123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 |
- package s3api
- import (
- . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
- "github.com/stretchr/testify/assert"
- "testing"
- jsonpb "google.golang.org/protobuf/encoding/protojson"
- "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
- )
- func TestIdentityListFileFormat(t *testing.T) {
- s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
- identity1 := &iam_pb.Identity{
- Name: "some_name",
- Credentials: []*iam_pb.Credential{
- {
- AccessKey: "some_access_key1",
- SecretKey: "some_secret_key2",
- },
- },
- Actions: []string{
- ACTION_ADMIN,
- ACTION_READ,
- ACTION_WRITE,
- },
- }
- identity2 := &iam_pb.Identity{
- Name: "some_read_only_user",
- Credentials: []*iam_pb.Credential{
- {
- AccessKey: "some_access_key1",
- SecretKey: "some_secret_key1",
- },
- },
- Actions: []string{
- ACTION_READ,
- },
- }
- identity3 := &iam_pb.Identity{
- Name: "some_normal_user",
- Credentials: []*iam_pb.Credential{
- {
- AccessKey: "some_access_key2",
- SecretKey: "some_secret_key2",
- },
- },
- Actions: []string{
- ACTION_READ,
- ACTION_WRITE,
- },
- }
- s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity1)
- s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity2)
- s3ApiConfiguration.Identities = append(s3ApiConfiguration.Identities, identity3)
- m := jsonpb.MarshalOptions{
- EmitUnpopulated: true,
- Indent: " ",
- }
- text, _ := m.Marshal(s3ApiConfiguration)
- println(string(text))
- }
- func TestCanDo(t *testing.T) {
- ident1 := &Identity{
- Name: "anything",
- Actions: []Action{
- "Write:bucket1/a/b/c/*",
- "Write:bucket1/a/b/other",
- },
- }
- // object specific
- assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
- assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
- // bucket specific
- ident2 := &Identity{
- Name: "anything",
- Actions: []Action{
- "Read:bucket1",
- "Write:bucket1/*",
- },
- }
- assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
- assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
- assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
- // across buckets
- ident3 := &Identity{
- Name: "anything",
- Actions: []Action{
- "Read",
- "Write",
- },
- }
- assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
- assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
- assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
- // partial buckets
- ident4 := &Identity{
- Name: "anything",
- Actions: []Action{
- "Read:special_*",
- },
- }
- assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
- assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
- // admin buckets
- ident5 := &Identity{
- Name: "anything",
- Actions: []Action{
- "Admin:special_*",
- },
- }
- assert.Equal(t, true, ident5.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
- assert.Equal(t, true, ident5.canDo(ACTION_WRITE, "special_bucket", "/a/b/c/d.txt"))
- }
|