policy: test for acl grants conditionals on put bucket acls
authorAbhishek Lekshmanan <abhishek@suse.com>
Mon, 16 Oct 2017 14:50:56 +0000 (16:50 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Wed, 17 Jan 2018 09:56:32 +0000 (10:56 +0100)
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
s3tests/functional/test_s3.py

index a0c81aba2510e1a0e65e1ba8e409d85267892501..1e705bdab990ecf2ca29d05c0faa446a4e710f74 100644 (file)
@@ -9111,6 +9111,43 @@ def test_bucket_policy_list_put_bucket_acl_canned_acl():
 
 
 
+@attr(resource='bucket')
+@attr(method='put')
+@attr(operation='Test put bucket acl with acl grant headers')
+@attr('bucket-policy')
+def test_bucket_policy_list_put_bucket_acl_grants():
+    bucket = _create_keys(keys=['key/'+str(i) for i in range(5)])
+
+
+    owner_id_str = "id="+config.main.user_id
+    policy_conditional = {"StringEquals": {
+        "s3:x-amz-grant-full-control" : owner_id_str
+    }}
+
+    resource = _make_arn_resource(bucket.name)
+    policy_document = make_json_policy("s3:PutBucketAcl",resource,
+                                       conditions=policy_conditional)
+    eq(bucket.set_policy(policy_document), True)
+
+    new_conn = _get_alt_connection()
+
+    headers = {"x-amz-grant-full-control": owner_id_str}
+    res = new_conn.make_request('PUT', bucket.name, query_args = 'acl', headers=headers)
+
+    eq(res.status, 200)
+
+    # user trying to elevate himself as the owner
+    headers = {"x-amz-grant-full-control": "id=" + config.alt.user_id }
+    res = new_conn.make_request('PUT', bucket.name, query_args = 'acl', headers=headers)
+
+    eq(res.status, 403)
+
+    headers = {"x-amz-grant-read": owner_id_str}
+    res = new_conn.make_request('PUT', bucket.name, query_args = 'acl', headers=headers)
+
+    eq(res.status, 403)
+
+
 
 def _tags_from_dict(d):
     tag_list = []
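Review bot: The three PUT ?acl requests in `test_bucket_policy_list_put_bucket_acl_grants` are verified by status code only, so a gateway that answers 403 but still applies the grant would pass both denial cases. After the final `eq(res.status, 403)` I would read the ACL back as the bucket owner and assert it is unchanged, for example `grants = bucket.get_acl().acl.grants` followed by `eq([g.id for g in grants], [config.main.user_id])`. This assumes the earlier successful request leaves exactly the owner's full-control grant, which should be confirmed against the gateway's behaviour. The same read-back after the 200 case would confirm that the allowed grant was actually stored. The `list` in the test name appears to be carried over from the neighbouring `test_bucket_policy_list_put_bucket_acl_canned_acl` and does not describe a PutBucketAcl test. The last denial case would also benefit from a comment such as `# grant-read does not satisfy the s3:x-amz-grant-full-control condition`.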