auth_credentials_test.go 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
  1. package s3api
  2. import (
  3. "reflect"
  4. "testing"
  5. . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  6. "github.com/stretchr/testify/assert"
  7. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  8. jsonpb "google.golang.org/protobuf/encoding/protojson"
  9. )
  10. func TestIdentityListFileFormat(t *testing.T) {
  11. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  12. identity1 := &iam_pb.Identity{
  13. Name: "some_name",
  14. Credentials: []*iam_pb.Credential{
  15. {
  16. AccessKey: "some_access_key1",
  17. SecretKey: "some_secret_key2",
  18. },
  19. },
  20. Actions: []string{
  21. ACTION_ADMIN,
  22. ACTION_READ,
  23. ACTION_WRITE,
  24. },
  25. }
  26. identity2 := &iam_pb.Identity{
  27. Name: "some_read_only_user",
  28. Credentials: []*iam_pb.Credential{
  29. {
  30. AccessKey: "some_access_key1",
  31. SecretKey: "some_secret_key1",
  32. },
  33. },
  34. Actions: []string{
  35. ACTION_READ,
  36. },
  37. }
  38. identity3 := &iam_pb.Identity{
  39. Name: "some_normal_user",
  40. Credentials: []*iam_pb.Credential{
  41. {
  42. AccessKey: "some_access_key2",
  43. SecretKey: "some_secret_key2",
  44. },
  45. },
  46. Actions: []string{
  47. ACTION_READ,
  48. ACTION_WRITE,
  49. },
  50. }
  51. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
  52. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
  53. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
  54. m := jsonpb.MarshalOptions{
  55. EmitUnpopulated: true,
  56. Indent: " ",
  57. }
  58. text, _ := m.Marshal(s3ApiConfiguration)
  59. println(string(text))
  60. }
  61. func TestCanDo(t *testing.T) {
  62. ident1 := &Identity{
  63. Name: "anything",
  64. Actions: []Action{
  65. "Write:bucket1/a/b/c/*",
  66. "Write:bucket1/a/b/other",
  67. },
  68. }
  69. // object specific
  70. assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  71. assert.Equal(t, false, ident1.canDo(ACTION_DELETE_BUCKET, "bucket1", ""))
  72. assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
  73. // bucket specific
  74. ident2 := &Identity{
  75. Name: "anything",
  76. Actions: []Action{
  77. "Read:bucket1",
  78. "Write:bucket1/*",
  79. "WriteAcp:bucket1",
  80. },
  81. }
  82. assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  83. assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  84. assert.Equal(t, true, ident2.canDo(ACTION_WRITE_ACP, "bucket1", ""))
  85. assert.Equal(t, false, ident2.canDo(ACTION_READ_ACP, "bucket1", ""))
  86. assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
  87. // across buckets
  88. ident3 := &Identity{
  89. Name: "anything",
  90. Actions: []Action{
  91. "Read",
  92. "Write",
  93. },
  94. }
  95. assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  96. assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  97. assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
  98. assert.Equal(t, false, ident3.canDo(ACTION_WRITE_ACP, "bucket1", ""))
  99. // partial buckets
  100. ident4 := &Identity{
  101. Name: "anything",
  102. Actions: []Action{
  103. "Read:special_*",
  104. "ReadAcp:special_*",
  105. },
  106. }
  107. assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  108. assert.Equal(t, true, ident4.canDo(ACTION_READ_ACP, "special_bucket", ""))
  109. assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  110. // admin buckets
  111. ident5 := &Identity{
  112. Name: "anything",
  113. Actions: []Action{
  114. "Admin:special_*",
  115. },
  116. }
  117. assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  118. assert.Equal(t, true, ident5.canDo(ACTION_READ_ACP, "special_bucket", ""))
  119. assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
  120. assert.Equal(t, true, ident5.canDo(ACTION_WRITE_ACP, "special_bucket", ""))
  121. // anonymous buckets
  122. ident6 := &Identity{
  123. Name: "anonymous",
  124. Actions: []Action{
  125. "Read",
  126. },
  127. }
  128. assert.Equal(t, true, ident6.canDo(ACTION_READ, "anything_bucket", "/a/b/c/d.txt"))
  129. //test deleteBucket operation
  130. ident7 := &Identity{
  131. Name: "anything",
  132. Actions: []Action{
  133. "DeleteBucket:bucket1",
  134. },
  135. }
  136. assert.Equal(t, true, ident7.canDo(ACTION_DELETE_BUCKET, "bucket1", ""))
  137. }
  138. type LoadS3ApiConfigurationTestCase struct {
  139. pbAccount *iam_pb.Account
  140. pbIdent *iam_pb.Identity
  141. expectIdent *Identity
  142. }
  143. func TestLoadS3ApiConfiguration(t *testing.T) {
  144. specifiedAccount := Account{
  145. Id: "specifiedAccountID",
  146. DisplayName: "specifiedAccountName",
  147. EmailAddress: "specifiedAccounEmail@example.com",
  148. }
  149. pbSpecifiedAccount := iam_pb.Account{
  150. Id: "specifiedAccountID",
  151. DisplayName: "specifiedAccountName",
  152. EmailAddress: "specifiedAccounEmail@example.com",
  153. }
  154. testCases := map[string]*LoadS3ApiConfigurationTestCase{
  155. "notSpecifyAccountId": {
  156. pbIdent: &iam_pb.Identity{
  157. Name: "notSpecifyAccountId",
  158. Actions: []string{
  159. "Read",
  160. "Write",
  161. },
  162. Credentials: []*iam_pb.Credential{
  163. {
  164. AccessKey: "some_access_key1",
  165. SecretKey: "some_secret_key2",
  166. },
  167. },
  168. },
  169. expectIdent: &Identity{
  170. Name: "notSpecifyAccountId",
  171. Account: &AccountAdmin,
  172. Actions: []Action{
  173. "Read",
  174. "Write",
  175. },
  176. Credentials: []*Credential{
  177. {
  178. AccessKey: "some_access_key1",
  179. SecretKey: "some_secret_key2",
  180. },
  181. },
  182. },
  183. },
  184. "specifiedAccountID": {
  185. pbAccount: &pbSpecifiedAccount,
  186. pbIdent: &iam_pb.Identity{
  187. Name: "specifiedAccountID",
  188. Account: &pbSpecifiedAccount,
  189. Actions: []string{
  190. "Read",
  191. "Write",
  192. },
  193. },
  194. expectIdent: &Identity{
  195. Name: "specifiedAccountID",
  196. Account: &specifiedAccount,
  197. Actions: []Action{
  198. "Read",
  199. "Write",
  200. },
  201. },
  202. },
  203. "anonymous": {
  204. pbIdent: &iam_pb.Identity{
  205. Name: "anonymous",
  206. Actions: []string{
  207. "Read",
  208. "Write",
  209. },
  210. },
  211. expectIdent: &Identity{
  212. Name: "anonymous",
  213. Account: &AccountAnonymous,
  214. Actions: []Action{
  215. "Read",
  216. "Write",
  217. },
  218. },
  219. },
  220. }
  221. config := &iam_pb.S3ApiConfiguration{
  222. Identities: make([]*iam_pb.Identity, 0),
  223. }
  224. for _, v := range testCases {
  225. config.Identities = append(config.Identities, v.pbIdent)
  226. if v.pbAccount != nil {
  227. config.Accounts = append(config.Accounts, v.pbAccount)
  228. }
  229. }
  230. iam := IdentityAccessManagement{}
  231. err := iam.loadS3ApiConfiguration(config)
  232. if err != nil {
  233. return
  234. }
  235. for _, ident := range iam.identities {
  236. tc := testCases[ident.Name]
  237. if !reflect.DeepEqual(ident, tc.expectIdent) {
  238. t.Errorf("not expect for ident name %s", ident.Name)
  239. }
  240. }
  241. }