auth_credentials_test.go 6.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. package s3api
  2. import (
  3. . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  4. "github.com/stretchr/testify/assert"
  5. "reflect"
  6. "testing"
  7. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  8. jsonpb "google.golang.org/protobuf/encoding/protojson"
  9. )
  10. func TestIdentityListFileFormat(t *testing.T) {
  11. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  12. identity1 := &iam_pb.Identity{
  13. Name: "some_name",
  14. Credentials: []*iam_pb.Credential{
  15. {
  16. AccessKey: "some_access_key1",
  17. SecretKey: "some_secret_key2",
  18. },
  19. },
  20. Actions: []string{
  21. ACTION_ADMIN,
  22. ACTION_READ,
  23. ACTION_WRITE,
  24. },
  25. }
  26. identity2 := &iam_pb.Identity{
  27. Name: "some_read_only_user",
  28. Credentials: []*iam_pb.Credential{
  29. {
  30. AccessKey: "some_access_key1",
  31. SecretKey: "some_secret_key1",
  32. },
  33. },
  34. Actions: []string{
  35. ACTION_READ,
  36. },
  37. }
  38. identity3 := &iam_pb.Identity{
  39. Name: "some_normal_user",
  40. Credentials: []*iam_pb.Credential{
  41. {
  42. AccessKey: "some_access_key2",
  43. SecretKey: "some_secret_key2",
  44. },
  45. },
  46. Actions: []string{
  47. ACTION_READ,
  48. ACTION_WRITE,
  49. },
  50. }
  51. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
  52. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
  53. s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
  54. m := jsonpb.MarshalOptions{
  55. EmitUnpopulated: true,
  56. Indent: " ",
  57. }
  58. text, _ := m.Marshal(s3ApiConfiguration)
  59. println(string(text))
  60. }
  61. func TestCanDo(t *testing.T) {
  62. ident1 := &Identity{
  63. Name: "anything",
  64. Actions: []Action{
  65. "Write:bucket1/a/b/c/*",
  66. "Write:bucket1/a/b/other",
  67. },
  68. }
  69. // object specific
  70. assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  71. assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
  72. // bucket specific
  73. ident2 := &Identity{
  74. Name: "anything",
  75. Actions: []Action{
  76. "Read:bucket1",
  77. "Write:bucket1/*",
  78. "WriteAcp:bucket1",
  79. },
  80. }
  81. assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  82. assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  83. assert.Equal(t, true, ident2.canDo(ACTION_WRITE_ACP, "bucket1", ""))
  84. assert.Equal(t, false, ident2.canDo(ACTION_READ_ACP, "bucket1", ""))
  85. assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
  86. // across buckets
  87. ident3 := &Identity{
  88. Name: "anything",
  89. Actions: []Action{
  90. "Read",
  91. "Write",
  92. },
  93. }
  94. assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  95. assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
  96. assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
  97. assert.Equal(t, false, ident3.canDo(ACTION_WRITE_ACP, "bucket1", ""))
  98. // partial buckets
  99. ident4 := &Identity{
  100. Name: "anything",
  101. Actions: []Action{
  102. "Read:special_*",
  103. "ReadAcp:special_*",
  104. },
  105. }
  106. assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  107. assert.Equal(t, true, ident4.canDo(ACTION_READ_ACP, "special_bucket", ""))
  108. assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
  109. // admin buckets
  110. ident5 := &Identity{
  111. Name: "anything",
  112. Actions: []Action{
  113. "Admin:special_*",
  114. },
  115. }
  116. assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
  117. assert.Equal(t, true, ident5.canDo(ACTION_READ_ACP, "special_bucket", ""))
  118. assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
  119. assert.Equal(t, true, ident5.canDo(ACTION_WRITE_ACP, "special_bucket", ""))
  120. // anonymous buckets
  121. ident6 := &Identity{
  122. Name: "anonymous",
  123. Actions: []Action{
  124. "Read",
  125. },
  126. }
  127. assert.Equal(t, true, ident6.canDo(ACTION_READ, "anything_bucket", "/a/b/c/d.txt"))
  128. }
  129. type LoadS3ApiConfigurationTestCase struct {
  130. pbAccount *iam_pb.Account
  131. pbIdent *iam_pb.Identity
  132. expectIdent *Identity
  133. }
  134. func TestLoadS3ApiConfiguration(t *testing.T) {
  135. specifiedAccount := Account{
  136. Id: "specifiedAccountID",
  137. DisplayName: "specifiedAccountName",
  138. EmailAddress: "specifiedAccounEmail@example.com",
  139. }
  140. pbSpecifiedAccount := iam_pb.Account{
  141. Id: "specifiedAccountID",
  142. DisplayName: "specifiedAccountName",
  143. EmailAddress: "specifiedAccounEmail@example.com",
  144. }
  145. testCases := map[string]*LoadS3ApiConfigurationTestCase{
  146. "notSpecifyAccountId": {
  147. pbIdent: &iam_pb.Identity{
  148. Name: "notSpecifyAccountId",
  149. Actions: []string{
  150. "Read",
  151. "Write",
  152. },
  153. Credentials: []*iam_pb.Credential{
  154. {
  155. AccessKey: "some_access_key1",
  156. SecretKey: "some_secret_key2",
  157. },
  158. },
  159. },
  160. expectIdent: &Identity{
  161. Name: "notSpecifyAccountId",
  162. Account: &AccountAdmin,
  163. Actions: []Action{
  164. "Read",
  165. "Write",
  166. },
  167. Credentials: []*Credential{
  168. {
  169. AccessKey: "some_access_key1",
  170. SecretKey: "some_secret_key2",
  171. },
  172. },
  173. },
  174. },
  175. "specifiedAccountID": {
  176. pbAccount: &pbSpecifiedAccount,
  177. pbIdent: &iam_pb.Identity{
  178. Name: "specifiedAccountID",
  179. Account: &pbSpecifiedAccount,
  180. Actions: []string{
  181. "Read",
  182. "Write",
  183. },
  184. },
  185. expectIdent: &Identity{
  186. Name: "specifiedAccountID",
  187. Account: &specifiedAccount,
  188. Actions: []Action{
  189. "Read",
  190. "Write",
  191. },
  192. },
  193. },
  194. "anonymous": {
  195. pbIdent: &iam_pb.Identity{
  196. Name: "anonymous",
  197. Actions: []string{
  198. "Read",
  199. "Write",
  200. },
  201. },
  202. expectIdent: &Identity{
  203. Name: "anonymous",
  204. Account: &AccountAnonymous,
  205. Actions: []Action{
  206. "Read",
  207. "Write",
  208. },
  209. },
  210. },
  211. }
  212. config := &iam_pb.S3ApiConfiguration{
  213. Identities: make([]*iam_pb.Identity, 0),
  214. }
  215. for _, v := range testCases {
  216. config.Identities = append(config.Identities, v.pbIdent)
  217. if v.pbAccount != nil {
  218. config.Accounts = append(config.Accounts, v.pbAccount)
  219. }
  220. }
  221. iam := IdentityAccessManagement{}
  222. err := iam.loadS3ApiConfiguration(config)
  223. if err != nil {
  224. return
  225. }
  226. for _, ident := range iam.identities {
  227. tc := testCases[ident.Name]
  228. if !reflect.DeepEqual(ident, tc.expectIdent) {
  229. t.Errorf("not expect for ident name %s", ident.Name)
  230. }
  231. }
  232. }