Add s3tables shell and admin UI (#8172)
* Add shared s3tables manager * Add s3tables shell commands * Add s3tables admin API * Add s3tables admin UI * Fix admin s3tables namespace create * Rename table buckets menu * Centralize s3tables tag validation * Reuse s3tables manager in admin * Extract s3tables list limit * Add s3tables bucket ARN helper * Remove write middleware from s3tables APIs * Fix bucket link and policy hint * Fix table tag parsing and nav link * Disable namespace table link on invalid ARN * Improve s3tables error decode * Return flag parse errors for s3tables tag * Accept query params for namespace create * Bind namespace create form data * Read s3tables JS data from DOM * s3tables: allow empty region ARN * shell: pass s3tables account id * shell: require account for table buckets * shell: use bucket name for namespaces * shell: use bucket name for tables * shell: use bucket name for tags * admin: add table buckets links in file browser * s3api: reuse s3tables tag validation * admin: harden s3tables UI handlers * fix admin list table buckets * allow admin s3tables access * validate s3tables bucket tags * log s3tables bucket metadata errors * rollback table bucket on owner failure * show s3tables bucket owner * add s3tables iam conditions * Add s3tables user permissions UI * Authorize s3tables using identity actions * Add s3tables permissions to user modal * Disambiguate bucket scope in user permissions * Block table bucket names that match S3 buckets * Pretty-print IAM identity JSON * Include tags in s3tables permission context * admin: refactor S3 Tables inline JavaScript into a separate file * s3tables: extend IAM policy condition operators support * shell: use LookupEntry wrapper for s3tables bucket conflict check * admin: handle buildBucketPermissions validation in create/update flows
@@ -1,6 +1,9 @@
|
||||
package s3tables
|
||||
|
||||
import "testing"
|
||||
import (
|
||||
"encoding/json"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestMatchesActionPattern(t *testing.T) {
|
||||
tests := []struct {
|
||||
@@ -88,3 +91,118 @@ func TestMatchesPrincipal(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestEvaluatePolicyWithConditions(t *testing.T) {
|
||||
policy := &PolicyDocument{
|
||||
Statement: []Statement{
|
||||
{
|
||||
Effect: "Allow",
|
||||
Principal: "*",
|
||||
Action: "s3tables:GetTable",
|
||||
Condition: map[string]map[string]interface{}{
|
||||
"StringEquals": {
|
||||
"s3tables:namespace": "default",
|
||||
},
|
||||
"StringLike": {
|
||||
"s3tables:tableName": "test_*",
|
||||
},
|
||||
"NumericGreaterThan": {
|
||||
"aws:RequestTag/priority": "10",
|
||||
},
|
||||
"Bool": {
|
||||
"aws:ResourceTag/is_public": "true",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
policyBytes, _ := json.Marshal(policy)
|
||||
policyStr := string(policyBytes)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
ctx *PolicyContext
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
"all conditions match",
|
||||
&PolicyContext{
|
||||
Namespace: "default",
|
||||
TableName: "test_table",
|
||||
RequestTags: map[string]string{
|
||||
"priority": "15",
|
||||
},
|
||||
ResourceTags: map[string]string{
|
||||
"is_public": "true",
|
||||
},
|
||||
},
|
||||
true,
|
||||
},
|
||||
{
|
||||
"namespace mismatch",
|
||||
&PolicyContext{
|
||||
Namespace: "other",
|
||||
TableName: "test_table",
|
||||
RequestTags: map[string]string{
|
||||
"priority": "15",
|
||||
},
|
||||
ResourceTags: map[string]string{
|
||||
"is_public": "true",
|
||||
},
|
||||
},
|
||||
false,
|
||||
},
|
||||
{
|
||||
"table name mismatch",
|
||||
&PolicyContext{
|
||||
Namespace: "default",
|
||||
TableName: "other_table",
|
||||
RequestTags: map[string]string{
|
||||
"priority": "15",
|
||||
},
|
||||
ResourceTags: map[string]string{
|
||||
"is_public": "true",
|
||||
},
|
||||
},
|
||||
false,
|
||||
},
|
||||
{
|
||||
"numeric condition failure",
|
||||
&PolicyContext{
|
||||
Namespace: "default",
|
||||
TableName: "test_table",
|
||||
RequestTags: map[string]string{
|
||||
"priority": "5",
|
||||
},
|
||||
ResourceTags: map[string]string{
|
||||
"is_public": "true",
|
||||
},
|
||||
},
|
||||
false,
|
||||
},
|
||||
{
|
||||
"bool condition failure",
|
||||
&PolicyContext{
|
||||
Namespace: "default",
|
||||
TableName: "test_table",
|
||||
RequestTags: map[string]string{
|
||||
"priority": "15",
|
||||
},
|
||||
ResourceTags: map[string]string{
|
||||
"is_public": "false",
|
||||
},
|
||||
},
|
||||
false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
// principal="user123", owner="owner123"
|
||||
result := CheckPermissionWithContext("s3tables:GetTable", "user123", "owner123", policyStr, "", tt.ctx)
|
||||
if result != tt.expected {
|
||||
t.Errorf("CheckPermissionWithContext() = %v, want %v", result, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
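Review bot: The new table in TestEvaluatePolicyWithConditions only exercises conditions whose keys are present in the context; there is no case where a referenced tag key is absent (a RequestTags map without "priority") or where the NumericGreaterThan operand is not a number, so an evaluator that treated a missing or unparsable value as a match would still pass every case here. Two further table entries with those inputs and expected false would pin the fail-closed behaviour authorization depends on; the expected values below assume the evaluator denies on missing keys and parse failures, which should be confirmed against CheckPermissionWithContext. The discarded error in `policyBytes, _ := json.Marshal(policy)` should be checked, `policyBytes, err := json.Marshal(policy)` followed by `if err != nil { t.Fatalf("marshal policy: %v", err) }`, so a marshalling failure surfaces as a test failure rather than as an empty policy string that silently changes what is being tested. A Deny statement guarded by a condition is not covered either; whether that belongs in this test or in a sibling is a judgement call.
```go
// … unchanged: existing cases through "bool condition failure" …
{
	"missing request tag key",
	&PolicyContext{
		Namespace:    "default",
		TableName:    "test_table",
		RequestTags:  map[string]string{},
		ResourceTags: map[string]string{"is_public": "true"},
	},
	false,
},
{
	"non-numeric request tag value",
	&PolicyContext{
		Namespace:    "default",
		TableName:    "test_table",
		RequestTags:  map[string]string{"priority": "high"},
		ResourceTags: map[string]string{"is_public": "true"},
	},
	false,
},
```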