kqjy/MyFSIO
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 33 Wiki Activity
Files
bd405cc2fe5915ec04f0986a1e3b6c45d54e078b
MyFSIO/crates/myfsio-server/tests/integration.rs

4460 lines
129 KiB
Rust
Raw Blame History

use axum::body::Body;
use axum::http::{Method, Request, StatusCode};
use base64::engine::general_purpose::URL_SAFE;
use base64::Engine;
use http_body_util::BodyExt;
use myfsio_storage::traits::{AsyncReadStream, StorageEngine};
use serde_json::Value;
use std::collections::HashMap;
use tower::ServiceExt;
const TEST_ACCESS_KEY: &str = "AKIAIOSFODNN7EXAMPLE";
const TEST_SECRET_KEY: &str = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
fn test_app_with_iam(iam_json: serde_json::Value) -> (axum::Router, tempfile::TempDir) {
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
std::fs::write(iam_path.join("iam.json"), iam_json.to_string()).unwrap();
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: iam_path.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: false,
kms_enabled: false,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: false,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: false,
replication_connect_timeout_secs: 5,
replication_read_timeout_secs: 30,
replication_max_retries: 2,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: false,
templates_dir: std::path::PathBuf::from("templates"),
static_dir: std::path::PathBuf::from("static"),
multipart_min_part_size: 1,
..myfsio_server::config::ServerConfig::default()
};
let state = myfsio_server::state::AppState::new(config);
let app = myfsio_server::create_router(state);
(app, tmp)
}
fn test_app() -> (axum::Router, tempfile::TempDir) {
test_app_with_iam(serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
}))
}
fn test_app_with_rate_limits(
default: myfsio_server::config::RateLimitSetting,
admin: myfsio_server::config::RateLimitSetting,
) -> (axum::Router, tempfile::TempDir) {
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
std::fs::write(
iam_path.join("iam.json"),
serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
})
.to_string(),
)
.unwrap();
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
iam_config_path: iam_path.join("iam.json"),
ratelimit_default: default,
ratelimit_list_buckets: default,
ratelimit_bucket_ops: default,
ratelimit_object_ops: default,
ratelimit_head_ops: default,
ratelimit_admin: admin,
ui_enabled: false,
..myfsio_server::config::ServerConfig::default()
};
let state = myfsio_server::state::AppState::new(config);
let app = myfsio_server::create_router(state);
(app, tmp)
}
#[tokio::test]
async fn rate_limit_default_and_admin_are_independent() {
let (app, _tmp) = test_app_with_rate_limits(
myfsio_server::config::RateLimitSetting::new(1, 60),
myfsio_server::config::RateLimitSetting::new(2, 60),
);
let first = app
.clone()
.oneshot(
Request::builder()
.uri("/myfsio/health")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(first.status(), StatusCode::OK);
let second = app
.clone()
.oneshot(
Request::builder()
.uri("/myfsio/health")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(second.status(), StatusCode::TOO_MANY_REQUESTS);
assert!(second.headers().contains_key("retry-after"));
let admin_first = app
.clone()
.oneshot(
Request::builder()
.uri("/admin/gc/status")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(admin_first.status(), StatusCode::FORBIDDEN);
let admin_second = app
.clone()
.oneshot(
Request::builder()
.uri("/admin/gc/status")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(admin_second.status(), StatusCode::FORBIDDEN);
let admin_third = app
.oneshot(
Request::builder()
.uri("/admin/gc/status")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(admin_third.status(), StatusCode::TOO_MANY_REQUESTS);
}
fn test_ui_state() -> (myfsio_server::state::AppState, tempfile::TempDir) {
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
std::fs::write(
iam_path.join("iam.json"),
serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
})
.to_string(),
)
.unwrap();
let manifest_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"));
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: iam_path.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: false,
kms_enabled: false,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: false,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: false,
replication_connect_timeout_secs: 1,
replication_read_timeout_secs: 1,
replication_max_retries: 1,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: true,
templates_dir: manifest_dir.join("templates"),
static_dir: manifest_dir.join("static"),
..myfsio_server::config::ServerConfig::default()
};
(myfsio_server::state::AppState::new(config), tmp)
}
fn authenticated_ui_session(state: &myfsio_server::state::AppState) -> (String, String) {
let (session_id, mut session) = state.sessions.create();
session.user_id = Some(TEST_ACCESS_KEY.to_string());
session.display_name = Some("admin".to_string());
let csrf = session.csrf_token.clone();
state.sessions.save(&session_id, session);
(session_id, csrf)
}
fn ui_request(method: Method, uri: &str, session_id: &str, csrf: Option<&str>) -> Request<Body> {
let mut builder = Request::builder().method(method).uri(uri).header(
"cookie",
format!(
"{}={}",
myfsio_server::session::SESSION_COOKIE_NAME,
session_id
),
);
if let Some(token) = csrf {
builder = builder.header(myfsio_server::session::CSRF_HEADER_NAME, token);
}
builder.body(Body::empty()).unwrap()
}
fn ui_form_request(
method: Method,
uri: &str,
session_id: &str,
csrf: &str,
body: &str,
) -> Request<Body> {
Request::builder()
.method(method)
.uri(uri)
.header(
"cookie",
format!(
"{}={}",
myfsio_server::session::SESSION_COOKIE_NAME,
session_id
),
)
.header("x-csrftoken", csrf)
.header("x-requested-with", "XMLHttpRequest")
.header("accept", "application/json")
.header("content-type", "application/x-www-form-urlencoded")
.body(Body::from(body.to_string()))
.unwrap()
}
fn ui_json_request(
method: Method,
uri: &str,
session_id: &str,
csrf: &str,
body: &str,
) -> Request<Body> {
Request::builder()
.method(method)
.uri(uri)
.header(
"cookie",
format!(
"{}={}",
myfsio_server::session::SESSION_COOKIE_NAME,
session_id
),
)
.header("x-csrftoken", csrf)
.header("x-requested-with", "XMLHttpRequest")
.header("accept", "application/json")
.header("content-type", "application/json")
.body(Body::from(body.to_string()))
.unwrap()
}
fn signed_request(method: Method, uri: &str, body: Body) -> Request<Body> {
Request::builder()
.method(method)
.uri(uri)
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(body)
.unwrap()
}
fn test_website_state() -> (myfsio_server::state::AppState, tempfile::TempDir) {
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
std::fs::write(
iam_path.join("iam.json"),
serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
})
.to_string(),
)
.unwrap();
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: iam_path.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: false,
kms_enabled: false,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: false,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: true,
replication_connect_timeout_secs: 5,
replication_read_timeout_secs: 30,
replication_max_retries: 2,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: false,
templates_dir: std::path::PathBuf::from("templates"),
static_dir: std::path::PathBuf::from("static"),
..myfsio_server::config::ServerConfig::default()
};
(myfsio_server::state::AppState::new(config), tmp)
}
async fn put_website_object(
state: &myfsio_server::state::AppState,
bucket: &str,
key: &str,
body: &str,
content_type: &str,
) {
let mut metadata = HashMap::new();
metadata.insert("__content_type__".to_string(), content_type.to_string());
let reader: AsyncReadStream = Box::pin(std::io::Cursor::new(body.as_bytes().to_vec()));
state
.storage
.put_object(bucket, key, reader, Some(metadata))
.await
.unwrap();
}
async fn test_website_app(error_document: Option<&str>) -> (axum::Router, tempfile::TempDir) {
let (state, tmp) = test_website_state();
let bucket = "site-bucket";
state.storage.create_bucket(bucket).await.unwrap();
put_website_object(
&state,
bucket,
"index.html",
"<!doctype html><h1>Home</h1>",
"text/html",
)
.await;
if let Some(error_key) = error_document {
put_website_object(
&state,
bucket,
error_key,
"<!doctype html><h1>Bucket Not Found Page</h1>",
"text/html",
)
.await;
}
let mut config = state.storage.get_bucket_config(bucket).await.unwrap();
config.website = Some(match error_document {
Some(error_key) => serde_json::json!({
"index_document": "index.html",
"error_document": error_key,
}),
None => serde_json::json!({
"index_document": "index.html",
}),
});
state
.storage
.set_bucket_config(bucket, &config)
.await
.unwrap();
state
.website_domains
.as_ref()
.unwrap()
.set_mapping("site.example.com", bucket);
(myfsio_server::create_router(state), tmp)
}
fn website_request(method: Method, uri: &str) -> Request<Body> {
Request::builder()
.method(method)
.uri(uri)
.header("Host", "site.example.com")
.body(Body::empty())
.unwrap()
}
fn parse_select_events(body: &[u8]) -> Vec<(String, Vec<u8>)> {
let mut out = Vec::new();
let mut idx: usize = 0;
while idx + 16 <= body.len() {
let total_len =
u32::from_be_bytes([body[idx], body[idx + 1], body[idx + 2], body[idx + 3]]) as usize;
let headers_len =
u32::from_be_bytes([body[idx + 4], body[idx + 5], body[idx + 6], body[idx + 7]])
as usize;
if total_len < 16 || idx + total_len > body.len() {
break;
}
let headers_start = idx + 12;
let headers_end = headers_start + headers_len;
if headers_end > idx + total_len - 4 {
break;
}
let mut event_type: Option<String> = None;
let mut hidx = headers_start;
while hidx < headers_end {
let name_len = body[hidx] as usize;
hidx += 1;
if hidx + name_len + 3 > headers_end {
break;
}
let name = String::from_utf8_lossy(&body[hidx..hidx + name_len]).to_string();
hidx += name_len;
let value_type = body[hidx];
hidx += 1;
if value_type != 7 || hidx + 2 > headers_end {
break;
}
let value_len = u16::from_be_bytes([body[hidx], body[hidx + 1]]) as usize;
hidx += 2;
if hidx + value_len > headers_end {
break;
}
let value = String::from_utf8_lossy(&body[hidx..hidx + value_len]).to_string();
hidx += value_len;
if name == ":event-type" {
event_type = Some(value);
}
}
let payload_start = headers_end;
let payload_end = idx + total_len - 4;
let payload = body[payload_start..payload_end].to_vec();
out.push((event_type.unwrap_or_default(), payload));
idx += total_len;
}
out
}
#[tokio::test]
async fn test_ui_replication_endpoints_are_wired_and_operational() {
let (state, _tmp) = test_ui_state();
let bucket_name = "replicated-bucket";
state
.replication
.set_rule(myfsio_server::services::replication::ReplicationRule {
bucket_name: bucket_name.to_string(),
target_connection_id: "missing-connection".to_string(),
target_bucket: "remote-bucket".to_string(),
enabled: true,
mode: myfsio_server::services::replication::MODE_NEW_ONLY.to_string(),
created_at: Some(1_700_000_000.0),
stats: myfsio_server::services::replication::ReplicationStats {
objects_synced: 3,
objects_pending: 1,
objects_orphaned: 0,
bytes_synced: 123,
last_sync_at: Some(1_700_000_100.0),
last_sync_key: Some("folder/item.txt".to_string()),
},
sync_deletions: true,
last_pull_at: None,
filter_prefix: None,
});
state.replication.failures.add(
bucket_name,
myfsio_server::services::replication::ReplicationFailure {
object_key: "folder/item.txt".to_string(),
error_message: "temporary failure".to_string(),
timestamp: 1_700_000_200.0,
failure_count: 2,
bucket_name: bucket_name.to_string(),
action: "put".to_string(),
last_error_code: Some("SlowDown".to_string()),
},
);
state.replication.failures.add(
bucket_name,
myfsio_server::services::replication::ReplicationFailure {
object_key: "other.txt".to_string(),
error_message: "another failure".to_string(),
timestamp: 1_700_000_300.0,
failure_count: 1,
bucket_name: bucket_name.to_string(),
action: "put".to_string(),
last_error_code: None,
},
);
let (session_id, csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state.clone());
let status_resp = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}/replication/status", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(status_resp.status(), StatusCode::OK);
let status_body: Value =
serde_json::from_slice(&status_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(status_body["objects_synced"], 3);
assert_eq!(status_body["objects_pending"], 1);
assert_eq!(status_body["endpoint_healthy"], false);
assert_eq!(status_body["endpoint_error"], "Target connection not found");
let failures_resp = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}/replication/failures?limit=10", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(failures_resp.status(), StatusCode::OK);
let failures_body: Value = serde_json::from_slice(
&failures_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes(),
)
.unwrap();
assert_eq!(failures_body["total"], 2);
assert_eq!(failures_body["failures"].as_array().unwrap().len(), 2);
let retry_resp = app
.clone()
.oneshot(ui_request(
Method::POST,
&format!(
"/ui/buckets/{}/replication/failures/retry?object_key=folder%2Fitem.txt",
bucket_name
),
&session_id,
Some(&csrf),
))
.await
.unwrap();
assert_eq!(retry_resp.status(), StatusCode::BAD_REQUEST);
let dismiss_resp = app
.clone()
.oneshot(ui_request(
Method::DELETE,
&format!(
"/ui/buckets/{}/replication/failures/dismiss?object_key=folder%2Fitem.txt",
bucket_name
),
&session_id,
Some(&csrf),
))
.await
.unwrap();
assert_eq!(dismiss_resp.status(), StatusCode::OK);
let dismiss_body: Value =
serde_json::from_slice(&dismiss_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(dismiss_body["status"], "dismissed");
let clear_resp = app
.clone()
.oneshot(ui_request(
Method::DELETE,
&format!("/ui/buckets/{}/replication/failures/clear", bucket_name),
&session_id,
Some(&csrf),
))
.await
.unwrap();
assert_eq!(clear_resp.status(), StatusCode::OK);
let clear_body: Value =
serde_json::from_slice(&clear_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(clear_body["status"], "cleared");
let failures_after_clear = app
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}/replication/failures?limit=10", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(failures_after_clear.status(), StatusCode::OK);
let failures_after_clear_body: Value = serde_json::from_slice(
&failures_after_clear
.into_body()
.collect()
.await
.unwrap()
.to_bytes(),
)
.unwrap();
assert_eq!(failures_after_clear_body["total"], 0);
}
#[tokio::test]
async fn test_ui_replication_configuration_actions_work() {
let (state, _tmp) = test_ui_state();
let bucket_name = "config-bucket";
state.storage.create_bucket(bucket_name).await.unwrap();
state
.connections
.add(myfsio_server::stores::connections::RemoteConnection {
id: "conn-1".to_string(),
name: "Remote".to_string(),
endpoint_url: "http://127.0.0.1:1".to_string(),
access_key: "remote-key".to_string(),
secret_key: "remote-secret".to_string(),
region: "us-east-1".to_string(),
})
.unwrap();
let (session_id, csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state.clone());
let create_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/buckets/{}/replication", bucket_name),
&session_id,
&csrf,
"action=create&target_connection_id=conn-1&target_bucket=remote-bucket&replication_mode=all&csrf_token=test",
))
.await
.unwrap();
assert_eq!(create_resp.status(), StatusCode::OK);
let create_body: Value =
serde_json::from_slice(&create_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(create_body["action"], "create");
assert_eq!(create_body["mode"], "all");
assert_eq!(create_body["enabled"], true);
let rule = state.replication.get_rule(bucket_name).unwrap();
assert_eq!(rule.target_connection_id, "conn-1");
assert_eq!(rule.target_bucket, "remote-bucket");
assert!(rule.enabled);
assert_eq!(rule.mode, "all");
let pause_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/buckets/{}/replication", bucket_name),
&session_id,
&csrf,
"action=pause&csrf_token=test",
))
.await
.unwrap();
assert_eq!(pause_resp.status(), StatusCode::OK);
assert!(!state.replication.get_rule(bucket_name).unwrap().enabled);
let resume_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/buckets/{}/replication", bucket_name),
&session_id,
&csrf,
"action=resume&csrf_token=test",
))
.await
.unwrap();
assert_eq!(resume_resp.status(), StatusCode::OK);
assert!(state.replication.get_rule(bucket_name).unwrap().enabled);
let delete_resp = app
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/buckets/{}/replication", bucket_name),
&session_id,
&csrf,
"action=delete&csrf_token=test",
))
.await
.unwrap();
assert_eq!(delete_resp.status(), StatusCode::OK);
assert!(state.replication.get_rule(bucket_name).is_none());
}
#[tokio::test]
async fn test_ui_iam_user_actions_use_real_user_ids() {
let (state, _tmp) = test_ui_state();
let (session_id, csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state.clone());
let iam_page = app
.clone()
.oneshot(ui_request(Method::GET, "/ui/iam", &session_id, None))
.await
.unwrap();
assert_eq!(iam_page.status(), StatusCode::OK);
let iam_page_body = String::from_utf8(
iam_page
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(iam_page_body.contains("/ui/iam/users/u-test1234"));
assert!(!iam_page_body.contains("{user_id}"));
let update_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
"/ui/iam/users/u-test1234",
&session_id,
&csrf,
"display_name=Updated+Admin&csrf_token=test",
))
.await
.unwrap();
assert_eq!(update_resp.status(), StatusCode::OK);
let update_body: Value =
serde_json::from_slice(&update_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(update_body["display_name"], "Updated Admin");
let policies_json = serde_json::json!([
{"bucket": "reports", "actions": ["list", "read"], "prefix": "*"}
]);
let policies_encoded = percent_encoding::utf8_percent_encode(
&policies_json.to_string(),
percent_encoding::NON_ALPHANUMERIC,
)
.to_string();
let policies_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
"/ui/iam/users/u-test1234/policies",
&session_id,
&csrf,
&format!("policies={}&csrf_token=test", policies_encoded),
))
.await
.unwrap();
assert_eq!(policies_resp.status(), StatusCode::OK);
let policies_body: Value = serde_json::from_slice(
&policies_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes(),
)
.unwrap();
assert_eq!(policies_body["policies"][0]["bucket"], "reports");
let create_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
"/ui/iam/users",
&session_id,
&csrf,
"display_name=Alice&access_key=ALICEKEY123&secret_key=alice-secret&csrf_token=test",
))
.await
.unwrap();
assert_eq!(create_resp.status(), StatusCode::OK);
let create_body: Value =
serde_json::from_slice(&create_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
let created_user_id = create_body["user_id"].as_str().unwrap().to_string();
let delete_resp = app
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/iam/users/{}/delete", created_user_id),
&session_id,
&csrf,
"csrf_token=test",
))
.await
.unwrap();
assert_eq!(delete_resp.status(), StatusCode::OK);
assert!(state.iam.get_user(&created_user_id).await.is_none());
}
#[tokio::test]
async fn test_ui_bucket_panels_and_history_endpoints_round_trip() {
let (state, _tmp) = test_ui_state();
let bucket_name = "ui-bucket";
state.storage.create_bucket(bucket_name).await.unwrap();
let (session_id, csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state.clone());
let policy_json = serde_json::json!({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "*"},
"Action": ["s3:GetObject"],
"Resource": [format!("arn:aws:s3:::{}/*", bucket_name)]
}]
});
let policy_encoded = percent_encoding::utf8_percent_encode(
&policy_json.to_string(),
percent_encoding::NON_ALPHANUMERIC,
)
.to_string();
let policy_resp = app
.clone()
.oneshot(ui_form_request(
Method::POST,
&format!("/ui/buckets/{}/policy", bucket_name),
&session_id,
&csrf,
&format!(
"mode=upsert&policy_document={}&csrf_token=test",
policy_encoded
),
))
.await
.unwrap();
assert_eq!(policy_resp.status(), StatusCode::OK);
let policy_body: Value =
serde_json::from_slice(&policy_resp.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert_eq!(policy_body["ok"], true);
let bucket_config = state.storage.get_bucket_config(bucket_name).await.unwrap();
assert_eq!(bucket_config.policy.unwrap(), policy_json);
let cors_resp = app
.clone()
.oneshot(ui_json_request(
Method::POST,
&format!("/ui/buckets/{}/cors", bucket_name),
&session_id,
&csrf,
r#"{"rules":[{"AllowedOrigins":["https://example.com"],"AllowedMethods":["GET","PUT"],"AllowedHeaders":["*"],"ExposeHeaders":["ETag"],"MaxAgeSeconds":600}]}"#,
))
.await
.unwrap();
assert_eq!(cors_resp.status(), StatusCode::OK);
let cors_get = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}/cors", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(cors_get.status(), StatusCode::OK);
let cors_body: Value =
serde_json::from_slice(&cors_get.into_body().collect().await.unwrap().to_bytes()).unwrap();
assert_eq!(cors_body["rules"].as_array().unwrap().len(), 1);
let lifecycle_resp = app
.clone()
.oneshot(ui_json_request(
Method::POST,
&format!("/ui/buckets/{}/lifecycle", bucket_name),
&session_id,
&csrf,
r#"{"rules":[{"ID":"expire-logs","Status":"Enabled","Filter":{"Prefix":"logs/"},"Expiration":{"Days":30}}]}"#,
))
.await
.unwrap();
assert_eq!(lifecycle_resp.status(), StatusCode::OK);
let lifecycle_get = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}/lifecycle", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(lifecycle_get.status(), StatusCode::OK);
let lifecycle_body: Value = serde_json::from_slice(
&lifecycle_get
.into_body()
.collect()
.await
.unwrap()
.to_bytes(),
)
.unwrap();
assert_eq!(lifecycle_body["rules"].as_array().unwrap().len(), 1);
let gc_history = app
.clone()
.oneshot(ui_request(
Method::GET,
"/ui/system/gc/history",
&session_id,
None,
))
.await
.unwrap();
assert_eq!(gc_history.status(), StatusCode::OK);
let gc_body: Value =
serde_json::from_slice(&gc_history.into_body().collect().await.unwrap().to_bytes())
.unwrap();
assert!(gc_body["executions"].is_array());
let integrity_history = app
.oneshot(ui_request(
Method::GET,
"/ui/system/integrity/history",
&session_id,
None,
))
.await
.unwrap();
assert_eq!(integrity_history.status(), StatusCode::OK);
let integrity_body: Value = serde_json::from_slice(
&integrity_history
.into_body()
.collect()
.await
.unwrap()
.to_bytes(),
)
.unwrap();
assert!(integrity_body["executions"].is_array());
}
#[tokio::test]
async fn test_ui_bucket_policy_preset_reflects_private_and_public_states() {
let (state, _tmp) = test_ui_state();
let bucket_name = "preset-bucket";
state.storage.create_bucket(bucket_name).await.unwrap();
let (session_id, _csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state.clone());
let private_resp = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}?tab=permissions", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(private_resp.status(), StatusCode::OK);
let private_html = String::from_utf8(
private_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(private_html.contains(
"id=\"policyPreset\" name=\"preset\" value=\"private\" data-default=\"private\""
));
let public_policy = serde_json::json!({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowList",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:ListBucket"],
"Resource": [format!("arn:aws:s3:::{}", bucket_name)],
},
{
"Sid": "AllowRead",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
"Resource": [format!("arn:aws:s3:::{}/*", bucket_name)],
}
]
});
let mut config = state.storage.get_bucket_config(bucket_name).await.unwrap();
config.policy = Some(public_policy);
state
.storage
.set_bucket_config(bucket_name, &config)
.await
.unwrap();
let public_resp = app
.clone()
.oneshot(ui_request(
Method::GET,
&format!("/ui/buckets/{}?tab=permissions", bucket_name),
&session_id,
None,
))
.await
.unwrap();
assert_eq!(public_resp.status(), StatusCode::OK);
let public_html = String::from_utf8(
public_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(public_html
.contains("id=\"policyPreset\" name=\"preset\" value=\"public\" data-default=\"public\""));
assert!(public_html.contains("Public Read"));
let overview_resp = app
.oneshot(ui_request(Method::GET, "/ui/buckets", &session_id, None))
.await
.unwrap();
assert_eq!(overview_resp.status(), StatusCode::OK);
let overview_html = String::from_utf8(
overview_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(overview_html.contains("Public Read"));
}
#[tokio::test]
async fn test_ui_metrics_history_endpoint_reads_system_history() {
let tmp = tempfile::TempDir::new().unwrap();
let config_root = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&config_root).unwrap();
std::fs::write(
config_root.join("iam.json"),
serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
})
.to_string(),
)
.unwrap();
std::fs::write(
config_root.join("metrics_history.json"),
serde_json::json!({
"history": [{
"timestamp": chrono::Utc::now().to_rfc3339(),
"cpu_percent": 12.5,
"memory_percent": 33.3,
"disk_percent": 44.4,
"storage_bytes": 1024
}]
})
.to_string(),
)
.unwrap();
let manifest_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"));
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: config_root.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: false,
kms_enabled: false,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: true,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: false,
replication_connect_timeout_secs: 1,
replication_read_timeout_secs: 1,
replication_max_retries: 1,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: true,
templates_dir: manifest_dir.join("templates"),
static_dir: manifest_dir.join("static"),
..myfsio_server::config::ServerConfig::default()
};
let state = myfsio_server::state::AppState::new(config);
let (session_id, _csrf) = authenticated_ui_session(&state);
let app = myfsio_server::create_ui_router(state);
let resp = app
.oneshot(ui_request(
Method::GET,
"/ui/metrics/history?hours=24",
&session_id,
None,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
assert_eq!(body["enabled"], true);
assert_eq!(body["history"].as_array().unwrap().len(), 1);
}
#[tokio::test]
async fn test_unauthenticated_request_rejected() {
let (app, _tmp) = test_app();
let resp = app
.oneshot(Request::builder().uri("/").body(Body::empty()).unwrap())
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Code>AccessDenied</Code>"));
assert!(body.contains("<Message>Missing credentials</Message>"));
assert!(body.contains("<Resource>/</Resource>"));
assert!(body.contains("<RequestId>"));
assert!(!body.contains("<RequestId></RequestId>"));
}
#[tokio::test]
async fn test_unauthenticated_request_includes_requested_resource_path() {
let (app, _tmp) = test_app();
let resp = app
.oneshot(Request::builder().uri("/ui/").body(Body::empty()).unwrap())
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Code>AccessDenied</Code>"));
assert!(body.contains("<Message>Missing credentials</Message>"));
assert!(body.contains("<Resource>/ui/</Resource>"));
assert!(body.contains("<RequestId>"));
assert!(!body.contains("<RequestId></RequestId>"));
}
#[tokio::test]
async fn test_list_buckets_empty() {
let (app, _tmp) = test_app();
let resp = app
.oneshot(signed_request(Method::GET, "/", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("ListAllMyBucketsResult"));
}
#[tokio::test]
async fn test_create_and_list_bucket() {
let (app, _tmp) = test_app();
let resp = app
.clone()
.oneshot(signed_request(Method::PUT, "/test-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.oneshot(signed_request(Method::GET, "/", Body::empty()))
.await
.unwrap();
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Name>test-bucket</Name>"));
}
#[tokio::test]
async fn test_head_bucket() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/my-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(Method::HEAD, "/my-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(
resp.headers().get("x-amz-bucket-region").unwrap(),
"us-east-1"
);
let resp = app
.oneshot(signed_request(Method::HEAD, "/nonexistent", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_delete_bucket() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/del-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(Method::DELETE, "/del-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
let resp = app
.oneshot(signed_request(Method::HEAD, "/del-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_put_and_get_object() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/data-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/data-bucket/hello.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "text/plain")
.body(Body::from("Hello, World!"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert!(resp.headers().get("etag").is_some());
let resp = app
.oneshot(signed_request(
Method::GET,
"/data-bucket/hello.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(resp.headers().get("content-type").unwrap(), "text/plain");
assert_eq!(resp.headers().get("content-length").unwrap(), "13");
let body = resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&body[..], b"Hello, World!");
}
#[tokio::test]
async fn test_content_type_falls_back_to_extension() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/img-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/img-bucket/yum.jpg")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(vec![0_u8, 1, 2, 3, 4]))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/img-bucket/yum.jpg",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(resp.headers().get("content-type").unwrap(), "image/jpeg");
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/img-bucket/yum.jpg",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(resp.headers().get("content-type").unwrap(), "image/jpeg");
}
#[tokio::test]
async fn test_head_object() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/hd-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/hd-bucket/file.bin")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(vec![0u8; 256]))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::HEAD,
"/hd-bucket/file.bin",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(resp.headers().get("content-length").unwrap(), "256");
assert!(resp.headers().get("etag").is_some());
assert!(resp.headers().get("last-modified").is_some());
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/hd-bucket/nonexistent.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_delete_object() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/rm-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/rm-bucket/removeme.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("bye"))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::DELETE,
"/rm-bucket/removeme.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/rm-bucket/removeme.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_list_objects_v2() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/list-bucket", Body::empty()))
.await
.unwrap();
for name in ["a.txt", "b.txt", "dir/c.txt"] {
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!("/list-bucket/{}", name))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("data"))
.unwrap(),
)
.await
.unwrap();
}
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/list-bucket?list-type=2",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Key>a.txt</Key>"));
assert!(body.contains("<Key>b.txt</Key>"));
assert!(body.contains("<Key>dir/c.txt</Key>"));
assert!(body.contains("<KeyCount>3</KeyCount>"));
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/list-bucket?list-type=2&delimiter=/",
Body::empty(),
))
.await
.unwrap();
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Key>a.txt</Key>"));
assert!(body.contains("<Key>b.txt</Key>"));
assert!(body.contains("<Prefix>dir/</Prefix>"));
let resp = app
.oneshot(signed_request(
Method::GET,
"/list-bucket?list-type=2&prefix=dir/",
Body::empty(),
))
.await
.unwrap();
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Key>dir/c.txt</Key>"));
assert!(!body.contains("<Key>a.txt</Key>"));
}
#[tokio::test]
async fn test_get_nonexistent_object_returns_404() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/err-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::GET,
"/err-bucket/nope.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Code>NoSuchKey</Code>"));
}
#[tokio::test]
async fn test_create_duplicate_bucket_returns_409() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/dup-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.oneshot(signed_request(Method::PUT, "/dup-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CONFLICT);
}
#[tokio::test]
async fn test_delete_nonempty_bucket_returns_409() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/full-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/full-bucket/obj.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("data"))
.unwrap(),
)
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/full-bucket",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CONFLICT);
}
#[tokio::test]
async fn test_object_with_user_metadata() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/meta-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/meta-bucket/tagged.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-meta-author", "test-user")
.header("x-amz-meta-version", "42")
.body(Body::from("content"))
.unwrap(),
)
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/meta-bucket/tagged.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(
resp.headers().get("x-amz-meta-author").unwrap(),
"test-user"
);
assert_eq!(resp.headers().get("x-amz-meta-version").unwrap(), "42");
}
#[tokio::test]
async fn test_wrong_credentials_rejected() {
let (app, _tmp) = test_app();
let resp = app
.oneshot(
Request::builder()
.uri("/")
.header("x-access-key", "WRONGKEY")
.header("x-secret-key", "WRONGSECRET")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
}
#[tokio::test]
async fn test_server_header_present() {
let (app, _tmp) = test_app();
let resp = app
.oneshot(signed_request(Method::GET, "/", Body::empty()))
.await
.unwrap();
let server = resp.headers().get("server").unwrap().to_str().unwrap();
assert!(server.starts_with("MyFSIO-Rust/"));
}
#[tokio::test]
async fn test_range_request() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/range-bucket", Body::empty()))
.await
.unwrap();
let data = "Hello, World! This is range test data.";
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/range-bucket/range.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(data))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.uri("/range-bucket/range.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("range", "bytes=0-4")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::PARTIAL_CONTENT);
assert_eq!(resp.headers().get("content-length").unwrap(), "5");
assert!(resp
.headers()
.get("content-range")
.unwrap()
.to_str()
.unwrap()
.starts_with("bytes 0-4/"));
let body = resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&body[..], b"Hello");
let resp = app
.oneshot(
Request::builder()
.uri("/range-bucket/range.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("range", "bytes=-5")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::PARTIAL_CONTENT);
let body = resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&body[..], b"data.");
}
#[tokio::test]
async fn test_copy_object() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/src-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(signed_request(Method::PUT, "/dst-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/src-bucket/original.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("copy me"))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/dst-bucket/copied.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-copy-source", "/src-bucket/original.txt")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("CopyObjectResult"));
let resp = app
.oneshot(signed_request(
Method::GET,
"/dst-bucket/copied.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&body[..], b"copy me");
}
#[tokio::test]
async fn test_multipart_upload_http() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/mp-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::POST,
"/mp-bucket/big-file.bin?uploads",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("InitiateMultipartUploadResult"));
assert!(body.contains("<Key>big-file.bin</Key>"));
let upload_id = body
.split("<UploadId>")
.nth(1)
.unwrap()
.split("</UploadId>")
.next()
.unwrap();
let part1_data = vec![b'A'; 1024];
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!(
"/mp-bucket/big-file.bin?uploadId={}&partNumber=1",
upload_id
))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(part1_data))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let etag1 = resp
.headers()
.get("etag")
.unwrap()
.to_str()
.unwrap()
.trim_matches('"')
.to_string();
let part2_data = vec![b'B'; 512];
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!(
"/mp-bucket/big-file.bin?uploadId={}&partNumber=2",
upload_id
))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(part2_data))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let etag2 = resp
.headers()
.get("etag")
.unwrap()
.to_str()
.unwrap()
.trim_matches('"')
.to_string();
let complete_xml = format!(
"<CompleteMultipartUpload><Part><PartNumber>1</PartNumber><ETag>\"{etag1}\"</ETag></Part><Part><PartNumber>2</PartNumber><ETag>\"{etag2}\"</ETag></Part></CompleteMultipartUpload>"
);
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::POST)
.uri(format!("/mp-bucket/big-file.bin?uploadId={}", upload_id))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(complete_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("CompleteMultipartUploadResult"));
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/mp-bucket/big-file.bin",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(resp.headers().get("content-length").unwrap(), "1536");
}
#[tokio::test]
async fn test_delete_objects_batch() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/batch-bucket", Body::empty()))
.await
.unwrap();
for name in ["a.txt", "b.txt", "c.txt"] {
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!("/batch-bucket/{}", name))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("data"))
.unwrap(),
)
.await
.unwrap();
}
let delete_xml =
r#"<Delete><Object><Key>a.txt</Key></Object><Object><Key>b.txt</Key></Object></Delete>"#;
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::POST)
.uri("/batch-bucket?delete")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(delete_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("DeleteResult"));
assert!(body.contains("<Key>a.txt</Key>"));
assert!(body.contains("<Key>b.txt</Key>"));
let resp = app
.clone()
.oneshot(signed_request(
Method::HEAD,
"/batch-bucket/a.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
let resp = app
.oneshot(signed_request(
Method::HEAD,
"/batch-bucket/c.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_bucket_versioning() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/ver-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/ver-bucket?versioning",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("VersioningConfiguration"));
assert!(body.contains("<Status>Suspended</Status>"));
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/ver-bucket?versioning")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(
"<VersioningConfiguration><Status>Enabled</Status></VersioningConfiguration>",
))
.unwrap(),
)
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::GET,
"/ver-bucket?versioning",
Body::empty(),
))
.await
.unwrap();
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Status>Enabled</Status>"));
}
#[tokio::test]
async fn test_versioned_object_can_be_read_and_deleted_by_version_id() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/versions-bucket",
Body::empty(),
))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/versions-bucket?versioning")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(
"<VersioningConfiguration><Status>Enabled</Status></VersioningConfiguration>",
))
.unwrap(),
)
.await
.unwrap();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/versions-bucket/doc.txt",
Body::from("first"),
))
.await
.unwrap();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/versions-bucket/doc.txt",
Body::from("second"),
))
.await
.unwrap();
let list_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/versions-bucket?versions",
Body::empty(),
))
.await
.unwrap();
assert_eq!(list_resp.status(), StatusCode::OK);
let list_body = String::from_utf8(
list_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
let archived_version_id = list_body
.split("<VersionId>")
.filter_map(|part| part.split_once("</VersionId>").map(|(id, _)| id))
.find(|id| *id != "null")
.expect("archived version id")
.to_string();
let version_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
&format!("/versions-bucket/doc.txt?versionId={}", archived_version_id),
Body::empty(),
))
.await
.unwrap();
assert_eq!(version_resp.status(), StatusCode::OK);
assert_eq!(
version_resp.headers()["x-amz-version-id"].to_str().unwrap(),
archived_version_id
);
let version_body = version_resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&version_body[..], b"first");
let traversal_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
&format!(
"/versions-bucket/doc.txt?versionId=../other/{}",
archived_version_id
),
Body::empty(),
))
.await
.unwrap();
assert_eq!(traversal_resp.status(), StatusCode::NOT_FOUND);
app.clone()
.oneshot(signed_request(
Method::PUT,
"/versions-bucket/doc.txt",
Body::from("third"),
))
.await
.unwrap();
let limited_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/versions-bucket?versions&max-keys=1",
Body::empty(),
))
.await
.unwrap();
assert_eq!(limited_resp.status(), StatusCode::OK);
let limited_body = String::from_utf8(
limited_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert_eq!(limited_body.matches("<Version>").count(), 1);
assert!(limited_body.contains("<IsTruncated>true</IsTruncated>"));
let delete_resp = app
.clone()
.oneshot(signed_request(
Method::DELETE,
&format!("/versions-bucket/doc.txt?versionId={}", archived_version_id),
Body::empty(),
))
.await
.unwrap();
assert_eq!(delete_resp.status(), StatusCode::NO_CONTENT);
let missing_resp = app
.oneshot(signed_request(
Method::GET,
&format!("/versions-bucket/doc.txt?versionId={}", archived_version_id),
Body::empty(),
))
.await
.unwrap();
assert_eq!(missing_resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_versioned_put_and_delete_emit_version_headers_and_delete_markers() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/compat-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/compat-bucket?versioning")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(
"<VersioningConfiguration><Status>Enabled</Status></VersioningConfiguration>",
))
.unwrap(),
)
.await
.unwrap();
let put_resp = app
.clone()
.oneshot(signed_request(
Method::PUT,
"/compat-bucket/doc.txt",
Body::from("first"),
))
.await
.unwrap();
assert_eq!(put_resp.status(), StatusCode::OK);
let first_version = put_resp
.headers()
.get("x-amz-version-id")
.expect("PUT on versioned bucket must emit x-amz-version-id")
.to_str()
.unwrap()
.to_string();
assert!(!first_version.is_empty());
let overwrite_resp = app
.clone()
.oneshot(signed_request(
Method::PUT,
"/compat-bucket/doc.txt",
Body::from("second"),
))
.await
.unwrap();
assert_eq!(overwrite_resp.status(), StatusCode::OK);
let second_version = overwrite_resp
.headers()
.get("x-amz-version-id")
.expect("overwrite on versioned bucket must emit a new x-amz-version-id")
.to_str()
.unwrap()
.to_string();
assert_ne!(first_version, second_version);
let delete_resp = app
.clone()
.oneshot(signed_request(
Method::DELETE,
"/compat-bucket/doc.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(delete_resp.status(), StatusCode::NO_CONTENT);
assert_eq!(
delete_resp
.headers()
.get("x-amz-delete-marker")
.and_then(|v| v.to_str().ok()),
Some("true")
);
assert!(delete_resp.headers().contains_key("x-amz-version-id"));
let versions_resp = app
.oneshot(signed_request(
Method::GET,
"/compat-bucket?versions",
Body::empty(),
))
.await
.unwrap();
let versions_body = String::from_utf8(
versions_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(
versions_body.contains("<DeleteMarker>"),
"expected DeleteMarker entry in ListObjectVersions output, got: {}",
versions_body
);
}
#[tokio::test]
async fn test_retention_is_enforced_when_deleting_archived_version() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/locked-versions",
Body::empty(),
))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/locked-versions?versioning")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(
"<VersioningConfiguration><Status>Enabled</Status></VersioningConfiguration>",
))
.unwrap(),
)
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/locked-versions/doc.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-object-lock-mode", "GOVERNANCE")
.header(
"x-amz-object-lock-retain-until-date",
"2099-01-01T00:00:00Z",
)
.body(Body::from("locked"))
.unwrap(),
)
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/locked-versions/doc.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-bypass-governance-retention", "true")
.body(Body::from("replacement"))
.unwrap(),
)
.await
.unwrap();
let list_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/locked-versions?versions",
Body::empty(),
))
.await
.unwrap();
assert_eq!(list_resp.status(), StatusCode::OK);
let list_body = String::from_utf8(
list_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
let archived_version_id = list_body
.split("<VersionId>")
.filter_map(|part| part.split_once("</VersionId>").map(|(id, _)| id))
.find(|id| *id != "null")
.expect("archived version id")
.to_string();
let denied = app
.clone()
.oneshot(signed_request(
Method::DELETE,
&format!("/locked-versions/doc.txt?versionId={}", archived_version_id),
Body::empty(),
))
.await
.unwrap();
assert_eq!(denied.status(), StatusCode::FORBIDDEN);
let allowed = app
.oneshot(
Request::builder()
.method(Method::DELETE)
.uri(format!(
"/locked-versions/doc.txt?versionId={}",
archived_version_id
))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-bypass-governance-retention", "true")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(allowed.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_put_object_validates_content_md5() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/md5-bucket", Body::empty()))
.await
.unwrap();
let bad_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/md5-bucket/object.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-md5", "AAAAAAAAAAAAAAAAAAAAAA==")
.body(Body::from("hello"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(bad_resp.status(), StatusCode::BAD_REQUEST);
let bad_body = String::from_utf8(
bad_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(bad_body.contains("<Code>BadDigest</Code>"));
let good_resp = app
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/md5-bucket/object.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-md5", "XUFAKrxLKna5cZ2REBfFkg==")
.body(Body::from("hello"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(good_resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_x_amz_content_sha256_mismatch_returns_bad_digest() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/sha256-bucket", Body::empty()))
.await
.unwrap();
let bad_resp = app
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/sha256-bucket/object.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header(
"x-amz-content-sha256",
"0000000000000000000000000000000000000000000000000000000000000000",
)
.body(Body::from("hello"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(bad_resp.status(), StatusCode::BAD_REQUEST);
let bad_body = String::from_utf8(
bad_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(bad_body.contains("<Code>BadDigest</Code>"));
assert!(bad_body.contains("x-amz-content-sha256"));
}
#[tokio::test]
async fn test_max_keys_zero_respects_marker_and_v2_cursors() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/cursor-bucket", Body::empty()))
.await
.unwrap();
for key in ["a.txt", "b.txt"] {
app.clone()
.oneshot(signed_request(
Method::PUT,
&format!("/cursor-bucket/{}", key),
Body::from(key.to_string()),
))
.await
.unwrap();
}
let marker_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/cursor-bucket?max-keys=0&marker=b.txt",
Body::empty(),
))
.await
.unwrap();
let marker_body = String::from_utf8(
marker_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(marker_body.contains("<IsTruncated>false</IsTruncated>"));
let start_after_resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/cursor-bucket?list-type=2&max-keys=0&start-after=b.txt",
Body::empty(),
))
.await
.unwrap();
let start_after_body = String::from_utf8(
start_after_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(start_after_body.contains("<IsTruncated>false</IsTruncated>"));
let token = URL_SAFE.encode("b.txt");
let token_resp = app
.oneshot(signed_request(
Method::GET,
&format!(
"/cursor-bucket?list-type=2&max-keys=0&continuation-token={}",
token
),
Body::empty(),
))
.await
.unwrap();
let token_body = String::from_utf8(
token_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(token_body.contains("<IsTruncated>false</IsTruncated>"));
}
#[tokio::test]
async fn test_put_object_tagging_and_standard_headers_are_persisted() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/headers-bucket",
Body::empty(),
))
.await
.unwrap();
let put_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/headers-bucket/report.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-tagging", "env=prod&name=quarter%201")
.header("cache-control", "max-age=60")
.header("content-disposition", "attachment")
.header("content-language", "en-US")
.header("x-amz-storage-class", "STANDARD_IA")
.body(Body::from("report"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(put_resp.status(), StatusCode::OK);
let head_resp = app
.clone()
.oneshot(signed_request(
Method::HEAD,
"/headers-bucket/report.txt",
Body::empty(),
))
.await
.unwrap();
assert_eq!(head_resp.status(), StatusCode::OK);
assert_eq!(head_resp.headers()["cache-control"], "max-age=60");
assert_eq!(head_resp.headers()["content-disposition"], "attachment");
assert_eq!(head_resp.headers()["content-language"], "en-US");
assert_eq!(head_resp.headers()["x-amz-storage-class"], "STANDARD_IA");
let tags_resp = app
.oneshot(signed_request(
Method::GET,
"/headers-bucket/report.txt?tagging",
Body::empty(),
))
.await
.unwrap();
assert_eq!(tags_resp.status(), StatusCode::OK);
let tags_body = String::from_utf8(
tags_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(tags_body.contains("<Key>env</Key>"));
assert!(tags_body.contains("<Value>prod</Value>"));
assert!(tags_body.contains("<Key>name</Key>"));
assert!(tags_body.contains("<Value>quarter 1</Value>"));
}
#[tokio::test]
async fn test_virtual_host_bucket_routes_to_s3_object_handlers() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/vh-bucket", Body::empty()))
.await
.unwrap();
let put_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/hello.txt")
.header("host", "vh-bucket.localhost")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("virtual host body"))
.unwrap(),
)
.await
.unwrap();
assert_eq!(put_resp.status(), StatusCode::OK);
let get_resp = app
.oneshot(
Request::builder()
.method(Method::GET)
.uri("/hello.txt")
.header("host", "vh-bucket.localhost")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(get_resp.status(), StatusCode::OK);
let body = get_resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(&body[..], b"virtual host body");
}
#[tokio::test]
async fn test_bucket_tagging() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/tag-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/tag-bucket?tagging")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(
"<Tagging><TagSet><Tag><Key>env</Key><Value>prod</Value></Tag></TagSet></Tagging>",
))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/tag-bucket?tagging",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Key>env</Key>"));
assert!(body.contains("<Value>prod</Value>"));
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/tag-bucket?tagging",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_bucket_location() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/loc-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::GET,
"/loc-bucket?location",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("LocationConstraint"));
assert!(body.contains("us-east-1"));
}
#[tokio::test]
async fn test_bucket_cors() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/cors-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/cors-bucket?cors",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/cors-bucket?cors")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("<CORSConfiguration><CORSRule><AllowedOrigin>*</AllowedOrigin></CORSRule></CORSConfiguration>"))
.unwrap(),
)
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/cors-bucket?cors",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/cors-bucket?cors",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_bucket_acl() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/acl-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.oneshot(signed_request(
Method::GET,
"/acl-bucket?acl",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("AccessControlPolicy"));
assert!(body.contains("FULL_CONTROL"));
}
#[tokio::test]
async fn test_object_tagging() {
let (app, _tmp) = test_app();
let app = app.into_service();
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::PUT, "/tag-bucket", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(
Method::PUT,
"/tag-bucket/myfile.txt",
Body::from("file content"),
),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/tag-bucket/myfile.txt?tagging", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<TagSet>"));
assert!(body.contains("</TagSet>"));
let tag_xml =
r#"<Tagging><TagSet><Tag><Key>env</Key><Value>prod</Value></Tag></TagSet></Tagging>"#;
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(
Method::PUT,
"/tag-bucket/myfile.txt?tagging",
Body::from(tag_xml),
),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/tag-bucket/myfile.txt?tagging", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Key>env</Key>"));
assert!(body.contains("<Value>prod</Value>"));
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(
Method::DELETE,
"/tag-bucket/myfile.txt?tagging",
Body::empty(),
),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/tag-bucket/myfile.txt?tagging", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(!body.contains("<Key>env</Key>"));
}
#[tokio::test]
async fn test_object_acl() {
let (app, _tmp) = test_app();
let app = app.into_service();
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::PUT, "/acl-obj-bucket", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(
Method::PUT,
"/acl-obj-bucket/myfile.txt",
Body::from("content"),
),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/acl-obj-bucket/myfile.txt?acl", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("AccessControlPolicy"));
assert!(body.contains("FULL_CONTROL"));
}
#[tokio::test]
async fn test_object_legal_hold() {
let (app, _tmp) = test_app();
let app = app.into_service();
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::PUT, "/lh-bucket", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::PUT, "/lh-bucket/obj.txt", Body::from("data")),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/lh-bucket/obj.txt?legal-hold", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Status>OFF</Status>"));
}
#[tokio::test]
async fn test_list_objects_v1_marker_flow() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/v1-bucket", Body::empty()))
.await
.unwrap();
for name in ["a.txt", "b.txt", "c.txt"] {
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!("/v1-bucket/{}", name))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("data"))
.unwrap(),
)
.await
.unwrap();
}
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/v1-bucket?max-keys=2",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Marker></Marker>"));
assert!(
body.contains("<IsTruncated>true</IsTruncated>")
|| body.contains("<IsTruncated>false</IsTruncated>")
);
}
#[tokio::test]
async fn test_bucket_quota_roundtrip() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/quota-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/quota-bucket?quota")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/json")
.body(Body::from(r#"{"max_size_bytes": 1024, "max_objects": 10}"#))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/quota-bucket?quota",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
assert_eq!(body["quota"]["max_size_bytes"], 1024);
assert_eq!(body["quota"]["max_objects"], 10);
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/quota-bucket?quota",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_bucket_policy_and_status_roundtrip() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/policy-bucket", Body::empty()))
.await
.unwrap();
let policy = r#"{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::policy-bucket/*"
}]
}"#;
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/policy-bucket?policy")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/json")
.body(Body::from(policy))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/policy-bucket?policy",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
assert!(body.get("Statement").is_some());
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/policy-bucket?policyStatus",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<IsPublic>TRUE</IsPublic>"));
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/policy-bucket?policy",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_public_bucket_policy_allows_anonymous_reads() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/public-bucket", Body::empty()))
.await
.unwrap();
let put_object = Request::builder()
.method(Method::PUT)
.uri("/public-bucket/hello.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("hello world"))
.unwrap();
let put_resp = app.clone().oneshot(put_object).await.unwrap();
assert_eq!(put_resp.status(), StatusCode::OK);
let policy = r#"{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::public-bucket"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::public-bucket/*"
}
]
}"#;
let policy_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/public-bucket?policy")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/json")
.body(Body::from(policy))
.unwrap(),
)
.await
.unwrap();
assert_eq!(policy_resp.status(), StatusCode::NO_CONTENT);
let object_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::GET)
.uri("/public-bucket/hello.txt")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(object_resp.status(), StatusCode::OK);
let object_body = object_resp.into_body().collect().await.unwrap().to_bytes();
assert_eq!(object_body.as_ref(), b"hello world");
let list_resp = app
.oneshot(
Request::builder()
.method(Method::GET)
.uri("/public-bucket")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(list_resp.status(), StatusCode::OK);
let list_body = String::from_utf8(
list_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(list_body.contains("hello.txt"));
}
#[tokio::test]
async fn test_bucket_root_with_trailing_slash_works() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/slash-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.oneshot(signed_request(Method::GET, "/slash-bucket/", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_bucket_replication_roundtrip() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/repl-bucket", Body::empty()))
.await
.unwrap();
let repl_xml = "<ReplicationConfiguration><Role>arn:aws:iam::123456789012:role/s3-repl</Role><Rule><ID>rule-1</ID></Rule></ReplicationConfiguration>";
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/repl-bucket?replication")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/xml")
.body(Body::from(repl_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.clone()
.oneshot(signed_request(
Method::GET,
"/repl-bucket?replication",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("ReplicationConfiguration"));
let resp = app
.oneshot(signed_request(
Method::DELETE,
"/repl-bucket?replication",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_list_parts_via_get_upload_id() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/parts-bucket", Body::empty()))
.await
.unwrap();
let resp = app
.clone()
.oneshot(signed_request(
Method::POST,
"/parts-bucket/large.bin?uploads",
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
let upload_id = body
.split("<UploadId>")
.nth(1)
.unwrap()
.split("</UploadId>")
.next()
.unwrap();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri(format!(
"/parts-bucket/large.bin?uploadId={}&partNumber=1",
upload_id
))
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(vec![1_u8, 2, 3, 4]))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = app
.oneshot(signed_request(
Method::GET,
&format!("/parts-bucket/large.bin?uploadId={}", upload_id),
Body::empty(),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("ListPartsResult"));
assert!(body.contains("<PartNumber>1</PartNumber>"));
}
#[tokio::test]
async fn test_conditional_get_and_head() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/cond-bucket", Body::empty()))
.await
.unwrap();
let put_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/cond-bucket/item.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("abc"))
.unwrap(),
)
.await
.unwrap();
let etag = put_resp
.headers()
.get("etag")
.unwrap()
.to_str()
.unwrap()
.to_string();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::GET)
.uri("/cond-bucket/item.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("if-none-match", etag.as_str())
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_MODIFIED);
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::GET)
.uri("/cond-bucket/item.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("if-match", "\"does-not-match\"")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::PRECONDITION_FAILED);
let resp = app
.oneshot(
Request::builder()
.method(Method::HEAD)
.uri("/cond-bucket/item.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("if-none-match", etag.as_str())
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_MODIFIED);
}
#[tokio::test]
async fn test_copy_source_preconditions() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/src-pre", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(signed_request(Method::PUT, "/dst-pre", Body::empty()))
.await
.unwrap();
let put_resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/src-pre/original.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("copy source"))
.unwrap(),
)
.await
.unwrap();
let etag = put_resp
.headers()
.get("etag")
.unwrap()
.to_str()
.unwrap()
.to_string();
let resp = app
.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/dst-pre/copied.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-copy-source", "/src-pre/original.txt")
.header("x-amz-copy-source-if-match", "\"bad-etag\"")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::PRECONDITION_FAILED);
let resp = app
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/dst-pre/copied.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-copy-source", "/src-pre/original.txt")
.header("x-amz-copy-source-if-match", etag.as_str())
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_select_object_content_csv_to_json_events() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/sel-bucket", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/sel-bucket/people.csv")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "text/csv")
.body(Body::from("name,age\nalice,30\nbob,40\n"))
.unwrap(),
)
.await
.unwrap();
let select_xml = r#"
<SelectObjectContentRequest>
<Expression>SELECT name, age FROM S3Object WHERE CAST(age AS INTEGER) &gt;= 35</Expression>
<ExpressionType>SQL</ExpressionType>
<InputSerialization>
<CSV>
<FileHeaderInfo>USE</FileHeaderInfo>
</CSV>
</InputSerialization>
<OutputSerialization>
<JSON>
<RecordDelimiter>\n</RecordDelimiter>
</JSON>
</OutputSerialization>
</SelectObjectContentRequest>
"#;
let resp = app
.oneshot(
Request::builder()
.method(Method::POST)
.uri("/sel-bucket/people.csv?select&select-type=2")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/xml")
.body(Body::from(select_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(
resp.headers().get("content-type").unwrap(),
"application/octet-stream"
);
assert_eq!(
resp.headers().get("x-amz-request-charged").unwrap(),
"requester"
);
let body = resp.into_body().collect().await.unwrap().to_bytes();
let events = parse_select_events(&body);
assert!(events.iter().any(|(name, _)| name == "Records"));
assert!(events.iter().any(|(name, _)| name == "Stats"));
assert!(events.iter().any(|(name, _)| name == "End"));
let mut records = String::new();
for (name, payload) in events {
if name == "Records" {
records.push_str(&String::from_utf8_lossy(&payload));
}
}
assert!(records.contains("bob"));
assert!(!records.contains("alice"));
}
#[tokio::test]
async fn test_select_object_content_requires_expression() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(
Method::PUT,
"/sel-missing-exp",
Body::empty(),
))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/sel-missing-exp/file.csv")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("a,b\n1,2\n"))
.unwrap(),
)
.await
.unwrap();
let select_xml = r#"
<SelectObjectContentRequest>
<ExpressionType>SQL</ExpressionType>
<InputSerialization><CSV><FileHeaderInfo>USE</FileHeaderInfo></CSV></InputSerialization>
<OutputSerialization><CSV /></OutputSerialization>
</SelectObjectContentRequest>
"#;
let resp = app
.oneshot(
Request::builder()
.method(Method::POST)
.uri("/sel-missing-exp/file.csv?select")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/xml")
.body(Body::from(select_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Code>InvalidRequest</Code>"));
assert!(body.contains("Expression is required"));
}
#[tokio::test]
async fn test_select_object_content_rejects_non_xml_content_type() {
let (app, _tmp) = test_app();
app.clone()
.oneshot(signed_request(Method::PUT, "/sel-ct", Body::empty()))
.await
.unwrap();
app.clone()
.oneshot(
Request::builder()
.method(Method::PUT)
.uri("/sel-ct/file.csv")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from("a,b\n1,2\n"))
.unwrap(),
)
.await
.unwrap();
let select_xml = r#"
<SelectObjectContentRequest>
<Expression>SELECT * FROM S3Object</Expression>
<ExpressionType>SQL</ExpressionType>
<InputSerialization><CSV><FileHeaderInfo>USE</FileHeaderInfo></CSV></InputSerialization>
<OutputSerialization><CSV /></OutputSerialization>
</SelectObjectContentRequest>
"#;
let resp = app
.oneshot(
Request::builder()
.method(Method::POST)
.uri("/sel-ct/file.csv?select")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/json")
.body(Body::from(select_xml))
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("<Code>InvalidRequest</Code>"));
assert!(body.contains("Content-Type must be application/xml or text/xml"));
}
#[tokio::test]
async fn test_static_website_serves_configured_error_document() {
let (app, _tmp) = test_website_app(Some("404.html")).await;
let resp = app
.oneshot(website_request(Method::GET, "/missing.html"))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
assert!(resp
.headers()
.get("content-type")
.unwrap()
.to_str()
.unwrap()
.starts_with("text/html"));
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert!(body.contains("Bucket Not Found Page"));
}
#[tokio::test]
async fn test_static_website_default_404_returns_html_body() {
let (app, _tmp) = test_website_app(None).await;
let resp = app
.clone()
.oneshot(website_request(Method::GET, "/missing.html"))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
assert!(resp
.headers()
.get("content-type")
.unwrap()
.to_str()
.unwrap()
.starts_with("text/html"));
let content_length = resp
.headers()
.get("content-length")
.unwrap()
.to_str()
.unwrap()
.parse::<usize>()
.unwrap();
let body = String::from_utf8(
resp.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec(),
)
.unwrap();
assert_eq!(body.len(), content_length);
assert_eq!(body, "<h1>404 page not found</h1>");
let head_resp = app
.oneshot(website_request(Method::HEAD, "/missing.html"))
.await
.unwrap();
assert_eq!(head_resp.status(), StatusCode::NOT_FOUND);
let head_content_length = head_resp
.headers()
.get("content-length")
.unwrap()
.to_str()
.unwrap()
.parse::<usize>()
.unwrap();
let head_body = head_resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec();
assert_eq!(head_content_length, content_length);
assert!(head_body.is_empty());
}
#[tokio::test]
async fn test_non_admin_authorization_enforced() {
let iam_json = serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-limited",
"display_name": "limited",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "authz-bucket",
"actions": ["list", "read"],
"prefix": "*"
}]
}]
});
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
std::fs::write(iam_path.join("iam.json"), iam_json.to_string()).unwrap();
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: iam_path.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: false,
kms_enabled: false,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: false,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: false,
replication_connect_timeout_secs: 5,
replication_read_timeout_secs: 30,
replication_max_retries: 2,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: false,
templates_dir: std::path::PathBuf::from("templates"),
static_dir: std::path::PathBuf::from("static"),
..myfsio_server::config::ServerConfig::default()
};
let state = myfsio_server::state::AppState::new(config);
state.storage.create_bucket("authz-bucket").await.unwrap();
let app = myfsio_server::create_router(state);
let resp = app
.clone()
.oneshot(signed_request(Method::PUT, "/denied-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let resp = app
.oneshot(signed_request(Method::GET, "/authz-bucket", Body::empty()))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
async fn test_app_encrypted() -> (axum::Router, tempfile::TempDir) {
let tmp = tempfile::TempDir::new().unwrap();
let iam_path = tmp.path().join(".myfsio.sys").join("config");
std::fs::create_dir_all(&iam_path).unwrap();
let iam_json = serde_json::json!({
"version": 2,
"users": [{
"user_id": "u-test1234",
"display_name": "admin",
"enabled": true,
"access_keys": [{
"access_key": TEST_ACCESS_KEY,
"secret_key": TEST_SECRET_KEY,
"status": "active"
}],
"policies": [{
"bucket": "*",
"actions": ["*"],
"prefix": "*"
}]
}]
});
std::fs::write(iam_path.join("iam.json"), iam_json.to_string()).unwrap();
let config = myfsio_server::config::ServerConfig {
bind_addr: "127.0.0.1:0".parse().unwrap(),
ui_bind_addr: "127.0.0.1:0".parse().unwrap(),
storage_root: tmp.path().to_path_buf(),
region: "us-east-1".to_string(),
iam_config_path: iam_path.join("iam.json"),
sigv4_timestamp_tolerance_secs: 900,
presigned_url_min_expiry: 1,
presigned_url_max_expiry: 604800,
secret_key: None,
encryption_enabled: true,
kms_enabled: true,
gc_enabled: false,
integrity_enabled: false,
metrics_enabled: false,
metrics_history_enabled: false,
metrics_interval_minutes: 5,
metrics_retention_hours: 24,
metrics_history_interval_minutes: 5,
metrics_history_retention_hours: 24,
lifecycle_enabled: false,
website_hosting_enabled: false,
replication_connect_timeout_secs: 5,
replication_read_timeout_secs: 30,
replication_max_retries: 2,
replication_streaming_threshold_bytes: 10_485_760,
replication_max_failures_per_bucket: 50,
site_sync_enabled: false,
site_sync_interval_secs: 60,
site_sync_batch_size: 100,
site_sync_connect_timeout_secs: 10,
site_sync_read_timeout_secs: 120,
site_sync_max_retries: 2,
site_sync_clock_skew_tolerance: 1.0,
ui_enabled: false,
templates_dir: std::path::PathBuf::from("templates"),
static_dir: std::path::PathBuf::from("static"),
..myfsio_server::config::ServerConfig::default()
};
let state = myfsio_server::state::AppState::new_with_encryption(config).await;
let app = myfsio_server::create_router(state);
(app, tmp)
}
#[tokio::test]
async fn test_sse_s3_encrypt_decrypt_roundtrip() {
let (app, _tmp) = test_app_encrypted().await;
let app = app.into_service();
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::PUT, "/enc-bucket", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let plaintext = "This is secret data that should be encrypted at rest!";
let req = Request::builder()
.method(Method::PUT)
.uri("/enc-bucket/secret.txt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("x-amz-server-side-encryption", "AES256")
.header("content-type", "text/plain")
.body(Body::from(plaintext))
.unwrap();
let resp = tower::ServiceExt::oneshot(app.clone(), req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(
resp.headers().get("x-amz-server-side-encryption").unwrap(),
"AES256"
);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/enc-bucket/secret.txt", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
assert_eq!(
resp.headers().get("x-amz-server-side-encryption").unwrap(),
"AES256"
);
let body = resp
.into_body()
.collect()
.await
.unwrap()
.to_bytes()
.to_vec();
assert_eq!(String::from_utf8(body).unwrap(), plaintext);
}
#[tokio::test]
async fn test_kms_key_crud() {
let (app, _tmp) = test_app_encrypted().await;
let app = app.into_service();
let req = Request::builder()
.method(Method::POST)
.uri("/kms/keys")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.header("content-type", "application/json")
.body(Body::from(r#"{"Description": "test key"}"#))
.unwrap();
let resp = tower::ServiceExt::oneshot(app.clone(), req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
let key_id = body["KeyId"].as_str().unwrap().to_string();
assert!(!key_id.is_empty());
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, "/kms/keys", Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
assert_eq!(body["keys"].as_array().unwrap().len(), 1);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(Method::GET, &format!("/kms/keys/{}", key_id), Body::empty()),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let resp = tower::ServiceExt::oneshot(
app.clone(),
signed_request(
Method::DELETE,
&format!("/kms/keys/{}", key_id),
Body::empty(),
),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[tokio::test]
async fn test_kms_encrypt_decrypt() {
let (app, _tmp) = test_app_encrypted().await;
let app = app.into_service();
let req = Request::builder()
.method(Method::POST)
.uri("/kms/keys")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(r#"{"Description": "enc key"}"#))
.unwrap();
let resp = tower::ServiceExt::oneshot(app.clone(), req).await.unwrap();
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
let key_id = body["KeyId"].as_str().unwrap().to_string();
use base64::engine::general_purpose::STANDARD as B64;
use base64::Engine;
let plaintext = b"Hello KMS!";
let enc_req = serde_json::json!({
"KeyId": key_id,
"Plaintext": B64.encode(plaintext),
});
let req = Request::builder()
.method(Method::POST)
.uri("/kms/encrypt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(enc_req.to_string()))
.unwrap();
let resp = tower::ServiceExt::oneshot(app.clone(), req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
let ct_b64 = body["CiphertextBlob"].as_str().unwrap().to_string();
let dec_req = serde_json::json!({
"KeyId": key_id,
"CiphertextBlob": ct_b64,
});
let req = Request::builder()
.method(Method::POST)
.uri("/kms/decrypt")
.header("x-access-key", TEST_ACCESS_KEY)
.header("x-secret-key", TEST_SECRET_KEY)
.body(Body::from(dec_req.to_string()))
.unwrap();
let resp = tower::ServiceExt::oneshot(app.clone(), req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body: serde_json::Value =
serde_json::from_slice(&resp.into_body().collect().await.unwrap().to_bytes()).unwrap();
let pt_b64 = body["Plaintext"].as_str().unwrap();
let result = B64.decode(pt_b64).unwrap();
assert_eq!(result, plaintext);
}
Reference in New Issue View Git Blame Copy Permalink