mirror of
https://github.com/chrislusf/seaweedfs
synced 2025-08-16 17:12:46 +02:00
33b9017b48
* fix listing objects * add more list testing * address comments * fix next marker * fix isTruncated in listing * fix tests * address tests * Update s3api_object_handlers_multipart.go * fixes * store json into bucket content, for tagging and cors * switch bucket metadata from json to proto * fix * Update s3api_bucket_config.go * fix test issue * fix test_bucket_listv2_delimiter_prefix * Update cors.go * skip special characters * passing listing * fix test_bucket_list_delimiter_prefix * ok. fix the xsd generated go code now * fix cors tests * fix test * fix test_bucket_list_unordered and test_bucket_listv2_unordered do not accept the allow-unordered and delimiter parameter combination * fix test_bucket_list_objects_anonymous and test_bucket_listv2_objects_anonymous The tests test_bucket_list_objects_anonymous and test_bucket_listv2_objects_anonymous were failing because they try to set bucket ACL to public-read, but SeaweedFS only supported private ACL. Updated PutBucketAclHandler to use the existing ExtractAcl function which already supports all standard S3 canned ACLs Replaced the hardcoded check for only private ACL with proper ACL parsing that handles public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, etc. Added unit tests to verify all standard canned ACLs are accepted * fix list unordered The test is expecting the error code to be InvalidArgument instead of InvalidRequest * allow anonymous listing( and head, get) * fix test_bucket_list_maxkeys_invalid Invalid values: max-keys=blah → Returns ErrInvalidMaxKeys (HTTP 400) * updating IsPublicRead when parsing acl * more logs * CORS Test Fix * fix test_bucket_list_return_data * default to private * fix test_bucket_list_delimiter_not_skip_special * default no acl * add debug logging * more logs * use basic http client remove logs also * fixes * debug * Update stats.go * debugging * fix anonymous test expectation anonymous user can read, as configured in s3 json.
206 lines
6.4 KiB
Go
206 lines
6.4 KiB
Go
package s3api
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/aws/aws-sdk-go/service/s3"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestPutBucketAclCannedAclSupport(t *testing.T) {
|
|
// Test that the ExtractAcl function can handle various canned ACLs
|
|
// This tests the core functionality without requiring a fully initialized S3ApiServer
|
|
|
|
testCases := []struct {
|
|
name string
|
|
cannedAcl string
|
|
shouldWork bool
|
|
description string
|
|
}{
|
|
{
|
|
name: "private",
|
|
cannedAcl: s3_constants.CannedAclPrivate,
|
|
shouldWork: true,
|
|
description: "private ACL should be accepted",
|
|
},
|
|
{
|
|
name: "public-read",
|
|
cannedAcl: s3_constants.CannedAclPublicRead,
|
|
shouldWork: true,
|
|
description: "public-read ACL should be accepted",
|
|
},
|
|
{
|
|
name: "public-read-write",
|
|
cannedAcl: s3_constants.CannedAclPublicReadWrite,
|
|
shouldWork: true,
|
|
description: "public-read-write ACL should be accepted",
|
|
},
|
|
{
|
|
name: "authenticated-read",
|
|
cannedAcl: s3_constants.CannedAclAuthenticatedRead,
|
|
shouldWork: true,
|
|
description: "authenticated-read ACL should be accepted",
|
|
},
|
|
{
|
|
name: "bucket-owner-read",
|
|
cannedAcl: s3_constants.CannedAclBucketOwnerRead,
|
|
shouldWork: true,
|
|
description: "bucket-owner-read ACL should be accepted",
|
|
},
|
|
{
|
|
name: "bucket-owner-full-control",
|
|
cannedAcl: s3_constants.CannedAclBucketOwnerFullControl,
|
|
shouldWork: true,
|
|
description: "bucket-owner-full-control ACL should be accepted",
|
|
},
|
|
{
|
|
name: "invalid-acl",
|
|
cannedAcl: "invalid-acl-value",
|
|
shouldWork: false,
|
|
description: "invalid ACL should be rejected",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
// Create a request with the specified canned ACL
|
|
req := httptest.NewRequest("PUT", "/bucket?acl", nil)
|
|
req.Header.Set(s3_constants.AmzCannedAcl, tc.cannedAcl)
|
|
req.Header.Set(s3_constants.AmzAccountId, "test-account-123")
|
|
|
|
// Create a mock IAM for testing
|
|
mockIam := &mockIamInterface{}
|
|
|
|
// Test the ACL extraction directly
|
|
grants, errCode := ExtractAcl(req, mockIam, "", "test-account-123", "test-account-123", "test-account-123")
|
|
|
|
if tc.shouldWork {
|
|
assert.Equal(t, s3err.ErrNone, errCode, "Expected ACL parsing to succeed for %s", tc.cannedAcl)
|
|
assert.NotEmpty(t, grants, "Expected grants to be generated for valid ACL %s", tc.cannedAcl)
|
|
t.Logf("✓ PASS: %s - %s", tc.name, tc.description)
|
|
} else {
|
|
assert.NotEqual(t, s3err.ErrNone, errCode, "Expected ACL parsing to fail for invalid ACL %s", tc.cannedAcl)
|
|
t.Logf("✓ PASS: %s - %s", tc.name, tc.description)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestBucketWithoutACLIsNotPublicRead tests that buckets without ACLs are not public-read
|
|
func TestBucketWithoutACLIsNotPublicRead(t *testing.T) {
|
|
// Create a bucket config without ACL (like a freshly created bucket)
|
|
config := &BucketConfig{
|
|
Name: "test-bucket",
|
|
IsPublicRead: false, // Should be explicitly false
|
|
}
|
|
|
|
// Verify that buckets without ACL are not public-read
|
|
assert.False(t, config.IsPublicRead, "Bucket without ACL should not be public-read")
|
|
}
|
|
|
|
func TestBucketConfigInitialization(t *testing.T) {
|
|
// Test that BucketConfig properly initializes IsPublicRead field
|
|
config := &BucketConfig{
|
|
Name: "test-bucket",
|
|
IsPublicRead: false, // Explicitly set to false for private buckets
|
|
}
|
|
|
|
// Verify proper initialization
|
|
assert.False(t, config.IsPublicRead, "Newly created bucket should not be public-read by default")
|
|
}
|
|
|
|
// TestUpdateBucketConfigCacheConsistency tests that updateBucketConfigCacheFromEntry
|
|
// properly handles the IsPublicRead flag consistently with getBucketConfig
|
|
func TestUpdateBucketConfigCacheConsistency(t *testing.T) {
|
|
t.Run("bucket without ACL should have IsPublicRead=false", func(t *testing.T) {
|
|
// Simulate an entry without ACL (like a freshly created bucket)
|
|
entry := &filer_pb.Entry{
|
|
Name: "test-bucket",
|
|
Attributes: &filer_pb.FuseAttributes{
|
|
FileMode: 0755,
|
|
},
|
|
// Extended is nil or doesn't contain ACL
|
|
}
|
|
|
|
// Test what updateBucketConfigCacheFromEntry would create
|
|
config := &BucketConfig{
|
|
Name: entry.Name,
|
|
Entry: entry,
|
|
IsPublicRead: false, // Should be explicitly false
|
|
}
|
|
|
|
// When Extended is nil, IsPublicRead should be false
|
|
assert.False(t, config.IsPublicRead, "Bucket without Extended metadata should not be public-read")
|
|
|
|
// When Extended exists but has no ACL key, IsPublicRead should also be false
|
|
entry.Extended = make(map[string][]byte)
|
|
entry.Extended["some-other-key"] = []byte("some-value")
|
|
|
|
config = &BucketConfig{
|
|
Name: entry.Name,
|
|
Entry: entry,
|
|
IsPublicRead: false, // Should be explicitly false
|
|
}
|
|
|
|
// Simulate the else branch: no ACL means private bucket
|
|
if _, exists := entry.Extended[s3_constants.ExtAmzAclKey]; !exists {
|
|
config.IsPublicRead = false
|
|
}
|
|
|
|
assert.False(t, config.IsPublicRead, "Bucket with Extended but no ACL should not be public-read")
|
|
})
|
|
|
|
t.Run("bucket with public-read ACL should have IsPublicRead=true", func(t *testing.T) {
|
|
// Create a mock public-read ACL using AWS S3 SDK types
|
|
publicReadGrants := []*s3.Grant{
|
|
{
|
|
Grantee: &s3.Grantee{
|
|
Type: &s3_constants.GrantTypeGroup,
|
|
URI: &s3_constants.GranteeGroupAllUsers,
|
|
},
|
|
Permission: &s3_constants.PermissionRead,
|
|
},
|
|
}
|
|
|
|
aclBytes, err := json.Marshal(publicReadGrants)
|
|
require.NoError(t, err)
|
|
|
|
entry := &filer_pb.Entry{
|
|
Name: "public-bucket",
|
|
Extended: map[string][]byte{
|
|
s3_constants.ExtAmzAclKey: aclBytes,
|
|
},
|
|
}
|
|
|
|
config := &BucketConfig{
|
|
Name: entry.Name,
|
|
Entry: entry,
|
|
IsPublicRead: false, // Start with false
|
|
}
|
|
|
|
// Simulate what updateBucketConfigCacheFromEntry would do
|
|
if acl, exists := entry.Extended[s3_constants.ExtAmzAclKey]; exists {
|
|
config.ACL = acl
|
|
config.IsPublicRead = parseAndCachePublicReadStatus(acl)
|
|
}
|
|
|
|
assert.True(t, config.IsPublicRead, "Bucket with public-read ACL should be public-read")
|
|
})
|
|
}
|
|
|
|
// mockIamInterface is a simple mock for testing
|
|
type mockIamInterface struct{}
|
|
|
|
func (m *mockIamInterface) GetAccountNameById(canonicalId string) string {
|
|
return "test-user-" + canonicalId
|
|
}
|
|
|
|
func (m *mockIamInterface) GetAccountIdByEmail(email string) string {
|
|
return "account-for-" + email
|
|
}
|