--- /dev/null
+import json
+
+from botocore.exceptions import ClientError
+from nose.plugins.attrib import attr
+from nose.tools import eq_ as eq
+
+from s3tests_boto3.functional.utils import assert_raises
+from s3tests_boto3.functional.test_s3 import _multipart_upload
+from . import (
+ get_alt_client,
+ get_iam_client,
+ get_new_bucket,
+ get_iam_s3client,
+ get_alt_iam_client,
+ get_alt_user_id,
+)
+from .utils import _get_status, _get_status_and_error_code
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify Put User Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_put_user_policy():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify Put User Policy with invalid user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_put_user_policy_invalid_user():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy', UserName="some-non-existing-user-id")
+ status = _get_status(e.response)
+ eq(status, 404)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify Put User Policy using parameter value outside limit')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_put_user_policy_parameter_limit():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}] * 1000
+ }
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy' * 10, UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 400)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify Put User Policy using invalid policy document elements')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+@attr('fails_on_rgw')
+def test_put_user_policy_invalid_element():
+ client = get_iam_client()
+
+ # With Version other than 2012-10-17
+ policy_document = json.dumps(
+ {"Version": "2010-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}]
+ }
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 400)
+
+ # With no Statement
+ policy_document = json.dumps(
+ {
+ "Version": "2012-10-17",
+ }
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 400)
+
+ # with same Sid for 2 statements
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": [
+ {"Sid": "98AB54CF",
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"},
+ {"Sid": "98AB54CF",
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}]
+ }
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 400)
+
+ # with Principal
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*",
+ "Principal": "arn:aws:iam:::username"}]
+ }
+ )
+ e = assert_raises(ClientError, client.put_user_policy, PolicyDocument=policy_document,
+ PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 400)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify Put a policy that already exists')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_put_existing_user_policy():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}
+ }
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ client.delete_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify List User policies')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_list_user_policy():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}
+ }
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.list_user_policies(UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ client.delete_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify List User policies with invalid user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_list_user_policy_invalid_user():
+ client = get_iam_client()
+ e = assert_raises(ClientError, client.list_user_policies, UserName="some-non-existing-user-id")
+ status = _get_status(e.response)
+ eq(status, 404)
+
+
+@attr(resource='user-policy')
+@attr(method='get')
+@attr(operation='Verify Get User policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_get_user_policy():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.get_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ response = client.delete_user_policy(PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='get')
+@attr(operation='Verify Get User Policy with invalid user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_get_user_policy_invalid_user():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ e = assert_raises(ClientError, client.get_user_policy, PolicyName='AllAccessPolicy',
+ UserName="some-non-existing-user-id")
+ status = _get_status(e.response)
+ eq(status, 404)
+ client.delete_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+
+
+@attr(resource='user-policy')
+@attr(method='get')
+@attr(operation='Verify Get User Policy with invalid policy name')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+@attr('fails_on_rgw')
+def test_get_user_policy_invalid_policy_name():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ e = assert_raises(ClientError, client.get_user_policy, PolicyName='non-existing-policy-name',
+ UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 404)
+ client.delete_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+
+
+@attr(resource='user-policy')
+@attr(method='get')
+@attr(operation='Verify Get Deleted User Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+@attr('fails_on_rgw')
+def test_get_deleted_user_policy():
+ client = get_iam_client()
+
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+ client.put_user_policy(PolicyDocument=policy_document, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ client.delete_user_policy(PolicyName='AllAccessPolicy', UserName=get_alt_user_id())
+ e = assert_raises(ClientError, client.get_user_policy, PolicyName='AllAccessPolicy',
+ UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 404)
+
+
+@attr(resource='user-policy')
+@attr(method='get')
+@attr(operation='Verify Get a policy from multiple policies for a user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_get_user_policy_from_multiple_policies():
+ client = get_iam_client()
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy1',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy2',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.get_user_policy(PolicyName='AllowAccessPolicy2',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy1',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy2',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='delete')
+@attr(operation='Verify Delete User Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_delete_user_policy():
+ client = get_iam_client()
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='delete')
+@attr(operation='Verify Delete User Policy with invalid user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_delete_user_policy_invalid_user():
+ client = get_iam_client()
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ e = assert_raises(ClientError, client.delete_user_policy, PolicyName='AllAccessPolicy',
+ UserName="some-non-existing-user-id")
+ status = _get_status(e.response)
+ eq(status, 404)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='delete')
+@attr(operation='Verify Delete User Policy with invalid policy name')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_delete_user_policy_invalid_policy_name():
+ client = get_iam_client()
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ e = assert_raises(ClientError, client.delete_user_policy, PolicyName='non-existing-policy-name',
+ UserName=get_alt_user_id())
+ status = _get_status(e.response)
+ eq(status, 404)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='delete')
+@attr(operation='Verify Delete multiple User policies for a user')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_delete_user_policy_from_multiple_policies():
+ client = get_iam_client()
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy1',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy2',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy3',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy1',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy2',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.get_user_policy(PolicyName='AllowAccessPolicy3',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy3',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Allow Bucket Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_allow_bucket_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client_alt = get_alt_client()
+
+ s3_client_iam = get_iam_s3client()
+ bucket = get_new_bucket(client=s3_client_iam)
+ s3_client_iam.put_object(Bucket=bucket, Key='foo', Body='bar')
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": ["s3:ListBucket", "s3:DeleteBucket"],
+ "Resource": f"arn:aws:s3:::{bucket}"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy', UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ response = s3_client_alt.list_objects(Bucket=bucket)
+ object_found = False
+ for object_received in response['Contents']:
+ if "foo" == object_received['Key']:
+ object_found = True
+ break
+ if not object_found:
+ raise AssertionError("Object is not listed")
+
+ response = s3_client_iam.delete_object(Bucket=bucket, Key='foo')
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+
+ response = s3_client_alt.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+
+ response = s3_client_iam.list_buckets()
+ for bucket in response['Buckets']:
+ if bucket == bucket['Name']:
+ raise AssertionError("deleted bucket is getting listed")
+
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Deny Bucket Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_deny_bucket_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client = get_alt_client()
+ bucket = get_new_bucket(client=s3_client)
+
+ policy_document_deny = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Deny",
+ "Action": ["s3:ListAllMyBuckets", "s3:DeleteBucket"],
+ "Resource": "arn:aws:s3:::*"}}
+ )
+
+ response = client.put_user_policy(PolicyDocument=policy_document_deny,
+ PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ e = assert_raises(ClientError, s3_client.list_buckets, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ e = assert_raises(ClientError, s3_client.delete_bucket, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = s3_client.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Allow Object Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_allow_object_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client_alt = get_alt_client()
+ s3_client_iam = get_iam_s3client()
+ bucket = get_new_bucket(client=s3_client_iam)
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
+ "Resource": f"arn:aws:s3:::{bucket}/*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy', UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ s3_client_alt.put_object(Bucket=bucket, Key='foo', Body='bar')
+ response = s3_client_alt.get_object(Bucket=bucket, Key='foo')
+ body = response['Body'].read()
+ if type(body) is bytes:
+ body = body.decode()
+ eq(body, "bar")
+ response = s3_client_alt.delete_object(Bucket=bucket, Key='foo')
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+
+ e = assert_raises(ClientError, s3_client_iam.get_object, Bucket=bucket, Key='foo')
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 404)
+ eq(error_code, 'NoSuchKey')
+ response = s3_client_iam.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Deny Object Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_deny_object_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client_alt = get_alt_client()
+ bucket = get_new_bucket(client=s3_client_alt)
+ s3_client_alt.put_object(Bucket=bucket, Key='foo', Body='bar')
+
+ policy_document_deny = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Deny",
+ "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
+ "Resource": f"arn:aws:s3:::{bucket}/*"}, {
+ "Effect": "Allow",
+ "Action": ["s3:DeleteBucket"],
+ "Resource": f"arn:aws:s3:::{bucket}"}]}
+ )
+ client.put_user_policy(PolicyDocument=policy_document_deny, PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+
+ e = assert_raises(ClientError, s3_client_alt.put_object, Bucket=bucket, Key='foo')
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ e = assert_raises(ClientError, s3_client_alt.get_object, Bucket=bucket, Key='foo')
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ e = assert_raises(ClientError, s3_client_alt.delete_object, Bucket=bucket, Key='foo')
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Allow Multipart Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_allow_multipart_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client_alt = get_alt_client()
+ s3_client_iam = get_iam_s3client()
+ bucket = get_new_bucket(client=s3_client_iam)
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": ["s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload"],
+ "Resource": "arn:aws:s3:::*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document_allow,
+ PolicyName='AllowAccessPolicy', UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ key = "mymultipart"
+ mb = 1024 * 1024
+
+ (upload_id, _, _) = _multipart_upload(client=s3_client_iam, bucket_name=bucket, key=key,
+ size=5 * mb)
+ response = s3_client_alt.list_multipart_uploads(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = s3_client_alt.abort_multipart_upload(Bucket=bucket, Key=key, UploadId=upload_id)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+
+ response = s3_client_iam.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Deny Multipart Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_deny_multipart_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client = get_alt_client()
+ bucket = get_new_bucket(client=s3_client)
+
+ policy_document_deny = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Deny",
+ "Action": ["s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload"],
+ "Resource": "arn:aws:s3:::*"}}
+ )
+ response = client.put_user_policy(PolicyDocument=policy_document_deny,
+ PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ key = "mymultipart"
+ mb = 1024 * 1024
+
+ (upload_id, _, _) = _multipart_upload(client=s3_client, bucket_name=bucket, key=key,
+ size=5 * mb)
+
+ e = assert_raises(ClientError, s3_client.list_multipart_uploads, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+
+ e = assert_raises(ClientError, s3_client.abort_multipart_upload, Bucket=bucket,
+ Key=key, UploadId=upload_id)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+
+ response = s3_client.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Allow Tagging Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_allow_tagging_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client_alt = get_alt_client()
+ s3_client_iam = get_iam_s3client()
+ bucket = get_new_bucket(client=s3_client_iam)
+
+ policy_document_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": ["s3:PutBucketTagging", "s3:GetBucketTagging",
+ "s3:PutObjectTagging", "s3:GetObjectTagging"],
+ "Resource": f"arn:aws:s3:::*"}}
+ )
+ client.put_user_policy(PolicyDocument=policy_document_allow, PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ tags = {'TagSet': [{'Key': 'Hello', 'Value': 'World'}, ]}
+
+ response = s3_client_alt.put_bucket_tagging(Bucket=bucket, Tagging=tags)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = s3_client_alt.get_bucket_tagging(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ eq(response['TagSet'][0]['Key'], 'Hello')
+ eq(response['TagSet'][0]['Value'], 'World')
+
+ obj_key = 'obj'
+ response = s3_client_iam.put_object(Bucket=bucket, Key=obj_key, Body='obj_body')
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = s3_client_alt.put_object_tagging(Bucket=bucket, Key=obj_key, Tagging=tags)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = s3_client_alt.get_object_tagging(Bucket=bucket, Key=obj_key)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ eq(response['TagSet'], tags['TagSet'])
+
+ response = s3_client_iam.delete_object(Bucket=bucket, Key=obj_key)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = s3_client_iam.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='s3 Actions')
+@attr(operation='Verify Deny Tagging Actions in user Policy')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_deny_tagging_actions_in_user_policy():
+ client = get_iam_client()
+ s3_client = get_alt_client()
+ bucket = get_new_bucket(client=s3_client)
+
+ policy_document_deny = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Deny",
+ "Action": ["s3:PutBucketTagging", "s3:GetBucketTagging",
+ "s3:PutObjectTagging", "s3:DeleteObjectTagging"],
+ "Resource": "arn:aws:s3:::*"}}
+ )
+ client.put_user_policy(PolicyDocument=policy_document_deny, PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ tags = {'TagSet': [{'Key': 'Hello', 'Value': 'World'}, ]}
+
+ e = assert_raises(ClientError, s3_client.put_bucket_tagging, Bucket=bucket, Tagging=tags)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ e = assert_raises(ClientError, s3_client.get_bucket_tagging, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+
+ obj_key = 'obj'
+ response = s3_client.put_object(Bucket=bucket, Key=obj_key, Body='obj_body')
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+ e = assert_raises(ClientError, s3_client.put_object_tagging, Bucket=bucket, Key=obj_key,
+ Tagging=tags)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ e = assert_raises(ClientError, s3_client.delete_object_tagging, Bucket=bucket, Key=obj_key)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+
+ response = s3_client.delete_object(Bucket=bucket, Key=obj_key)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = s3_client.delete_bucket(Bucket=bucket)
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 204)
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify conflicting user policy statements')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_verify_conflicting_user_policy_statements():
+ s3client = get_alt_client()
+ bucket = get_new_bucket(client=s3client)
+ policy_document = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": [
+ {"Sid": "98AB54CG",
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": f"arn:aws:s3:::{bucket}"},
+ {"Sid": "98AB54CA",
+ "Effect": "Deny",
+ "Action": "s3:ListBucket",
+ "Resource": f"arn:aws:s3:::{bucket}"}
+ ]}
+ )
+ client = get_iam_client()
+ response = client.put_user_policy(PolicyDocument=policy_document, PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ e = assert_raises(ClientError, s3client.list_objects, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(method='put')
+@attr(operation='Verify conflicting user policies')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_verify_conflicting_user_policies():
+ s3client = get_alt_client()
+ bucket = get_new_bucket(client=s3client)
+ policy_allow = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {"Sid": "98AB54CG",
+ "Effect": "Allow",
+ "Action": "s3:ListBucket",
+ "Resource": f"arn:aws:s3:::{bucket}"}}
+ )
+ policy_deny = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {"Sid": "98AB54CGZ",
+ "Effect": "Deny",
+ "Action": "s3:ListBucket",
+ "Resource": f"arn:aws:s3:::{bucket}"}}
+ )
+ client = get_iam_client()
+ response = client.put_user_policy(PolicyDocument=policy_allow, PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.put_user_policy(PolicyDocument=policy_deny, PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ e = assert_raises(ClientError, s3client.list_objects, Bucket=bucket)
+ status, error_code = _get_status_and_error_code(e.response)
+ eq(status, 403)
+ eq(error_code, 'AccessDenied')
+ response = client.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = client.delete_user_policy(PolicyName='DenyAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+
+
+@attr(resource='user-policy')
+@attr(operation='Verify Allow Actions for IAM user policies')
+@attr(assertion='succeeds')
+@attr('user-policy')
+@attr('test_of_iam')
+def test_verify_allow_iam_actions():
+ policy1 = json.dumps(
+ {"Version": "2012-10-17",
+ "Statement": {"Sid": "98AB54CGA",
+ "Effect": "Allow",
+ "Action": ["iam:PutUserPolicy", "iam:GetUserPolicy",
+ "iam:ListUserPolicies", "iam:DeleteUserPolicy"],
+ "Resource": f"arn:aws:iam:::user/{get_alt_user_id()}"}}
+ )
+ client1 = get_iam_client()
+ iam_client_alt = get_alt_iam_client()
+
+ response = client1.put_user_policy(PolicyDocument=policy1, PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = iam_client_alt.get_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = iam_client_alt.list_user_policies(UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
+ response = iam_client_alt.delete_user_policy(PolicyName='AllowAccessPolicy',
+ UserName=get_alt_user_id())
+ eq(response['ResponseMetadata']['HTTPStatusCode'], 200)
projects / s3-tests.git / commitdiff