From 56f5bebef87881754ac590e7dfa372fc8ff0c478 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Wed, 26 Feb 2025 16:47:03 -0500
Subject: [PATCH] s3: test bucket policy evaluation for CreateMultipartUpload
test case for https://tracker.ceph.com/issues/70191
Signed-off-by: Casey Bodley
---
 s3tests_boto3/functional/test_s3.py | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index 40249fac..441716db 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
@@ -10822,6 +10822,40 @@ def test_bucket_policy_different_tenant():
 assert len(response['Contents']) == 1
+@pytest.mark.bucket_policy
+def test_bucket_policy_multipart():
+ client = get_client()
+ alt_client = get_alt_client()
+ bucket_name = get_new_bucket(client)
+ key = 'mpobj'
+
+ # alt user has no permission
+ assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+ # grant permission on bucket ARN but not objects
+ client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Principal": {"AWS": "*"},
+ "Action": "s3:PutObject",
+ "Resource": f"arn:aws:s3:::{bucket_name}"
+ }]
+ }))
+ assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)
+
+ # grant permission on object ARN
+ client.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps({
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Effect": "Allow",
+ "Principal": {"AWS": "*"},
+ "Action": "s3:PutObject",
+ "Resource": f"arn:aws:s3:::{bucket_name}/{key}"
+ }]
+ }))
+ alt_client.create_multipart_upload(Bucket=bucket_name, Key=key)
+
 @pytest.mark.bucket_policy
 def test_bucket_policy_tenanted_bucket():
 tenant_client = get_tenant_client()
--
2.47.3
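Review bot: Both denial checks in test_bucket_policy_multipart accept any ClientError, so the test still passes if CreateMultipartUpload is rejected for a reason unrelated to policy evaluation (a 400, 404 or 5xx). That leaves the bucket-ARN-only case, which this regression test exists for, not pinned to an authorization failure. Capture the exception and assert on it: `e = assert_raises(ClientError, alt_client.create_multipart_upload, Bucket=bucket_name, Key=key)`, then `assert e.response['ResponseMetadata']['HTTPStatusCode'] == 403` and `assert e.response['Error']['Code'] == 'AccessDenied'`. This assumes assert_raises returns the caught exception, which the hunk does not show. The final successful call also leaves an in-progress upload behind; consider keeping its `UploadId` and aborting it with the owner `client` rather than relying on bucket teardown.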