mirror of
https://github.com/minio/minio.git
synced 2024-12-26 15:15:55 -05:00
069432566f
Signed-off-by: Harshavardhana <harsha@minio.io>
1242 lines
32 KiB
Go
1242 lines
32 KiB
Go
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package policy
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/minio/minio/pkg/bucket/policy/condition"
|
|
)
|
|
|
|
func TestPolicyIsAllowed(t *testing.T) {
|
|
case1Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
)},
|
|
}
|
|
|
|
case2Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
)},
|
|
}
|
|
|
|
_, IPNet, err := net.ParseCIDR("192.168.1.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func1, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case3Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)},
|
|
}
|
|
|
|
case4Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)},
|
|
}
|
|
|
|
anonGetBucketLocationArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetBucketLocationAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
}
|
|
|
|
anonPutObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: PutObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{
|
|
"x-amz-copy-source": {"mybucket/myobject"},
|
|
"SourceIp": {"192.168.1.10"},
|
|
},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
anonGetObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
getBucketLocationArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetBucketLocationAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
IsOwner: true,
|
|
}
|
|
|
|
putObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: PutObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{
|
|
"x-amz-copy-source": {"mybucket/myobject"},
|
|
"SourceIp": {"192.168.1.10"},
|
|
},
|
|
IsOwner: true,
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
getObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
IsOwner: true,
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
testCases := []struct {
|
|
policy Policy
|
|
args Args
|
|
expectedResult bool
|
|
}{
|
|
{case1Policy, anonGetBucketLocationArgs, true},
|
|
{case1Policy, anonPutObjectActionArgs, true},
|
|
{case1Policy, anonGetObjectActionArgs, false},
|
|
{case1Policy, getBucketLocationArgs, true},
|
|
{case1Policy, putObjectActionArgs, true},
|
|
{case1Policy, getObjectActionArgs, true},
|
|
|
|
{case2Policy, anonGetBucketLocationArgs, false},
|
|
{case2Policy, anonPutObjectActionArgs, true},
|
|
{case2Policy, anonGetObjectActionArgs, true},
|
|
{case2Policy, getBucketLocationArgs, true},
|
|
{case2Policy, putObjectActionArgs, true},
|
|
{case2Policy, getObjectActionArgs, true},
|
|
|
|
{case3Policy, anonGetBucketLocationArgs, false},
|
|
{case3Policy, anonPutObjectActionArgs, true},
|
|
{case3Policy, anonGetObjectActionArgs, false},
|
|
{case3Policy, getBucketLocationArgs, true},
|
|
{case3Policy, putObjectActionArgs, true},
|
|
{case3Policy, getObjectActionArgs, true},
|
|
|
|
{case4Policy, anonGetBucketLocationArgs, false},
|
|
{case4Policy, anonPutObjectActionArgs, false},
|
|
{case4Policy, anonGetObjectActionArgs, false},
|
|
{case4Policy, getBucketLocationArgs, true},
|
|
{case4Policy, putObjectActionArgs, false},
|
|
{case4Policy, getObjectActionArgs, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
result := testCase.policy.IsAllowed(testCase.args)
|
|
|
|
if result != testCase.expectedResult {
|
|
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyIsEmpty(t *testing.T) {
|
|
case1Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case2Policy := Policy{
|
|
ID: "MyPolicyForMyBucket",
|
|
Version: DefaultVersion,
|
|
}
|
|
|
|
testCases := []struct {
|
|
policy Policy
|
|
expectedResult bool
|
|
}{
|
|
{case1Policy, false},
|
|
{case2Policy, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
result := testCase.policy.IsEmpty()
|
|
|
|
if result != testCase.expectedResult {
|
|
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyIsValid(t *testing.T) {
|
|
case1Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case2Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case3Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/yourobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
func1, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func2, err := condition.NewNullFunc(
|
|
condition.S3XAmzServerSideEncryption,
|
|
false,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case4Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func2),
|
|
),
|
|
},
|
|
}
|
|
|
|
case5Policy := Policy{
|
|
Version: "17-10-2012",
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case6Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2),
|
|
),
|
|
},
|
|
}
|
|
|
|
case7Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case8Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
policy Policy
|
|
expectErr bool
|
|
}{
|
|
{case1Policy, false},
|
|
// allowed duplicate principal.
|
|
{case2Policy, false},
|
|
// allowed duplicate principal and action.
|
|
{case3Policy, false},
|
|
// allowed duplicate principal, action and resource.
|
|
{case4Policy, false},
|
|
// Invalid version error.
|
|
{case5Policy, true},
|
|
// Invalid statement error.
|
|
{case6Policy, true},
|
|
// Duplicate statement success different effects.
|
|
{case7Policy, false},
|
|
// Duplicate statement success, duplicate statement dropped.
|
|
{case8Policy, false},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
err := testCase.policy.isValid()
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyMarshalJSON(t *testing.T) {
|
|
case1Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case1Policy.Statements[0].SID = "SomeId1"
|
|
case1Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Sid":"SomeId1","Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]}]}`)
|
|
|
|
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func1, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet1,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case2Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/yourobject*")),
|
|
condition.NewFunctions(func1),
|
|
),
|
|
},
|
|
}
|
|
case2Data := []byte(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]},{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/yourobject*"],"Condition":{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]}}}]}`)
|
|
|
|
case3Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("Q3AM3UQ867SPQQA43P2F"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case3Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["Q3AM3UQ867SPQQA43P2F"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]},{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]}]}`)
|
|
|
|
case4Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case4Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]},{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]}]}`)
|
|
|
|
case5Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/yourobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case5Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]},{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/yourobject*"]}]}`)
|
|
|
|
_, IPNet2, err := net.ParseCIDR("192.168.2.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func2, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet2,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case6Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func2),
|
|
),
|
|
},
|
|
}
|
|
case6Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]}}},{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"IpAddress":{"aws:SourceIp":["192.168.2.0/24"]}}}]}`)
|
|
|
|
case7Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetBucketLocationAction),
|
|
NewResourceSet(NewResource("mybucket", "")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case7Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetBucketLocation"],"Resource":["arn:aws:s3:::mybucket"]}]}`)
|
|
|
|
case8Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetBucketLocationAction),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case8Data := []byte(`{"ID":"MyPolicyForMyBucket1","Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetBucketLocation"],"Resource":["arn:aws:s3:::*"]}]}`)
|
|
|
|
func3, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case9Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2, func3),
|
|
),
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
policy Policy
|
|
expectedResult []byte
|
|
expectErr bool
|
|
}{
|
|
{case1Policy, case1Data, false},
|
|
{case2Policy, case2Data, false},
|
|
{case3Policy, case3Data, false},
|
|
{case4Policy, case4Data, false},
|
|
{case5Policy, case5Data, false},
|
|
{case6Policy, case6Data, false},
|
|
{case7Policy, case7Data, false},
|
|
{case8Policy, case8Data, false},
|
|
{case9Policy, nil, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
result, err := json.Marshal(testCase.policy)
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
|
|
if !testCase.expectErr {
|
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
|
t.Fatalf("case %v: result: expected: %v, got: %v", i+1, string(testCase.expectedResult), string(result))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyUnmarshalJSON(t *testing.T) {
|
|
case1Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "SomeId1",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
case1Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
case1Policy.Statements[0].SID = "SomeId1"
|
|
|
|
case2Data := []byte(`{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Deny",
|
|
"Principal": "*",
|
|
"Action": "s3:GetObject",
|
|
"Resource": "arn:aws:s3:::mybucket/yourobject*",
|
|
"Condition": {
|
|
"IpAddress": {
|
|
"aws:SourceIp": "192.168.1.0/24"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}`)
|
|
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func1, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet1,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case2Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/yourobject*")),
|
|
condition.NewFunctions(func1),
|
|
),
|
|
},
|
|
}
|
|
|
|
case3Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": [
|
|
"Q3AM3UQ867SPQQA43P2F"
|
|
]
|
|
},
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
case3Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("Q3AM3UQ867SPQQA43P2F"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case4Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:GetObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
case4Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case5Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/yourobject*"
|
|
}
|
|
]
|
|
}`)
|
|
case5Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/yourobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case6Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
"IpAddress": {
|
|
"aws:SourceIp": "192.168.1.0/24"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
"IpAddress": {
|
|
"aws:SourceIp": "192.168.2.0/24"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}`)
|
|
_, IPNet2, err := net.ParseCIDR("192.168.2.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func2, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet2,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case6Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
),
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func2),
|
|
),
|
|
},
|
|
}
|
|
|
|
case7Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:GetBucketLocation",
|
|
"Resource": "arn:aws:s3:::mybucket"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
case7Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetBucketLocationAction),
|
|
NewResourceSet(NewResource("mybucket", "")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case8Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:GetBucketLocation",
|
|
"Resource": "arn:aws:s3:::*"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
case8Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetBucketLocationAction),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case9Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "17-10-2012",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
case10Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
case10Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
case11Data := []byte(`{
|
|
"ID": "MyPolicyForMyBucket1",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
},
|
|
{
|
|
"Effect": "Deny",
|
|
"Principal": "*",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
case11Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
NewStatement(
|
|
Deny,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
data []byte
|
|
expectedResult Policy
|
|
expectErr bool
|
|
}{
|
|
{case1Data, case1Policy, false},
|
|
{case2Data, case2Policy, false},
|
|
{case3Data, case3Policy, false},
|
|
{case4Data, case4Policy, false},
|
|
{case5Data, case5Policy, false},
|
|
{case6Data, case6Policy, false},
|
|
{case7Data, case7Policy, false},
|
|
{case8Data, case8Policy, false},
|
|
// Invalid version error.
|
|
{case9Data, Policy{}, true},
|
|
// Duplicate statement success, duplicate statement removed.
|
|
{case10Data, case10Policy, false},
|
|
// Duplicate statement success (Effect differs).
|
|
{case11Data, case11Policy, false},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
var result Policy
|
|
err := json.Unmarshal(testCase.data, &result)
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Errorf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
|
|
if !testCase.expectErr {
|
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
|
t.Errorf("case %v: result: expected: %v, got: %v", i+1, testCase.expectedResult, result)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyValidate(t *testing.T) {
|
|
case1Policy := Policy{
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
),
|
|
},
|
|
}
|
|
|
|
func1, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func2, err := condition.NewNullFunc(
|
|
condition.S3XAmzServerSideEncryption,
|
|
false,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case2Policy := Policy{
|
|
ID: "MyPolicyForMyBucket1",
|
|
Version: DefaultVersion,
|
|
Statements: []Statement{
|
|
NewStatement(
|
|
Allow,
|
|
NewPrincipal("*"),
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2),
|
|
),
|
|
},
|
|
}
|
|
|
|
testCases := []struct {
|
|
policy Policy
|
|
bucketName string
|
|
expectErr bool
|
|
}{
|
|
{case1Policy, "mybucket", false},
|
|
{case2Policy, "yourbucket", true},
|
|
{case1Policy, "yourbucket", true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
err := testCase.policy.Validate(testCase.bucketName)
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPolicyMerge(t *testing.T) {
|
|
testCases := []struct {
|
|
policy string
|
|
}{
|
|
{`{
|
|
"Version": "2012-10-17",
|
|
"Id": "S3PolicyId1",
|
|
"Statement": [
|
|
{
|
|
"Sid": "statement1",
|
|
"Effect": "Deny",
|
|
"Principal": "*",
|
|
"Action":["s3:GetObject", "s3:PutObject"],
|
|
"Resource": "arn:aws:s3:::awsexamplebucket1/*"
|
|
}
|
|
]
|
|
}`},
|
|
{`{
|
|
"Version": "2012-10-17",
|
|
"Id": "S3PolicyId1",
|
|
"Statement": [
|
|
{
|
|
"Sid": "statement1",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action":"s3:GetObject",
|
|
"Resource": "arn:aws:s3:::awsexamplebucket1/*",
|
|
"Condition" : {
|
|
"IpAddress" : {
|
|
"aws:SourceIp": "192.0.2.0/24"
|
|
},
|
|
"NotIpAddress" : {
|
|
"aws:SourceIp": "192.0.2.188/32"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}`},
|
|
{`{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "cross-account permission to user in your own account",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "arn:aws:iam::123456789012:user/Dave"
|
|
},
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::awsexamplebucket1/*"
|
|
},
|
|
{
|
|
"Sid": "Deny your user permission to upload object if copy source is not /bucket/folder",
|
|
"Effect": "Deny",
|
|
"Principal": {
|
|
"AWS": "arn:aws:iam::123456789012:user/Dave"
|
|
},
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::awsexamplebucket1/*",
|
|
"Condition": {
|
|
"StringNotLike": {
|
|
"s3:x-amz-copy-source": "awsexamplebucket1/public/*"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}`},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
var p Policy
|
|
err := json.Unmarshal([]byte(testCase.policy), &p)
|
|
if err != nil {
|
|
t.Fatalf("case %v: unexpected error: %v", i+1, err)
|
|
}
|
|
|
|
var clonedPolicy Policy
|
|
clonedPolicy = clonedPolicy.Merge(p)
|
|
|
|
j, err := json.Marshal(clonedPolicy)
|
|
if err != nil {
|
|
t.Fatalf("case %v: unexpected error: %v", i+1, err)
|
|
}
|
|
|
|
err = json.Unmarshal(j, &clonedPolicy)
|
|
if err != nil {
|
|
t.Fatalf("case %v: unexpected error: %v", i+1, err)
|
|
}
|
|
|
|
if !clonedPolicy.Statements[0].Equals(p.Statements[0]) {
|
|
t.Fatalf("case %v: different policy outcome", i+1)
|
|
}
|
|
}
|
|
}
|