)
if response.status_code == 200:
logger.info('Bucket policy has been created successfully')
else:
raise InvalidStatusCode(
f"Invalid Status code: {response.status_code}")
else:
raise NoBucketPolicyResponse("Put policy response is none")
# Get bucket policy
logger.info(f'Getting Bucket policy on bucket: {obc_obj.bucket_name}')
get_policy = get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Modifying bucket policy to take new policy
logger.info('Modifying bucket policy')
actions_list = ['ListBucket', 'CreateBucket']
actions = list(map(lambda action: "s3:%s" % action, actions_list))
modified_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=actions_list,
resources_list=[obc_obj.bucket_name])
bucket_policy_modified = json.dumps(modified_policy_generated)
put_modified_policy = put_bucket_policy(mcg_obj, obc_obj.bucket_name,
bucket_policy_modified)
if put_modified_policy is not None:
response = HttpResponseParser(put_modified_policy)
if response.status_code == 200:
logger.info('Bucket policy has been modified successfully')
else:
raise InvalidStatusCode(
f"Invalid Status code: {response.status_code}")
else:
raise NoBucketPolicyResponse(
"Put modified policy response is none")
# Get Modified Policy
get_modified_policy = get_bucket_policy(mcg_obj, obc_obj.bucket_name)
modified_policy = json.loads(get_modified_policy['Policy'])
logger.info(f'Got modified bucket policy: {modified_policy}')
actions_from_modified_policy = modified_policy['statement'][0][
'action']
modified_actions = list(map(str, actions_from_modified_policy))
initial_actions = list(map(str.lower, actions))
logger.info(f'Actions from modified_policy: {modified_actions}')
logger.info(f'User provided actions actions: {initial_actions}')
if modified_actions == initial_actions:
logger.info("Modified actions and initial actions are same")
else:
raise UnexpectedBehaviour(
'Modification Failed: Action lists are not identical')
# Delete Policy
logger.info(
f'Delete bucket policy by admin on bucket: {obc_obj.bucket_name}')
delete_policy = delete_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f'Delete policy response: {delete_policy}')
if delete_policy is not None:
response = HttpResponseParser(delete_policy)
if response.status_code == 204:
logger.info('Bucket policy is deleted successfully')
else:
raise InvalidStatusCode(
f"Invalid Status code: {response.status_code}")
else:
raise NoBucketPolicyResponse("Delete policy response is none")
# Confirming again by calling get_bucket_policy
try:
get_bucket_policy(mcg_obj, obc_obj.bucket_name)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'NoSuchBucketPolicy':
logger.info('Bucket policy has been deleted successfully')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)