Apache
/
jclouds
mirror of https://github.com/apache/jclouds.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue 47: corrected acl tests to work when james isn't running them :) 

git-svn-id: http://jclouds.googlecode.com/svn/trunk@1436 3d8758e0-26b5-11de-8745-db77d3ebf521
This commit is contained in:
adrian.f.cole 2009-06-17 17:12:23 +00:00
parent e09669ca7b
commit 703606cb79
2 changed files with 160 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
aws/s3/core/src/main/java/org/jclouds/aws/s3/domain/AccessControlList.java
View File

@ -41,10 +41,10 @@ import com.google.common.collect.Collections2;
/**
* An Access Control List (ACL) describes the access control settings for a bucket or object in S3.
*
* ACL settings comprise a set of {@link Grant}s, each of which specifies a {@link Permission}
* that has been granted to a specific {@link Grantee}. If an entity tries to access or modify an
* item in S3, the operation will be denied unless the item has ACL settings that explicitly
* permit that entity to perform that action.
* ACL settings comprise a set of {@link Grant}s, each of which specifies a {@link Permission} that
* has been granted to a specific {@link Grantee}. If an entity tries to access or modify an item in
* S3, the operation will be denied unless the item has ACL settings that explicitly permit that
* entity to perform that action.
*
*
* @author James Murty
@ -56,9 +56,6 @@ public class AccessControlList {
private CanonicalUser owner;
private final List<Grant> grants = new ArrayList<Grant>();
public AccessControlList() {
}
public void setOwner(CanonicalUser owner) {
this.owner = owner;
}
@ -113,11 +110,11 @@ public class AccessControlList {
* Revoke a permission for the given grantee, if this specific permission was granted.
*
* Note that you must be very explicit about the permissions you revoke, you cannot revoke
* partial permissions and expect this class to determine the implied remaining permissions.
* For example, if you revoke the {@link Permission#READ} permission from a grantee with
* {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong>
* and the grantee will retain full access. To change the access settings for this grantee,
* you must first remove the {@link Permission#FULL_CONTROL} permission the add back the
* partial permissions and expect this class to determine the implied remaining permissions. For
* example, if you revoke the {@link Permission#READ} permission from a grantee with
* {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong> and
* the grantee will retain full access. To change the access settings for this grantee, you must
* first remove the {@link Permission#FULL_CONTROL} permission the add back the
* {@link Permission#READ} permission.
*
* @param grantee
@ -138,19 +135,18 @@ public class AccessControlList {
* Revoke a permission for the given group grantee, if this specific permission was granted.
*
* Note that you must be very explicit about the permissions you revoke, you cannot revoke
* partial permissions and expect this class to determine the implied remaining permissions.
* For example, if you revoke the {@link Permission#READ} permission from a grantee with
* {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong>
* and the grantee will retain full access. To change the access settings for this grantee,
* you must first remove the {@link Permission#FULL_CONTROL} permission the add back the
* partial permissions and expect this class to determine the implied remaining permissions. For
* example, if you revoke the {@link Permission#READ} permission from a grantee with
* {@link Permission#FULL_CONTROL} access, <strong>the revocation will do nothing</strong> and
* the grantee will retain full access. To change the access settings for this grantee, you must
* first remove the {@link Permission#FULL_CONTROL} permission the add back the
* {@link Permission#READ} permission.
*
* @param groupGranteeURI
* @param permission
* @return
*/
public AccessControlList revokePermission(GroupGranteeURI groupGranteeURI, Permission permission)
{
public AccessControlList revokePermission(GroupGranteeURI groupGranteeURI, Permission permission) {
return revokePermission(new GroupGrantee(groupGranteeURI), permission);
}
@ -168,22 +164,20 @@ public class AccessControlList {
/**
* @param granteeId
* @return
* the permissions assigned to a grantee, as identified by the given ID.
* @return the permissions assigned to a grantee, as identified by the given ID.
*/
public Collection<Permission> getPermissions(String granteeId) {
Collection<Grant> grantsForGrantee = findGrantsForGrantee(granteeId);
return Collections2.transform(grantsForGrantee, new Function<Grant, Permission>() {
public Permission apply(Grant g) {
return g.getPermission();
}
});
public Permission apply(Grant g) {
return g.getPermission();
}
});
}
/**
* @param grantee
* @return
* the permissions assigned to a grantee.
* @return the permissions assigned to a grantee.
*/
public Collection<Permission> getPermissions(Grantee grantee) {
return getPermissions(grantee.getIdentifier());
@ -191,8 +185,7 @@ public class AccessControlList {
/**
* @param granteeURI
* @return
* the permissions assigned to a group grantee.
* @return the permissions assigned to a group grantee.
*/
public Collection<Permission> getPermissions(GroupGranteeURI granteeURI) {
return getPermissions(granteeURI.getIdentifier());
@ -201,8 +194,7 @@ public class AccessControlList {
/**
* @param granteeId
* @param permission
* @return
* true if the grantee has the given permission.
* @return true if the grantee has the given permission.
*/
public boolean hasPermission(String granteeId, Permission permission) {
return getPermissions(granteeId).contains(permission);
@ -211,38 +203,35 @@ public class AccessControlList {
/**
* @param grantee
* @param permission
* @return
* true if the grantee has the given permission.
* @return true if the grantee has the given permission.
*/
public boolean hasPermission(Grantee grantee, Permission permission) {
return hasPermission(grantee.getIdentifier(), permission);
}
/**
* @param granteeURI
* @param permission
* @return
* true if the grantee has the given permission.
* @return true if the grantee has the given permission.
*/
public boolean hasPermission(GroupGranteeURI granteeURI, Permission permission) {
return getPermissions(granteeURI.getIdentifier()).contains(permission);
}
/**
* Find all the grants for a given grantee, identified by an ID which allows all Grantee
* types to be searched.
* Find all the grants for a given grantee, identified by an ID which allows all Grantee types to
* be searched.
*
* @param granteeId
* identifier of a canonical user, email address user, or group.
* identifier of a canonical user, email address user, or group.
* @return
*/
protected Collection<Grant> findGrantsForGrantee(final String granteeId) {
return Collections2.filter(grants, new Predicate<Grant>() {
public boolean apply(Grant g) {
return g.getGrantee().getIdentifier().equals(granteeId);
}
});
return Collections2.filter(grants, new Predicate<Grant>() {
public boolean apply(Grant g) {
return g.getGrantee().getIdentifier().equals(granteeId);
}
});
}
/**
@ -252,9 +241,8 @@ public class AccessControlList {
* @param ownerId
* @return
*/
public static AccessControlList fromCannedAccessPolicy(
CannedAccessPolicy cannedAP, String ownerId)
{
public static AccessControlList fromCannedAccessPolicy(CannedAccessPolicy cannedAP,
String ownerId) {
AccessControlList acl = new AccessControlList();
acl.setOwner(new CanonicalUser(ownerId));
@ -274,15 +262,16 @@ public class AccessControlList {
return acl;
}
///////////////////////////////////////////////////////////////////////////////
// /////////////////////////////////////////////////////////////////////////////
// Class and Enum declarations to represent Grants, Grantees and Permissions //
///////////////////////////////////////////////////////////////////////////////
// /////////////////////////////////////////////////////////////////////////////
public static enum Permission {
READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL;
};
public static class Grant implements Comparable<Grant> {
private Grantee grantee;
private final Permission permission;
@ -304,6 +293,16 @@ public class AccessControlList {
return permission;
}
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("Grant");
sb.append("{grantee=").append(grantee);
sb.append(", permission=").append(permission);
sb.append('}');
return sb.toString();
}
public int compareTo(org.jclouds.aws.s3.domain.AccessControlList.Grant o) {
if (this == o) {
return 0;
@ -326,6 +325,15 @@ public class AccessControlList {
return identifier;
}
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("Grantee");
sb.append("{identifier='").append(identifier).append('\'');
sb.append('}');
return sb.toString();
}
public int compareTo(org.jclouds.aws.s3.domain.AccessControlList.Grantee o) {
return (this == o) ? 0 : getIdentifier().compareTo(o.getIdentifier());
}
@ -356,12 +364,22 @@ public class AccessControlList {
public String getDisplayName() {
return displayName;
}
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("CanonicalUserGrantee");
sb.append("{displayName='").append(displayName).append('\'');
sb.append(", identifier='").append(getIdentifier()).append('\'');
sb.append('}');
return sb.toString();
}
}
public enum GroupGranteeURI {
ALL_USERS ("http://acs.amazonaws.com/groups/global/AllUsers"),
AUTHENTICATED_USERS ("http://acs.amazonaws.com/groups/global/AuthenticatedUsers"),
LOG_DELIVERY ("http://acs.amazonaws.com/groups/s3/LogDelivery");
ALL_USERS("http://acs.amazonaws.com/groups/global/AllUsers"), AUTHENTICATED_USERS(
"http://acs.amazonaws.com/groups/global/AuthenticatedUsers"), LOG_DELIVERY(
"http://acs.amazonaws.com/groups/s3/LogDelivery");
private final String uri;
@ -386,7 +404,6 @@ public class AccessControlList {
}
}
public static class GroupGrantee extends Grantee {
public GroupGrantee(GroupGranteeURI groupURI) {
@ -394,5 +411,13 @@ public class AccessControlList {
}
}
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("AccessControlList");
sb.append("{owner=").append(owner);
sb.append(", grants=").append(grants);
sb.append('}');
return sb.toString();
}
}

64
aws/s3/core/src/test/java/org/jclouds/aws/s3/commands/PutAccessControlListIntegrationTest.java
View File

@ -44,13 +44,13 @@ import org.testng.annotations.Test;
*
* @author James Murty
*/
@Test(groups = {"integration", "live"}, testName = "s3.PutAccessControlListIntegrationTest")
@Test(groups = { "integration", "live" }, testName = "s3.PutAccessControlListIntegrationTest")
public class PutAccessControlListIntegrationTest extends S3IntegrationTest {
String jamesId = "1a405254c932b52e5b5caaa88186bc431a1bacb9ece631f835daddaf0c47677c";
@Test
void testUpdateBucketACL() throws InterruptedException, ExecutionException,
TimeoutException, IOException, Exception
{
void testUpdateBucketACL() throws InterruptedException, ExecutionException, TimeoutException,
IOException, Exception {
bucketName = bucketPrefix + ".testPrivateBucketACL".toLowerCase();
// Create default (private) bucket
@ -62,29 +62,20 @@ public class PutAccessControlListIntegrationTest extends S3IntegrationTest {
assertEquals(acl.getGrants().size(), 1);
assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
// Update the bucket's ACL by adding grants.
acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
acl.addPermission(new EmailAddressGrantee("james@misterm.org"), Permission.READ_ACP);
acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.WRITE_ACP);
addGrantsToACL(acl);
assertEquals(acl.getGrants().size(), 4);
assertTrue(client.putBucketACL(bucketName, acl).get(10, TimeUnit.SECONDS));
// Confirm that the updated ACL has stuck.
acl = client.getBucketACL(bucketName).get(10, TimeUnit.SECONDS);
assertEquals(acl.getGrants().size(), 4);
assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP));
// EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr
assertTrue(acl.hasPermission(ownerId, Permission.READ_ACP));
checkGrants(acl);
emptyBucket(bucketName);
}
@Test
void testUpdateObjectACL() throws InterruptedException, ExecutionException,
TimeoutException, IOException
{
void testUpdateObjectACL() throws InterruptedException, ExecutionException, TimeoutException,
IOException {
bucketName = bucketPrefix + ".testObjectACL".toLowerCase();
createBucketAndEnsureEmpty(bucketName);
@ -92,32 +83,26 @@ public class PutAccessControlListIntegrationTest extends S3IntegrationTest {
// Private object
addObjectToBucket(bucketName, objectKey);
AccessControlList acl = client.getObjectACL(bucketName, objectKey)
.get(10, TimeUnit.SECONDS);
AccessControlList acl = client.getObjectACL(bucketName, objectKey).get(10, TimeUnit.SECONDS);
String ownerId = acl.getOwner().getId();
assertEquals(acl.getGrants().size(), 1);
assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
// Update the object's ACL by adding grants.
acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
acl.addPermission(new EmailAddressGrantee("james@misterm.org"), Permission.READ_ACP);
acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.WRITE_ACP);
addGrantsToACL(acl);
assertEquals(acl.getGrants().size(), 4);
assertTrue(client.putObjectACL(bucketName, objectKey, acl).get(10, TimeUnit.SECONDS));
// Confirm that the updated ACL has stuck.
acl = client.getObjectACL(bucketName, objectKey).get(10, TimeUnit.SECONDS);
assertEquals(acl.getGrants().size(), 4);
assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP));
// EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr
assertTrue(acl.hasPermission(ownerId, Permission.READ_ACP));
checkGrants(acl);
/*
* Revoke all of owner's permissions!
* Revoke all of owner's permissions!
*/
acl.revokeAllPermissions(new CanonicalUserGrantee(ownerId));
if (!ownerId.equals(jamesId))
acl.revokeAllPermissions(new CanonicalUserGrantee(jamesId));
assertEquals(acl.getGrants().size(), 1);
// Only public read permission should remain...
assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
@ -134,4 +119,23 @@ public class PutAccessControlListIntegrationTest extends S3IntegrationTest {
emptyBucket(bucketName);
}
private void checkGrants(AccessControlList acl) {
String ownerId = acl.getOwner().getId();
assertEquals(acl.getGrants().size(), 4);
assertTrue(acl.hasPermission(ownerId, Permission.FULL_CONTROL));
assertTrue(acl.hasPermission(GroupGranteeURI.ALL_USERS, Permission.READ));
assertTrue(acl.hasPermission(ownerId, Permission.WRITE_ACP));
// EmailAddressGrantee is replaced by a CanonicalUserGrantee, so we cannot test by email addr
assertTrue(acl.hasPermission(jamesId, Permission.READ_ACP));
}
private void addGrantsToACL(AccessControlList acl) {
String ownerId = acl.getOwner().getId();
acl.addPermission(GroupGranteeURI.ALL_USERS, Permission.READ);
acl.addPermission(new EmailAddressGrantee("james@misterm.org"), Permission.READ_ACP);
acl.addPermission(new CanonicalUserGrantee(ownerId), Permission.WRITE_ACP);
}
}