test: tagging, more run/assert changes, dockerfile, test split-ups

Author: lrm25

.github/workflows/docker-bats.yaml

@@ -25,4 +25,4 @@ jobs:
         run: sudo apt-get install -y docker-compose
 
       - name: Run Docker Container
-        run: docker-compose -f tests/docker-compose-bats.yml up --exit-code-from s3api_only s3api_only
+        run: docker-compose -f tests/docker-compose-bats.yml up --exit-code-from s3api_np_only s3api_np_only

.github/workflows/system.yml

@@ -30,7 +30,7 @@ jobs:
             RECREATE_BUCKETS: "true"
             PORT: 7071
             BACKEND: "posix"
-          - set: "s3api, posix"
+          - set: "s3api non-policy, posix"
             LOCAL_FOLDER: /tmp/gw3
             BUCKET_ONE_NAME: versity-gwtest-bucket-one-3
             BUCKET_TWO_NAME: versity-gwtest-bucket-two-3
@@ -74,7 +74,7 @@ jobs:
             RECREATE_BUCKETS: "false"
             PORT: 7075
             BACKEND: "posix"
-          - set: "s3api, s3 backend"
+          - set: "s3api non-policy, s3 backend"
             LOCAL_FOLDER: /tmp/gw7
             BUCKET_ONE_NAME: versity-gwtest-bucket-one-7
             BUCKET_TWO_NAME: versity-gwtest-bucket-two-7
@@ -118,6 +118,28 @@ jobs:
             RECREATE_BUCKETS: "false"
             PORT: 7079
             BACKEND: "posix"
+          - set: "s3api policy and user, posix"
+            LOCAL_FOLDER: /tmp/gw11
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-10
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-10
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam11
+            AWS_ENDPOINT_URL: https://127.0.0.1:7080
+            RUN_SET: "s3api-policy,s3api-user"
+            RECREATE_BUCKETS: "true"
+            PORT: 7080
+            BACKEND: "posix"
+          - set: "s3api policy and user, s3 backend"
+            LOCAL_FOLDER: /tmp/gw12
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-11
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-11
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam12
+            AWS_ENDPOINT_URL: https://127.0.0.1:7081
+            RUN_SET: "s3api-policy,s3api-user"
+            RECREATE_BUCKETS: "true"
+            PORT: 7081
+            BACKEND: "s3"
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4
@@ -152,7 +174,7 @@ jobs:
         run: |
           sudo apt-get install libxml2-utils
 
-      - name: Build and run, posix backend
+      - name: Build and run
         env:
           LOCAL_FOLDER: ${{ matrix.LOCAL_FOLDER }}
           BUCKET_ONE_NAME: ${{ matrix.BUCKET_ONE_NAME }}

tests/commands/delete_object_tagging.sh

@@ -20,10 +20,13 @@ delete_object_tagging() {
     echo "delete object tagging command missing command type, bucket, key"
     return 1
   fi
+  delete_result=0
   if [[ $1 == 'aws' ]]; then
     error=$(aws --no-verify-ssl s3api delete-object-tagging --bucket "$2" --key "$3" 2>&1) || delete_result=$?
   elif [[ $1 == 'mc' ]]; then
     error=$(mc --insecure tag remove "$MC_ALIAS/$2/$3") || delete_result=$?
+  elif [ "$1" == 'rest' ]; then
+    delete_object_tagging_rest "$2" "$3" || delete_result=$?
   else
     echo "delete-object-tagging command not implemented for '$1'"
     return 1
@@ -33,4 +36,46 @@ delete_object_tagging() {
     return 1
   fi
   return 0
-}
+}
+
+delete_object_tagging_rest() {
+  if [ $# -ne 2 ]; then
+    log 2 "'delete_object_tagging' requires bucket, key"
+    return 1
+  fi
+
+  generate_hash_for_payload ""
+
+  current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
+  aws_endpoint_url_address=${AWS_ENDPOINT_URL#*//}
+  header=$(echo "$AWS_ENDPOINT_URL" | awk -F: '{print $1}')
+  # shellcheck disable=SC2154
+  canonical_request="DELETE
+/$1/$2
+tagging=
+host:$aws_endpoint_url_address
+x-amz-content-sha256:$payload_hash
+x-amz-date:$current_date_time
+
+host;x-amz-content-sha256;x-amz-date
+$payload_hash"
+
+  if ! generate_sts_string "$current_date_time" "$canonical_request"; then
+    log 2 "error generating sts string"
+    return 1
+  fi
+  get_signature
+  # shellcheck disable=SC2154
+  reply=$(curl -ks -w "%{http_code}" -X DELETE "$header://$aws_endpoint_url_address/$1/$2?tagging" \
+    -H "Authorization: AWS4-HMAC-SHA256 Credential=$AWS_ACCESS_KEY_ID/$ymd/$AWS_REGION/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature" \
+    -H "x-amz-content-sha256: $payload_hash" \
+    -H "x-amz-date: $current_date_time" \
+    -d "$tagging" -o "$TEST_FILE_FOLDER"/delete_tagging_error.txt 2>&1)
+  log 5 "reply status code: $reply"
+  if [[ "$reply" != "204" ]]; then
+    log 2 "reply error: $reply"
+    log 2 "put object tagging command returned error: $(cat "$TEST_FILE_FOLDER"/delete_tagging_error.txt)"
+    return 1
+  fi
+  return 0
+}

tests/commands/get_object.sh

@@ -50,8 +50,7 @@ get_object_with_range() {
     log 2 "'get object with range' requires bucket, key, range, outfile"
     return 1
   fi
-  get_object_error=$(aws --no-verify-ssl s3api get-object --bucket "$1" --key "$2" --range "$3" "$4" 2>&1) || local exit_code=$?
-  if [[ $exit_code -ne 0 ]]; then
+  if ! get_object_error=$(aws --no-verify-ssl s3api get-object --bucket "$1" --key "$2" --range "$3" "$4" 2>&1); then
     log 2 "error getting object with range: $get_object_error"
     return 1
   fi

tests/commands/get_object_tagging.sh

@@ -21,10 +21,12 @@ get_object_tagging() {
     return 1
   fi
   local result
-  if [[ $1 == 'aws' ]] || [[ $1 == 's3api' ]]; then
+  if [[ "$1" == 'aws' ]] || [[ $1 == 's3api' ]]; then
     tags=$(aws --no-verify-ssl s3api get-object-tagging --bucket "$2" --key "$3" 2>&1) || result=$?
-  elif [[ $1 == 'mc' ]]; then
+  elif [[ "$1" == 'mc' ]]; then
     tags=$(mc --insecure tag list "$MC_ALIAS"/"$2"/"$3" 2>&1) || result=$?
+  elif [ "$1" == 'rest' ]; then
+    get_object_tagging_rest "$2" "$3" || result=$?
   else
     log 2 "invalid command type $1"
     return 1
@@ -41,4 +43,50 @@ get_object_tagging() {
     tags=$(echo "$tags" | grep -v "InsecureRequestWarning")
   fi
   export tags
+}
+
+get_object_tagging_rest() {
+  if [ $# -ne 2 ]; then
+    log 2 "'get_object_tagging' requires bucket, key"
+    return 1
+  fi
+
+  generate_hash_for_payload ""
+
+  current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
+  aws_endpoint_url_address=${AWS_ENDPOINT_URL#*//}
+  header=$(echo "$AWS_ENDPOINT_URL" | awk -F: '{print $1}')
+  # shellcheck disable=SC2154
+  canonical_request="GET
+/$1/$2
+tagging=
+host:$aws_endpoint_url_address
+x-amz-content-sha256:$payload_hash
+x-amz-date:$current_date_time
+
+host;x-amz-content-sha256;x-amz-date
+$payload_hash"
+
+  if ! generate_sts_string "$current_date_time" "$canonical_request"; then
+    log 2 "error generating sts string"
+    return 1
+  fi
+  get_signature
+  # shellcheck disable=SC2154
+  reply=$(curl -ks -w "%{http_code}" "$header://$aws_endpoint_url_address/$1/$2?tagging" \
+    -H "Authorization: AWS4-HMAC-SHA256 Credential=$AWS_ACCESS_KEY_ID/$ymd/$AWS_REGION/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature" \
+    -H "x-amz-content-sha256: $payload_hash" \
+    -H "x-amz-date: $current_date_time" \
+    -o "$TEST_FILE_FOLDER"/object_tags.txt 2>&1)
+  log 5 "reply status code: $reply"
+  if [[ "$reply" != "200" ]]; then
+    if [ "$reply" == "404" ]; then
+      return 1
+    fi
+    log 2 "reply error: $reply"
+    log 2 "get object tagging command returned error: $(cat "$TEST_FILE_FOLDER"/object_tags.txt)"
+    return 2
+  fi
+  log 5 "object tags:  $(cat "$TEST_FILE_FOLDER"/object_tags.txt)"
+  return 0
 }

tests/commands/put_object_tagging.sh

@@ -16,7 +16,7 @@
 
 put_object_tagging() {
   if [ $# -ne 5 ]; then
-    log 2 "'put-object-tagging' command missing command type, object name, file, key, and/or value"
+    log 2 "'put-object-tagging' command missing command type, bucket, object name, file, key, and/or value"
     return 1
   fi
   local error
@@ -26,6 +26,8 @@ put_object_tagging() {
     error=$(aws --no-verify-ssl s3api put-object-tagging --bucket "$2" --key "$3" --tagging "TagSet=[{Key=$4,Value=$5}]" 2>&1) || result=$?
   elif [[ $1 == 'mc' ]]; then
     error=$(mc --insecure tag set "$MC_ALIAS"/"$2"/"$3" "$4=$5" 2>&1) || result=$?
+  elif [[ $1 == 'rest' ]]; then
+    put_object_tagging_rest "$2" "$3" "$4" "$5" || result=$?
   else
     log 2 "invalid command type $1"
     return 1
@@ -35,4 +37,56 @@ put_object_tagging() {
     return 1
   fi
   return 0
-}
+}
+
+put_object_tagging_rest() {
+  if [ $# -ne 4 ]; then
+    log 2 "'put_object_tagging' requires bucket, key, tag key, tag value"
+    return 1
+  fi
+
+  tagging="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<Tagging xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">
+  <TagSet>
+    <Tag>
+      <Key>$3</Key>
+      <Value>$4</Value>
+    </Tag>
+  </TagSet>
+</Tagging>"
+
+  generate_hash_for_payload "$tagging"
+
+  current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
+  aws_endpoint_url_address=${AWS_ENDPOINT_URL#*//}
+  header=$(echo "$AWS_ENDPOINT_URL" | awk -F: '{print $1}')
+  # shellcheck disable=SC2154
+  canonical_request="PUT
+/$1/$2
+tagging=
+host:$aws_endpoint_url_address
+x-amz-content-sha256:$payload_hash
+x-amz-date:$current_date_time
+
+host;x-amz-content-sha256;x-amz-date
+$payload_hash"
+
+  if ! generate_sts_string "$current_date_time" "$canonical_request"; then
+    log 2 "error generating sts string"
+    return 1
+  fi
+  get_signature
+  # shellcheck disable=SC2154
+  reply=$(curl -ks -w "%{http_code}" -X PUT "$header://$aws_endpoint_url_address/$1/$2?tagging" \
+    -H "Authorization: AWS4-HMAC-SHA256 Credential=$AWS_ACCESS_KEY_ID/$ymd/$AWS_REGION/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature" \
+    -H "x-amz-content-sha256: $payload_hash" \
+    -H "x-amz-date: $current_date_time" \
+    -d "$tagging" -o "$TEST_FILE_FOLDER"/put_tagging_error.txt 2>&1)
+  log 5 "reply status code: $reply"
+  if [[ "$reply" != "200" ]]; then
+    log 2 "reply error: $reply"
+    log 2 "put object tagging command returned error: $(cat "$TEST_FILE_FOLDER"/put_tagging_error.txt)"
+    return 1
+  fi
+  return 0
+}

tests/docker-compose-bats.yml

@@ -25,14 +25,14 @@ services:
       args:
         - CONFIG_FILE=tests/.env.s3
         - SECRETS_FILE=tests/.secrets.s3
-  s3api_only:
+  s3api_np_only:
     build:
       context: ../
       dockerfile: tests/Dockerfile_test_bats
       args:
         - CONFIG_FILE=tests/.env.default
     image: bats_test
-    command: ["s3api"]
+    command: ["s3api-non-policy"]
   direct:
     build:
       context: ../

tests/logger.sh

@@ -49,29 +49,40 @@ log_mask() {
     echo "mask and log requires level, string"
     return 1
   fi
-  local masked_args=()  # Initialize an array to hold the masked arguments
+  masked_args=()  # Initialize an array to hold the masked arguments
 
   IFS=' ' read -r -a array <<< "$2"
 
   mask_next=false
   for arg in "${array[@]}"; do
-    if [[ $mask_next == true ]]; then
-      masked_args+=("********")
-      mask_next=false
-    elif [[ "$arg" == --secret_key=* ]]; then
-      masked_args+=("--secret_key=********")
-    elif [[ "$arg" == --secret=* ]]; then
-      masked_args+=("--secret=********")
-    else
-      if [[ "$arg" == "--secret_key" ]] || [[ "$arg" == "--secret" ]] || [[ "$arg" == "--s3-iam-secret" ]]; then
-        mask_next=true
-      fi
-      masked_args+=("$arg")
+    if ! check_arg_for_mask "$arg"; then
+      echo "error checking arg for mask"
+      return 1
     fi
   done
   log_message "$log_level" "${masked_args[*]}"
 }
 
+check_arg_for_mask() {
+  if [ $# -ne 1 ]; then
+    echo "'check_arg_for_mask' requires arg"
+    return 1
+  fi
+  if [[ $mask_next == true ]]; then
+    masked_args+=("********")
+    mask_next=false
+  elif [[ "$arg" == --secret_key=* ]]; then
+    masked_args+=("--secret_key=********")
+  elif [[ "$arg" == --secret=* ]]; then
+    masked_args+=("--secret=********")
+  else
+    if [[ "$arg" == "--secret_key" ]] || [[ "$arg" == "--secret" ]] || [[ "$arg" == "--s3-iam-secret" ]]; then
+      mask_next=true
+    fi
+    masked_args+=("$arg")
+  fi
+}
+
 log_message() {
   if [[ $# -ne 2 ]]; then
     echo "log message requires level, message"