1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
27 "git.arvados.org/arvados.git/sdk/go/arvados"
28 "git.arvados.org/arvados.git/sdk/go/arvadosclient"
29 "git.arvados.org/arvados.git/sdk/go/arvadostest"
30 "git.arvados.org/arvados.git/sdk/go/keepclient"
31 "github.com/AdRoll/goamz/aws"
32 "github.com/AdRoll/goamz/s3"
33 aws_aws "github.com/aws/aws-sdk-go/aws"
34 aws_credentials "github.com/aws/aws-sdk-go/aws/credentials"
35 aws_session "github.com/aws/aws-sdk-go/aws/session"
36 aws_s3 "github.com/aws/aws-sdk-go/service/s3"
37 check "gopkg.in/check.v1"
// CachedS3SecretSuite holds the unit tests for cachedS3Secret: how
// newCachedS3Secret picks an expiry, and when isValidAt reports a
// cached secret as usable.
type CachedS3SecretSuite struct{}

// Register the suite with the gocheck runner.
var _ = check.Suite(&CachedS3SecretSuite{})
44 func (s *CachedS3SecretSuite) activeACA(expiresAt time.Time) *arvados.APIClientAuthorization {
45 return &arvados.APIClientAuthorization{
46 UUID: arvadostest.ActiveTokenUUID,
47 APIToken: arvadostest.ActiveToken,
// TestNewCachedS3SecretExpiresBeforeTTL checks that when the time
// handed to activeACA is earlier than the time handed to
// newCachedS3Secret, the resulting expiry is the earlier one. A cached
// secret must not outlive the authorization it was derived from.
func (s *CachedS3SecretSuite) TestNewCachedS3SecretExpiresBeforeTTL(c *check.C) {
	authExpiry := time.Unix(1<<29, 0)
	laterLimit := time.Unix(1<<30, 0)
	secret := newCachedS3Secret(s.activeACA(authExpiry), laterLimit)
	c.Check(secret.expiry, check.Equals, authExpiry)
}
// TestNewCachedS3SecretExpiresAfterTTL checks that when the time
// handed to activeACA is later than the time handed to
// newCachedS3Secret, the resulting expiry is the earlier
// (newCachedS3Secret argument) time.
func (s *CachedS3SecretSuite) TestNewCachedS3SecretExpiresAfterTTL(c *check.C) {
	earlierLimit := time.Unix(1<<29, 0)
	authExpiry := time.Unix(1<<30, 0)
	secret := newCachedS3Secret(s.activeACA(authExpiry), earlierLimit)
	c.Check(secret.expiry, check.Equals, earlierLimit)
}
// TestNewCachedS3SecretWithoutExpiry checks that when activeACA is
// given the zero time.Time, the expiry falls back to the time passed
// to newCachedS3Secret rather than staying at the zero value.
func (s *CachedS3SecretSuite) TestNewCachedS3SecretWithoutExpiry(c *check.C) {
	limit := time.Unix(1<<29, 0)
	var noExpiry time.Time
	secret := newCachedS3Secret(s.activeACA(noExpiry), limit)
	c.Check(secret.expiry, check.Equals, limit)
}
73 func (s *CachedS3SecretSuite) cachedSecretWithExpiry(expiry time.Time) *cachedS3Secret {
74 return &cachedS3Secret{
75 auth: s.activeACA(expiry),
// TestIsValidAtEmpty checks that a zero-value cachedS3Secret (no auth,
// no expiry) is never reported valid, at an early or a late instant.
func (s *CachedS3SecretSuite) TestIsValidAtEmpty(c *check.C) {
	blank := new(cachedS3Secret)
	early, late := time.Unix(0, 0), time.Unix(1<<31, 0)
	c.Check(blank.isValidAt(early), check.Equals, false)
	c.Check(blank.isValidAt(late), check.Equals, false)
}
// TestIsValidAtNoAuth checks that an entry with an expiry but no auth
// is invalid both before and after that expiry.
func (s *CachedS3SecretSuite) TestIsValidAtNoAuth(c *check.C) {
	noAuth := &cachedS3Secret{expiry: time.Unix(3, 0)}
	beforeExpiry, afterExpiry := time.Unix(2, 0), time.Unix(4, 0)
	c.Check(noAuth.isValidAt(beforeExpiry), check.Equals, false)
	c.Check(noAuth.isValidAt(afterExpiry), check.Equals, false)
}
// TestIsValidAtNoExpiry checks that an entry whose expiry field was
// never set is invalid even though its auth is populated. The time
// given to activeACA is not copied into the expiry field here.
func (s *CachedS3SecretSuite) TestIsValidAtNoExpiry(c *check.C) {
	noExpiry := &cachedS3Secret{auth: s.activeACA(time.Unix(3, 0))}
	earlier, later := time.Unix(2, 0), time.Unix(4, 0)
	c.Check(noExpiry.isValidAt(earlier), check.Equals, false)
	c.Check(noExpiry.isValidAt(later), check.Equals, false)
}
// TestIsValidAtTimeAfterExpiry checks that a cached secret is invalid
// at its exact expiry instant (the boundary is exclusive) and at
// later times.
func (s *CachedS3SecretSuite) TestIsValidAtTimeAfterExpiry(c *check.C) {
	deadline := time.Unix(10, 0)
	secret := s.cachedSecretWithExpiry(deadline)
	// The first probe is the deadline itself; the rest are well past it.
	for _, at := range []time.Time{deadline, time.Unix(1<<25, 0), time.Unix(1<<30, 0)} {
		c.Check(secret.isValidAt(at), check.Equals, false)
	}
}
// TestIsValidAtTimeBeforeExpiry checks that a cached secret is valid
// at several instants strictly before its expiry.
func (s *CachedS3SecretSuite) TestIsValidAtTimeBeforeExpiry(c *check.C) {
	secret := s.cachedSecretWithExpiry(time.Unix(1<<30, 0))
	for _, shift := range []uint{25, 27, 29} {
		at := time.Unix(1<<shift, 0)
		c.Check(secret.isValidAt(at), check.Equals, true)
	}
}
// TestIsValidAtZeroTime checks that the zero time.Time is rejected as
// a query instant, even though it sorts before the expiry.
func (s *CachedS3SecretSuite) TestIsValidAtZeroTime(c *check.C) {
	secret := s.cachedSecretWithExpiry(time.Unix(10, 0))
	var zero time.Time
	c.Check(secret.isValidAt(zero), check.Equals, false)
}
118 type s3stage struct {
120 ac *arvadosclient.ArvadosClient
121 kc *keepclient.KeepClient
123 projbucket *s3.Bucket
124 subproj arvados.Group
125 coll arvados.Collection
126 collbucket *s3.Bucket
129 func (s *IntegrationSuite) s3setup(c *check.C) s3stage {
130 var proj, subproj arvados.Group
131 var coll arvados.Collection
132 arv := arvados.NewClientFromEnv()
133 arv.AuthToken = arvadostest.ActiveToken
134 err := arv.RequestAndDecode(&proj, "POST", "arvados/v1/groups", nil, map[string]interface{}{
135 "group": map[string]interface{}{
136 "group_class": "project",
137 "name": "keep-web s3 test",
138 "properties": map[string]interface{}{
139 "project-properties-key": "project properties value",
142 "ensure_unique_name": true,
144 c.Assert(err, check.IsNil)
145 err = arv.RequestAndDecode(&subproj, "POST", "arvados/v1/groups", nil, map[string]interface{}{
146 "group": map[string]interface{}{
147 "owner_uuid": proj.UUID,
148 "group_class": "project",
149 "name": "keep-web s3 test subproject",
150 "properties": map[string]interface{}{
151 "subproject_properties_key": "subproject properties value",
152 "invalid header key": "this value will not be returned because key contains spaces",
156 c.Assert(err, check.IsNil)
157 err = arv.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, map[string]interface{}{"collection": map[string]interface{}{
158 "owner_uuid": proj.UUID,
159 "name": "keep-web s3 test collection",
160 "manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:emptyfile\n./emptydir d41d8cd98f00b204e9800998ecf8427e+0 0:0:.\n",
161 "properties": map[string]interface{}{
162 "string": "string value",
163 "array": []string{"element1", "element2"},
164 "object": map[string]interface{}{"key": map[string]interface{}{"key2": "value⛵"}},
166 "newline": "foo\r\nX-Bad: header",
167 // This key cannot be expressed as a MIME
168 // header key, so it will be silently skipped
169 // (see "Inject" in PropertiesAsMetadata test)
170 "a: a\r\nInject": "bogus",
173 c.Assert(err, check.IsNil)
174 ac, err := arvadosclient.New(arv)
175 c.Assert(err, check.IsNil)
176 kc, err := keepclient.MakeKeepClient(ac)
177 c.Assert(err, check.IsNil)
178 fs, err := coll.FileSystem(arv, kc)
179 c.Assert(err, check.IsNil)
180 f, err := fs.OpenFile("sailboat.txt", os.O_CREATE|os.O_WRONLY, 0644)
181 c.Assert(err, check.IsNil)
182 _, err = f.Write([]byte("⛵\n"))
183 c.Assert(err, check.IsNil)
185 c.Assert(err, check.IsNil)
187 c.Assert(err, check.IsNil)
188 err = arv.RequestAndDecode(&coll, "GET", "arvados/v1/collections/"+coll.UUID, nil, nil)
189 c.Assert(err, check.IsNil)
191 auth := aws.NewAuth(arvadostest.ActiveTokenUUID, arvadostest.ActiveToken, "", time.Now().Add(time.Hour))
192 region := aws.Region{
194 S3Endpoint: s.testServer.URL,
196 client := s3.New(*auth, region)
197 client.Signature = aws.V4Signature
203 projbucket: &s3.Bucket{
209 collbucket: &s3.Bucket{
// teardown deletes the collection and the project recorded in stage,
// skipping either one whose UUID is empty. Failures are reported with
// Check, so a failed collection delete does not stop the project
// delete from being attempted.
func (stage s3stage) teardown(c *check.C) {
	if uuid := stage.coll.UUID; uuid != "" {
		c.Check(stage.arv.RequestAndDecode(&stage.coll, "DELETE", "arvados/v1/collections/"+uuid, nil, nil), check.IsNil)
	}
	if uuid := stage.proj.UUID; uuid != "" {
		c.Check(stage.arv.RequestAndDecode(&stage.proj, "DELETE", "arvados/v1/groups/"+uuid, nil, nil), check.IsNil)
	}
}
227 func (s *IntegrationSuite) TestS3Signatures(c *check.C) {
228 stage := s.s3setup(c)
229 defer stage.teardown(c)
231 bucket := stage.collbucket
232 for _, trial := range []struct {
238 {true, aws.V2Signature, arvadostest.ActiveToken, "none"},
239 {true, aws.V2Signature, url.QueryEscape(arvadostest.ActiveTokenV2), "none"},
240 {true, aws.V2Signature, strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1), "none"},
241 {false, aws.V2Signature, "none", "none"},
242 {false, aws.V2Signature, "none", arvadostest.ActiveToken},
244 {true, aws.V4Signature, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken},
245 {true, aws.V4Signature, arvadostest.ActiveToken, arvadostest.ActiveToken},
246 {true, aws.V4Signature, url.QueryEscape(arvadostest.ActiveTokenV2), url.QueryEscape(arvadostest.ActiveTokenV2)},
247 {true, aws.V4Signature, strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1), strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1)},
248 {false, aws.V4Signature, arvadostest.ActiveToken, ""},
249 {false, aws.V4Signature, arvadostest.ActiveToken, "none"},
250 {false, aws.V4Signature, "none", arvadostest.ActiveToken},
251 {false, aws.V4Signature, "none", "none"},
254 bucket.S3.Auth = *(aws.NewAuth(trial.accesskey, trial.secretkey, "", time.Now().Add(time.Hour)))
255 bucket.S3.Signature = trial.signature
256 _, err := bucket.GetReader("emptyfile")
258 c.Check(err, check.IsNil)
260 c.Check(err, check.NotNil)
265 func (s *IntegrationSuite) TestS3SecretCacheUpdates(c *check.C) {
266 stage := s.s3setup(c)
267 defer stage.teardown(c)
268 reqUrl, err := url.Parse("https://" + stage.collbucket.Name + ".example.com/")
269 c.Assert(err, check.IsNil)
271 for trialName, trialAuth := range map[string]string{
272 "v1 token": arvadostest.ActiveToken,
273 "token UUID": arvadostest.ActiveTokenUUID,
274 "v2 token query escaped": url.QueryEscape(arvadostest.ActiveTokenV2),
275 "v2 token underscore escaped": strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1),
277 s.handler.s3SecretCache = nil
278 req, err := http.NewRequest("GET", reqUrl.String(), bytes.NewReader(nil))
279 if !c.Check(err, check.IsNil) {
283 if secret[5:12] == "-gj3su-" {
284 secret = arvadostest.ActiveToken
286 s.sign(c, req, trialAuth, secret)
287 rec := httptest.NewRecorder()
288 s.handler.ServeHTTP(rec, req)
289 if !c.Check(rec.Result().StatusCode, check.Equals, http.StatusOK,
290 check.Commentf("%s auth did not get 200 OK response: %v", trialName, req)) {
294 for name, key := range map[string]string{
295 "v1 token": arvadostest.ActiveToken,
296 "token UUID": arvadostest.ActiveTokenUUID,
297 "v2 token": arvadostest.ActiveTokenV2,
299 actual, ok := s.handler.s3SecretCache[key]
300 if c.Check(ok, check.Equals, true, check.Commentf("%s not cached from %s", name, trialName)) {
301 c.Check(actual.auth.UUID, check.Equals, arvadostest.ActiveTokenUUID)
307 func (s *IntegrationSuite) TestS3SecretCacheUsed(c *check.C) {
308 stage := s.s3setup(c)
309 defer stage.teardown(c)
311 token := arvadostest.ActiveToken
312 // Step 1: Make a request to get the active token in the cache.
313 reqUrl, err := url.Parse("https://" + stage.collbucket.Name + ".example.com/")
314 c.Assert(err, check.IsNil)
315 req, err := http.NewRequest("GET", reqUrl.String(), bytes.NewReader(nil))
316 s.sign(c, req, token, token)
317 rec := httptest.NewRecorder()
318 s.handler.ServeHTTP(rec, req)
320 c.Assert(resp.StatusCode, check.Equals, http.StatusOK,
321 check.Commentf("first request did not get 200 OK response"))
323 // Step 2: Remove some cache keys our request doesn't rely upon.
324 c.Assert(s.handler.s3SecretCache[arvadostest.ActiveTokenUUID], check.NotNil)
325 delete(s.handler.s3SecretCache, arvadostest.ActiveTokenUUID)
326 c.Assert(s.handler.s3SecretCache[arvadostest.ActiveTokenV2], check.NotNil)
327 delete(s.handler.s3SecretCache, arvadostest.ActiveTokenV2)
329 // Step 3: Repeat the original request.
330 rec = httptest.NewRecorder()
331 s.handler.ServeHTTP(rec, req)
333 c.Assert(resp.StatusCode, check.Equals, http.StatusOK,
334 check.Commentf("cached auth request did not get 200 OK response"))
336 // Step 4: Confirm the deleted cache keys were not re-added
337 // (which would imply the authorization was re-requested and cached).
338 c.Check(s.handler.s3SecretCache[arvadostest.ActiveTokenUUID], check.IsNil,
339 check.Commentf("token UUID re-added to cache after removal"))
340 c.Check(s.handler.s3SecretCache[arvadostest.ActiveTokenV2], check.IsNil,
341 check.Commentf("v2 token re-added to cache after removal"))
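// TestS3SecretCacheCleanup checks that serving a signed request once
// the scheduled tidy time has passed removes an already-expired entry
// from the S3 secret cache, moves s3SecretCacheNextTidy forward, and
// leaves the token used by the request in the cache.
func (s *IntegrationSuite) TestS3SecretCacheCleanup(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)
	// Put the next-tidy time two intervals in the past, and plant an
	// entry whose expiry is two intervals earlier still.
	td := -2 * s3SecretCacheTidyInterval
	startTidied := time.Now().Add(td)
	s.handler.s3SecretCacheNextTidy = startTidied
	s.handler.s3SecretCache = make(map[string]*cachedS3Secret)
	s.handler.s3SecretCache["old"] = &cachedS3Secret{expiry: startTidied.Add(td)}

	reqUrl, err := url.Parse("https://" + stage.collbucket.Name + ".example.com/")
	c.Assert(err, check.IsNil)
	req, err := http.NewRequest("GET", reqUrl.String(), bytes.NewReader(nil))
	// Stop here on failure: req is handed to sign and ServeHTTP below.
	c.Assert(err, check.IsNil)
	token := arvadostest.ActiveToken
	s.sign(c, req, token, token)
	rec := httptest.NewRecorder()
	s.handler.ServeHTTP(rec, req)

	c.Check(s.handler.s3SecretCache["old"], check.IsNil,
		check.Commentf("expired token not removed from cache"))
	c.Check(s.handler.s3SecretCacheNextTidy.After(startTidied), check.Equals, true,
		check.Commentf("s3SecretCacheNextTidy not updated"))
	c.Check(s.handler.s3SecretCache[token], check.NotNil,
		check.Commentf("just-used token not found in cache"))
}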
// TestS3HeadBucket checks that Exists("") succeeds and reports true
// for both the collection bucket and the project bucket.
func (s *IntegrationSuite) TestS3HeadBucket(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)

	targets := []*s3.Bucket{env.collbucket, env.projbucket}
	for i := range targets {
		b := targets[i]
		c.Logf("bucket %s", b.Name)
		found, err := b.Exists("")
		c.Check(err, check.IsNil)
		c.Check(found, check.Equals, true)
	}
}
// TestS3CollectionGetObject runs the shared GetObject checks against
// the collection bucket, with no key prefix.
func (s *IntegrationSuite) TestS3CollectionGetObject(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	const noPrefix = ""
	s.testS3GetObject(c, env.collbucket, noPrefix)
}
// TestS3ProjectGetObject runs the shared GetObject checks against the
// project bucket, addressing objects under "<collection name>/".
func (s *IntegrationSuite) TestS3ProjectGetObject(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	collPrefix := env.coll.Name + "/"
	s.testS3GetObject(c, env.projbucket, collPrefix)
}
391 func (s *IntegrationSuite) testS3GetObject(c *check.C, bucket *s3.Bucket, prefix string) {
392 rdr, err := bucket.GetReader(prefix + "emptyfile")
393 c.Assert(err, check.IsNil)
394 buf, err := ioutil.ReadAll(rdr)
395 c.Check(err, check.IsNil)
396 c.Check(len(buf), check.Equals, 0)
398 c.Check(err, check.IsNil)
401 rdr, err = bucket.GetReader(prefix + "missingfile")
402 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
403 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
404 c.Check(err, check.ErrorMatches, `The specified key does not exist.`)
407 exists, err := bucket.Exists(prefix + "missingfile")
408 c.Check(err, check.IsNil)
409 c.Check(exists, check.Equals, false)
412 rdr, err = bucket.GetReader(prefix + "sailboat.txt")
413 c.Assert(err, check.IsNil)
414 buf, err = ioutil.ReadAll(rdr)
415 c.Check(err, check.IsNil)
416 c.Check(buf, check.DeepEquals, []byte("⛵\n"))
418 c.Check(err, check.IsNil)
421 resp, err := bucket.Head(prefix+"sailboat.txt", nil)
422 c.Check(err, check.IsNil)
423 c.Check(resp.StatusCode, check.Equals, http.StatusOK)
424 c.Check(resp.ContentLength, check.Equals, int64(4))
426 // HeadObject with superfluous leading slashes
427 exists, err = bucket.Exists(prefix + "//sailboat.txt")
428 c.Check(err, check.IsNil)
429 c.Check(exists, check.Equals, false)
432 func (s *IntegrationSuite) checkMetaEquals(c *check.C, hdr http.Header, expect map[string]string) {
433 got := map[string]string{}
434 for hk, hv := range hdr {
435 if k := strings.TrimPrefix(hk, "X-Amz-Meta-"); k != hk && len(hv) == 1 {
439 c.Check(got, check.DeepEquals, expect)
442 func (s *IntegrationSuite) TestS3PropertiesAsMetadata(c *check.C) {
443 stage := s.s3setup(c)
444 defer stage.teardown(c)
446 expectCollectionTags := map[string]string{
447 "String": "string value",
448 "Array": `["element1","element2"]`,
449 "Object": mime.BEncoding.Encode("UTF-8", `{"key":{"key2":"value⛵"}}`),
450 "Nonascii": "=?UTF-8?b?4pu1?=",
451 "Newline": mime.BEncoding.Encode("UTF-8", "foo\r\nX-Bad: header"),
453 expectSubprojectTags := map[string]string{
454 "Subproject_properties_key": "subproject properties value",
456 expectProjectTags := map[string]string{
457 "Project-Properties-Key": "project properties value",
460 c.Log("HEAD object with metadata from collection")
461 resp, err := stage.collbucket.Head("sailboat.txt", nil)
462 c.Assert(err, check.IsNil)
463 s.checkMetaEquals(c, resp.Header, expectCollectionTags)
465 c.Log("GET object with metadata from collection")
466 rdr, hdr, err := stage.collbucket.GetReaderWithHeaders("sailboat.txt")
467 c.Assert(err, check.IsNil)
468 content, err := ioutil.ReadAll(rdr)
469 c.Check(err, check.IsNil)
471 c.Check(content, check.HasLen, 4)
472 s.checkMetaEquals(c, hdr, expectCollectionTags)
473 c.Check(hdr["Inject"], check.IsNil)
475 c.Log("HEAD bucket with metadata from collection")
476 resp, err = stage.collbucket.Head("/", nil)
477 c.Assert(err, check.IsNil)
478 s.checkMetaEquals(c, resp.Header, expectCollectionTags)
480 c.Log("HEAD directory placeholder with metadata from collection")
481 resp, err = stage.projbucket.Head("keep-web s3 test collection/", nil)
482 c.Assert(err, check.IsNil)
483 s.checkMetaEquals(c, resp.Header, expectCollectionTags)
485 c.Log("HEAD file with metadata from collection")
486 resp, err = stage.projbucket.Head("keep-web s3 test collection/sailboat.txt", nil)
487 c.Assert(err, check.IsNil)
488 s.checkMetaEquals(c, resp.Header, expectCollectionTags)
490 c.Log("HEAD directory placeholder with metadata from subproject")
491 resp, err = stage.projbucket.Head("keep-web s3 test subproject/", nil)
492 c.Assert(err, check.IsNil)
493 s.checkMetaEquals(c, resp.Header, expectSubprojectTags)
495 c.Log("HEAD bucket with metadata from project")
496 resp, err = stage.projbucket.Head("/", nil)
497 c.Assert(err, check.IsNil)
498 s.checkMetaEquals(c, resp.Header, expectProjectTags)
// TestS3CollectionPutObjectSuccess runs the shared successful-PUT
// checks against the collection bucket, with no key prefix.
func (s *IntegrationSuite) TestS3CollectionPutObjectSuccess(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	const noPrefix = ""
	s.testS3PutObjectSuccess(c, env.collbucket, noPrefix, env.coll.UUID)
}
// TestS3ProjectPutObjectSuccess runs the shared successful-PUT checks
// against the project bucket, writing under "<collection name>/".
func (s *IntegrationSuite) TestS3ProjectPutObjectSuccess(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	collPrefix := env.coll.Name + "/"
	s.testS3PutObjectSuccess(c, env.projbucket, collPrefix, env.coll.UUID)
}
511 func (s *IntegrationSuite) testS3PutObjectSuccess(c *check.C, bucket *s3.Bucket, prefix string, collUUID string) {
512 // We insert a delay between test cases to ensure we exercise
513 // rollover of expired sessions.
514 sleep := time.Second / 100
515 s.handler.Cluster.Collections.WebDAVCache.TTL = arvados.Duration(sleep * 3)
517 for _, trial := range []struct {
525 contentType: "application/octet-stream",
527 path: "newdir/newfile",
529 contentType: "application/octet-stream",
533 contentType: "application/x-directory",
535 path: "newdir1/newdir2/newfile",
537 contentType: "application/octet-stream",
539 path: "newdir1/newdir2/newdir3/",
541 contentType: "application/x-directory",
545 c.Logf("=== %v", trial)
547 objname := prefix + trial.path
549 _, err := bucket.GetReader(objname)
550 if !c.Check(err, check.NotNil) {
553 c.Check(err.(*s3.Error).StatusCode, check.Equals, http.StatusNotFound)
554 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
555 if !c.Check(err, check.ErrorMatches, `The specified key does not exist.`) {
559 buf := make([]byte, trial.size)
562 err = bucket.PutReader(objname, bytes.NewReader(buf), int64(len(buf)), trial.contentType, s3.Private, s3.Options{})
563 c.Check(err, check.IsNil)
565 rdr, err := bucket.GetReader(objname)
566 if strings.HasSuffix(trial.path, "/") && !s.handler.Cluster.Collections.S3FolderObjects {
567 c.Check(err, check.NotNil)
569 } else if !c.Check(err, check.IsNil) {
572 buf2, err := ioutil.ReadAll(rdr)
573 c.Check(err, check.IsNil)
574 c.Check(buf2, check.HasLen, len(buf))
575 c.Check(bytes.Equal(buf, buf2), check.Equals, true)
577 // Check that the change is immediately visible via
578 // (non-S3) webdav request.
579 _, resp := s.do("GET", "http://"+collUUID+".keep-web.example/"+trial.path, arvadostest.ActiveTokenV2, nil, nil)
580 c.Check(resp.StatusCode, check.Equals, http.StatusOK)
581 if !strings.HasSuffix(trial.path, "/") {
582 buf, _ := io.ReadAll(resp.Body)
583 c.Check(len(buf), check.Equals, trial.size)
588 func (s *IntegrationSuite) TestS3ProjectPutObjectNotSupported(c *check.C) {
589 stage := s.s3setup(c)
590 defer stage.teardown(c)
591 bucket := stage.projbucket
593 for _, trial := range []struct {
602 contentType: "application/octet-stream",
603 errorMatches: `invalid argument: path is not in a collection`,
605 path: "newdir/newfile",
607 contentType: "application/octet-stream",
608 errorMatches: `invalid argument: path is not in a collection`,
612 contentType: "application/x-directory",
613 errorMatches: `mkdir "/by_id/zzzzz-j7d0g-[a-z0-9]{15}/newdir2" failed: invalid operation`,
616 c.Logf("=== %v", trial)
618 _, err := bucket.GetReader(trial.path)
619 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
620 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
621 c.Assert(err, check.ErrorMatches, `The specified key does not exist.`)
623 buf := make([]byte, trial.size)
626 err = bucket.PutReader(trial.path, bytes.NewReader(buf), int64(len(buf)), trial.contentType, s3.Private, s3.Options{})
627 c.Check(err.(*s3.Error).StatusCode, check.Equals, 400)
628 c.Check(err.(*s3.Error).Code, check.Equals, `InvalidArgument`)
629 c.Check(err, check.ErrorMatches, trial.errorMatches)
631 _, err = bucket.GetReader(trial.path)
632 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
633 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
634 c.Assert(err, check.ErrorMatches, `The specified key does not exist.`)
// TestS3CollectionDeleteObject runs the shared DeleteObject checks
// against the collection bucket, with no key prefix.
func (s *IntegrationSuite) TestS3CollectionDeleteObject(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	const noPrefix = ""
	s.testS3DeleteObject(c, env.collbucket, noPrefix)
}
// TestS3ProjectDeleteObject runs the shared DeleteObject checks
// against the project bucket, deleting under "<collection name>/".
func (s *IntegrationSuite) TestS3ProjectDeleteObject(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	collPrefix := env.coll.Name + "/"
	s.testS3DeleteObject(c, env.projbucket, collPrefix)
}
648 func (s *IntegrationSuite) testS3DeleteObject(c *check.C, bucket *s3.Bucket, prefix string) {
649 s.handler.Cluster.Collections.S3FolderObjects = true
650 for _, trial := range []struct {
661 objname := prefix + trial.path
662 comment := check.Commentf("objname %q", objname)
664 err := bucket.Del(objname)
665 if trial.path == "/" {
666 c.Check(err, check.NotNil)
669 c.Check(err, check.IsNil, comment)
670 _, err = bucket.GetReader(objname)
671 c.Check(err, check.NotNil, comment)
// TestS3CollectionPutObjectFailure runs the shared rejected-PUT
// checks against the collection bucket, with no key prefix.
func (s *IntegrationSuite) TestS3CollectionPutObjectFailure(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	const noPrefix = ""
	s.testS3PutObjectFailure(c, env.collbucket, noPrefix)
}
// TestS3ProjectPutObjectFailure runs the shared rejected-PUT checks
// against the project bucket, writing under "<collection name>/".
func (s *IntegrationSuite) TestS3ProjectPutObjectFailure(c *check.C) {
	env := s.s3setup(c)
	defer env.teardown(c)
	collPrefix := env.coll.Name + "/"
	s.testS3PutObjectFailure(c, env.projbucket, collPrefix)
}
685 func (s *IntegrationSuite) testS3PutObjectFailure(c *check.C, bucket *s3.Bucket, prefix string) {
686 s.handler.Cluster.Collections.S3FolderObjects = false
688 var wg sync.WaitGroup
689 for _, trial := range []struct {
693 path: "emptyfile/newname", // emptyfile exists, see s3setup()
695 path: "emptyfile/", // emptyfile exists, see s3setup()
697 path: "emptydir", // dir already exists, see s3setup()
710 c.Logf("=== %v", trial)
712 objname := prefix + trial.path
714 buf := make([]byte, 1234)
717 err := bucket.PutReader(objname, bytes.NewReader(buf), int64(len(buf)), "application/octet-stream", s3.Private, s3.Options{})
718 if !c.Check(err, check.ErrorMatches, `(invalid object name.*|open ".*" failed.*|object name conflicts with existing (directory|object)|Missing object name in PUT request.)`, check.Commentf("PUT %q should fail", objname)) {
722 if objname != "" && objname != "/" {
723 _, err = bucket.GetReader(objname)
724 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
725 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
726 c.Check(err, check.ErrorMatches, `The specified key does not exist.`, check.Commentf("GET %q should return 404", objname))
// writeBigDirs creates directories dir0..dir<dirs-1> in the stage's
// collection, each holding empty files file0.txt..file<filesPerDir-1>.txt,
// then syncs the collection filesystem. Any failure aborts the test.
func (stage *s3stage) writeBigDirs(c *check.C, dirs int, filesPerDir int) {
	collfs, err := stage.coll.FileSystem(stage.arv, stage.kc)
	c.Assert(err, check.IsNil)
	for dirIdx := 0; dirIdx < dirs; dirIdx++ {
		dirName := fmt.Sprintf("dir%d", dirIdx)
		c.Assert(collfs.Mkdir(dirName, 0755), check.IsNil)
		for fileIdx := 0; fileIdx < filesPerDir; fileIdx++ {
			name := fmt.Sprintf("%s/file%d.txt", dirName, fileIdx)
			f, err := collfs.OpenFile(name, os.O_CREATE|os.O_WRONLY, 0644)
			c.Assert(err, check.IsNil)
			c.Assert(f.Close(), check.IsNil)
		}
	}
	c.Assert(collfs.Sync(), check.IsNil)
}
// sign sets a Date header (current UTC time, RFC 1123) on req and
// then an Authorization header of the form
// "<s3SignAlgorithm> Credential=<key>/<scope>, SignedHeaders=date, Signature=<sig>".
// The signature is computed with s3stringToSign and s3signature, the
// same package-level helpers this file's other tests call directly.
// key goes in the Credential field; secret is the signing secret.
//
// NOTE(review): the scope carries the fixed date 20200202 while the
// Date header is the current time. Tests using this helper expect
// 200 OK, so the handler presumably does not require the two to
// agree. Confirm that is intended.
func (s *IntegrationSuite) sign(c *check.C, req *http.Request, key, secret string) {
	const (
		scope         = "20200202/zzzzz/service/aws4_request"
		signedHeaders = "date"
	)
	// Date must be set before the string-to-sign is built: it is the
	// only header listed in SignedHeaders.
	req.Header.Set("Date", time.Now().UTC().Format(time.RFC1123))
	stringToSign, err := s3stringToSign(s3SignAlgorithm, scope, signedHeaders, req)
	c.Assert(err, check.IsNil)
	sig, err := s3signature(secret, scope, signedHeaders, stringToSign)
	c.Assert(err, check.IsNil)
	authz := fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		s3SignAlgorithm, key, scope, signedHeaders, sig)
	req.Header.Set("Authorization", authz)
}
759 func (s *IntegrationSuite) TestS3VirtualHostStyleRequests(c *check.C) {
760 stage := s.s3setup(c)
761 defer stage.teardown(c)
762 for _, trial := range []struct {
767 responseRegexp []string
771 url: "https://" + stage.collbucket.Name + ".example.com/",
773 responseCode: http.StatusOK,
774 responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
777 url: "https://" + strings.Replace(stage.coll.PortableDataHash, "+", "-", -1) + ".example.com/",
779 responseCode: http.StatusOK,
780 responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
783 url: "https://" + stage.projbucket.Name + ".example.com/?prefix=" + stage.coll.Name + "/&delimiter=/",
785 responseCode: http.StatusOK,
786 responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
789 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/sailboat.txt",
791 responseCode: http.StatusOK,
792 responseRegexp: []string{`⛵\n`},
796 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/beep",
799 responseCode: http.StatusOK,
802 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/beep",
804 responseCode: http.StatusOK,
805 responseRegexp: []string{`boop`},
809 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
811 responseCode: http.StatusNotFound,
814 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
817 responseCode: http.StatusOK,
820 url: "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
822 responseCode: http.StatusOK,
823 responseRegexp: []string{`boop`},
827 c.Logf("=== %s %s", trial.method, trial.url)
828 url, err := url.Parse(trial.url)
829 c.Assert(err, check.IsNil)
830 req, err := http.NewRequest(trial.method, url.String(), bytes.NewReader([]byte(trial.body)))
831 c.Assert(err, check.IsNil)
832 s.sign(c, req, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken)
833 rr := httptest.NewRecorder()
834 s.handler.ServeHTTP(rr, req)
836 c.Check(resp.StatusCode, check.Equals, trial.responseCode)
837 body, err := ioutil.ReadAll(resp.Body)
838 c.Assert(err, check.IsNil)
839 for _, re := range trial.responseRegexp {
840 c.Check(string(body), check.Matches, re)
843 c.Check(resp.Header.Get("Etag"), check.Matches, `"[\da-f]{32}\+\d+"`)
848 func (s *IntegrationSuite) TestS3NormalizeURIForSignature(c *check.C) {
849 stage := s.s3setup(c)
850 defer stage.teardown(c)
851 for _, trial := range []struct {
853 normalizedPath string
855 {"/foo", "/foo"}, // boring case
856 {"/foo%5fbar", "/foo_bar"}, // _ must not be escaped
857 {"/foo%2fbar", "/foo/bar"}, // / must not be escaped
858 {"/(foo)/[];,", "/%28foo%29/%5B%5D%3B%2C"}, // ()[];, must be escaped
859 {"/foo%5bbar", "/foo%5Bbar"}, // %XX must be uppercase
860 // unicode chars must be UTF-8 encoded and escaped
861 {"/\u26f5", "/%E2%9B%B5"},
862 // "//" and "///" must not be squashed -- see example,
863 // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
864 {"//foo///.bar", "//foo///.bar"},
866 c.Logf("trial %q", trial)
868 date := time.Now().UTC().Format("20060102T150405Z")
869 scope := "20200202/zzzzz/S3/aws4_request"
870 canonicalRequest := fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", "GET", trial.normalizedPath, "", "host:host.example.com\n", "host", "")
871 c.Logf("canonicalRequest %q", canonicalRequest)
872 expect := fmt.Sprintf("%s\n%s\n%s\n%s", s3SignAlgorithm, date, scope, hashdigest(sha256.New(), canonicalRequest))
873 c.Logf("expected stringToSign %q", expect)
875 req, err := http.NewRequest("GET", "https://host.example.com"+trial.rawPath, nil)
876 req.Header.Set("X-Amz-Date", date)
877 req.Host = "host.example.com"
878 c.Assert(err, check.IsNil)
880 obtained, err := s3stringToSign(s3SignAlgorithm, scope, "host", req)
881 if !c.Check(err, check.IsNil) {
884 c.Check(obtained, check.Equals, expect)
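// TestS3GetBucketLocation checks that GET /?location on the
// collection bucket and on the project bucket returns an
// application/xml LocationConstraint document naming "zzzzz".
//
// The request authenticates with an "AWS <v2 token>:none" header: the
// token sits in the access-key position and the signature is the
// literal "none".
func (s *IntegrationSuite) TestS3GetBucketLocation(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)
	for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
		req, err := http.NewRequest("GET", bucket.URL("/"), nil)
		// Assert rather than Check: req is dereferenced on the next line.
		c.Assert(err, check.IsNil)
		req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
		req.URL.RawQuery = "location"
		resp, err := http.DefaultClient.Do(req)
		c.Assert(err, check.IsNil)
		c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
		buf, err := ioutil.ReadAll(resp.Body)
		// Close inside the loop (a defer would wait for function
		// return) and before asserting, so the body is released even
		// when the read failed.
		resp.Body.Close()
		c.Assert(err, check.IsNil)
		c.Check(string(buf), check.Equals, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<LocationConstraint><LocationConstraint xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">zzzzz</LocationConstraint></LocationConstraint>\n")
	}
}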
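// TestS3GetBucketVersioning checks that GET /?versioning on the
// collection bucket and on the project bucket returns an
// application/xml document holding an empty VersioningConfiguration
// element.
func (s *IntegrationSuite) TestS3GetBucketVersioning(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)
	for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
		req, err := http.NewRequest("GET", bucket.URL("/"), nil)
		// Assert rather than Check: req is dereferenced on the next line.
		c.Assert(err, check.IsNil)
		req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
		req.URL.RawQuery = "versioning"
		resp, err := http.DefaultClient.Do(req)
		c.Assert(err, check.IsNil)
		c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
		buf, err := ioutil.ReadAll(resp.Body)
		// Close inside the loop (a defer would wait for function
		// return) and before asserting, so the body is released even
		// when the read failed.
		resp.Body.Close()
		c.Assert(err, check.IsNil)
		c.Check(string(buf), check.Equals, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"/>\n")
	}
}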
922 func (s *IntegrationSuite) TestS3UnsupportedAPIs(c *check.C) {
923 stage := s.s3setup(c)
924 defer stage.teardown(c)
925 for _, trial := range []struct {
930 {"GET", "/", "acl&versionId=1234"}, // GetBucketAcl
931 {"GET", "/foo", "acl&versionId=1234"}, // GetObjectAcl
932 {"PUT", "/", "acl"}, // PutBucketAcl
933 {"PUT", "/foo", "acl"}, // PutObjectAcl
934 {"DELETE", "/", "tagging"}, // DeleteBucketTagging
935 {"DELETE", "/foo", "tagging"}, // DeleteObjectTagging
937 for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
938 c.Logf("trial %v bucket %v", trial, bucket)
939 req, err := http.NewRequest(trial.method, bucket.URL(trial.path), nil)
940 c.Check(err, check.IsNil)
941 req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
942 req.URL.RawQuery = trial.rawquery
943 resp, err := http.DefaultClient.Do(req)
944 c.Assert(err, check.IsNil)
945 c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
946 buf, err := ioutil.ReadAll(resp.Body)
947 c.Assert(err, check.IsNil)
948 c.Check(string(buf), check.Matches, "(?ms).*InvalidRequest.*API not supported.*")
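// TestS3ListNoCommonPrefixes checks that a list response with no
// CommonPrefixes entries omits the CommonPrefixes XML tag entirely.
// The request uses a prefix ("asdfasdfasdf") together with
// delimiter "/".
func (s *IntegrationSuite) TestS3ListNoCommonPrefixes(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)

	req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
	c.Assert(err, check.IsNil)
	req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
	req.URL.RawQuery = "prefix=asdfasdfasdf&delimiter=/"
	resp, err := http.DefaultClient.Do(req)
	c.Assert(err, check.IsNil)
	// Release the response body when the test returns.
	defer resp.Body.Close()
	buf, err := ioutil.ReadAll(resp.Body)
	c.Assert(err, check.IsNil)
	c.Check(string(buf), check.Not(check.Matches), `(?ms).*CommonPrefixes.*`)
}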
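// TestS3ListNoNextMarker checks that the NextMarker XML tag is absent
// from the list response when the request has no delimiter, or when
// the results are not truncated. It tries one query with a delimiter
// ("prefix=e&delimiter=/") and one empty query.
func (s *IntegrationSuite) TestS3ListNoNextMarker(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)

	for _, query := range []string{"prefix=e&delimiter=/", ""} {
		req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
		c.Assert(err, check.IsNil)
		req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
		req.URL.RawQuery = query
		resp, err := http.DefaultClient.Do(req)
		c.Assert(err, check.IsNil)
		buf, err := ioutil.ReadAll(resp.Body)
		// Close inside the loop (a defer would wait for function
		// return) and before asserting, so the body is released even
		// when the read failed.
		resp.Body.Close()
		c.Assert(err, check.IsNil)
		c.Check(string(buf), check.Not(check.Matches), `(?ms).*NextMarker.*`)
	}
}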
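// TestS3ListKeyCount verifies that a list response includes a KeyCount
// field, and that listing the bucket root with an empty prefix and a
// "/" delimiter reports a count of 2.
func (s *IntegrationSuite) TestS3ListKeyCount(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)

	req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
	c.Assert(err, check.IsNil)
	req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
	req.URL.RawQuery = "prefix=&delimiter=/"
	resp, err := http.DefaultClient.Do(req)
	c.Assert(err, check.IsNil)
	// Release the connection even if a later assertion aborts the test.
	defer resp.Body.Close()
	buf, err := ioutil.ReadAll(resp.Body)
	c.Assert(err, check.IsNil)
	c.Check(string(buf), check.Matches, `(?ms).*<KeyCount>2</KeyCount>.*`)
}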
// TestS3CollectionList checks paged listing of the collection bucket at
// several page sizes, with S3FolderObjects both disabled and enabled.
1006 func (s *IntegrationSuite) TestS3CollectionList(c *check.C) {
1007 stage := s.s3setup(c)
1008 defer stage.teardown(c)
// The range clause assigns each value straight into the cluster config
// field and the slice index into markers, so markers is 0 with folder
// objects disabled and 1 with them enabled.
// NOTE(review): the declarations of markers, dirs and filesPerDir are not
// shown in this listing.
1011 for markers, s.handler.Cluster.Collections.S3FolderObjects = range []bool{false, true} {
1014 stage.writeBigDirs(c, dirs, filesPerDir)
1015 // Total # objects is:
1016 // 2 file entries from s3setup (emptyfile and sailboat.txt)
1017 // +1 fake "directory" marker from s3setup (emptydir) (if enabled)
1018 // +dirs fake "directory" marker from writeBigDirs (dir0/, dir1/) (if enabled)
1019 // +filesPerDir*dirs file entries from writeBigDirs (dir0/file0.txt, etc.)
// The same expected total is checked at three page sizes; the last call
// restricts the listing to the "dir0/" prefix.
1020 s.testS3List(c, stage.collbucket, "", 4000, markers+2+(filesPerDir+markers)*dirs)
1021 s.testS3List(c, stage.collbucket, "", 131, markers+2+(filesPerDir+markers)*dirs)
1022 s.testS3List(c, stage.collbucket, "", 51, markers+2+(filesPerDir+markers)*dirs)
1023 s.testS3List(c, stage.collbucket, "dir0/", 71, filesPerDir+markers)
// testS3List lists bucket page by page with the given prefix and page
// size, collects every returned key, and checks page sizes, duplicate
// keys, marker handling and the final key count against expectFiles.
// NOTE(review): several lines of this function (loop header, early
// exits, closing braces) are not shown in this listing.
1026 func (s *IntegrationSuite) testS3List(c *check.C, bucket *s3.Bucket, prefix string, pageSize, expectFiles int) {
1027 c.Logf("testS3List: prefix=%q pageSize=%d S3FolderObjects=%v", prefix, pageSize, s.handler.Cluster.Collections.S3FolderObjects)
// No page is expected to hold more than 1000 entries, even when a larger
// pageSize is requested.
1028 expectPageSize := pageSize
1029 if expectPageSize > 1000 {
1030 expectPageSize = 1000
// Keys seen so far, used for duplicate detection and the final count.
1032 gotKeys := map[string]s3.Key{}
1036 resp, err := bucket.List(prefix, "", nextMarker, pageSize)
1037 if !c.Check(err, check.IsNil) {
1040 c.Check(len(resp.Contents) <= expectPageSize, check.Equals, true)
// Bound the number of pages so that a marker which never advances is
// reported as a failure.
1041 if pages++; !c.Check(pages <= (expectFiles/expectPageSize)+1, check.Equals, true) {
1044 for _, key := range resp.Contents {
1045 if _, dup := gotKeys[key.Key]; dup {
1046 c.Errorf("got duplicate key %q on page %d", key.Key, pages)
1048 gotKeys[key.Key] = key
// Any key containing "sailboat.txt" is expected to report a size of 4.
1049 if strings.Contains(key.Key, "sailboat.txt") {
1050 c.Check(key.Size, check.Equals, int64(4))
// An untruncated page must carry an empty NextMarker; a truncated page
// must carry a non-empty one, which becomes the marker for the next call.
1053 if !resp.IsTruncated {
1054 c.Check(resp.NextMarker, check.Equals, "")
1057 if !c.Check(resp.NextMarker, check.Not(check.Equals), "") {
1060 nextMarker = resp.NextMarker
// On a count mismatch the collected keys are sorted; what is done with
// each sorted key is not shown in this listing.
1062 if !c.Check(len(gotKeys), check.Equals, expectFiles) {
1064 for k := range gotKeys {
1065 sorted = append(sorted, k)
1067 sort.Strings(sorted)
1068 for _, k := range sorted {
// TestS3CollectionListRollup runs the rollup listing checks twice:
// first with S3FolderObjects disabled, then with it enabled.
func (s *IntegrationSuite) TestS3CollectionListRollup(c *check.C) {
	for _, folderObjects := range []bool{false, true} {
		s.handler.Cluster.Collections.S3FolderObjects = folderObjects
		s.testS3CollectionListRollup(c)
	}
}
// testS3CollectionListRollup builds the full sorted key list of the
// collection bucket, then for each trial (prefix, delimiter, marker)
// computes the keys, common prefixes, NextMarker and truncation flag it
// expects and compares them with what the server returns.
// NOTE(review): many lines of this function (declarations of dirs,
// filesPerDir, markers and maxKeys, branch conditions, closing braces)
// are not shown in this listing.
1080 func (s *IntegrationSuite) testS3CollectionListRollup(c *check.C) {
1081 stage := s.s3setup(c)
1082 defer stage.teardown(c)
1086 stage.writeBigDirs(c, dirs, filesPerDir)
// Add one empty top-level object named "dingbats".
1087 err := stage.collbucket.PutReader("dingbats", &bytes.Buffer{}, 0, "application/octet-stream", s3.Private, s3.Options{})
1088 c.Assert(err, check.IsNil)
// Collect every key in listing order, skipping a key that repeats the
// one immediately before it.
1089 var allfiles []string
1090 for marker := ""; ; {
1091 resp, err := stage.collbucket.List("", "", marker, 20000)
// NOTE(review): c.Check does not stop the test, so if List fails and
// returns a nil response the next line would panic; c.Assert would fail
// cleanly instead.
1092 c.Check(err, check.IsNil)
1093 for _, key := range resp.Contents {
1094 if len(allfiles) == 0 || allfiles[len(allfiles)-1] != key.Key {
1095 allfiles = append(allfiles, key.Key)
1098 marker = resp.NextMarker
1104 if s.handler.Cluster.Collections.S3FolderObjects {
// Expected total: per directory its files plus an optional marker, three
// more objects (presumably emptyfile, sailboat.txt and dingbats), and one
// more optional marker.
1107 c.Check(allfiles, check.HasLen, dirs*(filesPerDir+markers)+3+markers)
// Sanity-check directory markers (keys ending in "/"): a key inside a
// directory must have been preceded by that directory's marker.
// NOTE(review): the condition of the first branch is not shown; it
// asserts that no key is a directory marker.
1109 gotDirMarker := map[string]bool{}
1110 for _, name := range allfiles {
1111 isDirMarker := strings.HasSuffix(name, "/")
1113 c.Check(isDirMarker, check.Equals, false, check.Commentf("name %q", name))
1114 } else if isDirMarker {
1115 gotDirMarker[name] = true
1116 } else if i := strings.LastIndex(name, "/"); i >= 0 {
1117 c.Check(gotDirMarker[name[:i+1]], check.Equals, true, check.Commentf("name %q", name))
1118 gotDirMarker[name[:i+1]] = true // skip redundant complaints about this dir marker
// Trial table; the values are read below as trial.prefix,
// trial.delimiter and trial.marker.
1122 for _, trial := range []struct {
1133 {"dir0/f", "/", ""},
1137 {"dir0", "/", "dir0/file14.txt"}, // one commonprefix, "dir0/"
1138 {"dir0", "/", "dir0/zzzzfile.txt"}, // no commonprefixes
1139 {"", "", "dir0/file14.txt"}, // middle page, skip walking dir1
1140 {"", "", "dir1/file14.txt"}, // middle page, skip walking dir0
1141 {"", "", "dir1/file498.txt"}, // last page of results
1142 {"dir1/file", "", "dir1/file498.txt"}, // last page of results, with prefix
1143 {"dir1/file", "/", "dir1/file498.txt"}, // last page of results, with prefix + delimiter
1144 {"dir1", "Z", "dir1/file498.txt"}, // delimiter "Z" never appears
1145 {"dir2", "/", ""}, // prefix "dir2" does not exist
1148 c.Logf("\n\n=== trial %+v markers=%d", trial, markers)
1151 resp, err := stage.collbucket.List(trial.prefix, trial.delimiter, trial.marker, maxKeys)
1152 c.Check(err, check.IsNil)
1153 if resp.IsTruncated && trial.delimiter == "" {
1154 // goamz List method fills in the missing
1155 // NextMarker field if resp.IsTruncated, so
1156 // now we can't really tell whether it was
1157 // sent by the server or by goamz. In cases
1158 // where it should be empty but isn't, assume
1159 // it's goamz's fault.
1160 resp.NextMarker = ""
// Compute the expected page from allfiles, independently of the server.
1163 var expectKeys []string
1164 var expectPrefixes []string
1165 var expectNextMarker string
1166 var expectTruncated bool
1167 for _, key := range allfiles {
// full: the page already holds maxKeys entries (keys plus prefixes).
1168 full := len(expectKeys)+len(expectPrefixes) >= maxKeys
// Keys outside the prefix, or at or before the marker, are not candidates.
1169 if !strings.HasPrefix(key, trial.prefix) || key <= trial.marker {
// If the delimiter occurs after the prefix, the key rolls up into a
// common prefix that ends just past the first byte of that delimiter.
1171 } else if idx := strings.Index(key[len(trial.prefix):], trial.delimiter); trial.delimiter != "" && idx >= 0 {
1172 prefix := key[:len(trial.prefix)+idx+1]
1173 if len(expectPrefixes) > 0 && expectPrefixes[len(expectPrefixes)-1] == prefix {
1174 // same prefix as previous key
1176 expectTruncated = true
1178 expectPrefixes = append(expectPrefixes, prefix)
1179 expectNextMarker = prefix
1182 expectTruncated = true
1185 expectKeys = append(expectKeys, key)
// A plain key becomes the expected NextMarker only when a delimiter was
// given.
1186 if trial.delimiter != "" {
1187 expectNextMarker = key
1191 if !expectTruncated {
1192 expectNextMarker = ""
// Flatten the actual response into string slices for DeepEquals.
1195 var gotKeys []string
1196 for _, key := range resp.Contents {
1197 gotKeys = append(gotKeys, key.Key)
1199 var gotPrefixes []string
1200 for _, prefix := range resp.CommonPrefixes {
1201 gotPrefixes = append(gotPrefixes, prefix)
1203 commentf := check.Commentf("trial %+v markers=%d", trial, markers)
1204 c.Check(gotKeys, check.DeepEquals, expectKeys, commentf)
1205 c.Check(gotPrefixes, check.DeepEquals, expectPrefixes, commentf)
1206 c.Check(resp.NextMarker, check.Equals, expectNextMarker, commentf)
1207 c.Check(resp.IsTruncated, check.Equals, expectTruncated, commentf)
1208 c.Logf("=== trial %+v keys %q prefixes %q nextMarker %q", trial, gotKeys, gotPrefixes, resp.NextMarker)
// TestS3ListObjectsV2ManySubprojects creates a number of subprojects,
// each holding collectionsPerProject collections, then pages through a
// ListObjectsV2 listing of the project bucket with the aws-sdk-go client
// and logs how long each page takes.
// NOTE(review): the declaration of projects and several closing lines
// are not shown in this listing.
1212 func (s *IntegrationSuite) TestS3ListObjectsV2ManySubprojects(c *check.C) {
1213 stage := s.s3setup(c)
1214 defer stage.teardown(c)
1216 collectionsPerProject := 2
1217 for i := 0; i < projects; i++ {
1218 var subproj arvados.Group
// Create subproject i, owned by stage.subproj.
1219 err := stage.arv.RequestAndDecode(&subproj, "POST", "arvados/v1/groups", nil, map[string]interface{}{
1220 "group": map[string]interface{}{
1221 "owner_uuid": stage.subproj.UUID,
1222 "group_class": "project",
1223 "name": fmt.Sprintf("keep-web s3 test subproject %d", i),
1226 c.Assert(err, check.IsNil)
1227 for j := 0; j < collectionsPerProject; j++ {
// Each collection holds one empty file and one empty directory;
// d41d8cd98f00b204e9800998ecf8427e is the MD5 digest of zero bytes.
1228 err = stage.arv.RequestAndDecode(nil, "POST", "arvados/v1/collections", nil, map[string]interface{}{"collection": map[string]interface{}{
1229 "owner_uuid": subproj.UUID,
1230 "name": fmt.Sprintf("keep-web s3 test collection %d", j),
1231 "manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:emptyfile\n./emptydir d41d8cd98f00b204e9800998ecf8427e+0 0:0:.\n",
1233 c.Assert(err, check.IsNil)
1236 c.Logf("setup complete")
// Point the aws-sdk-go client at the test server with path-style
// addressing. The query-escaped v2 token is used as both access key ID
// and secret key.
// NOTE(review): with signature v4 the access key ID is sent in the
// Authorization header, so this scheme presumably puts the token itself
// on the wire; confirm that is only done over TLS outside of tests.
1238 sess := aws_session.Must(aws_session.NewSession(&aws_aws.Config{
1239 Region: aws_aws.String("auto"),
1240 Endpoint: aws_aws.String(s.testServer.URL),
1241 Credentials: aws_credentials.NewStaticCredentials(url.QueryEscape(arvadostest.ActiveTokenV2), url.QueryEscape(arvadostest.ActiveTokenV2), ""),
1242 S3ForcePathStyle: aws_aws.Bool(true),
1244 client := aws_s3.New(sess)
1245 ctx := context.Background()
// List under the "keep-web s3 test subproject/" prefix with a "/"
// delimiter, starting with pages of projects/2 entries.
1246 params := aws_s3.ListObjectsV2Input{
1247 Bucket: aws_aws.String(stage.proj.UUID),
1248 Delimiter: aws_aws.String("/"),
1249 Prefix: aws_aws.String("keep-web s3 test subproject/"),
1250 MaxKeys: aws_aws.Int64(int64(projects / 2)),
1252 for page := 1; ; page++ {
// NOTE(review): "¶ms" on the next line is an extraction artifact for
// "&params".
1254 result, err := client.ListObjectsV2WithContext(ctx, ¶ms)
1255 if !c.Check(err, check.IsNil) {
1258 c.Logf("got page %d in %v with len(Contents) == %d, len(CommonPrefixes) == %d", page, time.Since(t0), len(result.Contents), len(result.CommonPrefixes))
1259 if !*result.IsTruncated {
// Continue from the returned token with a different page size each
// time (half the previous size, plus one).
1262 params.ContinuationToken = result.NextContinuationToken
1263 *params.MaxKeys = *params.MaxKeys/2 + 1
// TestS3ListObjectsV2 runs a table of ListObjectsV2 trials (prefix,
// delimiter, startAfter, maxKeys) through the aws-sdk-go client and
// checks the echoed request fields, page sizes, duplicate detection and
// the total numbers of keys and common prefixes.
// NOTE(review): many lines of this function (dirs and filesPerDir
// declarations, most trial fields, loop headers, closing braces) are not
// shown in this listing.
1267 func (s *IntegrationSuite) TestS3ListObjectsV2(c *check.C) {
1268 stage := s.s3setup(c)
1269 defer stage.teardown(c)
1272 stage.writeBigDirs(c, dirs, filesPerDir)
// aws-sdk-go client against the test server, path-style addressing, with
// the query-escaped v2 token as both access key ID and secret key.
1274 sess := aws_session.Must(aws_session.NewSession(&aws_aws.Config{
1275 Region: aws_aws.String("auto"),
1276 Endpoint: aws_aws.String(s.testServer.URL),
1277 Credentials: aws_credentials.NewStaticCredentials(url.QueryEscape(arvadostest.ActiveTokenV2), url.QueryEscape(arvadostest.ActiveTokenV2), ""),
1278 S3ForcePathStyle: aws_aws.Bool(true),
// stringOrNil's body is not shown; going by its name and its use below,
// it presumably maps "" to nil and any other string to a pointer.
1281 stringOrNil := func(s string) *string {
1289 client := aws_s3.New(sess)
1290 ctx := context.Background()
1292 for _, trial := range []struct {
1298 expectCommonPrefixes map[string]bool
1301 // Expect {filesPerDir plus the dir itself}
1302 // for each dir, plus emptydir, emptyfile, and
1304 expectKeys: (filesPerDir+1)*dirs + 3,
1308 expectKeys: (filesPerDir+1)*dirs + 3,
1311 startAfter: "dir0/z",
1313 // Expect {filesPerDir plus the dir itself}
1314 // for each dir except dir0, plus emptydir,
1315 // emptyfile, and sailboat.txt.
1316 expectKeys: (filesPerDir+1)*(dirs-1) + 3,
1321 expectKeys: 2, // emptyfile, sailboat.txt
1322 expectCommonPrefixes: map[string]bool{"dir0/": true, "dir1/": true, "emptydir/": true},
1325 startAfter: "dir0/z",
1328 expectKeys: 2, // emptyfile, sailboat.txt
1329 expectCommonPrefixes: map[string]bool{"dir1/": true, "emptydir/": true},
1332 startAfter: "dir0/file10.txt",
1336 expectCommonPrefixes: map[string]bool{"dir0/": true, "dir1/": true, "emptydir/": true},
1339 startAfter: "dir0/file10.txt",
1344 expectCommonPrefixes: map[string]bool{"dir0/": true, "dir1/": true},
1347 c.Logf("[trial %+v]", trial)
// Empty trial strings are passed through stringOrNil rather than as
// pointers to "".
1348 params := aws_s3.ListObjectsV2Input{
1349 Bucket: aws_aws.String(stage.collbucket.Name),
1350 Prefix: stringOrNil(trial.prefix),
1351 Delimiter: stringOrNil(trial.delimiter),
1352 StartAfter: stringOrNil(trial.startAfter),
1353 MaxKeys: aws_aws.Int64(int64(trial.maxKeys)),
// Keys and common prefixes accumulated across all pages of this trial.
1355 keySeen := map[string]bool{}
1356 prefixSeen := map[string]bool{}
// NOTE(review): "¶ms" on the next line is an extraction artifact for
// "&params".
1358 result, err := client.ListObjectsV2WithContext(ctx, ¶ms)
1359 if !c.Check(err, check.IsNil) {
// The response must echo the bucket name, prefix and delimiter.
1362 c.Check(result.Name, check.DeepEquals, aws_aws.String(stage.collbucket.Name))
1363 c.Check(result.Prefix, check.DeepEquals, aws_aws.String(trial.prefix))
1364 c.Check(result.Delimiter, check.DeepEquals, aws_aws.String(trial.delimiter))
1365 // The following two fields are expected to be
1366 // nil (i.e., no tag in XML response) rather
1367 // than "" when the corresponding request
1368 // field was empty or nil.
1369 c.Check(result.StartAfter, check.DeepEquals, stringOrNil(trial.startAfter))
1370 c.Check(result.ContinuationToken, check.DeepEquals, params.ContinuationToken)
// With an explicit maxKeys the response echoes it and the page holds at
// most that many entries; the other check compares against s3MaxKeys.
1372 if trial.maxKeys > 0 {
1373 c.Check(result.MaxKeys, check.DeepEquals, aws_aws.Int64(int64(trial.maxKeys)))
1374 c.Check(len(result.Contents)+len(result.CommonPrefixes) <= trial.maxKeys, check.Equals, true)
1376 c.Check(result.MaxKeys, check.DeepEquals, aws_aws.Int64(int64(s3MaxKeys)))
// Every key must sort after startAfter and must not have been seen on an
// earlier page.
1379 for _, ent := range result.Contents {
1380 c.Assert(ent.Key, check.NotNil)
1381 c.Check(*ent.Key > trial.startAfter, check.Equals, true)
1382 c.Check(keySeen[*ent.Key], check.Equals, false, check.Commentf("dup key %q", *ent.Key))
1383 keySeen[*ent.Key] = true
// Every common prefix must end with the delimiter and must not repeat.
1385 for _, ent := range result.CommonPrefixes {
1386 c.Assert(ent.Prefix, check.NotNil)
1387 c.Check(strings.HasSuffix(*ent.Prefix, trial.delimiter), check.Equals, true, check.Commentf("bad CommonPrefix %q", *ent.Prefix))
1388 if strings.HasPrefix(trial.startAfter, *ent.Prefix) {
1390 // startAfter=dir0/file10.txt,
1391 // we expect dir0/ to be
1392 // returned as a common prefix
1394 c.Check(*ent.Prefix > trial.startAfter, check.Equals, true)
1396 c.Check(prefixSeen[*ent.Prefix], check.Equals, false, check.Commentf("dup common prefix %q", *ent.Prefix))
1397 prefixSeen[*ent.Prefix] = true
// NOTE(review): NextContinuationToken is dereferenced on the following
// line, so it is a pointer; comparing a pointer with the string ""
// presumably never matches, which would make this check always pass and
// leave a nil token to panic on the dereference. Confirm and consider
// check.NotNil.
1399 if *result.IsTruncated && c.Check(result.NextContinuationToken, check.Not(check.Equals), "") {
1400 params.ContinuationToken = aws_aws.String(*result.NextContinuationToken)
// After the last page, compare the totals with the trial's expectations.
1405 c.Check(keySeen, check.HasLen, trial.expectKeys)
1406 c.Check(prefixSeen, check.HasLen, len(trial.expectCommonPrefixes))
1407 if len(trial.expectCommonPrefixes) > 0 {
1408 c.Check(prefixSeen, check.DeepEquals, trial.expectCommonPrefixes)
// TestS3ListObjectsV2EncodingTypeURL checks that with EncodingType "url"
// the prefix, delimiter, start-after, key and common-prefix values in a
// ListObjectsV2 response come back percent-encoded ("/" as "%2F").
// NOTE(review): the declarations of dirs and filesPerDir and several
// closing lines are not shown in this listing.
1413 func (s *IntegrationSuite) TestS3ListObjectsV2EncodingTypeURL(c *check.C) {
1414 stage := s.s3setup(c)
1415 defer stage.teardown(c)
1418 stage.writeBigDirs(c, dirs, filesPerDir)
// aws-sdk-go client against the test server, path-style addressing, with
// the query-escaped v2 token as both access key ID and secret key.
1420 sess := aws_session.Must(aws_session.NewSession(&aws_aws.Config{
1421 Region: aws_aws.String("auto"),
1422 Endpoint: aws_aws.String(s.testServer.URL),
1423 Credentials: aws_credentials.NewStaticCredentials(url.QueryEscape(arvadostest.ActiveTokenV2), url.QueryEscape(arvadostest.ActiveTokenV2), ""),
1424 S3ForcePathStyle: aws_aws.Bool(true),
1427 client := aws_s3.New(sess)
1428 ctx := context.Background()
// First request: list inside dir0/ and check the echoed fields and
// every returned key.
1430 result, err := client.ListObjectsV2WithContext(ctx, &aws_s3.ListObjectsV2Input{
1431 Bucket: aws_aws.String(stage.collbucket.Name),
1432 Prefix: aws_aws.String("dir0/"),
1433 Delimiter: aws_aws.String("/"),
1434 StartAfter: aws_aws.String("dir0/"),
1435 EncodingType: aws_aws.String("url"),
1437 c.Assert(err, check.IsNil)
1438 c.Check(*result.Prefix, check.Equals, "dir0%2F")
1439 c.Check(*result.Delimiter, check.Equals, "%2F")
1440 c.Check(*result.StartAfter, check.Equals, "dir0%2F")
1441 for _, ent := range result.Contents {
1442 c.Check(*ent.Key, check.Matches, "dir0%2F.*")
// Second request: list the bucket root and check the common prefixes;
// dirs+1 are expected (presumably dir0..dirN plus emptydir).
1444 result, err = client.ListObjectsV2WithContext(ctx, &aws_s3.ListObjectsV2Input{
1445 Bucket: aws_aws.String(stage.collbucket.Name),
1446 Delimiter: aws_aws.String("/"),
1447 EncodingType: aws_aws.String("url"),
1449 c.Assert(err, check.IsNil)
1450 c.Check(*result.Delimiter, check.Equals, "%2F")
1451 c.Check(result.CommonPrefixes, check.HasLen, dirs+1)
1452 for _, ent := range result.CommonPrefixes {
1453 c.Check(*ent.Prefix, check.Matches, ".*%2F")
1457 // TestS3cmd checks compatibility with the s3cmd command line tool, if
1458 // it's installed (run-tests normally takes care of that).
//
// It runs s3cmd three times against the test server: an "ls" of the foo
// collection, a "get" of a nonexistent object whose name contains
// unusual characters, and a "get" of the existing object foo.
// NOTE(review): a few lines of this function are not shown in this
// listing.
1459 func (s *IntegrationSuite) TestS3cmd(c *check.C) {
1460 if _, err := exec.LookPath("s3cmd"); err != nil {
1461 c.Skip("s3cmd not found")
1465 stage := s.s3setup(c)
1466 defer stage.teardown(c)
// s.testServer.URL[7:] drops the first 7 bytes of the URL, presumably
// the "http://" scheme; this would give a wrong host for an https URL.
// NOTE(review): the token is passed as --secret_key on the command line,
// where other local processes can read it from the process listing; that
// is fine for a fixture token but not a pattern to reuse with real
// credentials.
1468 cmd := exec.Command("s3cmd", "--no-ssl", "--host="+s.testServer.URL[7:], "--host-bucket="+s.testServer.URL[7:], "--access_key="+arvadostest.ActiveTokenUUID, "--secret_key="+arvadostest.ActiveToken, "ls", "s3://"+arvadostest.FooCollection)
1469 buf, err := cmd.CombinedOutput()
1470 c.Check(err, check.IsNil)
// The listing must show the object foo with size 3.
1471 c.Check(string(buf), check.Matches, `.* 3 +s3://`+arvadostest.FooCollection+`/foo\n`)
1473 // This tests whether s3cmd's path normalization agrees with
1474 // keep-web's signature verification wrt chars like "|"
1475 // (neither reserved nor unreserved) and "," (not normally
1476 // percent-encoded in a path).
1477 tmpfile := c.MkDir() + "/dstfile"
1478 cmd = exec.Command("s3cmd", "--no-ssl", "--host="+s.testServer.URL[7:], "--host-bucket="+s.testServer.URL[7:], "--access_key="+arvadostest.ActiveTokenUUID, "--secret_key="+arvadostest.ActiveToken, "get", "s3://"+arvadostest.FooCollection+"/foo,;$[|]bar", tmpfile)
1479 buf, err = cmd.CombinedOutput()
// The command must fail, and the output must report a missing object
// rather than some other error.
1480 c.Check(err, check.NotNil)
1481 // As of commit b7520e5c25e1bf25c1a8bf5aa2eadb299be8f606
1482 // (between debian bullseye and bookworm versions), s3cmd
1483 // started catching the NoSuchKey error code and replacing it
1484 // with "Source object '%s' does not exist.".
1485 c.Check(string(buf), check.Matches, `(?ms).*(NoSuchKey|Source object.*does not exist).*\n`)
// Fetching the existing object must succeed and write the content "foo"
// to the destination file.
1487 tmpfile = c.MkDir() + "/foo"
1488 cmd = exec.Command("s3cmd", "--no-ssl", "--host="+s.testServer.URL[7:], "--host-bucket="+s.testServer.URL[7:], "--access_key="+arvadostest.ActiveTokenUUID, "--secret_key="+arvadostest.ActiveToken, "get", "s3://"+arvadostest.FooCollection+"/foo", tmpfile)
1489 buf, err = cmd.CombinedOutput()
1491 if c.Check(err, check.IsNil) {
1492 checkcontent, err := os.ReadFile(tmpfile)
1493 c.Check(err, check.IsNil)
1494 c.Check(string(checkcontent), check.Equals, "foo")
// TestS3BucketInHost requests /sailboat.txt through runCurl, passing a
// host name whose leading label is the collection UUID, and expects a
// 200 response carrying the file content.
func (s *IntegrationSuite) TestS3BucketInHost(c *check.C) {
	stage := s.s3setup(c)
	defer stage.teardown(c)

	// Second and third runCurl arguments, named for readability.
	auth := "AWS " + arvadostest.ActiveTokenV2 + ":none"
	vhost := stage.coll.UUID + ".collections.example.com"

	// The third return value of runCurl is not used here.
	hdr, body, _ := s.runCurl(c, auth, vhost, "/sailboat.txt")
	c.Check(hdr, check.Matches, `(?s)HTTP/1.1 200 OK\r\n.*`)
	c.Check(body, check.Equals, "⛵\n")
}
// TestS3ConcurrentPUT writes ndirs*nfiles small objects, reads each one
// back, then fetches the saved collection and walks its filesystem.
// NOTE(review): the lines that start goroutines and wait on wg, and the
// body of the WalkDir callback, are not shown in this listing.
1507 func (s *IntegrationSuite) TestS3ConcurrentPUT(c *check.C) {
1508 stage := s.s3setup(c)
1509 defer stage.teardown(c)
1510 ndirs, nfiles := 5, 5
// wg presumably tracks one goroutine per PUT; confirm against the full
// source.
1511 var wg sync.WaitGroup
1512 for di := 0; di < ndirs; di++ {
1517 for fi := 0; fi < nfiles; fi++ {
// Every object gets the same 5-byte payload.
1522 s.checkPut(c, stage, fmt.Sprintf("dir%d/file%d", di, fi), []byte("acbde"))
// Read every object back and expect the 5 bytes written above.
1528 for di := 0; di < ndirs; di++ {
1529 for fi := 0; fi < nfiles; fi++ {
1530 s.checkGet(c, stage, fmt.Sprintf("dir%d/file%d", di, fi), 5)
// Fetch the stored collection record (uuid and manifest_text only) and
// walk its files.
1534 c.Log("preserved files:")
1535 var saved arvados.Collection
1536 err := stage.arv.RequestAndDecode(&saved, "GET", "arvados/v1/collections/"+stage.coll.UUID, nil, arvados.GetOptions{
1537 Select: []string{"uuid", "manifest_text"}})
1538 c.Assert(err, check.IsNil)
1539 cfs, err := saved.FileSystem(stage.arv, stage.kc)
1540 c.Assert(err, check.IsNil)
1541 fs.WalkDir(arvados.FS(cfs), "", func(path string, _ fs.DirEntry, _ error) error {
// checkPut sends a signed PUT of data to path inside the staged
// collection, addressed through the project bucket's virtual host, and
// expects a 200 OK status. The request is served in-process by
// s.handler through an httptest recorder, not over the network.
// NOTE(review): the line that assigns resp is not shown in this listing.
1548 func (s *IntegrationSuite) checkPut(c *check.C, stage s3stage, path string, data []byte) {
// The bucket name is the leading label of the host; the collection name
// is the first path segment.
1549 url, err := url.Parse("https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/" + path)
1550 c.Assert(err, check.IsNil)
1551 req, err := http.NewRequest(http.MethodPut, url.String(), bytes.NewReader([]byte(data)))
1552 c.Assert(err, check.IsNil)
// Sign with the active token's UUID and secret, so this request goes
// through signature verification rather than the "AWS <token>:none"
// header used by other tests in this file.
1553 s.sign(c, req, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken)
1554 rr := httptest.NewRecorder()
1555 s.handler.ServeHTTP(rr, req)
1557 c.Check(resp.StatusCode, check.Equals, http.StatusOK)
1560 func (s *IntegrationSuite) checkGet(c *check.C, stage s3stage, path string, expectLength int) {
1561 url, err := url.Parse("https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/" + path)
1562 c.Assert(err, check.IsNil)
1563 req, err := http.NewRequest(http.MethodGet, url.String(), nil)
1564 c.Assert(err, check.IsNil)
1565 s.sign(c, req, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken)
1566 rr := httptest.NewRecorder()
1567 s.handler.ServeHTTP(rr, req)
1569 if !c.Check(resp.StatusCode, check.Equals, http.StatusOK, check.Commentf("%s", path)) {
1572 body, err := ioutil.ReadAll(resp.Body)
1573 c.Assert(err, check.IsNil)
1574 c.Check(string(body), check.HasLen, expectLength)