seaweedfs/weed/s3api/s3api_acl_helper_test.go

package s3api

import (
	"bytes"
	"encoding/json"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/s3"
	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
	"io"
	"net/http"
	"testing"
)

var accountManager *IdentityAccessManagement

func init() {
	accountManager = &IdentityAccessManagement{}
	_ = accountManager.loadS3ApiConfiguration(&iam_pb.S3ApiConfiguration{
		Accounts: []*iam_pb.Account{
			{
				Id:           "accountA",
				DisplayName:  "accountAName",
				EmailAddress: "accountA@example.com",
			},
			{
				Id:           "accountB",
				DisplayName:  "accountBName",
				EmailAddress: "accountB@example.com",
			},
		},
	})
}

func TestGetAccountId(t *testing.T) {
	req := &http.Request{
		Header: make(map[string][]string),
	}
	//case1
	//accountId: "admin"
	req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAdminId)
	if GetAccountId(req) != s3_constants.AccountAdminId {
		t.Fatal("expect accountId: admin")
	}

	//case2
	//accountId: "anoymous"
	req.Header.Set(s3_constants.AmzAccountId, s3_constants.AccountAnonymousId)
	if GetAccountId(req) != s3_constants.AccountAnonymousId {
		t.Fatal("expect accountId: anonymous")
	}

	//case3
	//accountId is nil => "anonymous"
	req.Header.Del(s3_constants.AmzAccountId)
	if GetAccountId(req) != s3_constants.AccountAnonymousId {
		t.Fatal("expect accountId: anonymous")
	}
}

func TestExtractAcl(t *testing.T) {
	type Case struct {
		id                           int
		resultErrCode, expectErrCode s3err.ErrorCode
		resultGrants, expectGrants   []*s3.Grant
	}
	testCases := make([]*Case, 0)
	accountAdminId := "admin"
	{
		//case1 (good case)
		//parse acp from request body
		req := &http.Request{
			Header: make(map[string][]string),
		}
		req.Body = io.NopCloser(bytes.NewReader([]byte(`
	<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
		<Owner>
			<ID>admin</ID>
			<DisplayName>admin</DisplayName>
		</Owner>
		<AccessControlList>
			<Grant>
				<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
					<ID>admin</ID>
				</Grantee>
				<Permission>FULL_CONTROL</Permission>
			</Grant>
			<Grant>
				<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
					<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
				</Grantee>
				<Permission>FULL_CONTROL</Permission>
			</Grant>
		</AccessControlList>
	</AccessControlPolicy>
	`)))
		objectWriter := "accountA"
		grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			1,
			errCode, s3err.ErrNone,
			grants, []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &accountAdminId,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeGroup,
						URI:  &s3_constants.GranteeGroupAllUsers,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		//case2 (good case)
		//parse acp from header (cannedAcl)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		req.Body = nil
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
		objectWriter := "accountA"
		grants, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			2,
			errCode, s3err.ErrNone,
			grants, []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &objectWriter,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}

	{
		//case3 (bad case)
		//parse acp from request body (content is invalid)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		req.Body = io.NopCloser(bytes.NewReader([]byte("zdfsaf")))
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclPrivate)
		objectWriter := "accountA"
		_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, accountAdminId, objectWriter)
		testCases = append(testCases, &Case{
			id:            3,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	//case4 (bad case)
	//parse acp from header (cannedAcl is invalid)
	req := &http.Request{
		Header: make(map[string][]string),
	}
	req.Body = nil
	req.Header.Set(s3_constants.AmzCannedAcl, "dfaksjfk")
	objectWriter := "accountA"
	_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, "", objectWriter)
	testCases = append(testCases, &Case{
		id:            4,
		resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
	})

	{
		//case5 (bad case)
		//parse acp from request body: owner is inconsistent
		req.Body = io.NopCloser(bytes.NewReader([]byte(`
	<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
		<Owner>
			<ID>admin</ID>
			<DisplayName>admin</DisplayName>
		</Owner>
		<AccessControlList>
			<Grant>
				<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
					<ID>admin</ID>
				</Grantee>
				<Permission>FULL_CONTROL</Permission>
			</Grant>
			<Grant>
				<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
					<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
				</Grantee>
				<Permission>FULL_CONTROL</Permission>
			</Grant>
		</AccessControlList>
	</AccessControlPolicy>
	`)))
		objectWriter = "accountA"
		_, errCode := ExtractAcl(req, accountManager, s3_constants.OwnershipObjectWriter, accountAdminId, objectWriter, objectWriter)
		testCases = append(testCases, &Case{
			id:            5,
			resultErrCode: errCode, expectErrCode: s3err.ErrAccessDenied,
		})
	}

	for _, tc := range testCases {
		if tc.resultErrCode != tc.expectErrCode {
			t.Fatalf("case[%d]: errorCode not expect", tc.id)
		}
		if !grantsEquals(tc.resultGrants, tc.expectGrants) {
			t.Fatalf("case[%d]: grants not expect", tc.id)
		}
	}
}

func TestParseAndValidateAclHeaders(t *testing.T) {
	type Case struct {
		id                           int
		resultOwner, expectOwner     string
		resultErrCode, expectErrCode s3err.ErrorCode
		resultGrants, expectGrants   []*s3.Grant
	}
	testCases := make([]*Case, 0)
	bucketOwner := "admin"

	{
		//case1 (good case)
		//parse custom acl
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="anonymous", emailAddress="admin@example.com"`)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			1,
			ownerId, objectWriter,
			errCode, s3err.ErrNone,
			grants, []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeGroup,
						URI:  &s3_constants.GranteeGroupAllUsers,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   aws.String(s3_constants.AccountAnonymousId),
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   aws.String(s3_constants.AccountAdminId),
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}
	{
		//case2 (good case)
		//parse canned acl (ownership=ObjectWriter)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			2,
			ownerId, objectWriter,
			errCode, s3err.ErrNone,
			grants, []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &objectWriter,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &bucketOwner,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}
	{
		//case3 (good case)
		//parse canned acl (ownership=OwnershipBucketOwnerPreferred)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzCannedAcl, s3_constants.CannedAclBucketOwnerFullControl)
		ownerId, grants, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipBucketOwnerPreferred, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			3,
			ownerId, bucketOwner,
			errCode, s3err.ErrNone,
			grants, []*s3.Grant{
				{
					Grantee: &s3.Grantee{
						Type: &s3_constants.GrantTypeCanonicalUser,
						ID:   &bucketOwner,
					},
					Permission: &s3_constants.PermissionFullControl,
				},
			},
		})
	}
	{
		//case4 (bad case)
		//parse custom acl (grantee id not exists)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzAclFullControl, `uri="http://acs.amazonaws.com/groups/global/AllUsers", id="notExistsAccount", emailAddress="admin@example.com"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            4,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		//case5 (bad case)
		//parse custom acl (invalid format)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzAclFullControl, `uri="http:sfasf"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            5,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	{
		//case6 (bad case)
		//parse canned acl (invalid value)
		req := &http.Request{
			Header: make(map[string][]string),
		}
		objectWriter := "accountA"
		req.Header.Set(s3_constants.AmzCannedAcl, `uri="http:sfasf"`)
		_, _, errCode := ParseAndValidateAclHeaders(req, accountManager, s3_constants.OwnershipObjectWriter, bucketOwner, objectWriter, false)
		testCases = append(testCases, &Case{
			id:            5,
			resultErrCode: errCode, expectErrCode: s3err.ErrInvalidRequest,
		})
	}

	for _, tc := range testCases {
		if tc.expectErrCode != tc.resultErrCode {
			t.Errorf("case[%d]: errCode unexpect", tc.id)
		}
		if tc.resultOwner != tc.expectOwner {
			t.Errorf("case[%d]: ownerId unexpect", tc.id)
		}
		if !grantsEquals(tc.resultGrants, tc.expectGrants) {
			t.Fatalf("case[%d]: grants not expect", tc.id)
		}
	}
}

func grantsEquals(a, b []*s3.Grant) bool {
	if len(a) != len(b) {
		return false
	}
	for i, grant := range a {
		if !GrantEquals(grant, b[i]) {
			return false
		}
	}
	return true
}

func TestDetermineReqGrants(t *testing.T) {
	{
		//case1: request account is anonymous
		accountId := s3_constants.AccountAnonymousId
		reqPermission := s3_constants.PermissionRead

		resultGrants := DetermineReqGrants(accountId, reqPermission)
		expectGrants := []*s3.Grant{
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAllUsers,
				},
				Permission: &reqPermission,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAllUsers,
				},
				Permission: &s3_constants.PermissionFullControl,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeCanonicalUser,
					ID:   &accountId,
				},
				Permission: &reqPermission,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeCanonicalUser,
					ID:   &accountId,
				},
				Permission: &s3_constants.PermissionFullControl,
			},
		}
		if !grantsEquals(resultGrants, expectGrants) {
			t.Fatalf("grants not expect")
		}
	}
	{
		//case2: request account is not anonymous (Iam authed)
		accountId := "accountX"
		reqPermission := s3_constants.PermissionRead

		resultGrants := DetermineReqGrants(accountId, reqPermission)
		expectGrants := []*s3.Grant{
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAllUsers,
				},
				Permission: &reqPermission,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAllUsers,
				},
				Permission: &s3_constants.PermissionFullControl,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeCanonicalUser,
					ID:   &accountId,
				},
				Permission: &reqPermission,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeCanonicalUser,
					ID:   &accountId,
				},
				Permission: &s3_constants.PermissionFullControl,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAuthenticatedUsers,
				},
				Permission: &reqPermission,
			},
			{
				Grantee: &s3.Grantee{
					Type: &s3_constants.GrantTypeGroup,
					URI:  &s3_constants.GranteeGroupAuthenticatedUsers,
				},
				Permission: &s3_constants.PermissionFullControl,
			},
		}
		if !grantsEquals(resultGrants, expectGrants) {
			t.Fatalf("grants not expect")
		}
	}
}

func TestAssembleEntryWithAcp(t *testing.T) {
	defaultOwner := "admin"

	//case1
	//assemble with non-empty grants
	expectOwner := "accountS"
	expectGrants := []*s3.Grant{
		{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		},
	}
	entry := &filer_pb.Entry{}
	AssembleEntryWithAcp(entry, expectOwner, expectGrants)

	resultOwner := GetAcpOwner(entry.Extended, defaultOwner)
	if resultOwner != expectOwner {
		t.Fatalf("owner not expect")
	}

	resultGrants := GetAcpGrants(entry.Extended)
	if !grantsEquals(resultGrants, expectGrants) {
		t.Fatal("grants not expect")
	}

	//case2
	//assemble with empty grants (override)
	AssembleEntryWithAcp(entry, "", nil)
	resultOwner = GetAcpOwner(entry.Extended, defaultOwner)
	if resultOwner != defaultOwner {
		t.Fatalf("owner not expect")
	}

	resultGrants = GetAcpGrants(entry.Extended)
	if len(resultGrants) != 0 {
		t.Fatal("grants not expect")
	}

}

func TestGrantEquals(t *testing.T) {
	testCases := map[bool]bool{
		GrantEquals(nil, nil): true,

		GrantEquals(&s3.Grant{}, nil): false,

		GrantEquals(&s3.Grant{}, &s3.Grant{}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
		}, &s3.Grant{}): false,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee:    &s3.Grantee{},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee:    &s3.Grantee{},
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee:    &s3.Grantee{},
		}): false,

		//type not present, compare other fields of grant is meaningless
		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				ID: aws.String(s3_constants.AccountAdminId),
				//EmailAddress: &s3account.AccountAdmin.EmailAddress,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				ID: aws.String(s3_constants.AccountAdminId),
			},
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
			},
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionWrite,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}): false,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
			},
		}): true,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
			},
		}): false,

		GrantEquals(&s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}, &s3.Grant{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		}): true,
	}

	for tc, expect := range testCases {
		if tc != expect {
			t.Fatal("TestGrantEquals not expect!")
		}
	}
}

func TestSetAcpOwnerHeader(t *testing.T) {
	ownerId := "accountZ"
	req := &http.Request{
		Header: make(map[string][]string),
	}
	SetAcpOwnerHeader(req, ownerId)

	if req.Header.Get(s3_constants.ExtAmzOwnerKey) != ownerId {
		t.Fatalf("owner unexpect")
	}
}

func TestSetAcpGrantsHeader(t *testing.T) {
	req := &http.Request{
		Header: make(map[string][]string),
	}
	grants := []*s3.Grant{
		{
			Permission: &s3_constants.PermissionRead,
			Grantee: &s3.Grantee{
				Type: &s3_constants.GrantTypeGroup,
				ID:   aws.String(s3_constants.AccountAdminId),
				URI:  &s3_constants.GranteeGroupAllUsers,
			},
		},
	}
	SetAcpGrantsHeader(req, grants)

	grantsJson, _ := json.Marshal(grants)
	if req.Header.Get(s3_constants.ExtAmzAclKey) != string(grantsJson) {
		t.Fatalf("owner unexpect")
	}
}