How to test PostPolicy
Cesar Celis Hernandez edited this page Mar 30, 2023 · 4 revisions
Explain how you can test PostPolicy with the MinIO SDK, and also explain what PostPolicy is.
PostPolicy is an Amazon S3 feature, documented at https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html. The idea is to upload a file via an HTML form, so that you can create a web page that uploads files to S3.
- https://github.com/minio/minio-py/pull/1272
- https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
- https://min.io/docs/minio/linux/developers/java/minio-java.html
- Get the JAR file from: https://min.io/docs/minio/linux/developers/java/minio-java.html#jar-download
- Get file from: https://github.com/minio/minio-java/blob/master/examples/GetPresignedPostFormData.java
- Then Compile file as in: https://min.io/docs/minio/linux/developers/java/minio-java.html#compile-fileuploader
javac -cp minio-8.5.2-all.jar GetPresignedPostFormData.java
- Execute it:
java -cp minio-8.5.2-all.jar:. GetPresignedPostFormData
- Get file: https://github.com/minio/minio-py/blob/master/examples/presigned_post_policy.py
- Install the MinIO module with pip
- Run it:
$ python3 presigned_post_policy.py
curl -X POST https://play.min.io/my-bucket -F x-amz-algorithm=AWS4-HMAC-SHA256 -F x-amz-credential=Q3AM3UQ867SPQQA43P2F/20230330/us-east-1/s3/aws4_request -F x-amz-date=20230330T161038Z -F policy=eyJleHBpcmF0aW9uIjogIjIwMjMtMDQtMDlUMTY6MTA6MzguMjE1WiIsICJjb25kaXRpb25zIjogW1siZXEiLCAiJGJ1Y2tldCIsICJteS1idWNrZXQiXSwgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgIm15L29iamVjdC9wcmVmaXgvIl0sIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAxMDQ4NTc2LCAxMDQ4NTc2MF0sIFsiZXEiLCAiJHgtYW16LWFsZ29yaXRobSIsICJBV1M0LUhNQUMtU0hBMjU2Il0sIFsiZXEiLCAiJHgtYW16LWNyZWRlbnRpYWwiLCAiUTNBTTNVUTg2N1NQUVFBNDNQMkYvMjAyMzAzMzAvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJdLCBbImVxIiwgIiR4LWFtei1kYXRlIiwgIjIwMjMwMzMwVDE2MTAzOFoiXV19 -F x-amz-signature=2e0e4930f065a22f50dbfdba95bc76ab5f65ee60ff69faf0940f0827a20a4ef6 -F file=@<FILE> -F key=<OBJECT-NAME>
- Create a file of 1 MB and use it in place of <FILE>, replace <OBJECT-NAME> with my/object/prefix, and add verbose output with -v:
dd if=/dev/zero of=output.txt bs=1M count=1
curl -X POST https://play.min.io/my-bucket -F x-amz-algorithm=AWS4-HMAC-SHA256 -F x-amz-credential=Q3AM3UQ867SPQQA43P2F/20230330/us-east-1/s3/aws4_request -F x-amz-date=20230330T161038Z -F policy=eyJleHBpcmF0aW9uIjogIjIwMjMtMDQtMDlUMTY6MTA6MzguMjE1WiIsICJjb25kaXRpb25zIjogW1siZXEiLCAiJGJ1Y2tldCIsICJteS1idWNrZXQiXSwgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgIm15L29iamVjdC9wcmVmaXgvIl0sIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAxMDQ4NTc2LCAxMDQ4NTc2MF0sIFsiZXEiLCAiJHgtYW16LWFsZ29yaXRobSIsICJBV1M0LUhNQUMtU0hBMjU2Il0sIFsiZXEiLCAiJHgtYW16LWNyZWRlbnRpYWwiLCAiUTNBTTNVUTg2N1NQUVFBNDNQMkYvMjAyMzAzMzAvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJdLCBbImVxIiwgIiR4LWFtei1kYXRlIiwgIjIwMjMwMzMwVDE2MTAzOFoiXV19 -F x-amz-signature=2e0e4930f065a22f50dbfdba95bc76ab5f65ee60ff69faf0940f0827a20a4ef6 -F file=@output.txt -F key=my/object/prefix/ -v
You should get 204:
$ curl -X POST https://play.min.io/my-bucket -F x-amz-algorithm=AWS4-HMAC-SHA256 -F x-amz-cred/20230330/us-east-1/s3/aws4_request -F x-amz-date=20230330T161038Z -F policy=eyJleHBpcmF0aW9uIjogIjIwMjMtMDQtMDlUMTY6MTA6MzguMjE1WiIsICJjb25kaXRpb25zIjogW1siZXEiLCAiJGJ1Y2tldCIsICJteS1idWNrZXQiXSwgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgIm15L29iamVjdC9wcmVmaXgvIl0sIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAxMDQ4NTc2LCAxMDQ4NTc2MF0sIFsiZXEiLCAiJHgtYW16LWFsZ29yaXRobSIsICJBV1M0LUhNQUMtU0hBMjU2Il0sIFsiZXEiLCAiJHgtYW16LWNyZWRlbnRpYWwiLCAiUTNBTTNVUTg2N1NQUVFBNDNQMkYvMjAyMzAzMzAvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJdLCBbImVxIiwgIiR4LWFtei1kYXRlIiwgIjIwMjMwMzMwVDE2MTAzOFoiXV19 -F x-amz-signature=2e0e4930f065a22f50dbfdba95bc76ab5f65ee60ff69faf0940f0827a20a4ef6 -F file=@output.txt -F key=my/object/prefix/ -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 65.49.37.6:443...
* Connected to play.min.io (65.49.37.6) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=play.min.io
* start date: Mar 20 23:03:54 2023 GMT
* expire date: Jun 18 23:03:53 2023 GMT
* subjectAltName: host "play.min.io" matched cert's "play.min.io"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> POST /my-bucket HTTP/1.1
> Host: play.min.io
> User-Agent: curl/7.86.0
> Accept: */*
> Content-Length: 1050011
> Content-Type: multipart/form-data; boundary=------------------------cb8587e85b322d6b
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Server: nginx/1.18.0 (Ubuntu)
< Date: Thu, 30 Mar 2023 16:14:16 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
< Content-Security-Policy: block-all-mixed-content
< ETag: "b6d81b360a5672d80c27430f39153e2c"
< Location: https://play.min.io/my-bucket/my/object/prefix
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Vary: Origin
< Vary: Accept-Encoding
< X-Amz-Bucket-Region: us-east-1
< X-Amz-Id-2: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
< X-Amz-Request-Id: 17513E804CE04D52
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
<
* Connection #0 to host play.min.io left intact
And the object should be located at play:
$ mc cat play/my-bucket/my/object/prefix/ > output-2.txt
$ diff output.txt output-2.txt
- Notice that the object is saved in play/my-bucket/my/object/prefix/. You can give the object a name, but you will need to change the key in the policy and in the form fields passed to curl, so there are two spots where the object name must be added next to the prefix.
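The `policy` form field is base64-encoded JSON, and the upload only succeeds when the form fields and file size satisfy its conditions. The following is an added example, not code from this page or from the MinIO SDK, that decodes a policy and reports which conditions a planned upload would violate before you run curl. The sample policy is constructed here, modelled on the one in the curl command above; `check_upload` and its arguments are hypothetical names, and only expiration, `eq`, `starts-with` and `content-length-range` are evaluated.

```python
import base64
import json
from datetime import datetime, timezone

def decode_policy(policy_b64):
    """Decode the base64 `policy` form field into the JSON policy document."""
    return json.loads(base64.b64decode(policy_b64))

def check_upload(policy, fields, size, now):
    """Return the reasons a form upload violates the policy (empty list = OK).

    `fields` holds the form fields plus `bucket` (taken from the POST URL).
    Only expiration, eq, starts-with and content-length-range are evaluated.
    """
    problems = []
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%S.%fZ")
    if now >= expires.replace(tzinfo=timezone.utc):
        problems.append("policy expired")
    for cond in policy["conditions"]:
        op = cond[0]
        if op == "content-length-range":
            low, high = cond[1], cond[2]
            if not low <= size <= high:
                problems.append(f"size {size} outside [{low}, {high}]")
            continue
        name, expected = cond[1].lstrip("$"), cond[2]
        actual = fields.get(name, "")
        if op == "eq" and actual != expected:
            problems.append(f"{name} must equal {expected!r}")
        elif op == "starts-with" and not actual.startswith(expected):
            problems.append(f"{name} must start with {expected!r}")
    return problems

# Constructed sample policy, modelled on the conditions used on this page.
SAMPLE_POLICY_B64 = base64.b64encode(json.dumps({
    "expiration": "2023-04-09T16:10:38.215Z",
    "conditions": [
        ["eq", "$bucket", "my-bucket"],
        ["starts-with", "$key", "my/object/prefix/"],
        ["content-length-range", 1048576, 10485760],
    ],
}).encode()).decode()

if __name__ == "__main__":
    policy = decode_policy(SAMPLE_POLICY_B64)
    when = datetime(2023, 3, 30, 16, 14, tzinfo=timezone.utc)
    form = {"bucket": "my-bucket", "key": "my/object/prefix/report.txt"}
    print(check_upload(policy, form, 1048576, when))   # 1 MB file, valid key
    print(check_upload(policy, form, 1024, when))      # file too small
```

To inspect a real policy, pass the value of the `policy` field printed by the SDK example to `decode_policy`.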