aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/policy_engine/engine_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'weed/s3api/policy_engine/engine_test.go')
-rw-r--r--weed/s3api/policy_engine/engine_test.go244
1 files changed, 244 insertions, 0 deletions
diff --git a/weed/s3api/policy_engine/engine_test.go b/weed/s3api/policy_engine/engine_test.go
index 1bb36dc4a..4de537ac1 100644
--- a/weed/s3api/policy_engine/engine_test.go
+++ b/weed/s3api/policy_engine/engine_test.go
@@ -5,9 +5,23 @@ import (
"net/url"
"testing"
+ "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
+// tagsToEntry converts a map of tag key-value pairs to the entry.Extended format
+// used for s3:ExistingObjectTag/<key> condition evaluation
+func tagsToEntry(tags map[string]string) map[string][]byte {
+ if tags == nil {
+ return nil
+ }
+ entry := make(map[string][]byte)
+ for k, v := range tags {
+ entry[s3_constants.AmzObjectTaggingPrefix+k] = []byte(v)
+ }
+ return entry
+}
+
func TestPolicyEngine(t *testing.T) {
engine := NewPolicyEngine()
@@ -714,3 +728,233 @@ type MockLegacyIAM struct{}
func (m *MockLegacyIAM) authRequest(r *http.Request, action Action) (Identity, s3err.ErrorCode) {
return nil, s3err.ErrNone
}
+
+// TestExistingObjectTagCondition tests s3:ExistingObjectTag/<tag-key> condition support
+func TestExistingObjectTagCondition(t *testing.T) {
+ engine := NewPolicyEngine()
+
+ // Policy that allows GetObject only for objects with specific tag
+ policyJSON := `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::test-bucket/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:ExistingObjectTag/status": ["public"]
+ }
+ }
+ }
+ ]
+ }`
+
+ err := engine.SetBucketPolicy("test-bucket", policyJSON)
+ if err != nil {
+ t.Fatalf("Failed to set bucket policy: %v", err)
+ }
+
+ tests := []struct {
+ name string
+ objectTags map[string]string
+ expected PolicyEvaluationResult
+ }{
+ {
+ name: "Matching tag value - should allow",
+ objectTags: map[string]string{"status": "public"},
+ expected: PolicyResultAllow,
+ },
+ {
+ name: "Non-matching tag value - should be indeterminate",
+ objectTags: map[string]string{"status": "private"},
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "Missing tag - should be indeterminate",
+ objectTags: map[string]string{"other": "value"},
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "No tags - should be indeterminate",
+ objectTags: nil,
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "Empty tags - should be indeterminate",
+ objectTags: map[string]string{},
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "Multiple tags with matching one - should allow",
+ objectTags: map[string]string{"status": "public", "owner": "admin"},
+ expected: PolicyResultAllow,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ args := &PolicyEvaluationArgs{
+ Action: "s3:GetObject",
+ Resource: "arn:aws:s3:::test-bucket/test-object",
+ Principal: "*",
+ ObjectEntry: tagsToEntry(tt.objectTags),
+ }
+
+ result := engine.EvaluatePolicy("test-bucket", args)
+ if result != tt.expected {
+ t.Errorf("Expected %v, got %v", tt.expected, result)
+ }
+ })
+ }
+}
+
+// TestExistingObjectTagConditionMultipleTags tests policies with multiple tag conditions
+func TestExistingObjectTagConditionMultipleTags(t *testing.T) {
+ engine := NewPolicyEngine()
+
+ // Policy that requires multiple tag conditions
+ policyJSON := `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::test-bucket/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:ExistingObjectTag/status": ["public"],
+ "s3:ExistingObjectTag/tier": ["free", "premium"]
+ }
+ }
+ }
+ ]
+ }`
+
+ err := engine.SetBucketPolicy("test-bucket", policyJSON)
+ if err != nil {
+ t.Fatalf("Failed to set bucket policy: %v", err)
+ }
+
+ tests := []struct {
+ name string
+ objectTags map[string]string
+ expected PolicyEvaluationResult
+ }{
+ {
+ name: "Both tags match - should allow",
+ objectTags: map[string]string{"status": "public", "tier": "free"},
+ expected: PolicyResultAllow,
+ },
+ {
+ name: "Both tags match (premium tier) - should allow",
+ objectTags: map[string]string{"status": "public", "tier": "premium"},
+ expected: PolicyResultAllow,
+ },
+ {
+ name: "Only status matches - should be indeterminate",
+ objectTags: map[string]string{"status": "public"},
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "Only tier matches - should be indeterminate",
+ objectTags: map[string]string{"tier": "free"},
+ expected: PolicyResultIndeterminate,
+ },
+ {
+ name: "Neither tag matches - should be indeterminate",
+ objectTags: map[string]string{"status": "private", "tier": "basic"},
+ expected: PolicyResultIndeterminate,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ args := &PolicyEvaluationArgs{
+ Action: "s3:GetObject",
+ Resource: "arn:aws:s3:::test-bucket/test-object",
+ Principal: "*",
+ ObjectEntry: tagsToEntry(tt.objectTags),
+ }
+
+ result := engine.EvaluatePolicy("test-bucket", args)
+ if result != tt.expected {
+ t.Errorf("Expected %v, got %v", tt.expected, result)
+ }
+ })
+ }
+}
+
+// TestExistingObjectTagDenyPolicy tests deny policies with tag conditions
+func TestExistingObjectTagDenyPolicy(t *testing.T) {
+ engine := NewPolicyEngine()
+
+ // Policy that denies access to objects with confidential tag
+ policyJSON := `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::test-bucket/*"
+ },
+ {
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::test-bucket/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:ExistingObjectTag/classification": ["confidential"]
+ }
+ }
+ }
+ ]
+ }`
+
+ err := engine.SetBucketPolicy("test-bucket", policyJSON)
+ if err != nil {
+ t.Fatalf("Failed to set bucket policy: %v", err)
+ }
+
+ tests := []struct {
+ name string
+ objectTags map[string]string
+ expected PolicyEvaluationResult
+ }{
+ {
+ name: "No tags - allow by default statement",
+ objectTags: nil,
+ expected: PolicyResultAllow,
+ },
+ {
+ name: "Non-confidential tag - allow",
+ objectTags: map[string]string{"classification": "public"},
+ expected: PolicyResultAllow,
+ },
+ {
+ name: "Confidential tag - deny",
+ objectTags: map[string]string{"classification": "confidential"},
+ expected: PolicyResultDeny,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ args := &PolicyEvaluationArgs{
+ Action: "s3:GetObject",
+ Resource: "arn:aws:s3:::test-bucket/test-object",
+ Principal: "*",
+ ObjectEntry: tagsToEntry(tt.objectTags),
+ }
+
+ result := engine.EvaluatePolicy("test-bucket", args)
+ if result != tt.expected {
+ t.Errorf("Expected %v, got %v", tt.expected, result)
+ }
+ })
+ }
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-20 18:27:54 +0000