services/keep-web/s3_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package main
   6
   7 import (
   8         "bytes"
   9         "crypto/rand"
  10         "crypto/sha256"
  11         "fmt"
  12         "io/ioutil"
  13         "net/http"
  14         "net/http/httptest"
  15         "net/url"
  16         "os"
  17         "os/exec"
  18         "strings"
  19         "sync"
  20         "time"
  21
  22         "git.arvados.org/arvados.git/sdk/go/arvados"
  23         "git.arvados.org/arvados.git/sdk/go/arvadosclient"
  24         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  25         "git.arvados.org/arvados.git/sdk/go/keepclient"
  26         "github.com/AdRoll/goamz/aws"
  27         "github.com/AdRoll/goamz/s3"
  28         check "gopkg.in/check.v1"
  29 )
  30
  31 type s3stage struct {
  32         arv        *arvados.Client
  33         ac         *arvadosclient.ArvadosClient
  34         kc         *keepclient.KeepClient
  35         proj       arvados.Group
  36         projbucket *s3.Bucket
  37         coll       arvados.Collection
  38         collbucket *s3.Bucket
  39 }
  40
  41 func (s *IntegrationSuite) s3setup(c *check.C) s3stage {
  42         var proj arvados.Group
  43         var coll arvados.Collection
  44         arv := arvados.NewClientFromEnv()
  45         arv.AuthToken = arvadostest.ActiveToken
  46         err := arv.RequestAndDecode(&proj, "POST", "arvados/v1/groups", nil, map[string]interface{}{
  47                 "group": map[string]interface{}{
  48                         "group_class": "project",
  49                         "name":        "keep-web s3 test",
  50                 },
  51                 "ensure_unique_name": true,
  52         })
  53         c.Assert(err, check.IsNil)
  54         err = arv.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, map[string]interface{}{"collection": map[string]interface{}{
  55                 "owner_uuid":    proj.UUID,
  56                 "name":          "keep-web s3 test collection",
  57                 "manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:emptyfile\n./emptydir d41d8cd98f00b204e9800998ecf8427e+0 0:0:.\n",
  58         }})
  59         c.Assert(err, check.IsNil)
  60         ac, err := arvadosclient.New(arv)
  61         c.Assert(err, check.IsNil)
  62         kc, err := keepclient.MakeKeepClient(ac)
  63         c.Assert(err, check.IsNil)
  64         fs, err := coll.FileSystem(arv, kc)
  65         c.Assert(err, check.IsNil)
  66         f, err := fs.OpenFile("sailboat.txt", os.O_CREATE|os.O_WRONLY, 0644)
  67         c.Assert(err, check.IsNil)
  68         _, err = f.Write([]byte("⛵\n"))
  69         c.Assert(err, check.IsNil)
  70         err = f.Close()
  71         c.Assert(err, check.IsNil)
  72         err = fs.Sync()
  73         c.Assert(err, check.IsNil)
  74         err = arv.RequestAndDecode(&coll, "GET", "arvados/v1/collections/"+coll.UUID, nil, nil)
  75         c.Assert(err, check.IsNil)
  76
  77         auth := aws.NewAuth(arvadostest.ActiveTokenUUID, arvadostest.ActiveToken, "", time.Now().Add(time.Hour))
  78         region := aws.Region{
  79                 Name:       "zzzzz",
  80                 S3Endpoint: "http://" + s.testServer.Addr,
  81         }
  82         client := s3.New(*auth, region)
  83         client.Signature = aws.V4Signature
  84         return s3stage{
  85                 arv:  arv,
  86                 ac:   ac,
  87                 kc:   kc,
  88                 proj: proj,
  89                 projbucket: &s3.Bucket{
  90                         S3:   client,
  91                         Name: proj.UUID,
  92                 },
  93                 coll: coll,
  94                 collbucket: &s3.Bucket{
  95                         S3:   client,
  96                         Name: coll.UUID,
  97                 },
  98         }
  99 }
 100
 101 func (stage s3stage) teardown(c *check.C) {
 102         if stage.coll.UUID != "" {
 103                 err := stage.arv.RequestAndDecode(&stage.coll, "DELETE", "arvados/v1/collections/"+stage.coll.UUID, nil, nil)
 104                 c.Check(err, check.IsNil)
 105         }
 106         if stage.proj.UUID != "" {
 107                 err := stage.arv.RequestAndDecode(&stage.proj, "DELETE", "arvados/v1/groups/"+stage.proj.UUID, nil, nil)
 108                 c.Check(err, check.IsNil)
 109         }
 110 }
 111
 112 func (s *IntegrationSuite) TestS3Signatures(c *check.C) {
 113         stage := s.s3setup(c)
 114         defer stage.teardown(c)
 115
 116         bucket := stage.collbucket
 117         for _, trial := range []struct {
 118                 success   bool
 119                 signature int
 120                 accesskey string
 121                 secretkey string
 122         }{
 123                 {true, aws.V2Signature, arvadostest.ActiveToken, "none"},
 124                 {true, aws.V2Signature, url.QueryEscape(arvadostest.ActiveTokenV2), "none"},
 125                 {true, aws.V2Signature, strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1), "none"},
 126                 {false, aws.V2Signature, "none", "none"},
 127                 {false, aws.V2Signature, "none", arvadostest.ActiveToken},
 128
 129                 {true, aws.V4Signature, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken},
 130                 {true, aws.V4Signature, arvadostest.ActiveToken, arvadostest.ActiveToken},
 131                 {true, aws.V4Signature, url.QueryEscape(arvadostest.ActiveTokenV2), url.QueryEscape(arvadostest.ActiveTokenV2)},
 132                 {true, aws.V4Signature, strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1), strings.Replace(arvadostest.ActiveTokenV2, "/", "_", -1)},
 133                 {false, aws.V4Signature, arvadostest.ActiveToken, ""},
 134                 {false, aws.V4Signature, arvadostest.ActiveToken, "none"},
 135                 {false, aws.V4Signature, "none", arvadostest.ActiveToken},
 136                 {false, aws.V4Signature, "none", "none"},
 137         } {
 138                 c.Logf("%#v", trial)
 139                 bucket.S3.Auth = *(aws.NewAuth(trial.accesskey, trial.secretkey, "", time.Now().Add(time.Hour)))
 140                 bucket.S3.Signature = trial.signature
 141                 _, err := bucket.GetReader("emptyfile")
 142                 if trial.success {
 143                         c.Check(err, check.IsNil)
 144                 } else {
 145                         c.Check(err, check.NotNil)
 146                 }
 147         }
 148 }
 149
 150 func (s *IntegrationSuite) TestS3HeadBucket(c *check.C) {
 151         stage := s.s3setup(c)
 152         defer stage.teardown(c)
 153
 154         for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
 155                 c.Logf("bucket %s", bucket.Name)
 156                 exists, err := bucket.Exists("")
 157                 c.Check(err, check.IsNil)
 158                 c.Check(exists, check.Equals, true)
 159         }
 160 }
 161
 162 func (s *IntegrationSuite) TestS3CollectionGetObject(c *check.C) {
 163         stage := s.s3setup(c)
 164         defer stage.teardown(c)
 165         s.testS3GetObject(c, stage.collbucket, "")
 166 }
 167 func (s *IntegrationSuite) TestS3ProjectGetObject(c *check.C) {
 168         stage := s.s3setup(c)
 169         defer stage.teardown(c)
 170         s.testS3GetObject(c, stage.projbucket, stage.coll.Name+"/")
 171 }
 172 func (s *IntegrationSuite) testS3GetObject(c *check.C, bucket *s3.Bucket, prefix string) {
 173         rdr, err := bucket.GetReader(prefix + "emptyfile")
 174         c.Assert(err, check.IsNil)
 175         buf, err := ioutil.ReadAll(rdr)
 176         c.Check(err, check.IsNil)
 177         c.Check(len(buf), check.Equals, 0)
 178         err = rdr.Close()
 179         c.Check(err, check.IsNil)
 180
 181         // GetObject
 182         rdr, err = bucket.GetReader(prefix + "missingfile")
 183         c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
 184         c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
 185         c.Check(err, check.ErrorMatches, `The specified key does not exist.`)
 186
 187         // HeadObject
 188         exists, err := bucket.Exists(prefix + "missingfile")
 189         c.Check(err, check.IsNil)
 190         c.Check(exists, check.Equals, false)
 191
 192         // GetObject
 193         rdr, err = bucket.GetReader(prefix + "sailboat.txt")
 194         c.Assert(err, check.IsNil)
 195         buf, err = ioutil.ReadAll(rdr)
 196         c.Check(err, check.IsNil)
 197         c.Check(buf, check.DeepEquals, []byte("⛵\n"))
 198         err = rdr.Close()
 199         c.Check(err, check.IsNil)
 200
 201         // HeadObject
 202         resp, err := bucket.Head(prefix+"sailboat.txt", nil)
 203         c.Check(err, check.IsNil)
 204         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 205         c.Check(resp.ContentLength, check.Equals, int64(4))
 206
 207         // HeadObject with superfluous leading slashes
 208         exists, err = bucket.Exists(prefix + "//sailboat.txt")
 209         c.Check(err, check.IsNil)
 210         c.Check(exists, check.Equals, true)
 211 }
 212
 213 func (s *IntegrationSuite) TestS3CollectionPutObjectSuccess(c *check.C) {
 214         stage := s.s3setup(c)
 215         defer stage.teardown(c)
 216         s.testS3PutObjectSuccess(c, stage.collbucket, "")
 217 }
 218 func (s *IntegrationSuite) TestS3ProjectPutObjectSuccess(c *check.C) {
 219         stage := s.s3setup(c)
 220         defer stage.teardown(c)
 221         s.testS3PutObjectSuccess(c, stage.projbucket, stage.coll.Name+"/")
 222 }
 223 func (s *IntegrationSuite) testS3PutObjectSuccess(c *check.C, bucket *s3.Bucket, prefix string) {
 224         for _, trial := range []struct {
 225                 path        string
 226                 size        int
 227                 contentType string
 228         }{
 229                 {
 230                         path:        "newfile",
 231                         size:        128000000,
 232                         contentType: "application/octet-stream",
 233                 }, {
 234                         path:        "newdir/newfile",
 235                         size:        1 << 26,
 236                         contentType: "application/octet-stream",
 237                 }, {
 238                         path:        "/aaa",
 239                         size:        2,
 240                         contentType: "application/octet-stream",
 241                 }, {
 242                         path:        "//bbb",
 243                         size:        2,
 244                         contentType: "application/octet-stream",
 245                 }, {
 246                         path:        "ccc//",
 247                         size:        0,
 248                         contentType: "application/x-directory",
 249                 }, {
 250                         path:        "newdir1/newdir2/newfile",
 251                         size:        0,
 252                         contentType: "application/octet-stream",
 253                 }, {
 254                         path:        "newdir1/newdir2/newdir3/",
 255                         size:        0,
 256                         contentType: "application/x-directory",
 257                 },
 258         } {
 259                 c.Logf("=== %v", trial)
 260
 261                 objname := prefix + trial.path
 262
 263                 _, err := bucket.GetReader(objname)
 264                 if !c.Check(err, check.NotNil) {
 265                         continue
 266                 }
 267                 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
 268                 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
 269                 if !c.Check(err, check.ErrorMatches, `The specified key does not exist.`) {
 270                         continue
 271                 }
 272
 273                 buf := make([]byte, trial.size)
 274                 rand.Read(buf)
 275
 276                 err = bucket.PutReader(objname, bytes.NewReader(buf), int64(len(buf)), trial.contentType, s3.Private, s3.Options{})
 277                 c.Check(err, check.IsNil)
 278
 279                 rdr, err := bucket.GetReader(objname)
 280                 if strings.HasSuffix(trial.path, "/") && !s.testServer.Config.cluster.Collections.S3FolderObjects {
 281                         c.Check(err, check.NotNil)
 282                         continue
 283                 } else if !c.Check(err, check.IsNil) {
 284                         continue
 285                 }
 286                 buf2, err := ioutil.ReadAll(rdr)
 287                 c.Check(err, check.IsNil)
 288                 c.Check(buf2, check.HasLen, len(buf))
 289                 c.Check(bytes.Equal(buf, buf2), check.Equals, true)
 290         }
 291 }
 292
 293 func (s *IntegrationSuite) TestS3ProjectPutObjectNotSupported(c *check.C) {
 294         stage := s.s3setup(c)
 295         defer stage.teardown(c)
 296         bucket := stage.projbucket
 297
 298         for _, trial := range []struct {
 299                 path        string
 300                 size        int
 301                 contentType string
 302         }{
 303                 {
 304                         path:        "newfile",
 305                         size:        1234,
 306                         contentType: "application/octet-stream",
 307                 }, {
 308                         path:        "newdir/newfile",
 309                         size:        1234,
 310                         contentType: "application/octet-stream",
 311                 }, {
 312                         path:        "newdir2/",
 313                         size:        0,
 314                         contentType: "application/x-directory",
 315                 },
 316         } {
 317                 c.Logf("=== %v", trial)
 318
 319                 _, err := bucket.GetReader(trial.path)
 320                 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
 321                 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
 322                 c.Assert(err, check.ErrorMatches, `The specified key does not exist.`)
 323
 324                 buf := make([]byte, trial.size)
 325                 rand.Read(buf)
 326
 327                 err = bucket.PutReader(trial.path, bytes.NewReader(buf), int64(len(buf)), trial.contentType, s3.Private, s3.Options{})
 328                 c.Check(err.(*s3.Error).StatusCode, check.Equals, 400)
 329                 c.Check(err.(*s3.Error).Code, check.Equals, `InvalidArgument`)
 330                 c.Check(err, check.ErrorMatches, `(mkdir "/by_id/zzzzz-j7d0g-[a-z0-9]{15}/newdir2?"|open "/zzzzz-j7d0g-[a-z0-9]{15}/newfile") failed: invalid argument`)
 331
 332                 _, err = bucket.GetReader(trial.path)
 333                 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
 334                 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
 335                 c.Assert(err, check.ErrorMatches, `The specified key does not exist.`)
 336         }
 337 }
 338
 339 func (s *IntegrationSuite) TestS3CollectionDeleteObject(c *check.C) {
 340         stage := s.s3setup(c)
 341         defer stage.teardown(c)
 342         s.testS3DeleteObject(c, stage.collbucket, "")
 343 }
 344 func (s *IntegrationSuite) TestS3ProjectDeleteObject(c *check.C) {
 345         stage := s.s3setup(c)
 346         defer stage.teardown(c)
 347         s.testS3DeleteObject(c, stage.projbucket, stage.coll.Name+"/")
 348 }
 349 func (s *IntegrationSuite) testS3DeleteObject(c *check.C, bucket *s3.Bucket, prefix string) {
 350         s.testServer.Config.cluster.Collections.S3FolderObjects = true
 351         for _, trial := range []struct {
 352                 path string
 353         }{
 354                 {"/"},
 355                 {"nonexistentfile"},
 356                 {"emptyfile"},
 357                 {"sailboat.txt"},
 358                 {"sailboat.txt/"},
 359                 {"emptydir"},
 360                 {"emptydir/"},
 361         } {
 362                 objname := prefix + trial.path
 363                 comment := check.Commentf("objname %q", objname)
 364
 365                 err := bucket.Del(objname)
 366                 if trial.path == "/" {
 367                         c.Check(err, check.NotNil)
 368                         continue
 369                 }
 370                 c.Check(err, check.IsNil, comment)
 371                 _, err = bucket.GetReader(objname)
 372                 c.Check(err, check.NotNil, comment)
 373         }
 374 }
 375
 376 func (s *IntegrationSuite) TestS3CollectionPutObjectFailure(c *check.C) {
 377         stage := s.s3setup(c)
 378         defer stage.teardown(c)
 379         s.testS3PutObjectFailure(c, stage.collbucket, "")
 380 }
 381 func (s *IntegrationSuite) TestS3ProjectPutObjectFailure(c *check.C) {
 382         stage := s.s3setup(c)
 383         defer stage.teardown(c)
 384         s.testS3PutObjectFailure(c, stage.projbucket, stage.coll.Name+"/")
 385 }
 386 func (s *IntegrationSuite) testS3PutObjectFailure(c *check.C, bucket *s3.Bucket, prefix string) {
 387         s.testServer.Config.cluster.Collections.S3FolderObjects = false
 388
 389         var wg sync.WaitGroup
 390         for _, trial := range []struct {
 391                 path string
 392         }{
 393                 {
 394                         path: "emptyfile/newname", // emptyfile exists, see s3setup()
 395                 }, {
 396                         path: "emptyfile/", // emptyfile exists, see s3setup()
 397                 }, {
 398                         path: "emptydir", // dir already exists, see s3setup()
 399                 }, {
 400                         path: "emptydir/",
 401                 }, {
 402                         path: "emptydir//",
 403                 }, {
 404                         path: "newdir/",
 405                 }, {
 406                         path: "newdir//",
 407                 }, {
 408                         path: "/",
 409                 }, {
 410                         path: "//",
 411                 }, {
 412                         path: "",
 413                 },
 414         } {
 415                 trial := trial
 416                 wg.Add(1)
 417                 go func() {
 418                         defer wg.Done()
 419                         c.Logf("=== %v", trial)
 420
 421                         objname := prefix + trial.path
 422
 423                         buf := make([]byte, 1234)
 424                         rand.Read(buf)
 425
 426                         err := bucket.PutReader(objname, bytes.NewReader(buf), int64(len(buf)), "application/octet-stream", s3.Private, s3.Options{})
 427                         if !c.Check(err, check.ErrorMatches, `(invalid object name.*|open ".*" failed.*|object name conflicts with existing object|Missing object name in PUT request.)`, check.Commentf("PUT %q should fail", objname)) {
 428                                 return
 429                         }
 430
 431                         if objname != "" && objname != "/" {
 432                                 _, err = bucket.GetReader(objname)
 433                                 c.Check(err.(*s3.Error).StatusCode, check.Equals, 404)
 434                                 c.Check(err.(*s3.Error).Code, check.Equals, `NoSuchKey`)
 435                                 c.Check(err, check.ErrorMatches, `The specified key does not exist.`, check.Commentf("GET %q should return 404", objname))
 436                         }
 437                 }()
 438         }
 439         wg.Wait()
 440 }
 441
 442 func (stage *s3stage) writeBigDirs(c *check.C, dirs int, filesPerDir int) {
 443         fs, err := stage.coll.FileSystem(stage.arv, stage.kc)
 444         c.Assert(err, check.IsNil)
 445         for d := 0; d < dirs; d++ {
 446                 dir := fmt.Sprintf("dir%d", d)
 447                 c.Assert(fs.Mkdir(dir, 0755), check.IsNil)
 448                 for i := 0; i < filesPerDir; i++ {
 449                         f, err := fs.OpenFile(fmt.Sprintf("%s/file%d.txt", dir, i), os.O_CREATE|os.O_WRONLY, 0644)
 450                         c.Assert(err, check.IsNil)
 451                         c.Assert(f.Close(), check.IsNil)
 452                 }
 453         }
 454         c.Assert(fs.Sync(), check.IsNil)
 455 }
 456
 457 func (s *IntegrationSuite) sign(c *check.C, req *http.Request, key, secret string) {
 458         scope := "20200202/zzzzz/service/aws4_request"
 459         signedHeaders := "date"
 460         req.Header.Set("Date", time.Now().UTC().Format(time.RFC1123))
 461         stringToSign, err := s3stringToSign(s3SignAlgorithm, scope, signedHeaders, req)
 462         c.Assert(err, check.IsNil)
 463         sig, err := s3signature(secret, scope, signedHeaders, stringToSign)
 464         c.Assert(err, check.IsNil)
 465         req.Header.Set("Authorization", s3SignAlgorithm+" Credential="+key+"/"+scope+", SignedHeaders="+signedHeaders+", Signature="+sig)
 466 }
 467
 468 func (s *IntegrationSuite) TestS3VirtualHostStyleRequests(c *check.C) {
 469         stage := s.s3setup(c)
 470         defer stage.teardown(c)
 471         for _, trial := range []struct {
 472                 url            string
 473                 method         string
 474                 body           string
 475                 responseCode   int
 476                 responseRegexp []string
 477         }{
 478                 {
 479                         url:            "https://" + stage.collbucket.Name + ".example.com/",
 480                         method:         "GET",
 481                         responseCode:   http.StatusOK,
 482                         responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
 483                 },
 484                 {
 485                         url:            "https://" + strings.Replace(stage.coll.PortableDataHash, "+", "-", -1) + ".example.com/",
 486                         method:         "GET",
 487                         responseCode:   http.StatusOK,
 488                         responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
 489                 },
 490                 {
 491                         url:            "https://" + stage.projbucket.Name + ".example.com/?prefix=" + stage.coll.Name + "/&delimiter=/",
 492                         method:         "GET",
 493                         responseCode:   http.StatusOK,
 494                         responseRegexp: []string{`(?ms).*sailboat\.txt.*`},
 495                 },
 496                 {
 497                         url:            "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/sailboat.txt",
 498                         method:         "GET",
 499                         responseCode:   http.StatusOK,
 500                         responseRegexp: []string{`⛵\n`},
 501                 },
 502                 {
 503                         url:          "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/beep",
 504                         method:       "PUT",
 505                         body:         "boop",
 506                         responseCode: http.StatusOK,
 507                 },
 508                 {
 509                         url:            "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "/beep",
 510                         method:         "GET",
 511                         responseCode:   http.StatusOK,
 512                         responseRegexp: []string{`boop`},
 513                 },
 514                 {
 515                         url:          "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
 516                         method:       "GET",
 517                         responseCode: http.StatusNotFound,
 518                 },
 519                 {
 520                         url:          "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
 521                         method:       "PUT",
 522                         body:         "boop",
 523                         responseCode: http.StatusOK,
 524                 },
 525                 {
 526                         url:            "https://" + stage.projbucket.Name + ".example.com/" + stage.coll.Name + "//boop",
 527                         method:         "GET",
 528                         responseCode:   http.StatusOK,
 529                         responseRegexp: []string{`boop`},
 530                 },
 531         } {
 532                 url, err := url.Parse(trial.url)
 533                 c.Assert(err, check.IsNil)
 534                 req, err := http.NewRequest(trial.method, url.String(), bytes.NewReader([]byte(trial.body)))
 535                 c.Assert(err, check.IsNil)
 536                 s.sign(c, req, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken)
 537                 rr := httptest.NewRecorder()
 538                 s.testServer.Server.Handler.ServeHTTP(rr, req)
 539                 resp := rr.Result()
 540                 c.Check(resp.StatusCode, check.Equals, trial.responseCode)
 541                 body, err := ioutil.ReadAll(resp.Body)
 542                 c.Assert(err, check.IsNil)
 543                 for _, re := range trial.responseRegexp {
 544                         c.Check(string(body), check.Matches, re)
 545                 }
 546         }
 547 }
 548
 549 func (s *IntegrationSuite) TestS3NormalizeURIForSignature(c *check.C) {
 550         stage := s.s3setup(c)
 551         defer stage.teardown(c)
 552         for _, trial := range []struct {
 553                 rawPath        string
 554                 normalizedPath string
 555         }{
 556                 {"/foo", "/foo"},             // boring case
 557                 {"/foo%5fbar", "/foo_bar"},   // _ must not be escaped
 558                 {"/foo%2fbar", "/foo/bar"},   // / must not be escaped
 559                 {"/(foo)", "/%28foo%29"},     // () must be escaped
 560                 {"/foo%5bbar", "/foo%5Bbar"}, // %XX must be uppercase
 561         } {
 562                 date := time.Now().UTC().Format("20060102T150405Z")
 563                 scope := "20200202/zzzzz/S3/aws4_request"
 564                 canonicalRequest := fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", "GET", trial.normalizedPath, "", "host:host.example.com\n", "host", "")
 565                 c.Logf("canonicalRequest %q", canonicalRequest)
 566                 expect := fmt.Sprintf("%s\n%s\n%s\n%s", s3SignAlgorithm, date, scope, hashdigest(sha256.New(), canonicalRequest))
 567                 c.Logf("expected stringToSign %q", expect)
 568
 569                 req, err := http.NewRequest("GET", "https://host.example.com"+trial.rawPath, nil)
 570                 req.Header.Set("X-Amz-Date", date)
 571                 req.Host = "host.example.com"
 572                 c.Assert(err, check.IsNil)
 573
 574                 obtained, err := s3stringToSign(s3SignAlgorithm, scope, "host", req)
 575                 if !c.Check(err, check.IsNil) {
 576                         continue
 577                 }
 578                 c.Check(obtained, check.Equals, expect)
 579         }
 580 }
 581
 582 func (s *IntegrationSuite) TestS3GetBucketLocation(c *check.C) {
 583         stage := s.s3setup(c)
 584         defer stage.teardown(c)
 585         for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
 586                 req, err := http.NewRequest("GET", bucket.URL("/"), nil)
 587                 c.Check(err, check.IsNil)
 588                 req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 589                 req.URL.RawQuery = "location"
 590                 resp, err := http.DefaultClient.Do(req)
 591                 c.Assert(err, check.IsNil)
 592                 c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
 593                 buf, err := ioutil.ReadAll(resp.Body)
 594                 c.Assert(err, check.IsNil)
 595                 c.Check(string(buf), check.Equals, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<LocationConstraint><LocationConstraint xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">zzzzz</LocationConstraint></LocationConstraint>\n")
 596         }
 597 }
 598
 599 func (s *IntegrationSuite) TestS3GetBucketVersioning(c *check.C) {
 600         stage := s.s3setup(c)
 601         defer stage.teardown(c)
 602         for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
 603                 req, err := http.NewRequest("GET", bucket.URL("/"), nil)
 604                 c.Check(err, check.IsNil)
 605                 req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 606                 req.URL.RawQuery = "versioning"
 607                 resp, err := http.DefaultClient.Do(req)
 608                 c.Assert(err, check.IsNil)
 609                 c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
 610                 buf, err := ioutil.ReadAll(resp.Body)
 611                 c.Assert(err, check.IsNil)
 612                 c.Check(string(buf), check.Equals, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<VersioningConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"/>\n")
 613         }
 614 }
 615
 616 func (s *IntegrationSuite) TestS3UnsupportedAPIs(c *check.C) {
 617         stage := s.s3setup(c)
 618         defer stage.teardown(c)
 619         for _, trial := range []struct {
 620                 method   string
 621                 path     string
 622                 rawquery string
 623         }{
 624                 {"GET", "/", "acl&versionId=1234"},    // GetBucketAcl
 625                 {"GET", "/foo", "acl&versionId=1234"}, // GetObjectAcl
 626                 {"PUT", "/", "acl"},                   // PutBucketAcl
 627                 {"PUT", "/foo", "acl"},                // PutObjectAcl
 628                 {"DELETE", "/", "tagging"},            // DeleteBucketTagging
 629                 {"DELETE", "/foo", "tagging"},         // DeleteObjectTagging
 630         } {
 631                 for _, bucket := range []*s3.Bucket{stage.collbucket, stage.projbucket} {
 632                         c.Logf("trial %v bucket %v", trial, bucket)
 633                         req, err := http.NewRequest(trial.method, bucket.URL(trial.path), nil)
 634                         c.Check(err, check.IsNil)
 635                         req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 636                         req.URL.RawQuery = trial.rawquery
 637                         resp, err := http.DefaultClient.Do(req)
 638                         c.Assert(err, check.IsNil)
 639                         c.Check(resp.Header.Get("Content-Type"), check.Equals, "application/xml")
 640                         buf, err := ioutil.ReadAll(resp.Body)
 641                         c.Assert(err, check.IsNil)
 642                         c.Check(string(buf), check.Matches, "(?ms).*InvalidRequest.*API not supported.*")
 643                 }
 644         }
 645 }
 646
 647 // If there are no CommonPrefixes entries, the CommonPrefixes XML tag
 648 // should not appear at all.
 649 func (s *IntegrationSuite) TestS3ListNoCommonPrefixes(c *check.C) {
 650         stage := s.s3setup(c)
 651         defer stage.teardown(c)
 652
 653         req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
 654         c.Assert(err, check.IsNil)
 655         req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 656         req.URL.RawQuery = "prefix=asdfasdfasdf&delimiter=/"
 657         resp, err := http.DefaultClient.Do(req)
 658         c.Assert(err, check.IsNil)
 659         buf, err := ioutil.ReadAll(resp.Body)
 660         c.Assert(err, check.IsNil)
 661         c.Check(string(buf), check.Not(check.Matches), `(?ms).*CommonPrefixes.*`)
 662 }
 663
 664 // If there is no delimiter in the request, or the results are not
 665 // truncated, the NextMarker XML tag should not appear in the response
 666 // body.
 667 func (s *IntegrationSuite) TestS3ListNoNextMarker(c *check.C) {
 668         stage := s.s3setup(c)
 669         defer stage.teardown(c)
 670
 671         for _, query := range []string{"prefix=e&delimiter=/", ""} {
 672                 req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
 673                 c.Assert(err, check.IsNil)
 674                 req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 675                 req.URL.RawQuery = query
 676                 resp, err := http.DefaultClient.Do(req)
 677                 c.Assert(err, check.IsNil)
 678                 buf, err := ioutil.ReadAll(resp.Body)
 679                 c.Assert(err, check.IsNil)
 680                 c.Check(string(buf), check.Not(check.Matches), `(?ms).*NextMarker.*`)
 681         }
 682 }
 683
 684 // List response should include KeyCount field.
 685 func (s *IntegrationSuite) TestS3ListKeyCount(c *check.C) {
 686         stage := s.s3setup(c)
 687         defer stage.teardown(c)
 688
 689         req, err := http.NewRequest("GET", stage.collbucket.URL("/"), nil)
 690         c.Assert(err, check.IsNil)
 691         req.Header.Set("Authorization", "AWS "+arvadostest.ActiveTokenV2+":none")
 692         req.URL.RawQuery = "prefix=&delimiter=/"
 693         resp, err := http.DefaultClient.Do(req)
 694         c.Assert(err, check.IsNil)
 695         buf, err := ioutil.ReadAll(resp.Body)
 696         c.Assert(err, check.IsNil)
 697         c.Check(string(buf), check.Matches, `(?ms).*<KeyCount>2</KeyCount>.*`)
 698 }
 699
 700 func (s *IntegrationSuite) TestS3CollectionList(c *check.C) {
 701         stage := s.s3setup(c)
 702         defer stage.teardown(c)
 703
 704         var markers int
 705         for markers, s.testServer.Config.cluster.Collections.S3FolderObjects = range []bool{false, true} {
 706                 dirs := 2
 707                 filesPerDir := 1001
 708                 stage.writeBigDirs(c, dirs, filesPerDir)
 709                 // Total # objects is:
 710                 //                 2 file entries from s3setup (emptyfile and sailboat.txt)
 711                 //                +1 fake "directory" marker from s3setup (emptydir) (if enabled)
 712                 //             +dirs fake "directory" marker from writeBigDirs (dir0/, dir1/) (if enabled)
 713                 // +filesPerDir*dirs file entries from writeBigDirs (dir0/file0.txt, etc.)
 714                 s.testS3List(c, stage.collbucket, "", 4000, markers+2+(filesPerDir+markers)*dirs)
 715                 s.testS3List(c, stage.collbucket, "", 131, markers+2+(filesPerDir+markers)*dirs)
 716                 s.testS3List(c, stage.collbucket, "dir0/", 71, filesPerDir+markers)
 717         }
 718 }
 719 func (s *IntegrationSuite) testS3List(c *check.C, bucket *s3.Bucket, prefix string, pageSize, expectFiles int) {
 720         c.Logf("testS3List: prefix=%q pageSize=%d S3FolderObjects=%v", prefix, pageSize, s.testServer.Config.cluster.Collections.S3FolderObjects)
 721         expectPageSize := pageSize
 722         if expectPageSize > 1000 {
 723                 expectPageSize = 1000
 724         }
 725         gotKeys := map[string]s3.Key{}
 726         nextMarker := ""
 727         pages := 0
 728         for {
 729                 resp, err := bucket.List(prefix, "", nextMarker, pageSize)
 730                 if !c.Check(err, check.IsNil) {
 731                         break
 732                 }
 733                 c.Check(len(resp.Contents) <= expectPageSize, check.Equals, true)
 734                 if pages++; !c.Check(pages <= (expectFiles/expectPageSize)+1, check.Equals, true) {
 735                         break
 736                 }
 737                 for _, key := range resp.Contents {
 738                         gotKeys[key.Key] = key
 739                         if strings.Contains(key.Key, "sailboat.txt") {
 740                                 c.Check(key.Size, check.Equals, int64(4))
 741                         }
 742                 }
 743                 if !resp.IsTruncated {
 744                         c.Check(resp.NextMarker, check.Equals, "")
 745                         break
 746                 }
 747                 if !c.Check(resp.NextMarker, check.Not(check.Equals), "") {
 748                         break
 749                 }
 750                 nextMarker = resp.NextMarker
 751         }
 752         c.Check(len(gotKeys), check.Equals, expectFiles)
 753 }
 754
 755 func (s *IntegrationSuite) TestS3CollectionListRollup(c *check.C) {
 756         for _, s.testServer.Config.cluster.Collections.S3FolderObjects = range []bool{false, true} {
 757                 s.testS3CollectionListRollup(c)
 758         }
 759 }
 760
 761 func (s *IntegrationSuite) testS3CollectionListRollup(c *check.C) {
 762         stage := s.s3setup(c)
 763         defer stage.teardown(c)
 764
 765         dirs := 2
 766         filesPerDir := 500
 767         stage.writeBigDirs(c, dirs, filesPerDir)
 768         err := stage.collbucket.PutReader("dingbats", &bytes.Buffer{}, 0, "application/octet-stream", s3.Private, s3.Options{})
 769         c.Assert(err, check.IsNil)
 770         var allfiles []string
 771         for marker := ""; ; {
 772                 resp, err := stage.collbucket.List("", "", marker, 20000)
 773                 c.Check(err, check.IsNil)
 774                 for _, key := range resp.Contents {
 775                         if len(allfiles) == 0 || allfiles[len(allfiles)-1] != key.Key {
 776                                 allfiles = append(allfiles, key.Key)
 777                         }
 778                 }
 779                 marker = resp.NextMarker
 780                 if marker == "" {
 781                         break
 782                 }
 783         }
 784         markers := 0
 785         if s.testServer.Config.cluster.Collections.S3FolderObjects {
 786                 markers = 1
 787         }
 788         c.Check(allfiles, check.HasLen, dirs*(filesPerDir+markers)+3+markers)
 789
 790         gotDirMarker := map[string]bool{}
 791         for _, name := range allfiles {
 792                 isDirMarker := strings.HasSuffix(name, "/")
 793                 if markers == 0 {
 794                         c.Check(isDirMarker, check.Equals, false, check.Commentf("name %q", name))
 795                 } else if isDirMarker {
 796                         gotDirMarker[name] = true
 797                 } else if i := strings.LastIndex(name, "/"); i >= 0 {
 798                         c.Check(gotDirMarker[name[:i+1]], check.Equals, true, check.Commentf("name %q", name))
 799                         gotDirMarker[name[:i+1]] = true // skip redundant complaints about this dir marker
 800                 }
 801         }
 802
 803         for _, trial := range []struct {
 804                 prefix    string
 805                 delimiter string
 806                 marker    string
 807         }{
 808                 {"", "", ""},
 809                 {"di", "/", ""},
 810                 {"di", "r", ""},
 811                 {"di", "n", ""},
 812                 {"dir0", "/", ""},
 813                 {"dir0/", "/", ""},
 814                 {"dir0/f", "/", ""},
 815                 {"dir0", "", ""},
 816                 {"dir0/", "", ""},
 817                 {"dir0/f", "", ""},
 818                 {"dir0", "/", "dir0/file14.txt"},       // no commonprefixes
 819                 {"", "", "dir0/file14.txt"},            // middle page, skip walking dir1
 820                 {"", "", "dir1/file14.txt"},            // middle page, skip walking dir0
 821                 {"", "", "dir1/file498.txt"},           // last page of results
 822                 {"dir1/file", "", "dir1/file498.txt"},  // last page of results, with prefix
 823                 {"dir1/file", "/", "dir1/file498.txt"}, // last page of results, with prefix + delimiter
 824                 {"dir1", "Z", "dir1/file498.txt"},      // delimiter "Z" never appears
 825                 {"dir2", "/", ""},                      // prefix "dir2" does not exist
 826                 {"", "/", ""},
 827         } {
 828                 c.Logf("\n\n=== trial %+v markers=%d", trial, markers)
 829
 830                 maxKeys := 20
 831                 resp, err := stage.collbucket.List(trial.prefix, trial.delimiter, trial.marker, maxKeys)
 832                 c.Check(err, check.IsNil)
 833                 if resp.IsTruncated && trial.delimiter == "" {
 834                         // goamz List method fills in the missing
 835                         // NextMarker field if resp.IsTruncated, so
 836                         // now we can't really tell whether it was
 837                         // sent by the server or by goamz. In cases
 838                         // where it should be empty but isn't, assume
 839                         // it's goamz's fault.
 840                         resp.NextMarker = ""
 841                 }
 842
 843                 var expectKeys []string
 844                 var expectPrefixes []string
 845                 var expectNextMarker string
 846                 var expectTruncated bool
 847                 for _, key := range allfiles {
 848                         full := len(expectKeys)+len(expectPrefixes) >= maxKeys
 849                         if !strings.HasPrefix(key, trial.prefix) || key < trial.marker {
 850                                 continue
 851                         } else if idx := strings.Index(key[len(trial.prefix):], trial.delimiter); trial.delimiter != "" && idx >= 0 {
 852                                 prefix := key[:len(trial.prefix)+idx+1]
 853                                 if len(expectPrefixes) > 0 && expectPrefixes[len(expectPrefixes)-1] == prefix {
 854                                         // same prefix as previous key
 855                                 } else if full {
 856                                         expectNextMarker = key
 857                                         expectTruncated = true
 858                                 } else {
 859                                         expectPrefixes = append(expectPrefixes, prefix)
 860                                 }
 861                         } else if full {
 862                                 if trial.delimiter != "" {
 863                                         expectNextMarker = key
 864                                 }
 865                                 expectTruncated = true
 866                                 break
 867                         } else {
 868                                 expectKeys = append(expectKeys, key)
 869                         }
 870                 }
 871
 872                 var gotKeys []string
 873                 for _, key := range resp.Contents {
 874                         gotKeys = append(gotKeys, key.Key)
 875                 }
 876                 var gotPrefixes []string
 877                 for _, prefix := range resp.CommonPrefixes {
 878                         gotPrefixes = append(gotPrefixes, prefix)
 879                 }
 880                 commentf := check.Commentf("trial %+v markers=%d", trial, markers)
 881                 c.Check(gotKeys, check.DeepEquals, expectKeys, commentf)
 882                 c.Check(gotPrefixes, check.DeepEquals, expectPrefixes, commentf)
 883                 c.Check(resp.NextMarker, check.Equals, expectNextMarker, commentf)
 884                 c.Check(resp.IsTruncated, check.Equals, expectTruncated, commentf)
 885                 c.Logf("=== trial %+v keys %q prefixes %q nextMarker %q", trial, gotKeys, gotPrefixes, resp.NextMarker)
 886         }
 887 }
 888
 889 // TestS3cmd checks compatibility with the s3cmd command line tool, if
 890 // it's installed. As of Debian buster, s3cmd is only in backports, so
 891 // `arvados-server install` don't install it, and this test skips if
 892 // it's not installed.
 893 func (s *IntegrationSuite) TestS3cmd(c *check.C) {
 894         if _, err := exec.LookPath("s3cmd"); err != nil {
 895                 c.Skip("s3cmd not found")
 896                 return
 897         }
 898
 899         stage := s.s3setup(c)
 900         defer stage.teardown(c)
 901
 902         cmd := exec.Command("s3cmd", "--no-ssl", "--host="+s.testServer.Addr, "--host-bucket="+s.testServer.Addr, "--access_key="+arvadostest.ActiveTokenUUID, "--secret_key="+arvadostest.ActiveToken, "ls", "s3://"+arvadostest.FooCollection)
 903         buf, err := cmd.CombinedOutput()
 904         c.Check(err, check.IsNil)
 905         c.Check(string(buf), check.Matches, `.* 3 +s3://`+arvadostest.FooCollection+`/foo\n`)
 906 }
 907
 908 func (s *IntegrationSuite) TestS3BucketInHost(c *check.C) {
 909         stage := s.s3setup(c)
 910         defer stage.teardown(c)
 911
 912         hdr, body, _ := s.runCurl(c, "AWS "+arvadostest.ActiveTokenV2+":none", stage.coll.UUID+".collections.example.com", "/sailboat.txt")
 913         c.Check(hdr, check.Matches, `(?s)HTTP/1.1 200 OK\r\n.*`)
 914         c.Check(body, check.Equals, "⛵\n")
 915 }