acl_helper_test.go 19 KB

  1. package s3acl
  2. import (
  3. "bytes"
  4. "encoding/json"
  5. "github.com/aws/aws-sdk-go/service/s3"
  6. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  7. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  8. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  9. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  10. "io"
  11. "net/http"
  12. "testing"
  13. )
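var (
	// accountManager is the account fixture shared by the tests in this file:
	// the built-in admin and anonymous accounts plus two sample accounts,
	// indexed by account id (IdNameMapping) and by e-mail address
	// (EmailIdMapping).
	accountManager = &s3account.AccountManager{
		IdNameMapping: map[string]string{
			s3account.AccountAdmin.Id:     s3account.AccountAdmin.Name,
			s3account.AccountAnonymous.Id: s3account.AccountAnonymous.Name,
			"accountA":                    "accountA",
			"accountB":                    "accountB",
		},
		EmailIdMapping: map[string]string{
			s3account.AccountAdmin.EmailAddress:     s3account.AccountAdmin.Id,
			s3account.AccountAnonymous.EmailAddress: s3account.AccountAnonymous.Id,
			"accountA@example.com":                  "accountA",
			// The key used to read "accountBexample.com" (no '@'), so a grant
			// addressed to accountB by e-mail could never have matched this
			// entry. No visible test looks accountB up by e-mail.
			"accountB@example.com": "accountB",
		},
	}
)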
// TestGetAccountId checks that GetAccountId returns the value of the
// s3_constants.AmzAccountId request header, and the anonymous account id when
// the header is absent.
//
// NOTE(review): the test writes the header itself, so it shows nothing about
// who may set it in a real request. Presumably the authentication layer
// overwrites or strips any client-supplied value before GetAccountId runs;
// confirm against the caller, since the account id is taken from this header.
func TestGetAccountId(t *testing.T) {
	req := &http.Request{Header: http.Header{}}

	// The steps run in order on the same request, each one changing the header
	// before the lookup.
	steps := []struct {
		prepare func()
		want    string
		failMsg string
	}{
		{
			// header carries the admin account id
			prepare: func() { req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAdmin.Id) },
			want:    s3account.AccountAdmin.Id,
			failMsg: "expect accountId: admin",
		},
		{
			// header carries the anonymous account id
			prepare: func() { req.Header.Set(s3_constants.AmzAccountId, s3account.AccountAnonymous.Id) },
			want:    s3account.AccountAnonymous.Id,
			failMsg: "expect accountId: anonymous",
		},
		{
			// header removed: the lookup falls back to anonymous
			prepare: func() { req.Header.Del(s3_constants.AmzAccountId) },
			want:    s3account.AccountAnonymous.Id,
			failMsg: "expect accountId: anonymous",
		},
	}

	for _, step := range steps {
		step.prepare()
		if got := GetAccountId(req); got != step.want {
			t.Fatal(step.failMsg)
		}
	}
}
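// TestExtractAcl exercises ExtractAcl with an ACL supplied in the request body
// (AccessControlPolicy XML) and in the canned-ACL header, covering accepted
// and rejected requests.
//
// Every case builds its own request. Case 4 used to declare its request at
// function scope and case 5 reused it, so the owner-mismatch check ran on a
// request that still carried case 4's invalid canned-ACL header.
func TestExtractAcl(t *testing.T) {
	type Case struct {
		id                           int
		resultErrCode, expectErrCode s3err.ErrorCode
		resultGrants, expectGrants   []*s3.Grant
	}

	// adminOwnedPolicy is a well-formed policy whose owner is "admin" and which
	// grants FULL_CONTROL to the admin user and to the AllUsers group.
	const adminOwnedPolicy = `
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
	<Owner>
		<ID>admin</ID>
		<DisplayName>admin</DisplayName>
	</Owner>
	<AccessControlList>
		<Grant>
			<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
				<ID>admin</ID>
			</Grantee>
			<Permission>FULL_CONTROL</Permission>
		</Grant>
		<Grant>
			<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
				<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
			</Grantee>
			<Permission>FULL_CONTROL</Permission>
		</Grant>
	</AccessControlList>
</AccessControlPolicy>
`

	newRequest := func() *http.Request {
		return &http.Request{Header: make(map[string][]string)}
	}
	bodyOf := func(content string) io.ReadCloser {
		return io.NopCloser(bytes.NewReader([]byte(content)))
	}

	testCases := make([]*Case, 0)
	accountAdminId := "admin"
	objectWriter := "accountA"

	{
		// case1 (good case)
		// parse acp from request body
		req := newRequest()
		req.Body = bodyOf(adminOwnedPolicy)
		grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			id:            1,
			resultErrCode: errCode, expectErrCode: s3err.ErrNone,
			resultGrants: grants,
			expectGrants: []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &accountAdminId,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeGroup,
						URI:  &s3_constants.GranteeGroupAllUsers,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		// case2 (good case)
		// parse acp from header (cannedAcl)
		req := newRequest()
		req.Body = nil
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
		grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			id:            2,
			resultErrCode: errCode, expectErrCode: s3err.ErrNone,
			resultGrants: grants,
			expectGrants: []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &objectWriter,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		// case3 (bad case)
		// parse acp from request body (content is invalid); the valid canned
		// ACL header sent alongside must not rescue the request
		req := newRequest()
		req.Body = bodyOf("zdfsaf")
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
		_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			id:            3,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		// case4 (bad case)
		// parse acp from header (cannedAcl is invalid)
		req := newRequest()
		req.Body = nil
		req.Header.Set(s3_constants.AmzCannedAcl, "dfaksjfk")
		_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, "", objectWriter)
		testCases = append(testCases, &Case{
			id:            4,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		// case5 (bad case)
		// parse acp from request body: owner is inconsistent. The policy names
		// "admin" as owner while the ownerId argument is "accountA", so the
		// request is expected to be denied.
		req := newRequest()
		req.Body = bodyOf(adminOwnedPolicy)
		_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, objectWriter, objectWriter)
		testCases = append(testCases, &Case{
			id:            5,
			resultErrCode: errCode, expectErrCode: s3err.ErrAccessDenied,
		})
	}

	for _, tc := range testCases {
		if tc.resultErrCode != tc.expectErrCode {
			t.Fatalf("case[%d]: errorCode not expect: got %v, want %v", tc.id, tc.resultErrCode, tc.expectErrCode)
		}
		if !grantsEquals(tc.resultGrants, tc.expectGrants) {
			t.Fatalf("case[%d]: grants not expect", tc.id)
		}
	}
}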
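// TestParseAndValidateAclHeaders exercises ParseAndValidateAclHeaders with
// explicit grant headers and canned-ACL headers, checking the returned owner
// id, grants and error code.
//
// The sixth case used to be recorded with id 5, so a failure in it was
// reported under the wrong case number; it now carries id 6.
func TestParseAndValidateAclHeaders(t *testing.T) {
	type Case struct {
		id                           int
		resultOwner, expectOwner     string
		resultErrCode, expectErrCode s3err.ErrorCode
		resultGrants, expectGrants   []*s3.Grant
	}

	// requestWith returns a fresh request carrying a single ACL header.
	requestWith := func(key, value string) *http.Request {
		req := &http.Request{Header: make(map[string][]string)}
		req.Header.Set(key, value)
		return req
	}

	testCases := make([]*Case, 0)
	bucketOwner := "admin"
	objectWriter := "accountA"

	{
		// case1 (good case)
		// parse custom acl: a group URI, a canonical id and an e-mail address;
		// the e-mail grantee is expected back as the admin canonical id
		req := requestWith(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="anonymous", emailAddress="admin@example.com"`)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:          1,
			resultOwner: ownerId, expectOwner: objectWriter,
			resultErrCode: errCode, expectErrCode: s3err.ErrNone,
			resultGrants: grants,
			expectGrants: []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeGroup,
						URI:  &s3_constants.GranteeGroupAllUsers,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &s3account.AccountAnonymous.Id,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &s3account.AccountAdmin.Id,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		// case2 (good case)
		// parse canned acl (ownership=ObjectWriter): the writer stays owner and
		// both the writer and the bucket owner get full control
		req := requestWith(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:          2,
			resultOwner: ownerId, expectOwner: objectWriter,
			resultErrCode: errCode, expectErrCode: s3err.ErrNone,
			resultGrants: grants,
			expectGrants: []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &objectWriter,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &bucketOwner,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		// case3 (good case)
		// parse canned acl (ownership=OwnershipBucketOwnerPreferred): the
		// bucket owner becomes the owner and holds the only grant
		req := requestWith(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:          3,
			resultOwner: ownerId, expectOwner: bucketOwner,
			resultErrCode: errCode, expectErrCode: s3err.ErrNone,
			resultGrants: grants,
			expectGrants: []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &bucketOwner,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		// case4 (bad case)
		// parse custom acl (grantee id not exists)
		req := requestWith(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="notExistsAccount", emailAddress="admin@example.com"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            4,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		// case5 (bad case)
		// parse custom acl (invalid format)
		req := requestWith(s3_constants.AmzAclFullControl, `uri="http:sfasf"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            5,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		// case6 (bad case)
		// parse canned acl (invalid value)
		req := requestWith(s3_constants.AmzCannedAcl, `uri="http:sfasf"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            6,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	for _, tc := range testCases {
		if tc.expectErrCode != tc.resultErrCode {
			t.Errorf("case[%d]: errCode unexpect: got %v, want %v", tc.id, tc.resultErrCode, tc.expectErrCode)
		}
		if tc.resultOwner != tc.expectOwner {
			t.Errorf("case[%d]: ownerId unexpect: got %q, want %q", tc.id, tc.resultOwner, tc.expectOwner)
		}
		if !grantsEquals(tc.resultGrants, tc.expectGrants) {
			t.Fatalf("case[%d]: grants not expect", tc.id)
		}
	}
}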
// grantsEquals reports whether a and b have the same length and hold
// pairwise-equal grants, as judged by GrantEquals. The comparison is
// positional, so the same grants in a different order compare unequal.
func grantsEquals(a, b []*s3.Grant) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		if GrantEquals(a[i], b[i]) {
			continue
		}
		return false
	}
	return true
}
// TestDetermineReqGrants checks the grant list DetermineReqGrants builds for a
// requested permission. For either account the list names the AllUsers group
// and the account itself, each with the requested permission and with full
// control. A non-anonymous account additionally gets the AuthenticatedUsers
// group, which the anonymous account must not.
func TestDetermineReqGrants(t *testing.T) {
	groupGrant := func(uri, permission *string) *s3.Grant {
		return &s3.Grant{
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  uri,
			},
			Permission: permission,
		}
	}
	userGrant := func(id, permission *string) *s3.Grant {
		return &s3.Grant{
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeCanonicalUser,
				ID:   id,
			},
			Permission: permission,
		}
	}

	scenarios := []struct {
		accountId     string
		authenticated bool
	}{
		// case1: request account is anonymous
		{accountId: s3account.AccountAnonymous.Id, authenticated: false},
		// case2: request account is not anonymous (IAM authenticated)
		{accountId: "accountX", authenticated: true},
	}

	for _, sc := range scenarios {
		accountId := sc.accountId
		reqPermission := s3_constants.PermissionRead
		fullControl := &s3_constants.PermissionFullControl

		want := []*s3.Grant{
			groupGrant(&s3_constants.GranteeGroupAllUsers, &reqPermission),
			groupGrant(&s3_constants.GranteeGroupAllUsers, fullControl),
			userGrant(&accountId, &reqPermission),
			userGrant(&accountId, fullControl),
		}
		if sc.authenticated {
			want = append(want,
				groupGrant(&s3_constants.GranteeGroupAuthenticatedUsers, &reqPermission),
				groupGrant(&s3_constants.GranteeGroupAuthenticatedUsers, fullControl),
			)
		}

		if got := DetermineReqGrants(accountId, reqPermission); !grantsEquals(got, want) {
			t.Fatalf("grants not expect")
		}
	}
}
// TestAssembleEntryWithAcp checks that an owner and grants written to a filer
// entry by AssembleEntryWithAcp are read back unchanged by GetAcpOwner and
// GetAcpGrants, and that assembling with an empty owner and nil grants
// overrides the earlier values: the owner falls back to the supplied default
// and no grants remain.
func TestAssembleEntryWithAcp(t *testing.T) {
	fallbackOwner := "admin"
	wantOwner := "accountS"
	wantGrants := []*s3.Grant{
		{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   &s3account.AccountAdmin.Id,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		},
	}
	entry := new(filer_pb.Entry)

	// case1: assemble with non-empty grants
	AssembleEntryWithAcp(entry, wantOwner, wantGrants)
	if owner := GetAcpOwner(entry.Extended, fallbackOwner); owner != wantOwner {
		t.Fatalf("owner not expect")
	}
	if grants := GetAcpGrants(entry.Extended); !grantsEquals(grants, wantGrants) {
		t.Fatal("grants not expect")
	}

	// case2: assemble with empty grants (override) on the same entry
	AssembleEntryWithAcp(entry, "", nil)
	if owner := GetAcpOwner(entry.Extended, fallbackOwner); owner != fallbackOwner {
		t.Fatalf("owner not expect")
	}
	if grants := GetAcpGrants(entry.Extended); len(grants) != 0 {
		t.Fatal("grants not expect")
	}
}
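// TestGrantEquals checks GrantEquals against pairs of grants that differ in
// permission, grantee type, and the grantee fields that go with the type.
//
// The cases used to be stored in a map[bool]bool keyed by the result of
// GrantEquals. Such a map holds at most two entries, and a later case with the
// same result overwrote an earlier one, so a wrong result could be replaced by
// a correct one before the loop ever looked at it. The cases are now kept in a
// slice and every one of them is checked.
func TestGrantEquals(t *testing.T) {
	var (
		read       = &s3_constants.PermissionRead
		write      = &s3_constants.PermissionWrite
		group      = &s3_constants.GrantTypeGroup
		allUsers   = &s3_constants.GranteeGroupAllUsers
		adminID    = &s3account.AccountAdmin.Id
		adminEmail = &s3account.AccountAdmin.EmailAddress
	)

	testCases := []struct {
		a, b *s3.Grant
		want bool
	}{
		// 1-3: nil and empty grants
		{nil, nil, true},
		{&s3.Grant{}, nil, false},
		{&s3.Grant{}, &s3.Grant{}, true},

		// 4-5: permission only
		{&s3.Grant{Permission: read}, &s3.Grant{}, false},
		{&s3.Grant{Permission: read}, &s3.Grant{Permission: read}, true},

		// 6-7: empty grantee, and grantee type on one side only
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{}},
			true,
		},
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{}},
			false,
		},

		// 8: grantee type absent on both sides, so the other grantee fields
		// are expected not to be compared
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{ID: adminID, EmailAddress: adminEmail}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{ID: adminID}},
			true,
		},

		// 9-10: same group grantee, without and with a URI
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group}},
			true,
		},
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, URI: allUsers}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, URI: allUsers}},
			true,
		},

		// 11: same grantee, different permission
		{
			&s3.Grant{Permission: write, Grantee: &s3.Grantee{Type: group, URI: allUsers}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, URI: allUsers}},
			false,
		},

		// 12-14: group grantees that also carry an ID; the expectations say
		// that a URI present on one side only makes the grants differ (13),
		// while an ID present on one side only does not (14)
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, ID: adminID}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, ID: adminID}},
			true,
		},
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, ID: adminID, URI: allUsers}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, ID: adminID}},
			false,
		},
		{
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, ID: adminID, URI: allUsers}},
			&s3.Grant{Permission: read, Grantee: &s3.Grantee{Type: group, URI: allUsers}},
			true,
		},
	}

	for i, tc := range testCases {
		if got := GrantEquals(tc.a, tc.b); got != tc.want {
			t.Errorf("case[%d]: GrantEquals = %v, want %v", i+1, got, tc.want)
		}
	}
}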
// TestSetAcpOwnerHeader checks that SetAcpOwnerHeader stores the given owner
// id in the request header named by s3_constants.ExtAmzOwnerKey.
//
// NOTE(review): the request here starts with no headers, so the test does not
// show what happens to a value already present under that key; confirm that a
// client-supplied value cannot survive on the real request path.
func TestSetAcpOwnerHeader(t *testing.T) {
	want := "accountZ"
	req := &http.Request{Header: http.Header{}}

	SetAcpOwnerHeader(req, want)

	if got := req.Header.Get(s3_constants.ExtAmzOwnerKey); got != want {
		t.Fatalf("owner unexpect")
	}
}
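// TestSetAcpGrantsHeader checks that SetAcpGrantsHeader stores the grants,
// encoded as JSON, in the request header named by s3_constants.ExtAmzAclKey.
//
// The json.Marshal error is now checked instead of discarded, and the failure
// message names the grants rather than the owner.
func TestSetAcpGrantsHeader(t *testing.T) {
	req := &http.Request{
		Header: make(map[string][]string),
	}
	grants := []*s3.Grant{
		{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   &s3account.AccountAdmin.Id,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		},
	}

	SetAcpGrantsHeader(req, grants)

	grantsJson, err := json.Marshal(grants)
	if err != nil {
		t.Fatalf("marshal expected grants: %v", err)
	}
	if got := req.Header.Get(s3_constants.ExtAmzAclKey); got != string(grantsJson) {
		t.Fatalf("grants unexpect: got %q, want %q", got, grantsJson)
	}
}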