add more cases

Signed-off-by: shirady <[email protected]>
noobaa · Jan 14, 2025 · 7561ce8 · 7561ce8
1 parent a67d472
commit 7561ce8
Showing 1 changed file with 100 additions and 23 deletions.
diff --git a/src/test/unit_tests/test_s3_bucket_policy.js b/src/test/unit_tests/test_s3_bucket_policy.js
@@ -10,6 +10,7 @@ const { rpc_client, EMAIL, POOL_LIST, anon_rpc_client } = coretest;
 const MDStore = require('../../server/object_services/md_store').MDStore;
 coretest.setup({ pools_to_create: process.env.NC_CORETEST ? undefined : [POOL_LIST[1]] });
 const path = require('path');
+const _ = require('lodash');
 const fs_utils = require('../../util/fs_utils');
 
 const { S3 } = require('@aws-sdk/client-s3');
@@ -338,27 +339,44 @@ mocha.describe('s3_bucket_policy', function() {
     });
 
     mocha.describe('s3_bucket_policy with more complex policies (conflict statements)', function() {
-        const allow_all_principal_all_s3_action_statement = {
+        mocha.after(async function() {
+            await s3_owner.deleteBucketPolicy({
+                Bucket: BKT_D,
+            });
+        });
+        const allow_all_principal_all_s3_actions_statement = {
             Sid: `Allow all s3 actions on bucket ${BKT_D} to all principals`,
             Effect: 'Allow',
             Principal: { AWS: "*" },
             Action: ['s3:*'],
             Resource: [`arn:aws:s3:::${BKT_D}`, `arn:aws:s3:::${BKT_D}/*`]
         };
+        function get_deny_account_by_id_all_s3_actions_statement(_id) {
+            return {
+                Sid: `Do not allow user ${_id} get any object`,
+                Effect: 'Deny',
+                Principal: { AWS: [_id] },
+                Action: ['s3:*'],
+                Resource: [`arn:aws:s3:::${BKT_D}/*`]
+            };
+        }
+        const deny_account_by_name_all_s3_actions_statement = {
+            Sid: `Do not allow user ${user_a} get any object`,
+            Effect: 'Deny',
+            Principal: { AWS: [user_a] },
+            Action: ['s3:*'],
+            Resource: [`arn:aws:s3:::${BKT_D}/*`]
+        };
+
         mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
             '(1) DENY principal by account ID (2) ALLOW account name as *', async function() {
-            // in NC we allow principal to be also 
+            // in NC we allow principal to be also IDs
             if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
+            const deny_account_by_id_all_s3_actions_statement = get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
             const policy = {
                 Statement: [
-                    allow_all_principal_all_s3_action_statement,
-                    {
-                        Sid: `Do not allow user ${user_a_account_details._id} get any object`,
-                        Effect: 'Deny',
-                        Principal: { AWS: [user_a_account_details._id] },
-                        Action: ['s3:*'],
-                        Resource: [`arn:aws:s3:::${BKT_D}/*`]
-                    }
+                    allow_all_principal_all_s3_actions_statement,
+                    deny_account_by_id_all_s3_actions_statement
                 ]
             };
             await s3_owner.putBucketPolicy({
@@ -392,44 +410,103 @@ mocha.describe('s3_bucket_policy', function() {
             '(1) DENY principal by account name (2) ALLOW account name as *', async function() {
             const policy = {
                 Statement: [
-                    allow_all_principal_all_s3_action_statement,
-                    {
-                        Sid: `Do not allow user ${user_a} get any object`,
-                        Effect: 'Deny',
-                        Principal: { AWS: [user_a] },
-                        Action: ['s3:*'],
-                        Resource: [`arn:aws:s3:::${BKT_D}/*`]
-                    }
+                    allow_all_principal_all_s3_actions_statement,
+                    deny_account_by_name_all_s3_actions_statement
                 ]
             };
             await s3_owner.putBucketPolicy({
                 Bucket: BKT_D,
                 Policy: JSON.stringify(policy)
             });
             // prepare - put the object to get
-            const key2 = 'file2.txt';
+            const key3 = 'file3.txt';
             const res_put_object = await s3_owner.putObject({
                 Body: BODY,
                 Bucket: BKT_D,
-                Key: key2
+                Key: key3
             });
             assert.equal(res_put_object.$metadata.httpStatusCode, 200);
             // should fail - user a has a DENY statement
             await assert_throws_async(s3_a.getObject({
                 Body: BODY,
                 Bucket: BKT_D,
-                Key: key2
+                Key: key3
             }));
             // should fail - user b does not have a DENY statement (uses the general ALLOW statement)
             const res_get_object = await s3_b.getObject({
                 Body: BODY,
                 Bucket: BKT_D,
-                Key: key2
+                Key: key3
             });
             assert.equal(res_get_object.$metadata.httpStatusCode, 200);
         });
-    });
 
+        mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
+            '(1) DENY principal by account ID (2) ALLOW by account name', async function() {
+            // in NC we allow principal to be also IDs
+            if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
+            const deny_account_by_id_all_s3_actions_statement = get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
+            const allow_account_by_name_all_s3_actions_statement = _.cloneDeep(deny_account_by_name_all_s3_actions_statement);
+            allow_account_by_name_all_s3_actions_statement.Effect = 'Allow';
+            const policy = {
+                Statement: [
+                        deny_account_by_id_all_s3_actions_statement,
+                        allow_account_by_name_all_s3_actions_statement
+                ]
+            };
+            await s3_owner.putBucketPolicy({
+                Bucket: BKT_D,
+                Policy: JSON.stringify(policy)
+            });
+            // prepare - put the object to get
+            const key4 = 'file4.txt';
+            const res_put_object = await s3_owner.putObject({
+                Body: BODY,
+                Bucket: BKT_D,
+                Key: key4
+            });
+            assert.equal(res_put_object.$metadata.httpStatusCode, 200);
+            // should fail - user a has a DENY statement
+            await assert_throws_async(s3_a.getObject({
+                Body: BODY,
+                Bucket: BKT_D,
+                Key: key4
+            }));
+        });
+
+        mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
+            '(1) DENY principal by account name (2) ALLOW by account ID', async function() {
+            // in NC we allow principal to be also IDs
+            if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
+            const deny_account_by_id_all_s3_actions_statement = get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
+            const allow_account_by_id_all_s3_actions_statement = _.cloneDeep(deny_account_by_id_all_s3_actions_statement);
+            allow_account_by_id_all_s3_actions_statement.Effect = 'Allow';
+            const policy = {
+                Statement: [
+                    deny_account_by_name_all_s3_actions_statement,
+                    allow_account_by_id_all_s3_actions_statement
+                ]
+            };
+            await s3_owner.putBucketPolicy({
+                Bucket: BKT_D,
+                Policy: JSON.stringify(policy)
+            });
+            // prepare - put the object to get
+            const key5 = 'file5.txt';
+            const res_put_object = await s3_owner.putObject({
+                Body: BODY,
+                Bucket: BKT_D,
+                Key: key5
+            });
+            assert.equal(res_put_object.$metadata.httpStatusCode, 200);
+            // should fail - user a has a DENY statement
+            await assert_throws_async(s3_a.getObject({
+                Body: BODY,
+                Bucket: BKT_D,
+                Key: key5
+            }));
+        });
+    });
 
     mocha.it('should be able to set bucket policy when none set', async function() {
         const self = this; // eslint-disable-line no-invalid-this