delta/openstack/swift.git/test/functional, branch master opendev.org: openstack/swift.git tests: Skip s3api functional tests when no s3api user configured 2023-03-10T22:07:21+00:00 Tim Burke tim.burke@gmail.com 2023-03-10T21:58:02+00:00 052bcadb27d602c2b81ed8ac1a415c54b054a43c Change-Id: I61f141a71eddcac600058d66ddf802306df455c1 
Change-Id: I61f141a71eddcac600058d66ddf802306df455c1
tests: Let func tests run with test users 1 and 2 but not 3 2023-03-10T22:07:21+00:00 Tim Burke tim.burke@gmail.com 2023-03-10T21:56:34+00:00 78f13be75c651814adc4f8fa23e3548737cd1005 Change-Id: Ia564f2ee70f5d04acab1c38e17d1936642a01447 
Change-Id: Ia564f2ee70f5d04acab1c38e17d1936642a01447
Merge "tests: Get rid of test.unit.SkipTest" 2023-02-28T02:20:04+00:00 Zuul zuul@review.opendev.org 2023-02-28T02:20:04+00:00 bba3a3145dc73a1fc7a4c77cdafc3c40e1ea1548 






Merge "Skip S3 versioning test when versioning is not enabled"
2023-02-25T07:27:09+00:00

Zuul
zuul@review.opendev.org

2023-02-25T07:27:09+00:00

e21766cf6415097a5d8b2ba612baec07e86d5c8e












encryption: Expose decrypted metadata via CORS
2023-02-24T21:24:16+00:00

Tim Burke
tim.burke@gmail.com

2020-03-09T20:45:58+00:00

cd693e519e71dfc95a0de389293a2df2523a7d70

Normally, the proxy object controller would be adding these, but when
encrypted, there won't be any headers in the x-object-meta-* namespace.

Closes-Bug: #1868045
Change-Id: I8e708a60ee63f679056300fc9d68227e46d605e8





Normally, the proxy object controller would be adding these, but when
encrypted, there won't be any headers in the x-object-meta-* namespace.

Closes-Bug: #1868045
Change-Id: I8e708a60ee63f679056300fc9d68227e46d605e8







Skip S3 versioning test when versioning is not enabled
2023-02-24T19:48:13+00:00

Tim Burke
tim.burke@gmail.com

2023-02-24T19:48:13+00:00

8dd2d010ac789a752da60aa72b289e9b275c4863

Change-Id: I36e42f459a74ed71a1cc57570a564e5562abbae3





Change-Id: I36e42f459a74ed71a1cc57570a564e5562abbae3







tests: Get rid of test.unit.SkipTest
2023-02-17T07:59:53+00:00

Tim Burke
tim.burke@gmail.com

2023-02-17T07:57:08+00:00

be16d6c4fd7b61cee7c947fad9ef0473cb6661dc

unittest.SkipTest suffices.

Change-Id: I11eb73f7dc4a8598fae85d1efca721f69067fb4f





unittest.SkipTest suffices.

Change-Id: I11eb73f7dc4a8598fae85d1efca721f69067fb4f







tests: Fix some func tests to do with metadata maximums
2023-02-02T23:34:00+00:00

Tim Burke
tim.burke@gmail.com

2023-02-02T23:33:54+00:00

488f8c839f034172d20b3f28ca851d83b7a3bfff

Previously, if a cluster's combined configured max_meta_name_length and
max_meta_value_length constraints were larger than the configured
max_meta_overall_size, we would accidentally go over the overall size
while intending to just test being exactly at the value length-limit.

Change-Id: I42a5287011509e5b43959aab060f9ec7405ae5b9





Previously, if a cluster's combined configured max_meta_name_length and
max_meta_value_length constraints were larger than the configured
max_meta_overall_size, we would accidentally go over the overall size
while intending to just test being exactly at the value length-limit.

Change-Id: I42a5287011509e5b43959aab060f9ec7405ae5b9







tests: Ensure XXE injection tests have config loaded
2023-01-19T19:24:34+00:00

Tim Burke
tim.burke@gmail.com

2023-01-18T23:14:54+00:00

3550e00dd9e380ba655e19047f8042bb9ae60098

Depending on test order (and possibly whether there were earlier
failures?) the new tests may trip KeyErrors when trying to get
s3_access_key values. Solution seems to be defining
setUpModule() / tearDownModule() like other functional tests.

Also fix up some Content-MD5 handling; if we're using pre-signed URLs,
we can't provide a Content-MD5.

Change-Id: Ifce72ec255b1b618b9914ce5785d04ee0ebd3b8c
Related-Change: I84494123cfc85e234098c554ecd3e77981f8a096





Depending on test order (and possibly whether there were earlier
failures?) the new tests may trip KeyErrors when trying to get
s3_access_key values. Solution seems to be defining
setUpModule() / tearDownModule() like other functional tests.

Also fix up some Content-MD5 handling; if we're using pre-signed URLs,
we can't provide a Content-MD5.

Change-Id: Ifce72ec255b1b618b9914ce5785d04ee0ebd3b8c
Related-Change: I84494123cfc85e234098c554ecd3e77981f8a096







s3api: Prevent XXE injections
2023-01-17T15:03:41+00:00

Aymeric Ducroquetz
aymeric.ducroquetz@ovhcloud.com

2022-10-25T20:07:53+00:00

b8467e190f6fc67fd8fb6a8c5e32b2aa6a10fd8e

Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.

Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.

[CVE-2022-47950]

Closes-Bug: #1998625
Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096





Previously, clients could use XML external entities (XXEs) to read
arbitrary files from proxy-servers and inject the content into the
request. Since many S3 APIs reflect request content back to the user,
this could be used to extract any secrets that the swift user could
read, such as tempauth credentials, keymaster secrets, etc.

Now, disable entity resolution -- any unknown entities will be replaced
with an empty string. Without resolving the entities, the request is
still processed.

[CVE-2022-47950]

Closes-Bug: #1998625
Co-Authored-By: Romain de Joux <romain.de-joux@ovhcloud.com>
Change-Id: I84494123cfc85e234098c554ecd3e77981f8a096