test: Put/GetBucketPolicy test, user, log updates

versity · Nov 28, 2024 · ba3800e · ba3800e
1 parent d93a4bb
commit ba3800e
Show file tree

Hide file tree

Showing 6 changed files with 99 additions and 37 deletions.
diff --git a/tests/logger.sh b/tests/logger.sh
@@ -129,8 +129,10 @@ log_message() {
     return 1
   fi
   now="$(date "+%Y-%m-%d %H:%M:%S")"
-  echo "$now $1 $2"
+  if [[ ( "$1" == "CRIT" ) || ( "$1" == "ERROR" ) ]]; then
+    echo "$now $1 $2" >&2
+  fi
   if [[ -n "$TEST_LOG_FILE" ]]; then
-    echo "$now $1 $2" >> "$TEST_LOG_FILE"
+    echo "$now $1 $2" >> "$TEST_FILE_FOLDER/log.tmp"
   fi
 }
diff --git a/tests/setup.sh b/tests/setup.sh
@@ -27,6 +27,13 @@ source ./tests/versity.sh
 setup() {
   base_setup
 
+  if [ -n "$TEST_LOG_FILE" ]; then
+    if [ -e "$TEST_FILE_FOLDER/log.tmp" ]; then
+      rm "$TEST_FILE_FOLDER/log.tmp"
+    fi
+    touch "$TEST_FILE_FOLDER/log.tmp"
+  fi
+
   log 4 "Running test $BATS_TEST_NAME"
   if [[ $LOG_LEVEL -ge 5 ]] || [[ -n "$TIME_LOG" ]]; then
     start_time=$(date +%s)
@@ -60,7 +67,11 @@ teardown() {
   if [[ ( "$BATS_TEST_COMPLETED" -ne 1 ) && ( -e "$COMMAND_LOG" ) ]]; then
     cat "$COMMAND_LOG"
     echo "**********************************************************************************"
+    echo "********************************** LOG *******************************************"
+    cat "$TEST_FILE_FOLDER/log.tmp"
+    echo "**********************************************************************************"
   fi
+  cat "$TEST_FILE_FOLDER/log.tmp" >> "$TEST_LOG_FILE"
   # shellcheck disable=SC2154
   if ! bucket_cleanup_if_bucket_exists "s3api" "$BUCKET_ONE_NAME"; then
     log 3 "error deleting bucket $BUCKET_ONE_NAME or contents"

diff --git a/tests/test_rest.sh b/tests/test_rest.sh
@@ -430,9 +430,16 @@ export RUN_USERS=true
   run setup_bucket "s3api" "$BUCKET_ONE_NAME"
   assert_success
 
+  run setup_user_versitygw_or_direct "$USERNAME_ONE" "$PASSWORD_ONE" "user" "$BUCKET_ONE_NAME"
+  assert_success
+  log 5 "username: ${lines[0]}"
+  log 5 "password: ${lines[1]}"
+
+  sleep 5
+
   run setup_policy_with_single_statement "$TEST_FILE_FOLDER/policy_file.txt" "2012-10-17" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
   assert_success
 
-  run put_and_check_policy_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/policy_file.txt"
+  run put_and_check_policy_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/policy_file.txt" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
   assert_success
 }
diff --git a/tests/test_s3api_policy_multipart.sh b/tests/test_s3api_policy_multipart.sh
@@ -28,18 +28,18 @@ test_s3api_policy_abort_multipart_upload() {
   run setup_bucket "s3api" "$BUCKET_ONE_NAME"
   assert_success
 
+  principal="$username"
   if [[ $DIRECT == "true" ]]; then
     setup_user_direct "$username" "user" "$BUCKET_ONE_NAME" || fail "error setting up direct user $username"
-    principal="{\"AWS\": \"arn:aws:iam::$DIRECT_AWS_USER_ID:user/$username\"}"
     # shellcheck disable=SC2154
     username=$key_id
     # shellcheck disable=SC2154
     password=$secret_key
   else
     password=$PASSWORD_ONE
     setup_user "$username" "$password" "user" || fail "error setting up user $username"
-    principal="\"$username\""
   fi
+  principal="$USERNAME_ONE"
 
   setup_policy_with_double_statement "$TEST_FILE_FOLDER/$policy_file" "2012-10-17" \
     "Allow" "$principal" "s3:PutObject" "arn:aws:s3:::$BUCKET_ONE_NAME/*" \

diff --git a/tests/util/util_policy.sh b/tests/util/util_policy.sh
@@ -50,7 +50,7 @@ get_modified_principal() {
   fi
   IFS=',' read -r -a principals <<< "$1"
   modified_principal=""
-  if [ "${#principals}" -gt 1 ]; then
+  if [ "${#principals[@]}" -gt 1 ]; then
     modified_principal="["
   fi
   for ((idx=0; idx<${#principals[@]}; idx++)); do
@@ -64,11 +64,11 @@ get_modified_principal() {
       # shellcheck disable=SC2089
       modified_principal+="\"${principals[$idx]}\""
     fi
-    if [[ ( "${#principals}" -gt 1 ) && ( $idx -lt ${#principals[@]}-1 ) ]]; then
+    if [[ ( "${#principals[@]}" -gt 1 ) && ( $idx -lt ${#principals[@]}-1 ) ]]; then
       modified_principal+=","
     fi
   done
-  if [ "${#principals}" -gt 1 ]; then
+  if [ "${#principals[@]}" -gt 1 ]; then
     modified_principal+="]"
   fi
   log 5 "modified principal: $modified_principal"
@@ -175,50 +175,63 @@ get_and_check_policy() {
 
   # shellcheck disable=SC2154
   log 5 "POLICY:  $bucket_policy"
-  if ! statement=$(echo "$bucket_policy" | jq -r '.Statement[0]' 2>&1); then
+  if ! check_policy "$bucket_policy" "$3" "$4" "$5" "$6"; then
+    log 2 "error checking policy"
+    return 1
+  fi
+  return 0
+}
+
+check_policy() {
+  if [ $# -ne 5 ]; then
+    log 2 "'check_policy' requires policy, expected effect, policy, action, resource"
+    return 1
+  fi
+  log 5 "policy: $1"
+  if ! statement=$(echo -n "$1" | jq -r '.Statement[0]' 2>&1); then
     log 2 "error getting statement value: $statement"
     return 1
   fi
   if ! returned_effect=$(echo "$statement" | jq -r '.Effect' 2>&1); then
     log 2 "error getting effect: $returned_effect"
     return 1
   fi
-  if [[ "$3" != "$returned_effect" ]]; then
-    log 2 "effect mismatch (expected '$3', actual '$returned_effect')"
+  if [[ "$2" != "$returned_effect" ]]; then
+    log 2 "effect mismatch (expected '$2', actual '$returned_effect')"
     return 1
   fi
   if ! returned_principal=$(echo "$statement" | jq -r '.Principal' 2>&1); then
     log 2 "error getting principal: $returned_principal"
     return 1
   fi
   if [[ -n $DIRECT ]] && arn=$(echo "$returned_principal" | jq -r '.AWS' 2>&1); then
-    if [[ $arn != "arn:aws:iam::$DIRECT_AWS_USER_ID:user/$DIRECT_S3_ROOT_ACCOUNT_NAME" ]]; then
-      log 2 "arn mismatch"
+    if [[ $arn != "$3" ]]; then
+      log 2 "arn mismatch (expected '$3', actual '$arn')"
       return 1
     fi
   else
-    if [[ "$4" != "$returned_principal" ]]; then
-      log 2 "principal mismatch (expected '$4', actual '$returned_principal')"
+    if [[ "$3" != "$returned_principal" ]]; then
+      log 2 "principal mismatch (expected '$3', actual '$returned_principal')"
       return 1
     fi
   fi
   if ! returned_action=$(echo "$statement" | jq -r '.Action' 2>&1); then
     log 2 "error getting action: $returned_action"
     return 1
   fi
-  if [[ "$5" != "$returned_action" ]]; then
-    log 2 "action mismatch (expected '$5', actual '$returned_action')"
+  if [[ "$4" != "$returned_action" ]]; then
+    log 2 "action mismatch (expected '$4', actual '$returned_action')"
     return 1
   fi
   if ! returned_resource=$(echo "$statement" | jq -r '.Resource' 2>&1); then
     log 2 "error getting resource: $returned_resource"
     return 1
   fi
-  if [[ "$6" != "$returned_resource" ]]; then
-    log 2 "resource mismatch (expected '$6', actual '$returned_resource')"
+  if [[ "$5" != "$returned_resource" ]]; then
+    log 2 "resource mismatch (expected '$5', actual '$returned_resource')"
     return 1
   fi
-  return 0
+    return 0
 }
 
 put_and_check_for_malformed_policy() {
@@ -273,7 +286,7 @@ get_and_compare_policy_with_file() {
     return 1
   fi
   # shellcheck disable=SC2154
-  echo "$bucket_policy" > "$4-copy"
+  echo -n "$bucket_policy" > "$4-copy"
   log 5 "ORIG: $(cat "$4")"
   log 5 "COPY: $(cat "$4-copy")"
   if ! compare_files "$4" "$4-copy"; then
@@ -284,17 +297,17 @@ get_and_compare_policy_with_file() {
 }
 
 put_and_check_policy_rest() {
-  if [ $# -ne 2 ]; then
-    log 2 "'put_policy_rest' requires bucket name, policy file"
+  if [ $# -ne 6 ]; then
+    log 2 "'put_policy_rest' requires bucket name, policy file, effect, principal, action, resource"
     return 1
   fi
   if ! result=$(COMMAND_LOG="$COMMAND_LOG" BUCKET_NAME="$1" POLICY_FILE="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/result.txt" ./tests/rest_scripts/put_bucket_policy.sh); then
     log 2 "error putting policy: $result"
     return 1
   fi
   log 5 "response code: $result"
-  if [ "$result" != "200" ]; then
-    log 2 "unexpected response code, expected '200', actual '$result'"
+  if [[ ( "$result" != "204" ) && ( "$result" != "200" ) ]]; then
+    log 2 "unexpected response code, expected '200' or '204', actual '$result' (reply: $(cat "$TEST_FILE_FOLDER/result.txt"))"
     return 1
   fi
   log 5 "response: $(cat "$TEST_FILE_FOLDER/result.txt")"
@@ -303,12 +316,17 @@ put_and_check_policy_rest() {
     return 1
   fi
   if [ "$result" != "200" ]; then
-    log 2 "unexpected response code, expected '200', actual '$result'"
+    log 2 "unexpected response code, expected '200', actual '$result' (reply: $(cat "$TEST_FILE_FOLDER/policy.txt"))"
     return 1
   fi
   log 5 "policy: $(cat "$TEST_FILE_FOLDER/policy.txt")"
-  if ! compare_files "$TEST_FILE_FOLDER/policy.txt" "$2"; then
-    log 2 "policies not equal (one: $(cat "$TEST_FILE_FOLDER/policy.txt"), two: $(cat "$2"))"
+  if [ "$DIRECT" == "true" ]; then
+    principal="arn:aws:iam::$DIRECT_AWS_USER_ID:user/$4"
+  else
+    principal="$4"
+  fi
+  if ! check_policy "$(cat "$TEST_FILE_FOLDER/policy.txt")" "$3" "$principal" "$5" "$6"; then
+    log 2 "policies not equal"
     return 1
   fi
   return 0

diff --git a/tests/util/util_users.sh b/tests/util/util_users.sh
@@ -53,6 +53,30 @@ setup_user_direct() {
   return 0
 }
 
+setup_user_versitygw_or_direct() {
+  if [ $# -ne 4 ]; then
+    # NOTE:  bucket name is required for direct
+    log 2 "'setup_user_versitygw_or_direct' requires username, password, role, bucket name"
+    return 1
+  fi
+  if [ "$DIRECT" != "true" ]; then
+    if ! setup_user "$1" "$2" "$3"; then
+      log 2 "error setting up versitygw user"
+      return 1
+    fi
+    echo "$1"
+    echo "$2"
+  else
+    if ! setup_user_direct "$1" "$3" "$4"; then
+      log 2 "error setting up direct user"
+      return 1
+    fi
+    echo "$key_id"
+    echo "$secret_key"
+  fi
+  return 0
+}
+
 create_user_versitygw() {
   log 6 "create_user_versitygw"
   if [[ $# -ne 3 ]]; then
@@ -117,7 +141,7 @@ put_user_policy_userplus() {
   ]
 }
 EOF
-  if ! error=$(send_command aws iam put-user-policy --user-name "$1" --policy-name "UserPolicy" --policy-document "file://$TEST_FILE_FOLDER/user_policy_file" 2>&1); then
+  if ! error=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam put-user-policy --user-name "$1" --policy-name "UserPolicy" --policy-document "file://$TEST_FILE_FOLDER/user_policy_file" 2>&1); then
     log 2 "error putting user policy: $error"
     return 1
   fi
@@ -154,15 +178,15 @@ create_user_direct() {
     log 2 "create user direct command requires desired username, role, bucket name"
     return 1
   fi
-  if ! error=$(send_command aws iam create-user --user-name "$1" 2>&1); then
+  if ! error=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam create-user --user-name "$1" 2>&1); then
     log 2 "error creating new user: $error"
     return 1
   fi
   if ! put_user_policy "$1" "$2" "$3"; then
     log 2 "error attaching user policy"
     return 1
   fi
-  if ! keys=$(send_command aws iam create-access-key --user-name "$1" 2>&1); then
+  if ! keys=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam create-access-key --user-name "$1" 2>&1); then
     log 2 "error creating keys for new user: $keys"
     return 1
   fi
@@ -193,7 +217,7 @@ create_user_with_user() {
 list_users_direct() {
   log 6 "list_users_direct"
   # AWS_ENDPOINT_URL of s3.amazonaws.com doesn't work here
-  if ! users=$(send_command aws --profile="$AWS_PROFILE" iam list-users 2>&1); then
+  if ! users=$(send_command aws --profile="$AWS_PROFILE" --endpoint-url=https://iam.amazonaws.com iam list-users 2>&1); then
     log 2 "error listing users via direct s3 call: $users"
     return 1
   fi
@@ -266,17 +290,17 @@ delete_user_direct() {
     log 2 "delete user direct command requires username"
     return 1
   fi
-  if ! policies=$(send_command aws iam list-user-policies --user-name "$1" --query 'PolicyNames' --output text 2>&1); then
+  if ! policies=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam list-user-policies --user-name "$1" --query 'PolicyNames' --output text 2>&1); then
     log 2 "error getting user policies: $error"
     return 1
   fi
   for policy_name in $policies; do
-    if ! user_policy_delete_error=$(send_command aws iam delete-user-policy --user-name "$1" --policy-name "$policy_name" 2>&1); then
+    if ! user_policy_delete_error=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam delete-user-policy --user-name "$1" --policy-name "$policy_name" 2>&1); then
       log 2 "error deleting user policy: $user_policy_delete_error"
       return 1
     fi
   done
-  if ! keys=$(send_command aws iam list-access-keys --user-name "$1" 2>&1); then
+  if ! keys=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam list-access-keys --user-name "$1" 2>&1); then
     log 2 "error getting keys: $keys"
     return 1
   fi
@@ -285,12 +309,12 @@ delete_user_direct() {
     return 1
   fi
   if [[ $key != "null" ]]; then
-    if ! error=$(send_command aws iam delete-access-key --user-name "$1" --access-key-id "$key" 2>&1); then
+    if ! error=$(send_command aws --endpoint-url=https://iam.amazonaws.com iam delete-access-key --user-name "$1" --access-key-id "$key" 2>&1); then
       log 2 "error deleting access key: $error"
       return 1
     fi
   fi
-  if ! error=$(send_command aws --profile="$AWS_PROFILE" iam delete-user --user-name "$1" 2>&1); then
+  if ! error=$(send_command aws --endpoint-url=https://iam.amazonaws.com --profile="$AWS_PROFILE" iam delete-user --user-name "$1" 2>&1); then
     log 2 "error deleting user: $error"
     return 1
   fi