def test_anonymous_read_only(self, mcg_obj, bucket_factory):
"""
Tests read only access by an anonymous user
"""
data = "Sample string content to write to a new S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
user_name = "noobaa-user" + str(uuid.uuid4().hex)
email = user_name + "@mail.com"
# Creating a s3 bucket
s3_bucket = bucket_factory(amount=1, interface='S3')[0]
# Creating a random user account
user = NoobaaAccount(mcg_obj,
name=user_name,
email=email,
buckets=[s3_bucket.name])
# Admin sets policy all users '*' (Public access)
bucket_policy_generated = gen_bucket_policy(
user_list=["*"],
actions_list=['GetObject'],
resources_list=[f'{s3_bucket.name}/{"*"}'])
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {s3_bucket.name} with wildcard (*) Principal'
)
put_policy = helpers.put_bucket_policy(mcg_obj, s3_bucket.name,
bucket_policy)
logger.info(f'Put bucket policy response from Admin: {put_policy}')
# Getting Policy
logger.info(f'Getting bucket policy on bucket: {s3_bucket.name}')
get_policy = helpers.get_bucket_policy(mcg_obj, s3_bucket.name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Admin writes an object to bucket
logger.info(f'Writing object on bucket: {s3_bucket.name} by admin')
assert helpers.s3_put_object(mcg_obj, s3_bucket.name, object_key,
data), "Failed: PutObject"
# Reading the object by anonymous user
logger.info(
f'Getting object by user: {user.email_id} on bucket: {s3_bucket.name} '
)
assert helpers.s3_get_object(
user, s3_bucket.name,
object_key), f"Failed: Get Object by user {user.email_id}"
def test_bucket_policy_multi_statement(self, mcg_obj, bucket_factory):
"""
Tests multiple statements in a bucket policy
"""
data = "Sample string content to write to a new S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
user_name = "noobaa-user" + str(uuid.uuid4().hex)
email = user_name + "@mail.com"
# Creating OBC (account) and Noobaa user account
obc = bucket_factory(amount=1, interface='OC')
obc_obj = OBC(mcg_obj, obc=obc[0].name)
noobaa_user = NoobaaAccount(mcg_obj,
name=user_name,
email=email,
buckets=[obc_obj.bucket_name])
accounts = [obc_obj, noobaa_user]
# Statement_1 public read access to a bucket
single_statement_policy = gen_bucket_policy(
sid="statement-1",
user_list=["*"],
actions_list=['GetObject'],
resources_list=[f'{obc_obj.bucket_name}/{"*"}'],
effect="Allow")
# Additional Statements; Statement_2 - PutObject permission on specific user
# Statement_3 - Denying Permission to DeleteObject action for aultiple Users
new_statements = {
"statement_2": {
'Action': 's3:PutObject',
'Effect': 'Allow',
'Principal': noobaa_user.email_id,
'Resource': [f'arn:aws:s3:::{obc_obj.bucket_name}/{"*"}'],
'Sid': 'Statement-2'
},
"statement_3": {
'Action': 's3:DeleteObject',
'Effect': 'Deny',
'Principal': [obc_obj.obc_account, noobaa_user.email_id],
'Resource': [f'arn:aws:s3:::{"*"}'],
'Sid': 'Statement-3'
}
}
for key, value in new_statements.items():
single_statement_policy["Statement"].append(value)
logger.info(f"New policy {single_statement_policy}")
bucket_policy = json.dumps(single_statement_policy)
# Creating Policy
logger.info(
f'Creating multi statement bucket policy on bucket: {obc_obj.bucket_name}'
)
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy "
# Getting Policy
logger.info(
f'Getting multi statement bucket policy from bucket: {obc_obj.bucket_name}'
)
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# NooBaa user writes an object to bucket
logger.info(
f'Writing object on bucket: {obc_obj.bucket_name} with User: {noobaa_user.email_id}'
)
assert helpers.s3_put_object(noobaa_user, obc_obj.bucket_name,
object_key, data), "Failed: Put Object"
# Verifying public read access
logger.info(
f'Reading object on bucket: {obc_obj.bucket_name} with User: {obc_obj.obc_account}'
)
assert helpers.s3_get_object(obc_obj, obc_obj.bucket_name,
object_key), "Failed: Get Object"
# Verifying Delete object is denied on both Accounts
for user in accounts:
logger.info(
f"Verifying whether S3:DeleteObject action is denied access for {user}"
)
try:
helpers.s3_delete_object(user, obc_obj.bucket_name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info(
f"DeleteObject failed due to: {response.error['Message']}"
)
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
def test_bucket_policy_effect_deny(self, mcg_obj, bucket_factory):
"""
Tests explicit "Deny" effect on bucket policy actions
"""
data = "Sample string content to write to a new S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
# Creating multiple obc user (account)
obc = bucket_factory(amount=1, interface='OC')
obc_obj = OBC(mcg_obj, obc=obc[0].name)
# Admin writes an object to bucket
logger.info(
f'Writing an object on bucket: {obc_obj.bucket_name} by Admin')
assert helpers.s3_put_object(mcg_obj, obc_obj.bucket_name, object_key,
data), "Failed: PutObject"
# Admin sets policy with Effect: Deny on obc bucket with obc-account principal
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['GetObject'],
resources_list=[f'{obc_obj.bucket_name}/{object_key}'],
effect="Deny")
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}'
)
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy"
# Getting Policy
logger.info(
f'Getting bucket policy from bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Verifying whether Get action is denied access
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to GetObject'
)
try:
helpers.s3_get_object(obc_obj, obc_obj.bucket_name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('GetObject action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
# Admin sets a new policy on same obc bucket with same account but with different action and resource
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['DeleteObject'],
resources_list=[f'{obc_obj.bucket_name}/{"*"}'],
effect="Deny")
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(f'Creating bucket policy on bucket: {obc_obj.bucket_name}')
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy"
# Getting Policy
logger.info(
f'Getting bucket policy from bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Verifying whether delete action is denied
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to Get object'
)
try:
helpers.s3_delete_object(obc_obj, obc_obj.bucket_name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('Get Object action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
def test_bucket_versioning_and_policies(self, mcg_obj, bucket_factory):
"""
Tests bucket and object versioning on Noobaa buckets and also its related actions
"""
data = "Sample string content to write to a new S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
object_versions = []
# Creating a OBC user (Account)
obc = bucket_factory(amount=1, interface='OC')
obc_obj = OBC(mcg_obj, obc=obc[0].name)
# Admin sets a policy on OBC bucket to allow versioning related actions
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=bucket_version_action_list,
resources_list=[
obc_obj.bucket_name, f'{obc_obj.bucket_name}/{"*"}'
])
bucket_policy = json.dumps(bucket_policy_generated)
# Creating policy
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin'
)
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy"
# Getting Policy
logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
logger.info(
f'Enabling bucket versioning on {obc_obj.bucket_name} using User: {obc_obj.obc_account}'
)
assert helpers.s3_put_bucket_versioning(
s3_obj=obc_obj, bucketname=obc_obj.bucket_name,
status="Enabled"), "Failed: PutBucketVersioning"
logger.info(
f'Verifying whether versioning is enabled on bucket: {obc_obj.bucket_name}'
)
assert helpers.s3_get_bucket_versioning(
s3_obj=obc_obj,
bucketname=obc_obj.bucket_name), "Failed: GetBucketVersioning"
# Admin modifies the policy to all obc-account to write/read/delete versioned objects
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=object_version_action_list,
resources_list=[
obc_obj.bucket_name, f'{obc_obj.bucket_name}/{"*"}'
])
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin'
)
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy"
# Getting Policy
logger.info(f'Getting bucket policy for bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
for key in range(5):
logger.info(f"Writing {key} version of {object_key}")
obj = helpers.s3_put_object(s3_obj=obc_obj,
bucketname=obc_obj.bucket_name,
object_key=object_key,
data=data)
object_versions.append(obj['VersionId'])
for version in object_versions:
logger.info(f"Reading version: {version} of {object_key}")
assert helpers.s3_get_object(
s3_obj=obc_obj,
bucketname=obc_obj.bucket_name,
object_key=object_key,
versionid=version), f"Failed: To Read object {version}"
logger.info(f"Deleting version: {version} of {object_key}")
assert helpers.s3_delete_object(
s3_obj=obc_obj,
bucketname=obc_obj.bucket_name,
object_key=object_key,
versionid=version), f"Failed: To Delete object with {version}"
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['PutBucketVersioning'],
resources_list=[obc_obj.bucket_name])
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} by Admin'
)
assert helpers.put_bucket_policy(
mcg_obj, obc_obj.bucket_name,
bucket_policy), "Failed: PutBucketPolicy"
# Getting Policy
logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
logger.info(
f"Suspending bucket versioning on {obc_obj.bucket_name} using User: {obc_obj.obc_account}"
)
assert helpers.s3_put_bucket_versioning(
s3_obj=obc_obj, bucketname=obc_obj.bucket_name,
status="Suspended"), "Failed: PutBucketVersioning"
# Verifying whether GetBucketVersion action is denied access
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to GetBucketVersion'
)
try:
helpers.s3_get_bucket_versioning(s3_obj=obc_obj,
bucketname=obc_obj.bucket_name)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('Get Object action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
def test_object_actions(self, mcg_obj, bucket_factory):
"""
Test to verify different object actions and cross account access to buckets
"""
data = "Sample string content to write to a new S3 object"
object_key = "ObjKey-" + str(uuid.uuid4().hex)
# Creating multiple obc users (accounts)
obc = bucket_factory(amount=1, interface='OC')
obc_obj = OBC(mcg_obj, obc=obc[0].name)
# Admin sets policy on obc bucket with obc account principal
bucket_policy_generated = gen_bucket_policy(
user_list=obc_obj.obc_account,
actions_list=['PutObject'],
resources_list=[f'{obc_obj.bucket_name}/{"*"}'])
bucket_policy = json.dumps(bucket_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}'
)
put_policy = helpers.put_bucket_policy(mcg_obj, obc_obj.bucket_name,
bucket_policy)
logger.info(f'Put bucket policy response from Admin: {put_policy}')
# Get Policy
logger.info(f'Getting Bucket policy on bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Verifying whether obc account can put object
logger.info(f'Adding object on bucket: {obc_obj.bucket_name}')
assert helpers.s3_put_object(obc_obj, obc_obj.bucket_name, object_key,
data), "Failed: Put Object"
# Verifying whether Get action is not allowed
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to Get object'
)
try:
helpers.s3_get_object(obc_obj, obc_obj.bucket_name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('Get Object action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
# Verifying whether obc account allowed to create multipart
logger.info(
f'Creating multipart on bucket: {obc_obj.bucket_name} with key: {object_key}'
)
helpers.create_multipart_upload(obc_obj, obc_obj.bucket_name,
object_key)
# Verifying whether obc account is denied access to delete object
logger.info(
f'Verifying whether user: {obc_obj.obc_account} is denied to Delete object'
)
try:
helpers.s3_delete_object(obc_obj, obc_obj.bucket_name, object_key)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('Delete action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)
# Creating noobaa account to access bucket belonging to obc account
user_name = "noobaa-user" + str(uuid.uuid4().hex)
email = user_name + "@mail.com"
user = NoobaaAccount(mcg_obj,
name=user_name,
email=email,
buckets=[obc_obj.bucket_name])
# Admin sets a policy on obc-account bucket with noobaa-account principal (cross account access)
new_policy_generated = gen_bucket_policy(
user_list=user.email_id,
actions_list=['GetObject', 'DeleteObject'],
resources_list=[f'{obc_obj.bucket_name}/{"*"}'])
new_policy = json.dumps(new_policy_generated)
logger.info(
f'Creating bucket policy on bucket: {obc_obj.bucket_name} with principal: {obc_obj.obc_account}'
)
put_policy = helpers.put_bucket_policy(mcg_obj, obc_obj.bucket_name,
new_policy)
logger.info(f'Put bucket policy response from admin: {put_policy}')
# Get Policy
logger.info(f'Getting bucket policy on bucket: {obc_obj.bucket_name}')
get_policy = helpers.get_bucket_policy(mcg_obj, obc_obj.bucket_name)
logger.info(f"Got bucket policy: {get_policy['Policy']}")
# Verifying whether Get, Delete object is allowed
logger.info(
f'Getting object on bucket: {obc_obj.bucket_name} with user: {user.email_id}'
)
assert helpers.s3_get_object(user, obc_obj.bucket_name,
object_key), "Failed: Get Object"
logger.info(
f'Deleting object on bucket: {obc_obj.bucket_name} with user: {user.email_id}'
)
assert helpers.s3_delete_object(user, obc_obj.bucket_name,
object_key), "Failed: Delete Object"
# Verifying whether Put object action is denied
logger.info(
f'Verifying whether user: {user.email_id} is denied to Put object after updating policy'
)
try:
helpers.s3_put_object(user, obc_obj.bucket_name, object_key, data)
except boto3exception.ClientError as e:
logger.info(e.response)
response = HttpResponseParser(e.response)
if response.error['Code'] == 'AccessDenied':
logger.info('Put object action has been denied access')
else:
raise UnexpectedBehaviour(
f"{e.response} received invalid error code {response.error['Code']}"
)