feat: integrate MinIO-backed user filesystem

scripts/check-minio-prefix-policy.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+"""Check that a provisioned MinIO user can access only its own prefix."""
+
+from __future__ import annotations
+
+import os
+import sys
+from io import BytesIO
+
+from minio import Minio
+from minio.error import S3Error
+
+
+def main() -> int:
+    endpoint = _require("BEAVER_CHECK_MINIO_ENDPOINT")
+    bucket = os.getenv("BEAVER_CHECK_MINIO_BUCKET", "beaver-user-files").strip()
+    access_key = _require("BEAVER_CHECK_MINIO_ACCESS_KEY")
+    secret_key = _require("BEAVER_CHECK_MINIO_SECRET_KEY")
+    own_backend = _require("BEAVER_CHECK_MINIO_BACKEND_ID")
+    other_backend = os.getenv("BEAVER_CHECK_MINIO_OTHER_BACKEND_ID", "policy-denied-other").strip()
+    secure = os.getenv("BEAVER_CHECK_MINIO_SECURE", "0").strip().lower() in {"1", "true", "yes", "on"}
+
+    client = Minio(endpoint, access_key=access_key, secret_key=secret_key, secure=secure)
+    own_object = f"users/{own_backend}/uploads/policy-check.txt"
+    other_object = f"users/{other_backend}/uploads/policy-check.txt"
+
+    client.put_object(bucket, own_object, BytesIO(b"ok"), length=2, content_type="text/plain")
+    client.stat_object(bucket, own_object)
+
+    try:
+        client.put_object(bucket, other_object, BytesIO(b"no"), length=2, content_type="text/plain")
+    except S3Error as exc:
+        if exc.code in {"AccessDenied", "AccessDeniedException"}:
+            print(f"ok: {access_key} can access {own_object} and is denied for {other_object}")
+            return 0
+        raise
+
+    print(f"error: {access_key} unexpectedly wrote {other_object}", file=sys.stderr)
+    return 1
+
+
+def _require(name: str) -> str:
+    value = os.getenv(name, "").strip()
+    if not value:
+        raise SystemExit(f"{name} is required")
+    return value
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())