s3: enforce authentication and JSON error format for Iceberg REST Catalog (#8192)
* s3: enforce authentication and JSON error format for Iceberg REST Catalog * s3/iceberg: align error exception types with OpenAPI spec examples * s3api: refactor AuthenticateRequest to return identity object * s3/iceberg: propagate full identity object to request context * s3/iceberg: differentiate NotAuthorizedException and ForbiddenException * s3/iceberg: reject requests if authenticator is nil to prevent auth bypass * s3/iceberg: refactor Auth middleware to build context incrementally and use switch for error mapping * s3api: update misleading comment for authRequestWithAuthType * s3api: return ErrAccessDenied if IAM is not configured to prevent auth bypass * s3/iceberg: optimize context update in Auth middleware * s3api: export CanDo for external authorization use * s3/iceberg: enforce identity-based authorization in all API handlers * s3api: fix compilation errors by updating internal CanDo references * s3/iceberg: robust identity validation and consistent action usage in handlers * s3api: complete CanDo rename across tests and policy engine integration * s3api: fix integration tests by allowing admin access when auth is disabled and explicit gRPC ports * duckdb * create test bucket
@@ -78,9 +78,9 @@ func TestSTSIdentityPolicyNamesPopulation(t *testing.T) {
|
||||
// Verify that Actions is empty (STS identities should use IAM authorization, not legacy Actions)
|
||||
assert.Empty(t, identity.Actions, "STS identities should have empty Actions to trigger IAM authorization path")
|
||||
|
||||
// Verify legacy canDo returns false (forcing fallback to IAM)
|
||||
assert.False(t, identity.canDo("Read", "test-bucket", "/any/path"),
|
||||
"canDo should return false for STS identities with no Actions")
|
||||
// Verify legacy CanDo returns false (forcing fallback to IAM)
|
||||
assert.False(t, identity.CanDo("Read", "test-bucket", "/any/path"),
|
||||
"CanDo should return false for STS identities with no Actions")
|
||||
|
||||
// Verify authorization path selection
|
||||
// When identity.Actions is empty and iamIntegration is available, it should use IAM authorization
|
||||
@@ -143,15 +143,15 @@ func TestSTSIdentityAuthorizationFlow(t *testing.T) {
|
||||
assert.Empty(t, identity.Actions,
|
||||
"STS identities should have empty Actions to trigger the IAM authorization path")
|
||||
|
||||
// Test 2: Verify canDo returns false (legacy auth should be bypassed)
|
||||
// Test 2: Verify CanDo returns false (legacy auth should be bypassed)
|
||||
// This is important because it confirms that identity.Actions being empty
|
||||
// correctly forces the authorization logic to fall back to iam.authorizeWithIAM
|
||||
assert.False(t, identity.canDo("Read", "test-bucket", "/any/path"),
|
||||
"canDo should return false for STS identities with no Actions")
|
||||
assert.False(t, identity.CanDo("Read", "test-bucket", "/any/path"),
|
||||
"CanDo should return false for STS identities with no Actions")
|
||||
|
||||
// With empty Actions and populated PolicyNames, IAM authorization path will be used
|
||||
// as per auth_credentials.go:703-713
|
||||
t.Log("✓ Verified: STS identity correctly bypasses legacy canDo() to use IAM authorization path")
|
||||
t.Log("✓ Verified: STS identity correctly bypasses legacy CanDo() to use IAM authorization path")
|
||||
}
|
||||
|
||||
// TestSTSIdentityWithoutPolicyNames tests the bug scenario where PolicyNames is not populated
|
||||
@@ -237,7 +237,7 @@ func TestCanDoPathConstruction(t *testing.T) {
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
result := identity.canDo(tc.action, tc.bucket, tc.objectKey)
|
||||
result := identity.CanDo(tc.action, tc.bucket, tc.objectKey)
|
||||
|
||||
// Robust path construction for verification
|
||||
fullPath := tc.bucket
|
||||
|
||||
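Review bot: In the TestSTSIdentityAuthorizationFlow hunk, the closing `t.Log` says the STS identity uses the IAM authorization path, but the assertions visible there only check that `identity.Actions` is empty and that `CanDo` returns false. A false from `CanDo` is equally consistent with the request simply being denied. The commit message says `CanDo` is now exported for external authorization use, so either assert the IAM decision itself or narrow the message to what is checked, e.g. `t.Log("verified: CanDo denies an STS identity with empty Actions")`. The neighbouring comment `// as per auth_credentials.go:703-713` pins line numbers that will drift as the auth code is refactored; `// see the authorizeWithIAM fallback in auth_credentials.go` would age better. The function starts outside the hunk, so an earlier assertion may already cover the IAM path.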