From 09463265ce4e71ca3f4c882a035328db6205e25d Mon Sep 17 00:00:00 2001
From: Karthic Rao
Date: Sat, 8 Oct 2016 13:34:26 +0530
Subject: [PATCH] tests: Adding anonymous requests tests for bucket policy handlers. (#2882)
---
 cmd/bucket-policy-handlers_test.go | 52 ++++++++++++++++++++++++++++--
 cmd/object-handlers_test.go | 32 +++++++++---------
 cmd/test-utils_test.go | 5 +++
 3 files changed, 70 insertions(+), 19 deletions(-)
diff --git a/cmd/bucket-policy-handlers_test.go b/cmd/bucket-policy-handlers_test.go
index 0ac371174..ecce8adf2 100644
--- a/cmd/bucket-policy-handlers_test.go
+++ b/cmd/bucket-policy-handlers_test.go
@@ -298,6 +298,23 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string } } + // Test for Anonymous/unsigned http request. + // Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference. + bucketPolicyStr := fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName) + // create unsigned HTTP request for PutBucketPolicyHandler. + anonReq, err := newTestRequest("PUT", getPutPolicyURL("", bucketName), + int64(len(bucketPolicyStr)), bytes.NewReader([]byte(bucketPolicyStr))) + + if err != nil { + t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": %v", + instanceType, bucketName, err) + } + + // ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse, + // sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the + // unsigned request goes through and its validated again. + ExecObjectLayerAPIAnonTest(t, "PutBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getWriteOnlyObjectStatement) + // HTTP request for testing when `objectLayer` is set to `nil`. // There is no need to use an existing bucket and valid input for creating the request // since the `objectLayer==nil` check is performed before any other checks inside the handlers. @@ -308,7 +325,7 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. 
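Review bot: The comment block above the new `ExecObjectLayerAPIAnonTest` call in testPutBucketPolicyHandler says the policy is set "so that the unsigned request goes through", which is the opposite of what this test asserts. The helper is changed in this same commit to expect 403 for any test name containing `BucketPolicyHandler`. The same comment is pasted into the testGetBucketPolicyHandler and testDeleteBucketPolicyHandler hunks, where it also names PutBucketPolicyHandler and `getWriteOnlyObjectStatement` although those calls issue GET/DELETE and pass `getReadOnlyObjectStatement`. I would replace it in all three places with `// Anonymous requests to the bucket policy API must be rejected with AccessDenied both before and after an object-level policy is set on the bucket.` so the authorization invariant being guarded is stated correctly. The enclosing function starts and ends outside the hunk.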
@@ -442,6 +459,21 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string } } + // Test for Anonymous/unsigned http request. + // Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference. + // create unsigned HTTP request for PutBucketPolicyHandler. + anonReq, err := newTestRequest("GET", getPutPolicyURL("", bucketName), 0, nil) + + if err != nil { + t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": %v", + instanceType, bucketName, err) + } + + // ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse, + // sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the + // unsigned request goes through and its validated again. + ExecObjectLayerAPIAnonTest(t, "GetBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getReadOnlyObjectStatement) + // HTTP request for testing when `objectLayer` is set to `nil`. // There is no need to use an existing bucket and valid input for creating the request // since the `objectLayer==nil` check is performed before any other checks inside the handlers. @@ -452,7 +484,7 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. 
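Review bot: The anonymous GET request in testGetBucketPolicyHandler is built with `getPutPolicyURL("", bucketName)`, and the testDeleteBucketPolicyHandler hunk does the same for DELETE. This presumably resolves to the same policy URL, but because the expected status is 403 both before and after the policy is set, the test cannot tell a handler-level denial apart from a request that was rejected elsewhere. If the test utilities have per-method URL helpers (not visible in this hunk), use the one matching the handler under test. Either way, a short comment such as `// same ?policy URL as PUT; only the method differs` would make the intent explicit. The enclosing function starts and ends outside the hunk.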
@@ -607,6 +639,20 @@ func testDeleteBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName str t.Fatalf("Case %d: Expected the response status to be `%d`, but instead found `%d`", i+1, testCase.expectedRespStatus, recV2.Code) } } + // Test for Anonymous/unsigned http request. + // Bucket policy related functions doesn't support anonymous requests, setting policies shouldn't make a difference. + // create unsigned HTTP request for PutBucketPolicyHandler. + anonReq, err := newTestRequest("DELETE", getPutPolicyURL("", bucketName), 0, nil) + + if err != nil { + t.Fatalf("Minio %s: Failed to create an anonymous request for bucket \"%s\": %v", + instanceType, bucketName, err) + } + + // ExecObjectLayerAPIAnonTest - Calls the HTTP API handler using the anonymous request, validates the ErrAccessDeniedResponse, + // sets the bucket policy using the policy statement generated from `getWriteOnlyObjectStatement` so that the + // unsigned request goes through and its validated again. + ExecObjectLayerAPIAnonTest(t, "DeleteBucketPolicyHandler", bucketName, "", instanceType, apiRouter, anonReq, getReadOnlyObjectStatement) // HTTP request for testing when `objectLayer` is set to `nil`. // There is no need to use an existing bucket and valid input for creating the request @@ -618,7 +664,7 @@ func testDeleteBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName str 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. diff --git a/cmd/object-handlers_test.go b/cmd/object-handlers_test.go index bbec2ca50..d88949334 100644 --- a/cmd/object-handlers_test.go +++ b/cmd/object-handlers_test.go 
@@ -177,7 +177,7 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a anonReq, err := newTestRequest("GET", getGetObjectURL("", bucketName, objectName), 0, nil) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, objectName, err) } @@ -197,7 +197,7 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. @@ -435,7 +435,7 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a anonReq, err := newTestRequest("PUT", getPutObjectURL("", bucketName, objectName), int64(len("hello")), bytes.NewReader([]byte("hello"))) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, objectName, err) } @@ -455,7 +455,7 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. 
@@ -614,7 +614,7 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, newCopyAnonObject := "new-anon-obj" anonReq, err := newTestRequest("PUT", getCopyObjectURL("", bucketName, newCopyAnonObject), 0, nil) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, "new-anon-obj", err) } @@ -642,7 +642,7 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, // Its necessary to set the "X-Amz-Copy-Source" header for the request to be accepted by the handler. nilReq.Header.Set("X-Amz-Copy-Source", url.QueryEscape("/"+nilBucket+"/"+nilObject)) if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. @@ -695,7 +695,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string anonReq, err := newTestRequest("POST", getNewMultipartURL("", bucketName, objectName), 0, nil) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, objectName, err) } @@ -715,7 +715,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. 
@@ -1069,7 +1069,7 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s anonReq, err := newTestRequest("POST", getCompleteMultipartUploadURL("", bucketName, objectName, uploadIDs[1]), int64(len(completeBytes)), bytes.NewReader(completeBytes)) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, objectName, err) } @@ -1091,7 +1091,7 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. @@ -1198,7 +1198,7 @@ func testAPIDeleteObjectHandler(obj ObjectLayer, instanceType, bucketName string // Test for Anonymous/unsigned http request. anonReq, err := newTestRequest("DELETE", getDeleteObjectURL("", bucketName, anonObjectName), 0, nil) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, anonObjectName, err) } @@ -1219,7 +1219,7 @@ func testAPIDeleteObjectHandler(obj ObjectLayer, instanceType, bucketName string 0, nil, "", "") if err != nil { - t.Errorf("Minio %s: Failed to create HTTP request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create HTTP request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. 
@@ -1615,7 +1615,7 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin anonReq, err := newTestRequest("PUT", getPutObjectPartURL("", bucketName, testObject, uploadIDCopy, "1"), int64(len("hello")), bytes.NewReader([]byte("hello"))) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, testObject, err) } @@ -1635,7 +1635,7 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin 0, bytes.NewReader([]byte("testNilObjLayer")), "", "") if err != nil { - t.Errorf("Minio %s: Failed to create http request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s: Failed to create http request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` manages the operation. @@ -1853,7 +1853,7 @@ func testAPIListObjectPartsHandler(obj ObjectLayer, instanceType, bucketName str anonReq, err := newTestRequest("GET", getListMultipartURLWithParams("", bucketName, testObject, uploadIDCopy, "", "", ""), 0, nil) if err != nil { - t.Fatalf("Minio %s: Failed to create an anonymous request to upload part for %s/%s: %v", + t.Fatalf("Minio %s: Failed to create an anonymous request for %s/%s: %v", instanceType, bucketName, testObject, err) } 
@@ -1873,7 +1873,7 @@ func testAPIListObjectPartsHandler(obj ObjectLayer, instanceType, bucketName str getListMultipartURLWithParams("", nilBucket, nilObject, "dummy-uploadID", "0", "0", ""), 0, nil, "", "") if err != nil { - t.Errorf("Minio %s:Failed to create http request for testing the reponse when object Layer is set to `nil`.", instanceType) + t.Errorf("Minio %s:Failed to create http request for testing the response when object Layer is set to `nil`.", instanceType) } // execute the object layer set to `nil` test. // `ExecObjectLayerAPINilTest` sets the Object Layer to `nil` and calls the handler. diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go index bb699e8ba..63c06d66a 100644 --- a/cmd/test-utils_test.go +++ b/cmd/test-utils_test.go @@ -1444,6 +1444,7 @@ func ExecObjectLayerAPIAnonTest(t *testing.T, testName, bucketName, objectName, Version: "1.0", Statements: []policyStatement{policyFunc(bucketName, "")}, } + globalBucketPolicies.SetBucketPolicy(bucketName, &policy) // now call the handler again with the unsigned/anonymous request, it should be accepted. rec = httptest.NewRecorder() @@ -1456,10 +1457,14 @@ func ExecObjectLayerAPIAnonTest(t *testing.T, testName, bucketName, objectName, // expectedHTTPStatus returns 204 (http.StatusNoContent) on success. if testName == "TestAPIDeleteObjectHandler" { expectedHTTPStatus = http.StatusNoContent + } else if strings.Contains(testName, "BucketPolicyHandler") { + // BucketPolicyHandler's doesn't support anonymous request, policy changes should allow unsigned requests. + expectedHTTPStatus = http.StatusForbidden } else { // other API handlers return 200OK on success. expectedHTTPStatus = http.StatusOK } + // compare the HTTP response status code with the expected one. if rec.Code != expectedHTTPStatus { failTest(fmt.Sprintf("Expected the anonymous HTTP request to be served after the policy changes\n,Expected response HTTP status code to be %d, got %d.",
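Review bot: In the last hunk of cmd/test-utils_test.go, the new `else if strings.Contains(testName, "BucketPolicyHandler")` branch picks the expected status from a substring of the test name. Any future handler test whose name contains that substring is therefore silently expected to be forbidden. The comment inside the branch says policy changes "should allow unsigned requests", which contradicts the `http.StatusForbidden` it assigns; `// Bucket policy handlers never serve anonymous requests; setting a bucket policy must not change that.` would match the code. The failure message a few lines below ("Expected the anonymous HTTP request to be served after the policy changes") is also misleading when this branch is taken and the expectation is a denial. ExecObjectLayerAPIAnonTest starts and ends outside the hunk.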