summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go')
-rw-r--r--vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go1822
1 files changed, 1822 insertions, 0 deletions
diff --git a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go
new file mode 100644
index 000000000..b1862c639
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy_test.go
@@ -0,0 +1,1822 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import (
+ "encoding/json"
+ "fmt"
+ "reflect"
+ "testing"
+
+ "github.com/minio/minio-go/pkg/set"
+)
+
+// isValidStatement() is called and the result is validated.
+func TestIsValidStatement(t *testing.T) {
+ testCases := []struct {
+ statement Statement
+ bucketName string
+ expectedResult bool
+ }{
+ // Empty statement and bucket name.
+ {Statement{}, "", false},
+ // Empty statement.
+ {Statement{}, "mybucket", false},
+ // Empty bucket name.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false},
+ // Statement with unknown actions.
+ {Statement{
+ Actions: set.CreateStringSet("s3:ListBucketVersions"),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "mybucket", false},
+ // Statement with unknown effect.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "mybucket", false},
+ // Statement with nil Principal.AWS.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "mybucket", false},
+ // Statement with unknown Principal.AWS.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "mybucket", false},
+ // Statement with different bucket name.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }, "mybucket", false},
+ // Statement with bucket name with suffixed string.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybuckettest/myobject"),
+ }, "mybucket", false},
+ // Statement with bucket name and object name.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/myobject"),
+ }, "mybucket", true},
+ // Statement with condition, bucket name and object name.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/myobject"),
+ }, "mybucket", true},
+ }
+
+ for _, testCase := range testCases {
+ if result := isValidStatement(testCase.statement, testCase.bucketName); result != testCase.expectedResult {
+ t.Fatalf("%+v: expected: %t, got: %t", testCase, testCase.expectedResult, result)
+ }
+ }
+}
+
+// newStatements() is called and the result is validated.
+func TestNewStatements(t *testing.T) {
+ testCases := []struct {
+ policy BucketPolicy
+ bucketName string
+ prefix string
+ expectedResult string
+ }{
+ // BucketPolicyNone: with empty bucket name and prefix.
+ {BucketPolicyNone, "", "", `[]`},
+ // BucketPolicyNone: with bucket name and empty prefix.
+ {BucketPolicyNone, "mybucket", "", `[]`},
+ // BucketPolicyNone: with empty bucket name empty prefix.
+ {BucketPolicyNone, "", "hello", `[]`},
+ // BucketPolicyNone: with bucket name prefix.
+ {BucketPolicyNone, "mybucket", "hello", `[]`},
+ // BucketPolicyReadOnly: with empty bucket name and prefix.
+ {BucketPolicyReadOnly, "", "", `[]`},
+ // BucketPolicyReadOnly: with bucket name and empty prefix.
+ {BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyReadOnly: with empty bucket name empty prefix.
+ {BucketPolicyReadOnly, "", "hello", `[]`},
+ // BucketPolicyReadOnly: with bucket name prefix.
+ {BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // BucketPolicyReadWrite: with empty bucket name and prefix.
+ {BucketPolicyReadWrite, "", "", `[]`},
+ // BucketPolicyReadWrite: with bucket name and empty prefix.
+ {BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyReadWrite: with empty bucket name empty prefix.
+ {BucketPolicyReadWrite, "", "hello", `[]`},
+ // BucketPolicyReadWrite: with bucket name prefix.
+ {BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // BucketPolicyWriteOnly: with empty bucket name and prefix.
+ {BucketPolicyWriteOnly, "", "", `[]`},
+ // BucketPolicyWriteOnly: with bucket name and empty prefix.
+ {BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyWriteOnly: with empty bucket name empty prefix.
+ {BucketPolicyWriteOnly, "", "hello", `[]`},
+ // BucketPolicyWriteOnly: with bucket name prefix.
+ {BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ }
+
+ for _, testCase := range testCases {
+ statements := newStatements(testCase.policy, testCase.bucketName, testCase.prefix)
+ if data, err := json.Marshal(statements); err == nil {
+ if string(data) != testCase.expectedResult {
+ t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+ }
+ }
+ }
+}
+
+// getInUsePolicy() is called and the result is validated.
+func TestGetInUsePolicy(t *testing.T) {
+ testCases := []struct {
+ statements []Statement
+ bucketName string
+ prefix string
+ expectedResult1 bool
+ expectedResult2 bool
+ }{
+ // All empty statements, bucket name and prefix.
+ {[]Statement{}, "", "", false, false},
+ // Non-empty statements, empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "", false, false},
+ // Non-empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", false, false},
+ // Non-empty statements, empty bucket name and non-empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "hello", false, false},
+ // Empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{}, "mybucket", "", false, false},
+ // Empty statements, non-empty bucket name non-empty prefix.
+ {[]Statement{}, "mybucket", "hello", false, false},
+ // Empty statements, empty bucket name and non-empty prefix.
+ {[]Statement{}, "", "hello", false, false},
+ // Non-empty statements, non-empty bucket name, non-empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", false, false},
+ // different bucket statements and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "", false, false},
+ // different bucket statements.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "hello", false, false},
+ // different bucket multi-statements and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }, {
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket/world"),
+ }}, "mybucket", "", false, false},
+ // different bucket multi-statements.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }, {
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket/world"),
+ }}, "mybucket", "hello", false, false},
+ // read-only in use.
+ {[]Statement{{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", true, false},
+ // write-only in use.
+ {[]Statement{{
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", false, true},
+ // read-write in use.
+ {[]Statement{{
+ Actions: readWriteObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", true, true},
+ // read-write multi-statements.
+ {[]Statement{{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/ground"),
+ }}, "mybucket", "hello", true, true},
+ }
+
+ for _, testCase := range testCases {
+ result1, result2 := getInUsePolicy(testCase.statements, testCase.bucketName, testCase.prefix)
+ if !(result1 == testCase.expectedResult1 && result2 == testCase.expectedResult2) {
+ t.Fatalf("%+v: expected: [%t,%t], got: [%t,%t]", testCase,
+ testCase.expectedResult1, testCase.expectedResult2,
+ result1, result2)
+ }
+ }
+}
+
+// removeStatements() is called and the result is validated.
+func TestRemoveStatements(t *testing.T) {
+ unknownCondMap1 := make(ConditionMap)
+ unknownCondKeyMap1 := make(ConditionKeyMap)
+ unknownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+ unknownCondMap1.Add("StringNotEquals", unknownCondKeyMap1)
+
+ unknownCondMap11 := make(ConditionMap)
+ unknownCondKeyMap11 := make(ConditionKeyMap)
+ unknownCondKeyMap11.Add("s3:prefix", set.CreateStringSet("hello"))
+ unknownCondMap11.Add("StringNotEquals", unknownCondKeyMap11)
+
+ unknownCondMap12 := make(ConditionMap)
+ unknownCondKeyMap12 := make(ConditionKeyMap)
+ unknownCondKeyMap12.Add("s3:prefix", set.CreateStringSet("hello"))
+ unknownCondMap12.Add("StringNotEquals", unknownCondKeyMap12)
+
+ knownCondMap1 := make(ConditionMap)
+ knownCondKeyMap1 := make(ConditionKeyMap)
+ knownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+ knownCondMap1.Add("StringEquals", knownCondKeyMap1)
+
+ knownCondMap11 := make(ConditionMap)
+ knownCondKeyMap11 := make(ConditionKeyMap)
+ knownCondKeyMap11.Add("s3:prefix", set.CreateStringSet("hello"))
+ knownCondMap11.Add("StringEquals", knownCondKeyMap11)
+
+ knownCondMap12 := make(ConditionMap)
+ knownCondKeyMap12 := make(ConditionKeyMap)
+ knownCondKeyMap12.Add("s3:prefix", set.CreateStringSet("hello"))
+ knownCondMap12.Add("StringEquals", knownCondKeyMap12)
+
+ knownCondMap13 := make(ConditionMap)
+ knownCondKeyMap13 := make(ConditionKeyMap)
+ knownCondKeyMap13.Add("s3:prefix", set.CreateStringSet("hello"))
+ knownCondMap13.Add("StringEquals", knownCondKeyMap13)
+
+ knownCondMap14 := make(ConditionMap)
+ knownCondKeyMap14 := make(ConditionKeyMap)
+ knownCondKeyMap14.Add("s3:prefix", set.CreateStringSet("hello"))
+ knownCondMap14.Add("StringEquals", knownCondKeyMap14)
+
+ knownCondMap2 := make(ConditionMap)
+ knownCondKeyMap2 := make(ConditionKeyMap)
+ knownCondKeyMap2.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+ knownCondMap2.Add("StringEquals", knownCondKeyMap2)
+
+ testCases := []struct {
+ statements []Statement
+ bucketName string
+ prefix string
+ expectedResult string
+ }{
+ // All empty statements, bucket name and prefix.
+ {[]Statement{}, "", "", `[]`},
+ // Non-empty statements, empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Non-empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Non-empty statements, empty bucket name and non-empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{}, "mybucket", "", `[]`},
+ // Empty statements, non-empty bucket name non-empty prefix.
+ {[]Statement{}, "mybucket", "hello", `[]`},
+ // Empty statements, empty bucket name and non-empty prefix.
+ {[]Statement{}, "", "hello", `[]`},
+ // Statement with unknown Actions with empty prefix.
+ {[]Statement{{
+ Actions: set.CreateStringSet("s3:ListBucketVersions", "s3:ListAllMyBuckets"),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListAllMyBuckets","s3:ListBucketVersions"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Actions.
+ {[]Statement{{
+ Actions: set.CreateStringSet("s3:ListBucketVersions", "s3:ListAllMyBuckets"),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListAllMyBuckets","s3:ListBucketVersions"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Effect with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Deny","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Effect.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Deny","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Principal.User.AWS with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::AccountNumberWithoutHyphens:root"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Principal.User.AWS.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::AccountNumberWithoutHyphens:root"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Principal.User.CanonicalUser with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{CanonicalUser: set.CreateStringSet("649262f44b8145cb")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"CanonicalUser":["649262f44b8145cb"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Principal.User.CanonicalUser.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{CanonicalUser: set.CreateStringSet("649262f44b8145cb")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"CanonicalUser":["649262f44b8145cb"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Conditions with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Conditions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statement with unknown Resource and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // Statement with unknown Resource.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // Statement with known Actions with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[]`},
+ // Statement with known Actions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[]`},
+ // Statement with known multiple Actions with empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions).Union(commonBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", `[]`},
+ // Statement with known multiple Actions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions).Union(commonBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", `[]`},
+ // RemoveBucketActions with readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readWriteObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readWriteObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with known Conditions, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, known Conditions, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, known Conditions contains other object prefix, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap2,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with unknown Conditions, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, unknown Conditions, readOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with known Conditions, writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap11,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, known Conditions, writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap11,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with unknown Conditions, writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap11,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, unknown Conditions, writeOnlyInUse.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap11,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with known Conditions, readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap12,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, known Conditions, readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap12,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with unknown Conditions, readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap12,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // RemoveBucketActions with prefix, unknown Conditions, readOnlyInUse and writeOnlyInUse.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap12,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+ // readOnlyObjectActions - RemoveObjectActions with known condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // readOnlyObjectActions - RemoveObjectActions with prefix, known condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[]`},
+ // readOnlyObjectActions - RemoveObjectActions with unknown condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // readOnlyObjectActions - RemoveObjectActions with prefix, unknown condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // writeOnlyObjectActions - RemoveObjectActions with known condition.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap13,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // writeOnlyObjectActions - RemoveObjectActions with prefix, known condition.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap13,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // writeOnlyObjectActions - RemoveObjectActions with unknown condition.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // writeOnlyObjectActions - RemoveObjectActions with prefix, unknown condition.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // readWriteObjectActions - RemoveObjectActions with known condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap14,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // readWriteObjectActions - RemoveObjectActions with prefix, known condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: knownCondMap13,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[]`},
+ // readWriteObjectActions - RemoveObjectActions with unknown condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // readWriteObjectActions - RemoveObjectActions with prefix, unknown condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, {
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ }
+
+ for _, testCase := range testCases {
+ statements := removeStatements(testCase.statements, testCase.bucketName, testCase.prefix)
+ if data, err := json.Marshal(statements); err != nil {
+ t.Fatalf("unable encoding to json, %s", err)
+ } else if string(data) != testCase.expectedResult {
+ t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+ }
+ }
+}
+
+// appendStatement() is called and the result is validated.
+func TestAppendStatement(t *testing.T) {
+ condMap := make(ConditionMap)
+ condKeyMap := make(ConditionKeyMap)
+ condKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+ condMap.Add("StringEquals", condKeyMap)
+
+ condMap1 := make(ConditionMap)
+ condKeyMap1 := make(ConditionKeyMap)
+ condKeyMap1.Add("s3:prefix", set.CreateStringSet("world"))
+ condMap1.Add("StringEquals", condKeyMap1)
+
+ unknownCondMap1 := make(ConditionMap)
+ unknownCondKeyMap1 := make(ConditionKeyMap)
+ unknownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("world"))
+ unknownCondMap1.Add("StringNotEquals", unknownCondKeyMap1)
+
+ testCases := []struct {
+ statements []Statement
+ statement Statement
+ expectedResult string
+ }{
+ // Empty statements and empty new statement.
+ {[]Statement{}, Statement{}, `[]`},
+ // Non-empty statements and empty new statement.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Empty statements and non-empty new statement.
+ {[]Statement{}, Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Append existing statement.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Append same statement with different resource.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // Append same statement with different actions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Elements of new statement contains elements in statements.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // Elements of new statement with conditions contains elements in statements.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // Statements with condition and new statement with condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statements with condition and same resources, and new statement with condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello","world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statements with unknown condition and same resources, and new statement with known condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: unknownCondMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap1,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["world"]},"StringNotEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statements without condition and new statement with condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statements with condition and new statement without condition.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: condMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+ }}, Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // Statements and new statement are different.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, Statement{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ }
+
+ for _, testCase := range testCases {
+ statements := appendStatement(testCase.statements, testCase.statement)
+ if data, err := json.Marshal(statements); err != nil {
+ t.Fatalf("unable encoding to json, %s", err)
+ } else if string(data) != testCase.expectedResult {
+ t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+ }
+ }
+}
+
+// getBucketPolicy() is called and the result is validated.
+func TestGetBucketPolicy(t *testing.T) {
+ helloCondMap := make(ConditionMap)
+ helloCondKeyMap := make(ConditionKeyMap)
+ helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+ helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+ worldCondMap := make(ConditionMap)
+ worldCondKeyMap := make(ConditionKeyMap)
+ worldCondKeyMap.Add("s3:prefix", set.CreateStringSet("world"))
+ worldCondMap.Add("StringEquals", worldCondKeyMap)
+
+ notHelloCondMap := make(ConditionMap)
+ notHelloCondMap.Add("StringNotEquals", worldCondKeyMap)
+
+ testCases := []struct {
+ statement Statement
+ prefix string
+ expectedResult1 bool
+ expectedResult2 bool
+ expectedResult3 bool
+ }{
+ // Statement with invalid Effect.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with invalid Effect with prefix.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+ // Statement with invalid Principal.AWS.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with invalid Principal.AWS with prefix.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+
+ // Statement with commonBucketActions.
+ {Statement{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", true, false, false},
+ // Statement with commonBucketActions.
+ {Statement{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", true, false, false},
+
+ // Statement with commonBucketActions and condition.
+ {Statement{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with commonBucketActions and condition.
+ {Statement{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+ // Statement with writeOnlyBucketActions.
+ {Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, true},
+ // Statement with writeOnlyBucketActions.
+ {Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, true},
+ // Statement with writeOnlyBucketActions and condition
+ {Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with writeOnlyBucketActions and condition.
+ {Statement{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+ // Statement with readOnlyBucketActions.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, true, false},
+ // Statement with readOnlyBucketActions.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, true, false},
+ // Statement with readOnlyBucketActions with empty condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with readOnlyBucketActions with empty condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+ // Statement with readOnlyBucketActions with matching condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with readOnlyBucketActions with matching condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, true, false},
+
+ // Statement with readOnlyBucketActions with different condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: worldCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with readOnlyBucketActions with different condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: worldCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, false, false},
+
+ // Statement with readOnlyBucketActions with StringNotEquals condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: notHelloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "", false, false, false},
+ // Statement with readOnlyBucketActions with StringNotEquals condition.
+ {Statement{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: notHelloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }, "hello", false, true, false},
+ }
+
+ for _, testCase := range testCases {
+ commonFound, readOnly, writeOnly := getBucketPolicy(testCase.statement, testCase.prefix)
+ if !(testCase.expectedResult1 == commonFound && testCase.expectedResult2 == readOnly && testCase.expectedResult3 == writeOnly) {
+ t.Fatalf("%+v: expected: [%t,%t,%t], got: [%t,%t,%t]", testCase,
+ testCase.expectedResult1, testCase.expectedResult2, testCase.expectedResult3,
+ commonFound, readOnly, writeOnly)
+ }
+ }
+}
+
+// getObjectPolicy() is called and the result is validated.
+func TestGetObjectPolicy(t *testing.T) {
+ testCases := []struct {
+ statement Statement
+ expectedResult1 bool
+ expectedResult2 bool
+ }{
+ // Statement with invalid Effect.
+ {Statement{
+ Actions: readOnlyObjectActions,
+ Effect: "Deny",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, false, false},
+ // Statement with invalid Principal.AWS.
+ {Statement{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, false, false},
+ // Statement with condition.
+ {Statement{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: make(ConditionMap),
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, false, false},
+ // Statement with readOnlyObjectActions.
+ {Statement{
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, true, false},
+ // Statement with writeOnlyObjectActions.
+ {Statement{
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, false, true},
+ // Statement with readOnlyObjectActions and writeOnlyObjectActions.
+ {Statement{
+ Actions: readOnlyObjectActions.Union(writeOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+ }, true, true},
+ }
+
+ for _, testCase := range testCases {
+ readOnly, writeOnly := getObjectPolicy(testCase.statement)
+ if !(testCase.expectedResult1 == readOnly && testCase.expectedResult2 == writeOnly) {
+ t.Fatalf("%+v: expected: [%t,%t], got: [%t,%t]", testCase,
+ testCase.expectedResult1, testCase.expectedResult2,
+ readOnly, writeOnly)
+ }
+ }
+}
+
+// GetPolicyRules is called and the result is validated
+func TestListBucketPolicies(t *testing.T) {
+
+ // Condition for read objects
+ downloadCondMap := make(ConditionMap)
+ downloadCondKeyMap := make(ConditionKeyMap)
+ downloadCondKeyMap.Add("s3:prefix", set.CreateStringSet("download"))
+ downloadCondMap.Add("StringEquals", downloadCondKeyMap)
+
+ // Condition for readwrite objects
+ downloadUploadCondMap := make(ConditionMap)
+ downloadUploadCondKeyMap := make(ConditionKeyMap)
+ downloadUploadCondKeyMap.Add("s3:prefix", set.CreateStringSet("both"))
+ downloadUploadCondMap.Add("StringEquals", downloadUploadCondKeyMap)
+
+ testCases := []struct {
+ statements []Statement
+ bucketName string
+ prefix string
+ expectedResult map[string]BucketPolicy
+ }{
+ // Empty statements, bucket name and prefix.
+ {[]Statement{}, "", "", map[string]BucketPolicy{}},
+ // Non-empty statements, empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "", map[string]BucketPolicy{}},
+ // Empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{}, "mybucket", "", map[string]BucketPolicy{}},
+ // Readonly object statement
+ {[]Statement{
+ {
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ },
+ {
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: downloadCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ },
+ {
+ Actions: readOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/download*"),
+ }}, "mybucket", "", map[string]BucketPolicy{"mybucket/download*": BucketPolicyReadOnly}},
+ // Write Only
+ {[]Statement{
+ {
+ Actions: commonBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ },
+ {
+ Actions: writeOnlyObjectActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/upload*"),
+ }}, "mybucket", "", map[string]BucketPolicy{"mybucket/upload*": BucketPolicyWriteOnly}},
+ // Readwrite
+ {[]Statement{
+ {
+ Actions: commonBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ },
+ {
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: downloadUploadCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ },
+ {
+ Actions: writeOnlyObjectActions.Union(readOnlyObjectActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket/both*"),
+ }}, "mybucket", "", map[string]BucketPolicy{"mybucket/both*": BucketPolicyReadWrite}},
+ }
+
+ for _, testCase := range testCases {
+ policyRules := GetPolicies(testCase.statements, testCase.bucketName)
+ if !reflect.DeepEqual(testCase.expectedResult, policyRules) {
+ t.Fatalf("%+v:\n expected: %+v, got: %+v", testCase, testCase.expectedResult, policyRules)
+ }
+ }
+}
+
+// GetPolicy() is called and the result is validated.
+func TestGetPolicy(t *testing.T) {
+ helloCondMap := make(ConditionMap)
+ helloCondKeyMap := make(ConditionKeyMap)
+ helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+ helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+ testCases := []struct {
+ statements []Statement
+ bucketName string
+ prefix string
+ expectedResult BucketPolicy
+ }{
+ // Empty statements, bucket name and prefix.
+ {[]Statement{}, "", "", BucketPolicyNone},
+ // Non-empty statements, empty bucket name and empty prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "", "", BucketPolicyNone},
+ // Empty statements, non-empty bucket name and empty prefix.
+ {[]Statement{}, "mybucket", "", BucketPolicyNone},
+ // not-matching Statements.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // not-matching Statements with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only commonBucketActions.
+ {[]Statement{{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only commonBucketActions with prefix.
+ {[]Statement{{
+ Actions: commonBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions with conditions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions with prefix with conditons.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only writeOnlyBucketActions.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only writeOnlyBucketActions with prefix.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions + writeOnlyBucketActions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions + writeOnlyBucketActions with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions + writeOnlyBucketActions and conditions.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "", BucketPolicyNone},
+ // Statements with only readOnlyBucketActions + writeOnlyBucketActions and conditions with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions.Union(writeOnlyBucketActions),
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, "mybucket", "hello", BucketPolicyNone},
+ }
+
+ for _, testCase := range testCases {
+ policy := GetPolicy(testCase.statements, testCase.bucketName, testCase.prefix)
+ if testCase.expectedResult != policy {
+ t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, policy)
+ }
+ }
+}
+
+// SetPolicy() is called and the result is validated.
+func TestSetPolicy(t *testing.T) {
+ helloCondMap := make(ConditionMap)
+ helloCondKeyMap := make(ConditionKeyMap)
+ helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+ helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+ testCases := []struct {
+ statements []Statement
+ policy BucketPolicy
+ bucketName string
+ prefix string
+ expectedResult string
+ }{
+ // BucketPolicyNone - empty statements, bucket name and prefix.
+ {[]Statement{}, BucketPolicyNone, "", "", `[]`},
+ // BucketPolicyNone - non-empty statements, bucket name and prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyNone, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+ // BucketPolicyNone - empty statements, non-empty bucket name and prefix.
+ {[]Statement{}, BucketPolicyNone, "mybucket", "", `[]`},
+ // BucketPolicyNone - empty statements, bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyNone, "", "hello", `[]`},
+ // BucketPolicyReadOnly - empty statements, bucket name and prefix.
+ {[]Statement{}, BucketPolicyReadOnly, "", "", `[]`},
+ // BucketPolicyReadOnly - non-empty statements, bucket name and prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, BucketPolicyReadOnly, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // BucketPolicyReadOnly - empty statements, non-empty bucket name and prefix.
+ {[]Statement{}, BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyReadOnly - empty statements, bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyReadOnly, "", "hello", `[]`},
+ // BucketPolicyReadOnly - empty statements, non-empty bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // BucketPolicyWriteOnly - empty statements, bucket name and prefix.
+ {[]Statement{}, BucketPolicyReadOnly, "", "", `[]`},
+ // BucketPolicyWriteOnly - non-empty statements, bucket name and prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, BucketPolicyWriteOnly, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // BucketPolicyWriteOnly - empty statements, non-empty bucket name and prefix.
+ {[]Statement{}, BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyWriteOnly - empty statements, bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyWriteOnly, "", "hello", `[]`},
+ // BucketPolicyWriteOnly - empty statements, non-empty bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // BucketPolicyReadWrite - empty statements, bucket name and prefix.
+ {[]Statement{}, BucketPolicyReadWrite, "", "", `[]`},
+ // BucketPolicyReadWrite - non-empty statements, bucket name and prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+ }}, BucketPolicyReadWrite, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+ // BucketPolicyReadWrite - empty statements, non-empty bucket name and prefix.
+ {[]Statement{}, BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // BucketPolicyReadWrite - empty statements, bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyReadWrite, "", "hello", `[]`},
+ // BucketPolicyReadWrite - empty statements, non-empty bucket name and non-empty prefix.
+ {[]Statement{}, BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // Set readonly.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // Set readonly with prefix.
+ {[]Statement{{
+ Actions: writeOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ // Set writeonly.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // Set writeonly with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+
+ // Set readwrite.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+ // Set readwrite with prefix.
+ {[]Statement{{
+ Actions: readOnlyBucketActions,
+ Effect: "Allow",
+ Principal: User{AWS: set.CreateStringSet("*")},
+ Conditions: helloCondMap,
+ Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+ }}, BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+ }
+
+ for _, testCase := range testCases {
+ statements := SetPolicy(testCase.statements, testCase.policy, testCase.bucketName, testCase.prefix)
+ if data, err := json.Marshal(statements); err != nil {
+ t.Fatalf("unable encoding to json, %s", err)
+ } else if string(data) != testCase.expectedResult {
+ t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+ }
+ }
+}
+
+// Validates bucket policy string.
+func TestIsValidBucketPolicy(t *testing.T) {
+ testCases := []struct {
+ inputPolicy BucketPolicy
+ expectedResult bool
+ }{
+ // valid inputs.
+ {BucketPolicy("none"), true},
+ {BucketPolicy("readonly"), true},
+ {BucketPolicy("readwrite"), true},
+ {BucketPolicy("writeonly"), true},
+ // invalid input.
+ {BucketPolicy("readwriteonly"), false},
+ {BucketPolicy("writeread"), false},
+ }
+
+ for i, testCase := range testCases {
+ actualResult := testCase.inputPolicy.IsValidBucketPolicy()
+ if testCase.expectedResult != actualResult {
+ t.Errorf("Test %d: Expected IsValidBucket policy to be '%v' for policy \"%s\", but instead found it to be '%v'", i+1, testCase.expectedResult, testCase.inputPolicy, actualResult)
+ }
+ }
+}
+
+// Tests validate Bucket policy resource matcher.
+func TestBucketPolicyResourceMatch(t *testing.T) {
+
+ // generates\ statement with given resource..
+ generateStatement := func(resource string) Statement {
+ statement := Statement{}
+ statement.Resources = set.CreateStringSet(resource)
+ return statement
+ }
+
+ // generates resource prefix.
+ generateResource := func(bucketName, objectName string) string {
+ return awsResourcePrefix + bucketName + "/" + objectName
+ }
+
+ testCases := []struct {
+ resourceToMatch string
+ statement Statement
+ expectedResourceMatch bool
+ }{
+ // Test case 1-4.
+ // Policy with resource ending with bucket/* allows access to all objects inside the given bucket.
+ {generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+ {generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+ {generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+ {generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+ // Test case - 5.
+ // Policy with resource ending with bucket/oo* should not allow access to bucket/output.txt.
+ {generateResource("minio-bucket", "output.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), false},
+ // Test case - 6.
+ // Policy with resource ending with bucket/oo* should allow access to bucket/ootput.txt.
+ {generateResource("minio-bucket", "ootput.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), true},
+ // Test case - 7.
+ // Policy with resource ending with bucket/oo* allows access to all subfolders starting with "oo" inside given bucket.
+ {generateResource("minio-bucket", "oop-bucket/my-file"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), true},
+ // Test case - 8.
+ {generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
+ // Test case - 9.
+ {generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
+ // Test case - 10.
+ // Proves that the name space is flat.
+ {generateResource("minio-bucket", "Africa/Bihar/India/design_info.doc/Bihar"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix,
+ "minio-bucket"+"/*/India/*/Bihar")), true},
+ // Test case - 11.
+ // Proves that the name space is flat.
+ {generateResource("minio-bucket", "Asia/China/India/States/Bihar/output.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix,
+ "minio-bucket"+"/*/India/*/Bihar/*")), true},
+ }
+ for i, testCase := range testCases {
+ resources := testCase.statement.Resources.FuncMatch(resourceMatch, testCase.resourceToMatch)
+ actualResourceMatch := resources.Equals(testCase.statement.Resources)
+ if testCase.expectedResourceMatch != actualResourceMatch {
+ t.Errorf("Test %d: Expected Resource match to be `%v`, but instead found it to be `%v`", i+1, testCase.expectedResourceMatch, actualResourceMatch)
+ }
+ }
+}
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-06-01 08:29:19 +0000