import boto3
from moto import mock_aws, settings
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
# Region passed to every boto3 client created by the tests below.
REGION = "us-east-1"
# These tests are only defined when settings.TEST_SERVER_MODE is falsy.
# NOTE(review): the reason for skipping server mode is not stated here.
if not settings.TEST_SERVER_MODE:

    @mock_aws
    def test_pab_are_kept_separate():
        """Account-level and bucket-level Public Access Block are stored apart.

        A fully restrictive configuration is written for the account through
        s3control, then a partly relaxed one for the bucket through s3. Each
        Get call must return exactly what was written at its own level.

        This only checks what each API returns. In AWS the effective behaviour
        is the most restrictive combination of the account and bucket
        settings; that evaluation is not exercised here.
        """
        account_level = {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        }
        bucket_level = {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": False,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": False,
        }

        client = boto3.client("s3control", region_name=REGION)
        s3_client = boto3.client("s3", region_name=REGION)
        s3_client.create_bucket(Bucket="bucket")

        # Copies are passed so the expected values above stay untouched.
        client.put_public_access_block(
            AccountId=ACCOUNT_ID,
            PublicAccessBlockConfiguration=dict(account_level),
        )
        s3_client.put_public_access_block(
            Bucket="bucket",
            PublicAccessBlockConfiguration=dict(bucket_level),
        )

        # The account setting must not have been overwritten by the bucket one.
        pab_from_control = client.get_public_access_block(AccountId=ACCOUNT_ID)
        assert pab_from_control["PublicAccessBlockConfiguration"] == account_level

        # The bucket keeps its own, less restrictive, stored configuration.
        pab_from_s3 = s3_client.get_public_access_block(Bucket="bucket")
        assert pab_from_s3["PublicAccessBlockConfiguration"] == bucket_level

    @mock_aws
    def test_pab_are_kept_separate_with_inverse_mocks():
        """Repeat the account/bucket Public Access Block separation check.

        NOTE(review): as written, the calls and assertions are the same as in
        test_pab_are_kept_separate; the name suggests the mocks were once
        applied in the opposite order - confirm whether both tests are still
        needed.

        As in that test, only the stored configuration returned by each Get
        call is checked, not how the two levels combine when access is
        evaluated.
        """
        account_level = {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        }
        bucket_level = {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": False,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": False,
        }

        client = boto3.client("s3control", region_name=REGION)
        s3_client = boto3.client("s3", region_name=REGION)
        s3_client.create_bucket(Bucket="bucket")

        # Copies are passed so the expected values above stay untouched.
        client.put_public_access_block(
            AccountId=ACCOUNT_ID,
            PublicAccessBlockConfiguration=dict(account_level),
        )
        s3_client.put_public_access_block(
            Bucket="bucket",
            PublicAccessBlockConfiguration=dict(bucket_level),
        )

        pab_from_control = client.get_public_access_block(AccountId=ACCOUNT_ID)
        assert pab_from_control["PublicAccessBlockConfiguration"] == account_level

        pab_from_s3 = s3_client.get_public_access_block(Bucket="bucket")
        assert pab_from_s3["PublicAccessBlockConfiguration"] == bucket_level

    @mock_aws
    def test_access_point_read_write():
        """An object written via one access point is readable via another.

        Two access points are created on the same bucket. The object is put
        through the ARN of "write-ap" and read back through the ARN of
        "read-ap" and through the bucket name itself.

        "read-ap" and "write-ap" are only names: no access point policy is
        attached in this test, so it checks ARN routing to the bucket and
        says nothing about read-only or write-only authorization.
        """
        # Setup
        bucket = "test-bucket"
        ap_client = boto3.client("s3control", region_name=REGION)
        s3_client = boto3.client("s3", region_name=REGION)
        s3_client.create_bucket(Bucket=bucket)

        read_ap = ap_client.create_access_point(
            AccountId=ACCOUNT_ID, Name="read-ap", Bucket=bucket
        )
        write_ap = ap_client.create_access_point(
            AccountId=ACCOUNT_ID, Name="write-ap", Bucket=bucket
        )

        content = b"This is test content"
        key = "test/object.txt"

        # Execute: the access point ARN is passed where a bucket name goes.
        write_arn = write_ap["AccessPointArn"]
        s3_client.put_object(
            Bucket=write_arn,
            Key=key,
            Body=content,
            ContentType="text/plain",
        )

        # Verify: same bytes through the other access point...
        read_arn = read_ap["AccessPointArn"]
        via_access_point = s3_client.get_object(Bucket=read_arn, Key=key)
        assert via_access_point["Body"].read() == content

        # ...and through the underlying bucket.
        via_bucket = s3_client.get_object(Bucket=bucket, Key=key)
        assert via_bucket["Body"].read() == content