
Commit 1bdb126

committed
sts: test get_object() before put_object() so there are no ACLs
Some session policy tests try get_object() after put_object() to test the differences between session and role policy, but put_object() adds ACLs that already grant access for get_object(). Change the order and test get_object() first so there is no object ACL, and test for 403 vs 404 to see whether it was denied by policy. Signed-off-by: Casey Bodley <[email protected]>
1 parent 5fe3107 commit 1bdb126


1 file changed

+10
-10
lines changed

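--- a/s3tests/functional/test_sts.py
+++ b/s3tests/functional/test_sts.py
@@ -1080,16 +1080,15 @@ def test_session_policy_bucket_policy_role_arn():
 endpoint_url=default_endpoint,
 region_name='',
 )
+
+# GetObject for nonexistent object should be denied by session policy
+e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-1.txt")
+assert (403, 'AccessDenied') == _get_status_and_error_code(e.response)
+
 bucket_body = 'this is a test file'
 s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
 assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200
 
-try:
-obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt")
-except ClientError as e:
-s3object_error = e.response.get("Error", {}).get("Code")
-assert s3object_error == 'AccessDenied'
-
 oidc_remove=iam_client.delete_open_id_connect_provider(
 OpenIDConnectProviderArn=oidc_arn
 )
@@ -1156,14 +1155,15 @@ def test_session_policy_bucket_policy_session_arn():
 endpoint_url=default_endpoint,
 region_name='',
 )
+
+# GetObject for nonexistent object should be allowed by bucket policy
+e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-1.txt")
+assert (404, 'NoSuchKey') == _get_status_and_error_code(e.response)
+
 bucket_body = 'this is a test file'
 s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt")
 assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200
 
-
-s3_get_obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt")
-assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200
-
 oidc_remove=iam_client.delete_open_id_connect_provider(
 OpenIDConnectProviderArn=oidc_arn
 )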
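Review bot: The added comment in the second hunk says the nonexistent-object GetObject "should be allowed by bucket policy", yet the line below it asserts that a ClientError is raised, so a reader has to recover the 403-vs-404 reasoning from the commit message to see why an error is the passing outcome; the 403 check in the first hunk has the same gap. Suggest making the distinction explicit in both comments, e.g. in the second hunk `# GetObject for a nonexistent object: 404 NoSuchKey shows the request passed authorization (bucket policy allows it); a 403 would mean policy denied it before the key lookup` and in the first hunk `# GetObject for a nonexistent object: 403 AccessDenied (rather than 404) shows the session policy denies it before the key is looked up`. Both probes also rely on test-1.txt not yet existing in bucket_name_1, which presumably holds because the bucket is created earlier in each function outside the hunk; if a bucket were ever reused, a leftover object would turn the expected 404 into a 200 and fail assert_raises, which at least fails loudly rather than masking the policy check. Both test_session_policy_bucket_policy_role_arn and test_session_policy_bucket_policy_session_arn start outside the hunks.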
