test: REST acl public-read-write test, other acl test, cleanup

tests/commands/delete_object_tagging.sh

@@ -43,38 +43,12 @@ delete_object_tagging_rest() {
     log 2 "'delete_object_tagging' requires bucket, key"
     return 1
   fi
-
-  generate_hash_for_payload ""
-
-  current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
-  aws_endpoint_url_address=${AWS_ENDPOINT_URL#*//}
-  header=$(echo "$AWS_ENDPOINT_URL" | awk -F: '{print $1}')
-  # shellcheck disable=SC2154
-  canonical_request="DELETE
-/$1/$2
-tagging=
-host:$aws_endpoint_url_address
-x-amz-content-sha256:$payload_hash
-x-amz-date:$current_date_time
-
-host;x-amz-content-sha256;x-amz-date
-$payload_hash"
-
-  if ! generate_sts_string "$current_date_time" "$canonical_request"; then
-    log 2 "error generating sts string"
+  if ! result=$(BUCKET_NAME="$1" OBJECT_KEY="$2" OUTPUT_FILE="$TEST_FILE_FOLDER/response.txt" ./tests/rest_scripts/delete_object_tagging.sh); then
+    log 2 "error sending delete object tagging REST command: $result"
     return 1
   fi
-  get_signature
-  # shellcheck disable=SC2154
-  reply=$(send_command curl -ks -w "%{http_code}" -X DELETE "$header://$aws_endpoint_url_address/$1/$2?tagging" \
-    -H "Authorization: AWS4-HMAC-SHA256 Credential=$AWS_ACCESS_KEY_ID/$ymd/$AWS_REGION/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature" \
-    -H "x-amz-content-sha256: $payload_hash" \
-    -H "x-amz-date: $current_date_time" \
-    -d "$tagging" -o "$TEST_FILE_FOLDER"/delete_tagging_error.txt 2>&1)
-  log 5 "reply status code: $reply"
-  if [[ "$reply" != "204" ]]; then
-    log 2 "reply error: $reply"
-    log 2 "put object tagging command returned error: $(cat "$TEST_FILE_FOLDER"/delete_tagging_error.txt)"
+  if [ "$result" != "204" ]; then
+    log 2 "delete-object-tagging returned code $result (response: $(cat "$TEST_FILE_FOLDER/response.txt"))"
     return 1
   fi
   return 0

tests/env.sh

@@ -136,7 +136,7 @@ check_universal_vars() {
     exit 1
   fi
   if [ ! -d "$TEST_FILE_FOLDER" ]; then
-    if ! error=$(mkdir -p "$TEST_FILE_FOLDER"); then
+    if ! error=$(mkdir -p "$TEST_FILE_FOLDER" 2>&1); then
       log 2 "error creating test folder: $error"
       exit 1
     fi

tests/rest_scripts/delete_object_tagging.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source ./tests/rest_scripts/rest.sh
+
+# Fields
+
+# shellcheck disable=SC2153
+bucket_name="$BUCKET_NAME"
+# shellcheck disable=SC2153
+key="$OBJECT_KEY"
+
+current_date_time=$(date -u +"%Y%m%dT%H%M%SZ")
+
+canonical_request="DELETE
+/$bucket_name/$key
+tagging=
+host:$host
+x-amz-content-sha256:UNSIGNED-PAYLOAD
+x-amz-date:$current_date_time
+
+host;x-amz-content-sha256;x-amz-date
+UNSIGNED-PAYLOAD"
+
+create_canonical_hash_sts_and_signature
+
+curl_command+=(curl -ks -w "\"%{http_code}\"" -X DELETE "$AWS_ENDPOINT_URL/$bucket_name/$key?tagging"
+-H "\"Authorization: AWS4-HMAC-SHA256 Credential=$aws_access_key_id/$year_month_day/$aws_region/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=$signature\""
+-H "\"x-amz-content-sha256: UNSIGNED-PAYLOAD\""
+-H "\"x-amz-date: $current_date_time\""
+-o "$OUTPUT_FILE")
+
+# shellcheck disable=SC2154
+eval "${curl_command[*]}" 2>&1

tests/run.sh

@@ -141,7 +141,11 @@ run_suite() {
       ;;
     rest)
       echo "Running rest tests ..."
-      "$HOME"/bin/bats ./tests/test_rest.sh || exit_code=$?
+      if "$HOME"/bin/bats ./tests/test_rest.sh; then
+        "$HOME"/bin/bats ./tests/test_rest_acl.sh || exit_code=$?
+      else
+        exit_code=1
+      fi
       ;;
     s3api-user)
       echo "Running s3api user tests ..."

tests/test_rest.sh

@@ -437,90 +437,3 @@ export RUN_USERS=true
   run put_and_check_policy_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/policy_file.txt" "Allow" "$USERNAME_ONE" "s3:PutBucketTagging" "arn:aws:s3:::$BUCKET_ONE_NAME"
   assert_success
 }
-
-@test "REST - get ACL" {
-  if [ "$DIRECT" != "true" ]; then
-    skip "https://github.com/versity/versitygw/issues/971"
-  fi
-  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
-  assert_success
-
-  run get_and_check_acl_rest "$BUCKET_ONE_NAME"
-  assert_success
-}
-
-@test "REST - put ACL" {
-  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
-  assert_success
-
-  test_file="test_file"
-  run create_test_files "$test_file"
-  assert_success
-
-  run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
-  assert_success
-
-  run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
-  assert_success
-
-  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
-  assert_success
-  canonical_id=${lines[0]}
-  user_canonical_id=${lines[1]}
-  username=${lines[2]}
-  password=${lines[3]}
-
-  run setup_acl "$TEST_FILE_FOLDER/acl-file.txt" "$user_canonical_id" "READ" "$canonical_id"
-  assert_success
-
-  run list_objects_with_user_rest_verify_access_denied "$BUCKET_ONE_NAME" "$username" "$password"
-  assert_success
-
-  run put_acl_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/acl-file.txt"
-  assert_success
-
-  if [ "$DIRECT" == "true" ]; then
-    sleep 5
-  fi
-
-  run list_objects_with_user_rest_verify_success "$BUCKET_ONE_NAME" "$username" "$password" "$test_file"
-  assert_success
-}
-
-@test "REST - put public-read canned acl" {
-  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
-  assert_success
-
-  test_file="test_file"
-  run create_test_files "$test_file"
-  assert_success
-
-  run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
-  assert_success
-
-  run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
-  assert_success
-
-  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
-  assert_success
-  canonical_id=${lines[0]}
-  user_canonical_id=${lines[1]}
-  username=${lines[2]}
-  password=${lines[3]}
-
-  run list_objects_with_user_rest_verify_access_denied "$BUCKET_ONE_NAME" "$username" "$password"
-  assert_success
-
-  run setup_acl "$TEST_FILE_FOLDER/acl-file.txt" "$user_canonical_id" "READ" "$canonical_id"
-  assert_success
-
-  if [ "$DIRECT" == "true" ]; then
-    run allow_public_access "$BUCKET_ONE_NAME"
-    assert_success
-  fi
-  run put_acl_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/acl-file.txt"
-  assert_success
-
-  run list_objects_with_user_rest_verify_success "$BUCKET_ONE_NAME" "$username" "$password" "$test_file"
-  assert_success
-}

tests/test_rest_acl.sh

@@ -0,0 +1,167 @@
+#!/usr/bin/env bats
+
+# Copyright 2024 Versity Software
+# This file is licensed under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source ./tests/commands/put_object.sh
+source ./tests/logger.sh
+source ./tests/setup.sh
+source ./tests/util/util.sh
+source ./tests/util/util_acl.sh
+
+export RUN_USERS=true
+
+@test "REST - get ACL" {
+  if [ "$DIRECT" != "true" ]; then
+    skip "https://github.com/versity/versitygw/issues/971"
+  fi
+  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+  assert_success
+
+  run get_and_check_acl_rest "$BUCKET_ONE_NAME"
+  assert_success
+}
+
+@test "REST - put ACL" {
+  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+  assert_success
+
+  test_file="test_file"
+  run create_test_files "$test_file"
+  assert_success
+
+  run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
+  assert_success
+
+  run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+  assert_success
+
+  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
+  assert_success
+  canonical_id=${lines[0]}
+  user_canonical_id=${lines[1]}
+  username=${lines[2]}
+  password=${lines[3]}
+
+  run setup_acl "$TEST_FILE_FOLDER/acl-file.txt" "$user_canonical_id" "READ" "$canonical_id"
+  assert_success
+
+  run list_objects_with_user_rest_verify_access_denied "$BUCKET_ONE_NAME" "$username" "$password"
+  assert_success
+
+  run put_acl_rest "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/acl-file.txt"
+  assert_success
+
+  if [ "$DIRECT" == "true" ]; then
+    sleep 5
+  fi
+
+  run list_objects_with_user_rest_verify_success "$BUCKET_ONE_NAME" "$username" "$password" "$test_file"
+  assert_success
+}
+
+@test "REST - put public-read canned acl" {
+  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+  assert_success
+
+  test_file="test_file"
+  run create_test_files "$test_file"
+  assert_success
+
+  run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
+  assert_success
+
+  run put_object "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file"
+  assert_success
+
+  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
+  assert_success
+  canonical_id=${lines[0]}
+  user_canonical_id=${lines[1]}
+  username=${lines[2]}
+  password=${lines[3]}
+
+  run list_objects_with_user_rest_verify_access_denied "$BUCKET_ONE_NAME" "$username" "$password"
+  assert_success
+
+  if [ "$DIRECT" == "true" ]; then
+    run allow_public_access "$BUCKET_ONE_NAME"
+    assert_success
+  fi
+  run put_canned_acl_rest "$BUCKET_ONE_NAME" "public-read"
+  assert_success
+
+  run list_objects_with_user_rest_verify_success "$BUCKET_ONE_NAME" "$username" "$password" "$test_file"
+  assert_success
+}
+
+@test "REST - put invalid ACL" {
+  if [ "$DIRECT" != "true" ]; then
+    skip "https://github.com/versity/versitygw/issues/986"
+  fi
+  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+  assert_success
+
+   run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
+  assert_success
+
+  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
+  assert_success
+  canonical_id=${lines[0]}
+  user_canonical_id=${lines[1]}
+  username=${lines[2]}
+  password=${lines[3]}
+
+  run setup_acl "$TEST_FILE_FOLDER/acl-file.txt" "$user_canonical_id" "READD" "$canonical_id"
+  assert_success
+
+  if [ "$DIRECT" == "true" ]; then
+    run allow_public_access "$BUCKET_ONE_NAME"
+    assert_success
+  fi
+  run put_invalid_acl_rest_verify_failure "$BUCKET_ONE_NAME" "$TEST_FILE_FOLDER/acl-file.txt"
+  assert_success
+}
+
+@test "REST - put public-read-write canned acl" {
+  run setup_bucket "s3api" "$BUCKET_ONE_NAME"
+  assert_success
+
+  test_file="test_file"
+  run create_test_files "$test_file"
+  assert_success
+
+  run put_bucket_ownership_controls "$BUCKET_ONE_NAME" "BucketOwnerPreferred"
+  assert_success
+
+  run create_versitygw_acl_user_or_get_direct_user "$USERNAME_ONE" "$PASSWORD_ONE"
+  assert_success
+  canonical_id=${lines[0]}
+  user_canonical_id=${lines[1]}
+  username=${lines[2]}
+  password=${lines[3]}
+
+  run put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"
+  assert_failure
+
+  if [ "$DIRECT" == "true" ]; then
+    run allow_public_access "$BUCKET_ONE_NAME"
+    assert_success
+  fi
+  run put_canned_acl_rest "$BUCKET_ONE_NAME" "public-read-write"
+  assert_success
+
+  run put_object_with_user "s3api" "$TEST_FILE_FOLDER/$test_file" "$BUCKET_ONE_NAME" "$test_file" "$username" "$password"
+  assert_success
+}

tests/util/util.sh

@@ -54,12 +54,6 @@ add_governance_bypass_policy() {
     log 2 "'add governance bypass policy' command requires bucket name"
     return 1
   fi
-  if [[ -z "$GITHUB_ACTIONS" ]]; then
-    if ! create_test_file_folder; then
-      log 2 "error creating test file folder"
-      return 1
-    fi
-  fi
   cat <<EOF > "$TEST_FILE_FOLDER/policy-bypass-governance.txt"
 {
   "Version": "2012-10-17",