From: Casey Bodley Date: Wed, 26 Feb 2025 21:47:03 +0000 (-0500) Subject: s3: test bucket policy evaluation for CreateMultipartUpload X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F625%2Fhead;p=s3-tests.git s3: test bucket policy evaluation for CreateMultipartUpload test case for https://tracker.ceph.com/issues/70191 Signed-off-by: Casey Bodley
---
diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index 40249fac..441716db 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
@@ -10822,6 +10822,40 @@ def test_bucket_policy_different_tenant():
 assert len(response['Contents']) == 1
+@pytest.mark.bucket_policy
+def test_bucket_policy_multipart():
+ client = get_client()
+ alt_client = get_alt_client()
+ bucket_name = get_new_bucket(client)
+ key = 'mpobj'
+
+ # alt user has no permission
+ assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+ # grant permission on bucket ARN but not objects
+ client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Principal": {"AWS": "*"},
+ "Action": "s3:PutObject",
+ "Resource": f"arn:aws:s3:::{bucket_name}"
+ }]
+ }))
+ assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+ # grant permission on object ARN
+ client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Principal": {"AWS": "*"},
+ "Action": "s3:PutObject",
+ "Resource": f"arn:aws:s3:::{bucket_name}/{key}"
+ }]
+ }))
+ alt_client.create_multipart_upload(Bucket=bucket_name, Key=key)
+
 @pytest.mark.bucket_policy
 def test_bucket_policy_tenanted_bucket():
 tenant_client = get_tenant_client()
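Review bot: Both negative checks in test_bucket_policy_multipart accept any ClientError, so they would also pass if the alt user's request failed for a reason unrelated to policy evaluation, and they do not show that the denial came from authorization. If assert_raises returns the caught exception (its definition is not visible in this hunk), capture it and pin the result at both call sites, e.g. `e = assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)` followed by `assert e.response['Error']['Code'] == 'AccessDenied'`. After the object-ARN grant it would also be worth asserting that CreateMultipartUpload on a different key in the same bucket is still denied, so the test covers the resource match itself and not only the presence of an Allow statement.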