mirror of
https://github.com/minio/minio.git
synced 2024-12-26 23:25:54 -05:00
516 lines
14 KiB
Go
516 lines
14 KiB
Go
/*
|
|
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package iampolicy
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net"
|
|
"reflect"
|
|
"testing"
|
|
|
|
"github.com/minio/minio/pkg/policy"
|
|
"github.com/minio/minio/pkg/policy/condition"
|
|
)
|
|
|
|
func TestStatementIsAllowed(t *testing.T) {
|
|
case1Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
)
|
|
|
|
case2Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
)
|
|
|
|
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func1, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet1,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
case3Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)
|
|
|
|
case4Statement := NewStatement(
|
|
policy.Deny,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)
|
|
|
|
anonGetBucketLocationArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetBucketLocationAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
}
|
|
|
|
anonPutObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: PutObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{
|
|
"x-amz-copy-source": {"mybucket/myobject"},
|
|
"SourceIp": {"192.168.1.10"},
|
|
},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
anonGetObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
getBucketLocationArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetBucketLocationAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
}
|
|
|
|
putObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: PutObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{
|
|
"x-amz-copy-source": {"mybucket/myobject"},
|
|
"SourceIp": {"192.168.1.10"},
|
|
},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
getObjectActionArgs := Args{
|
|
AccountName: "Q3AM3UQ867SPQQA43P2F",
|
|
Action: GetObjectAction,
|
|
BucketName: "mybucket",
|
|
ConditionValues: map[string][]string{},
|
|
ObjectName: "myobject",
|
|
}
|
|
|
|
testCases := []struct {
|
|
statement Statement
|
|
args Args
|
|
expectedResult bool
|
|
}{
|
|
{case1Statement, anonGetBucketLocationArgs, true},
|
|
{case1Statement, anonPutObjectActionArgs, true},
|
|
{case1Statement, anonGetObjectActionArgs, false},
|
|
{case1Statement, getBucketLocationArgs, true},
|
|
{case1Statement, putObjectActionArgs, true},
|
|
{case1Statement, getObjectActionArgs, false},
|
|
|
|
{case2Statement, anonGetBucketLocationArgs, false},
|
|
{case2Statement, anonPutObjectActionArgs, true},
|
|
{case2Statement, anonGetObjectActionArgs, true},
|
|
{case2Statement, getBucketLocationArgs, false},
|
|
{case2Statement, putObjectActionArgs, true},
|
|
{case2Statement, getObjectActionArgs, true},
|
|
|
|
{case3Statement, anonGetBucketLocationArgs, false},
|
|
{case3Statement, anonPutObjectActionArgs, true},
|
|
{case3Statement, anonGetObjectActionArgs, false},
|
|
{case3Statement, getBucketLocationArgs, false},
|
|
{case3Statement, putObjectActionArgs, true},
|
|
{case3Statement, getObjectActionArgs, false},
|
|
|
|
{case4Statement, anonGetBucketLocationArgs, true},
|
|
{case4Statement, anonPutObjectActionArgs, false},
|
|
{case4Statement, anonGetObjectActionArgs, true},
|
|
{case4Statement, getBucketLocationArgs, true},
|
|
{case4Statement, putObjectActionArgs, false},
|
|
{case4Statement, getObjectActionArgs, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
result := testCase.statement.IsAllowed(testCase.args)
|
|
|
|
if result != testCase.expectedResult {
|
|
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestStatementIsValid(t *testing.T) {
|
|
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func1, err := condition.NewIPAddressFunc(
|
|
condition.AWSSourceIP,
|
|
IPNet1,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
func2, err := condition.NewStringEqualsFunc(
|
|
condition.S3XAmzCopySource,
|
|
"mybucket/myobject",
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
|
|
testCases := []struct {
|
|
statement Statement
|
|
expectErr bool
|
|
}{
|
|
// Invalid effect error.
|
|
{NewStatement(
|
|
policy.Effect("foo"),
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
), true},
|
|
// Empty actions error.
|
|
{NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(),
|
|
NewResourceSet(NewResource("*", "")),
|
|
condition.NewFunctions(),
|
|
), true},
|
|
// Empty resources error.
|
|
{NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(),
|
|
condition.NewFunctions(),
|
|
), true},
|
|
// Unsupported conditions for GetObject
|
|
{NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2),
|
|
), true},
|
|
{NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(),
|
|
), false},
|
|
{NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetBucketLocationAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "")),
|
|
condition.NewFunctions(),
|
|
), false},
|
|
{NewStatement(
|
|
policy.Deny,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1),
|
|
), false},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
err := testCase.statement.isValid()
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestStatementMarshalJSON(t *testing.T) {
|
|
case1Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
)
|
|
case1Statement.SID = "SomeId1"
|
|
case1Data := []byte(`{"Sid":"SomeId1","Effect":"Allow","Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"]}`)
|
|
|
|
func1, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case2Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)
|
|
case2Data := []byte(`{"Effect":"Allow","Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-copy-source":[true]}}}`)
|
|
|
|
func2, err := condition.NewNullFunc(
|
|
condition.S3XAmzServerSideEncryption,
|
|
false,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case3Statement := NewStatement(
|
|
policy.Deny,
|
|
NewActionSet(GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func2),
|
|
)
|
|
case3Data := []byte(`{"Effect":"Deny","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-server-side-encryption":[false]}}}`)
|
|
|
|
case4Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2),
|
|
)
|
|
|
|
testCases := []struct {
|
|
statement Statement
|
|
expectedResult []byte
|
|
expectErr bool
|
|
}{
|
|
{case1Statement, case1Data, false},
|
|
{case2Statement, case2Data, false},
|
|
{case3Statement, case3Data, false},
|
|
// Invalid statement error.
|
|
{case4Statement, nil, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
result, err := json.Marshal(testCase.statement)
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
|
|
if !testCase.expectErr {
|
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
|
t.Fatalf("case %v: result: expected: %v, got: %v", i+1, string(testCase.expectedResult), string(result))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestStatementUnmarshalJSON(t *testing.T) {
|
|
case1Data := []byte(`{
|
|
"Sid": "SomeId1",
|
|
"Effect": "Allow",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}`)
|
|
case1Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
)
|
|
case1Statement.SID = "SomeId1"
|
|
|
|
case2Data := []byte(`{
|
|
"Effect": "Allow",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
"Null": {
|
|
"s3:x-amz-copy-source": true
|
|
}
|
|
}
|
|
}`)
|
|
func1, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case2Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func1),
|
|
)
|
|
|
|
case3Data := []byte(`{
|
|
"Effect": "Deny",
|
|
"Action": [
|
|
"s3:PutObject",
|
|
"s3:GetObject"
|
|
],
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
"Null": {
|
|
"s3:x-amz-server-side-encryption": "false"
|
|
}
|
|
}
|
|
}`)
|
|
func2, err := condition.NewNullFunc(
|
|
condition.S3XAmzServerSideEncryption,
|
|
false,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case3Statement := NewStatement(
|
|
policy.Deny,
|
|
NewActionSet(PutObjectAction, GetObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(func2),
|
|
)
|
|
|
|
case4Data := []byte(`{
|
|
"Effect": "Allow",
|
|
"Action": "s3:PutObjec",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}`)
|
|
|
|
case5Data := []byte(`{
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}`)
|
|
|
|
case7Data := []byte(`{
|
|
"Effect": "Allow",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*"
|
|
}`)
|
|
|
|
case8Data := []byte(`{
|
|
"Effect": "Allow",
|
|
"Action": "s3:PutObject"
|
|
}`)
|
|
|
|
case9Data := []byte(`{
|
|
"Effect": "Allow",
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
}
|
|
}`)
|
|
|
|
case10Data := []byte(`{
|
|
"Effect": "Deny",
|
|
"Action": [
|
|
"s3:PutObject",
|
|
"s3:GetObject"
|
|
],
|
|
"Resource": "arn:aws:s3:::mybucket/myobject*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"s3:x-amz-copy-source": "yourbucket/myobject*"
|
|
}
|
|
}
|
|
}`)
|
|
|
|
testCases := []struct {
|
|
data []byte
|
|
expectedResult Statement
|
|
expectErr bool
|
|
}{
|
|
{case1Data, case1Statement, false},
|
|
{case2Data, case2Statement, false},
|
|
{case3Data, case3Statement, false},
|
|
// JSON unmarshaling error.
|
|
{case4Data, Statement{}, true},
|
|
// Invalid effect error.
|
|
{case5Data, Statement{}, true},
|
|
// Empty action error.
|
|
{case7Data, Statement{}, true},
|
|
// Empty resource error.
|
|
{case8Data, Statement{}, true},
|
|
// Empty condition error.
|
|
{case9Data, Statement{}, true},
|
|
// Unsupported condition key error.
|
|
{case10Data, Statement{}, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
var result Statement
|
|
expectErr := (json.Unmarshal(testCase.data, &result) != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
|
|
if !testCase.expectErr {
|
|
if !reflect.DeepEqual(result, testCase.expectedResult) {
|
|
t.Fatalf("case %v: result: expected: %v, got: %v", i+1, testCase.expectedResult, result)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestStatementValidate(t *testing.T) {
|
|
case1Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "/myobject*")),
|
|
condition.NewFunctions(),
|
|
)
|
|
|
|
func1, err := condition.NewNullFunc(
|
|
condition.S3XAmzCopySource,
|
|
true,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
func2, err := condition.NewNullFunc(
|
|
condition.S3XAmzServerSideEncryption,
|
|
false,
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error. %v\n", err)
|
|
}
|
|
case2Statement := NewStatement(
|
|
policy.Allow,
|
|
NewActionSet(GetObjectAction, PutObjectAction),
|
|
NewResourceSet(NewResource("mybucket", "myobject*")),
|
|
condition.NewFunctions(func1, func2),
|
|
)
|
|
|
|
testCases := []struct {
|
|
statement Statement
|
|
expectErr bool
|
|
}{
|
|
{case1Statement, false},
|
|
{case2Statement, true},
|
|
}
|
|
|
|
for i, testCase := range testCases {
|
|
err := testCase.statement.Validate()
|
|
expectErr := (err != nil)
|
|
|
|
if expectErr != testCase.expectErr {
|
|
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
|
|
}
|
|
}
|
|
}
|