feat(auth,policy): add AWS SigV4 authentication and S3 bucket policy support

2026-02-17 16:28:50 +00:00
parent 0b9d8c4a72
commit eb232b6e8e
18 changed files with 2616 additions and 55 deletions
--- a/test/test.policy-crud.node.ts
+++ b/test/test.policy-crud.node.ts
@@ -0,0 +1,252 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import {
+  S3Client,
+  CreateBucketCommand,
+  DeleteBucketCommand,
+  PutBucketPolicyCommand,
+  GetBucketPolicyCommand,
+  DeleteBucketPolicyCommand,
+} from '@aws-sdk/client-s3';
+import * as smarts3 from '../ts/index.js';
+
+let testSmarts3Instance: smarts3.Smarts3;
+let authClient: S3Client;
+
+const TEST_PORT = 3345;
+const ACCESS_KEY = 'TESTAKID';
+const SECRET_KEY = 'TESTSECRETKEY123';
+const BUCKET = 'policy-crud-bucket';
+
+function makePolicy(statements: any[]) {
+  return JSON.stringify({ Version: '2012-10-17', Statement: statements });
+}
+
+const validStatement = {
+  Sid: 'Test1',
+  Effect: 'Allow',
+  Principal: '*',
+  Action: ['s3:GetObject'],
+  Resource: [`arn:aws:s3:::${BUCKET}/*`],
+};
+
+// ============================
+// Server setup
+// ============================
+
+tap.test('setup: start S3 server with auth enabled', async () => {
+  testSmarts3Instance = await smarts3.Smarts3.createAndStart({
+    server: { port: TEST_PORT, silent: true, region: 'us-east-1' },
+    storage: { cleanSlate: true },
+    auth: {
+      enabled: true,
+      credentials: [{ accessKeyId: ACCESS_KEY, secretAccessKey: SECRET_KEY }],
+    },
+  });
+
+  authClient = new S3Client({
+    endpoint: `http://localhost:${TEST_PORT}`,
+    region: 'us-east-1',
+    credentials: { accessKeyId: ACCESS_KEY, secretAccessKey: SECRET_KEY },
+    forcePathStyle: true,
+  });
+});
+
+tap.test('setup: create bucket', async () => {
+  await authClient.send(new CreateBucketCommand({ Bucket: BUCKET }));
+});
+
+// ============================
+// CRUD tests
+// ============================
+
+tap.test('GET policy on bucket with no policy → throws (NoSuchBucketPolicy)', async () => {
+  await expect(
+    authClient.send(new GetBucketPolicyCommand({ Bucket: BUCKET }))
+  ).rejects.toThrow();
+});
+
+tap.test('PUT valid policy → 204', async () => {
+  const response = await authClient.send(
+    new PutBucketPolicyCommand({
+      Bucket: BUCKET,
+      Policy: makePolicy([validStatement]),
+    })
+  );
+  expect(response.$metadata.httpStatusCode).toEqual(204);
+});
+
+tap.test('GET policy back → returns matching JSON', async () => {
+  const response = await authClient.send(
+    new GetBucketPolicyCommand({ Bucket: BUCKET })
+  );
+  expect(response.$metadata.httpStatusCode).toEqual(200);
+  const policy = JSON.parse(response.Policy!);
+  expect(policy.Version).toEqual('2012-10-17');
+  expect(policy.Statement[0].Sid).toEqual('Test1');
+  expect(policy.Statement[0].Effect).toEqual('Allow');
+});
+
+tap.test('PUT updated policy (overwrite) → 204, GET returns new version', async () => {
+  const updatedStatement = {
+    Sid: 'Updated',
+    Effect: 'Deny',
+    Principal: '*',
+    Action: ['s3:DeleteObject'],
+    Resource: [`arn:aws:s3:::${BUCKET}/*`],
+  };
+
+  const putResp = await authClient.send(
+    new PutBucketPolicyCommand({
+      Bucket: BUCKET,
+      Policy: makePolicy([updatedStatement]),
+    })
+  );
+  expect(putResp.$metadata.httpStatusCode).toEqual(204);
+
+  const getResp = await authClient.send(
+    new GetBucketPolicyCommand({ Bucket: BUCKET })
+  );
+  const policy = JSON.parse(getResp.Policy!);
+  expect(policy.Statement[0].Sid).toEqual('Updated');
+  expect(policy.Statement[0].Effect).toEqual('Deny');
+});
+
+tap.test('DELETE policy → 204', async () => {
+  const response = await authClient.send(
+    new DeleteBucketPolicyCommand({ Bucket: BUCKET })
+  );
+  expect(response.$metadata.httpStatusCode).toEqual(204);
+});
+
+tap.test('DELETE policy again (idempotent) → 204', async () => {
+  const response = await authClient.send(
+    new DeleteBucketPolicyCommand({ Bucket: BUCKET })
+  );
+  expect(response.$metadata.httpStatusCode).toEqual(204);
+});
+
+tap.test('GET policy after delete → throws', async () => {
+  await expect(
+    authClient.send(new GetBucketPolicyCommand({ Bucket: BUCKET }))
+  ).rejects.toThrow();
+});
+
+tap.test('PUT policy on non-existent bucket → throws (NoSuchBucket)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: 'nonexistent-bucket-xyz',
+        Policy: makePolicy([validStatement]),
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('PUT invalid JSON → throws (MalformedPolicy)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: BUCKET,
+        Policy: '{not valid json!!!',
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('PUT policy with wrong version → throws (MalformedPolicy)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: BUCKET,
+        Policy: JSON.stringify({
+          Version: '2023-01-01',
+          Statement: [validStatement],
+        }),
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('PUT policy with empty statements array → throws (MalformedPolicy)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: BUCKET,
+        Policy: JSON.stringify({
+          Version: '2012-10-17',
+          Statement: [],
+        }),
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('PUT policy with action missing s3: prefix → throws (MalformedPolicy)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: BUCKET,
+        Policy: makePolicy([
+          {
+            Sid: 'BadAction',
+            Effect: 'Allow',
+            Principal: '*',
+            Action: ['GetObject'],
+            Resource: [`arn:aws:s3:::${BUCKET}/*`],
+          },
+        ]),
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('PUT policy with resource missing arn:aws:s3::: prefix → throws (MalformedPolicy)', async () => {
+  await expect(
+    authClient.send(
+      new PutBucketPolicyCommand({
+        Bucket: BUCKET,
+        Policy: makePolicy([
+          {
+            Sid: 'BadResource',
+            Effect: 'Allow',
+            Principal: '*',
+            Action: ['s3:GetObject'],
+            Resource: ['policy-crud-bucket/*'],
+          },
+        ]),
+      })
+    )
+  ).rejects.toThrow();
+});
+
+tap.test('Bucket deletion cleans up associated policy', async () => {
+  // PUT a policy
+  await authClient.send(
+    new PutBucketPolicyCommand({
+      Bucket: BUCKET,
+      Policy: makePolicy([validStatement]),
+    })
+  );
+
+  // Delete the bucket
+  await authClient.send(new DeleteBucketCommand({ Bucket: BUCKET }));
+
+  // Re-create the bucket
+  await authClient.send(new CreateBucketCommand({ Bucket: BUCKET }));
+
+  // GET policy should now be gone
+  await expect(
+    authClient.send(new GetBucketPolicyCommand({ Bucket: BUCKET }))
+  ).rejects.toThrow();
+});
+
+// ============================
+// Teardown
+// ============================
+
+tap.test('teardown: delete bucket and stop server', async () => {
+  await authClient.send(new DeleteBucketCommand({ Bucket: BUCKET }));
+  await testSmarts3Instance.stop();
+});
+
+export default tap.start();