gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add AWS IAM integration tests and refactor admin authorization (#8098)

Browse Source 
* Add AWS IAM integration tests and refactor admin authorization
- Added AWS IAM management integration tests (User, AccessKey, Policy)
- Updated test framework to support IAM client creation with JWT/OIDC
- Refactored s3api authorization to be policy-driven for IAM actions
- Removed hardcoded role name checks for admin privileges
- Added new tests to GitHub Actions basic test matrix

* test(s3/iam): add UpdateUser and UpdateAccessKey tests and fix nil pointer dereference

* feat(s3api): add DeletePolicy and update tests with cleanup logic

* test(s3/iam): use t.Cleanup for managed policy deletion in CreatePolicy test
This commit is contained in:
Chris Lu
2026-01-23 16:41:51 -08:00
committed by GitHub
parent 25a4691135
commit 535be3096b
9 changed files with 396 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
test/s3/iam/test_config.json
View File

@@ -8,27 +8,33 @@
"secretKey": "test-secret-key"
}
],
"actions": ["Admin"]
"actions": [
"Admin"
]
},
{
"name": "readonlyuser",
"name": "readonlyuser",
"credentials": [
{
"accessKey": "readonly-access-key",
"secretKey": "readonly-secret-key"
}
],
"actions": ["Read"]
"actions": [
"Read"
]
},
{
"name": "writeonlyuser",
"credentials": [
{
"accessKey": "writeonly-access-key",
"accessKey": "writeonly-access-key",
"secretKey": "writeonly-secret-key"
}
],
"actions": ["Write"]
"actions": [
"Write"
]
}
],
"iam": {
@@ -52,7 +58,7 @@
"rules": [
{
"claim": "groups",
"claimValue": "admins",
"claimValue": "admins",
"roleName": "S3AdminRole"
},
{
@@ -78,13 +84,13 @@
"test-ldap": {
"server": "ldap://localhost:389",
"baseDN": "dc=example,dc=com",
"bindDN": "cn=admin,dc=example,dc=com",
"bindDN": "cn=admin,dc=example,dc=com",
"bindPassword": "admin-password",
"userFilter": "(uid=%s)",
"groupFilter": "(memberUid=%s)",
"attributes": {
"email": "mail",
"displayName": "cn",
"displayName": "cn",
"groups": "memberOf"
},
"roleMapping": {
@@ -95,7 +101,7 @@
"roleName": "S3AdminRole"
},
{
"claim": "groups",
"claim": "groups",
"claimValue": "cn=users,ou=groups,dc=example,dc=com",
"roleName": "S3ReadOnlyRole"
}
@@ -114,13 +120,18 @@
{
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
"Federated": [
"test-oidc",
"test-ldap"
]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"attachedPolicies": [
"S3AdminPolicy"
],
"description": "Full administrative access to S3 resources"
},
"S3ReadOnlyRole": {
@@ -128,15 +139,20 @@
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
"Federated": [
"test-oidc",
"test-ldap"
]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"attachedPolicies": [
"S3ReadOnlyPolicy"
],
"description": "Read-only access to S3 resources"
},
"S3WriteOnlyRole": {
@@ -146,13 +162,18 @@
{
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
"Federated": [
"test-oidc",
"test-ldap"
]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"attachedPolicies": [
"S3WriteOnlyPolicy"
],
"description": "Write-only access to S3 resources"
}
},
@@ -162,22 +183,26 @@
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Action": [
"s3:*",
"iam:*"
],
"Resource": [
"arn:aws:s3:::*",
"arn:aws:s3:::*/*"
"arn:aws:s3:::*/*",
"arn:aws:iam:::*"
]
}
]
},
"S3ReadOnlyPolicy": {
"Version": "2012-10-17",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
@@ -201,7 +226,7 @@
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:InitiateMultipartUpload",
"s3:UploadPart",
"s3:UploadPart",
"s3:CompleteMultipartUpload",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
@@ -219,7 +244,7 @@
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucket",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
@@ -237,14 +262,19 @@
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*",
"arn:aws:s3:::*/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"]
"aws:SourceIp": [
"192.168.1.0/24",
"10.0.0.0/8"
]
}
}
}
@@ -254,8 +284,11 @@
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*",
"arn:aws:s3:::*/*"
@@ -265,7 +298,7 @@
"aws:CurrentTime": "2023-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2025-12-31T23:59:59Z"
"aws:CurrentTime": "2025-12-31T23:59:59Z"
}
}
}
@@ -280,7 +313,7 @@
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example-bucket/*"
}
]
@@ -292,7 +325,10 @@
"Sid": "DenyDeleteOperations",
"Effect": "Deny",
"Principal": "*",
"Action": ["s3:DeleteObject", "s3:DeleteBucket"],
"Action": [
"s3:DeleteObject",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"
@@ -305,17 +341,22 @@
"Statement": [
{
"Sid": "IPRestrictedAccess",
"Effect": "Allow",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject", "s3:PutObject"],
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["203.0.113.0/24"]
"aws:SourceIp": [
"203.0.113.0/24"
]
}
}
}
]
}
}
}
}