def get_acl(self, headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: raise MissingSecurityHeader(missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem(elem, True, self.req.allow_no_owner) except (XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() self.logger.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def get_acl(self, headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: raise MissingSecurityHeader(missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem( elem, True, self.req.allow_no_owner) except(XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() self.logger.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def _gen_test_acl_header(owner, permission=None, grantee=None, resource='container'): if permission is None: return ACL(owner, []) if grantee is None: grantee = User('test:tester') return encode_acl(resource, ACL(owner, [Grant(grantee, permission)]))
def test_from_headers_x_amz_acl_invalid(self): with self.assertRaises(InvalidArgument) as cm: ACL.from_headers({'x-amz-acl': 'invalid'}, Owner('test:tester', 'test:tester')) self.assertTrue('argument_name' in cm.exception.info) self.assertEqual(cm.exception.info['argument_name'], 'x-amz-acl') self.assertTrue('argument_value' in cm.exception.info) self.assertEqual(cm.exception.info['argument_value'], 'invalid')
def _test_object_acl_PUT(self, account, permission='FULL_CONTROL'): acl = ACL(self.default_owner, [Grant(User(account), permission)]) req = Request.blank('/bucket/object?acl', environ={'REQUEST_METHOD': 'PUT'}, headers={'Authorization': 'AWS %s:hmac' % account, 'Date': self.get_date_header()}, body=tostring(acl.elem())) return self.call_s3api(req)
def test_from_headers_x_amz_acl(self): canned_acls = ['public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write'] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEqual(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEqual(expected_permission, permission) self.assertTrue( isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEqual(expected_grantee.id, grantee.id) self.assertEqual(expected_grantee.display_name, grantee.display_name)
def _test_set_container_permission(self, account, permission): grants = [Grant(User(account), permission)] headers = \ encode_acl('container', ACL(Owner('test:tester', 'test:tester'), grants)) self.swift.register('HEAD', '/v1/AUTH_test/bucket', swob.HTTPNoContent, headers, None)
def test_from_headers_x_amz_acl(self): canned_acls = [ 'public-read', 'public-read-write', 'authenticated-read', 'bucket-owner-read', 'bucket-owner-full-control', 'log-delivery-write' ] owner = Owner('test:tester', 'test:tester') grantee_map = canned_acl_grantees(owner) for acl_str in canned_acls: acl = ACL.from_headers({'x-amz-acl': acl_str}, owner) expected = grantee_map[acl_str] self.assertEqual(len(acl.grants), len(expected)) # sanity # parse Grant object to permission and grantee actual_grants = [(grant.permission, grant.grantee) for grant in acl.grants] assertions = zip(sorted(expected), sorted(actual_grants)) for (expected_permission, expected_grantee), \ (permission, grantee) in assertions: self.assertEqual(expected_permission, permission) self.assertTrue(isinstance(grantee, expected_grantee.__class__)) if isinstance(grantee, User): self.assertEqual(expected_grantee.id, grantee.id) self.assertEqual(expected_grantee.display_name, grantee.display_name)
def PUT(self, app): if not self.acl_checked: resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) acl_headers = encode_acl('object', req_acl) self.req.headers[sysmeta_header('object', 'tmpacl')] = \ acl_headers[sysmeta_header('object', 'acl')] self.acl_checked = True
def _test_object_PUT_copy_self(self, head_resp, put_header=None, timestamp=None): account = 'test:tester' grants = [Grant(User(account), 'FULL_CONTROL')] head_headers = \ encode_acl('object', ACL(Owner(account, account), grants)) head_headers.update({'last-modified': self.last_modified}) self.swift.register('HEAD', '/v1/AUTH_test/bucket/object', head_resp, head_headers, None) put_header = put_header or {} return self._call_object_copy('/bucket/object', put_header, timestamp)
def PUT(self, app): req_acl = ACL.from_headers(self.req.headers, Owner(self.user_id, self.user_id)) # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. self.req.get_acl_response(app, 'PUT') # update metadata self.req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. return self.req.get_acl_response(app, 'POST')
def test_acl_from_elem_by_id_only(self): elem = ACLPrivate(Owner(id='test:tester', name='test:tester'), s3_acl=self.s3_acl, allow_no_owner=self.allow_no_owner).elem() elem.find('./Owner').remove(elem.find('./Owner/DisplayName')) acl = ACL.from_elem(elem, self.s3_acl, self.allow_no_owner) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE')) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ_ACP')) self.assertFalse( self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_encode_acl_many_grant(self): headers = {} users = [] for i in range(0, 99): users.append('id=test:tester%s' % str(i)) users = ','.join(users) headers['x-amz-grant-read'] = users acl = ACL.from_headers(headers, Owner('test:tester', 'test:tester')) acp = encode_acl('container', acl) header_value = acp[sysmeta_header('container', 'acl')] header_value = json.loads(header_value) self.assertTrue('Owner' in header_value) self.assertTrue('Grant' in header_value) self.assertEqual('test:tester', header_value['Owner']) self.assertEqual(len(header_value['Grant']), 99)
def test_acl_from_elem(self): # check translation from element acl = ACLPrivate(Owner(id='test:tester', name='test:tester'), s3_acl=self.s3_acl, allow_no_owner=self.allow_no_owner) elem = acl.elem() acl = ACL.from_elem(elem, self.s3_acl, self.allow_no_owner) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE')) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ_ACP')) self.assertFalse( self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_acl_from_elem_by_id_only(self): elem = ACLPrivate(Owner(id='test:tester', name='test:tester'), s3_acl=self.s3_acl, allow_no_owner=self.allow_no_owner).elem() elem.find('./Owner').remove(elem.find('./Owner/DisplayName')) acl = ACL.from_elem(elem, self.s3_acl, self.allow_no_owner) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE')) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_acl_from_elem(self): # check translation from element acl = ACLPrivate(Owner(id='test:tester', name='test:tester'), s3_acl=self.s3_acl, allow_no_owner=self.allow_no_owner) elem = acl.elem() acl = ACL.from_elem(elem, self.s3_acl, self.allow_no_owner) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE')) self.assertTrue(self.check_permission(acl, 'test:tester', 'READ_ACP')) self.assertTrue(self.check_permission(acl, 'test:tester', 'WRITE_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'READ_ACP')) self.assertFalse(self.check_permission(acl, 'test:tester2', 'WRITE_ACP'))
def test_service_GET_without_owner_bucket(self): bucket_list = [] for var in range(0, 10): user_id = 'test:other' bucket = 'bucket%s' % var owner = Owner(user_id, user_id) headers = encode_acl('container', ACL(owner, [])) self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket, swob.HTTPNoContent, headers, None) bucket_list.append((bucket, var, 300 + var)) status, headers, body = \ self._test_service_GET_for_check_bucket_owner(bucket_list) self.assertEqual(status.split()[0], '200') elem = fromstring(body, 'ListAllMyBucketsResult') resp_buckets = elem.find('./Buckets') buckets = resp_buckets.iterchildren('Bucket') self.assertEqual(len(list(buckets)), 0)
def test_service_GET_bucket_list(self): bucket_list = [] for var in range(0, 10): if var % 3 == 0: user_id = 'test:tester' else: user_id = 'test:other' bucket = 'bucket%s' % var owner = Owner(user_id, user_id) headers = encode_acl('container', ACL(owner, [])) # set register to get owner of buckets if var % 3 == 2: self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket, swob.HTTPNotFound, {}, None) else: self.swift.register('HEAD', '/v1/AUTH_test/%s' % bucket, swob.HTTPNoContent, headers, None) bucket_list.append((bucket, var, 300 + var)) status, headers, body = \ self._test_service_GET_for_check_bucket_owner(bucket_list) self.assertEqual(status.split()[0], '200') elem = fromstring(body, 'ListAllMyBucketsResult') resp_buckets = elem.find('./Buckets') buckets = resp_buckets.iterchildren('Bucket') listing = list(list(buckets)[0]) self.assertEqual(len(listing), 2) names = [] for b in resp_buckets.iterchildren('Bucket'): names.append(b.find('./Name').text) # Check whether getting bucket only locate in multiples of 3 in # bucket_list which mean requested user is owner. expected_buckets = [b for i, b in enumerate(bucket_list) if i % 3 == 0] self.assertEqual(len(names), len(expected_buckets)) for i in expected_buckets: self.assertTrue(i[0] in names) self.assertEqual(len(self.swift.calls_with_headers), 11)
def PUT(self, app): if self.container.endswith(MULTIUPLOAD_SUFFIX): # create multiupload container doesn't need acls return req_acl = ACL.from_headers(self.req.headers, Owner(self.user_id, self.user_id)) if not self.req.environ.get('swift_owner'): raise AccessDenied() # To avoid overwriting the existing bucket's ACL, we send PUT # request first before setting the ACL to make sure that the target # container does not exist. self.req.get_acl_response(app, 'PUT', self.container) # update metadata self.req.bucket_acl = req_acl # FIXME If this request is failed, there is a possibility that the # bucket which has no ACL is left. return self.req.get_acl_response(app, 'POST')
def _test_object_copy_for_s3acl(self, account, src_permission=None, src_path='/src_bucket/src_obj'): owner = 'test:tester' grants = [Grant(User(account), src_permission)] \ if src_permission else [Grant(User(owner), 'FULL_CONTROL')] src_o_headers = \ encode_acl('object', ACL(Owner(owner, owner), grants)) src_o_headers.update({'last-modified': self.last_modified}) self.swift.register('HEAD', join('/v1/AUTH_test', src_path.lstrip('/')), swob.HTTPOk, src_o_headers, None) req = Request.blank('/bucket/object', environ={'REQUEST_METHOD': 'PUT'}, headers={ 'Authorization': 'AWS %s:hmac' % account, 'X-Amz-Copy-Source': src_path, 'Date': self.get_date_header() }) return self.call_s3api(req)
def _gen_test_headers(owner, grants=[], resource='container'): if not grants: grants = [Grant(User('test:tester'), 'FULL_CONTROL')] return encode_acl(resource, ACL(owner, grants))
def PUT(self, app): b_resp = self._handle_acl(app, 'HEAD', obj='') req_acl = ACL.from_headers(self.req.headers, b_resp.bucket_acl.owner, Owner(self.user_id, self.user_id)) self.req.object_acl = req_acl