s3: test bucket policy evaluation for CreateMultipartUpload 625/head
authorCasey Bodley <cbodley@redhat.com>
Wed, 26 Feb 2025 21:47:03 +0000 (16:47 -0500)
committerCasey Bodley <cbodley@redhat.com>
Wed, 26 Feb 2025 21:47:15 +0000 (16:47 -0500)
test case for https://tracker.ceph.com/issues/70191

Signed-off-by: Casey Bodley <cbodley@redhat.com>
s3tests_boto3/functional/test_s3.py

index 40249fac274d081cdfe2c341b9c0eee536df6021..441716db75f788438d8151f99e3f818057b86401 100644 (file)
@@ -10822,6 +10822,40 @@ def test_bucket_policy_different_tenant():
 
     assert len(response['Contents']) == 1
 
+@pytest.mark.bucket_policy
+def test_bucket_policy_multipart():
+    client = get_client()
+    alt_client = get_alt_client()
+    bucket_name = get_new_bucket(client)
+    key = 'mpobj'
+
+    # alt user has no permission
+    assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+    # grant permission on bucket ARN but not objects
+    client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": {"AWS": "*"},
+                "Action": "s3:PutObject",
+                "Resource": f"arn:aws:s3:::{bucket_name}"
+            }]
+        }))
+    assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+    # grant permission on object ARN
+    client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": {"AWS": "*"},
+                "Action": "s3:PutObject",
+                "Resource": f"arn:aws:s3:::{bucket_name}/{key}"
+            }]
+        }))
+    alt_client.create_multipart_upload(Bucket=bucket_name, Key=key)
+
 @pytest.mark.bucket_policy
 def test_bucket_policy_tenanted_bucket():
     tenant_client = get_tenant_client()
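Review bot: Both negative checks in test_bucket_policy_multipart (the `assert_raises(ClientError, alt_client.create_multipart_upload, ...)` calls before any policy is set and after the bucket-ARN-only policy) accept any ClientError, so the test still passes if the request fails for a reason unrelated to policy evaluation. Since this is a regression test for an authorization decision, pin the denial itself: capture the exception with `e = assert_raises(ClientError, ...)` and assert `e.response['ResponseMetadata']['HTTPStatusCode'] == 403` and `e.response['Error']['Code'] == 'AccessDenied'`, assuming the suite's assert_raises returns the caught exception. The final `create_multipart_upload` also discards its UploadId and leaves an in-progress upload behind; if bucket teardown does not already abort pending uploads, keep the response and call `abort_multipart_upload` at the end.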