s3/iam: reuse one request id per request (#8538)

* request_id: add shared request middleware

* s3err: preserve request ids in responses and logs

* iam: reuse request ids in XML responses

* sts: reuse request ids in XML responses

* request_id: drop legacy header fallback

* request_id: use AWS-style request id format

* iam: fix AWS-compatible XML format for ErrorResponse and field ordering

- ErrorResponse uses bare <RequestId> at root level instead of
  <ResponseMetadata> wrapper, matching the AWS IAM error response spec
- Move CommonResponse to last field in success response structs so
  <ResponseMetadata> serializes after result elements
- Add randomness to request ID generation to avoid collisions
- Add tests for XML ordering and ErrorResponse format

* iam: remove duplicate error_response_test.go

Test is already covered by responses_test.go.

* address PR review comments

- Guard against typed nil pointers in SetResponseRequestID before
  interface assertion (CodeRabbit)
- Use regexp instead of strings.Index in test helpers for extracting
  request IDs (Gemini)

* request_id: prevent spoofing, fix nil-error branch, thread reqID to error writers

- Ensure() now always generates a server-side ID, ignoring client-sent
  x-amz-request-id headers to prevent request ID spoofing. Uses a
  private context key (contextKey{}) instead of the header string.
- writeIamErrorResponse in both iamapi and embedded IAM now accepts
  reqID as a parameter instead of calling Ensure() internally, ensuring
  a single request ID per request lifecycle.
- The nil-iamError branch in writeIamErrorResponse now writes a 500
  Internal Server Error response instead of returning silently.
- Updated tests to set request IDs via context (not headers) and added
  tests for spoofing prevention and context reuse.

* sts: add request-id consistency assertions to ActionInBody tests

* test: update admin test to expect server-generated request IDs

The test previously sent a client x-amz-request-id header and expected
it echoed back. Since Ensure() now ignores client headers to prevent
spoofing, update the test to verify the server returns a non-empty
server-generated request ID instead.

* iam: add generic WithRequestID helper alongside reflection-based fallback

Add WithRequestID[T] that uses generics to take the address of a value
type, satisfying the pointer receiver on SetRequestId without reflection.

The existing SetResponseRequestID is kept for the two call sites that
operate on interface{} (from large action switches where the concrete
type varies at runtime). Generics cannot replace reflection there since
Go cannot infer type parameters from interface{}.

* Remove reflection and generics from request ID setting

Call SetRequestId directly on concrete response types in each switch
branch before boxing into interface{}, eliminating the need for
WithRequestID (generics) and SetResponseRequestID (reflection).

* iam: return pointer responses in action dispatch

* Fix IAM error handling consistency and ensure request IDs on all responses

- UpdateUser/CreatePolicy error branches: use writeIamErrorResponse instead
  of s3err.WriteErrorResponse to preserve IAM formatting and request ID
- ExecuteAction: accept reqID parameter and generate one if empty, ensuring
  every response carries a RequestId regardless of caller

* Clean up inline policies on DeleteUser and UpdateUser rename

DeleteUser: remove InlinePolicies[userName] from policy storage before
removing the identity, so policies are not orphaned.

UpdateUser: move InlinePolicies[userName] to InlinePolicies[newUserName]
when renaming, so GetUserPolicy/DeleteUserPolicy work under the new name.

Both operations persist the updated policies and return an error if
the storage write fails, preventing partial state.

weed/iam/error_response_test.go

@@ -1,34 +0,0 @@
-package iam
-
-import (
-	"encoding/xml"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestErrorResponseXMLUsesTopLevelRequestId(t *testing.T) {
-	errCode := "NoSuchEntity"
-	errMsg := "the requested IAM entity does not exist"
-
-	resp := ErrorResponse{
-		RequestId: "request-123",
-	}
-	resp.Error.Type = "Sender"
-	resp.Error.Code = &errCode
-	resp.Error.Message = &errMsg
-
-	output, err := xml.Marshal(resp)
-	require.NoError(t, err)
-
-	xmlString := string(output)
-	errorIndex := strings.Index(xmlString, "<Error>")
-	requestIDIndex := strings.Index(xmlString, "<RequestId>request-123</RequestId>")
-
-	assert.NotEqual(t, -1, errorIndex, "Error should be present")
-	assert.NotEqual(t, -1, requestIDIndex, "RequestId should be present")
-	assert.NotContains(t, xmlString, "<ResponseMetadata>")
-	assert.Less(t, errorIndex, requestIDIndex, "RequestId should appear after Error at the root level")
-}

weed/iam/responses.go

@@ -2,8 +2,6 @@ package iam
 
 import (
 	"encoding/xml"
-	"fmt"
-	"time"
 
 	"github.com/aws/aws-sdk-go/service/iam"
 )
@@ -15,9 +13,14 @@ type CommonResponse struct {
 	} `xml:"ResponseMetadata"`
 }
 
-// SetRequestId sets a unique request ID based on current timestamp.
-func (r *CommonResponse) SetRequestId() {
-	r.ResponseMetadata.RequestId = newRequestID()
+// SetRequestId stores the request ID generated for the current HTTP request.
+func (r *CommonResponse) SetRequestId(requestID string) {
+	r.ResponseMetadata.RequestId = requestID
+}
+
+// RequestIDSetter is implemented by IAM responses that can carry a RequestId.
+type RequestIDSetter interface {
+	SetRequestId(string)
 }
 
 // ListUsersResponse is the response for ListUsers action.
@@ -187,6 +190,7 @@ type GetUserPolicyResponse struct {
 }
 
 // ErrorResponse is the IAM error response format.
+// AWS IAM uses a bare <RequestId> at root level for errors, not <ResponseMetadata>.
 type ErrorResponse struct {
 	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ErrorResponse"`
 	Error   struct {
@@ -196,13 +200,9 @@ type ErrorResponse struct {
 	RequestId string `xml:"RequestId"`
 }
 
-// SetRequestId sets a unique request ID based on current timestamp.
-func (r *ErrorResponse) SetRequestId() {
-	r.RequestId = newRequestID()
-}
-
-func newRequestID() string {
-	return fmt.Sprintf("%d", time.Now().UnixNano())
+// SetRequestId stores the request ID generated for the current HTTP request.
+func (r *ErrorResponse) SetRequestId(requestID string) {
+	r.RequestId = requestID
 }
 
 // Error represents an IAM API error with code and underlying error.

weed/iam/responses_test.go

@@ -11,7 +11,7 @@ import (
 
 func TestListUsersResponseXMLOrdering(t *testing.T) {
 	resp := ListUsersResponse{}
-	resp.SetRequestId()
+	resp.SetRequestId("test-req-id")
 
 	output, err := xml.Marshal(resp)
 	require.NoError(t, err)
@@ -22,5 +22,31 @@ func TestListUsersResponseXMLOrdering(t *testing.T) {
 
 	assert.NotEqual(t, -1, listUsersResultIndex, "ListUsersResult should be present")
 	assert.NotEqual(t, -1, responseMetadataIndex, "ResponseMetadata should be present")
-	assert.Less(t, listUsersResultIndex, responseMetadataIndex, "ListUsersResult should appear before ResponseMetadata")
+	assert.Less(t, listUsersResultIndex, responseMetadataIndex,
+		"ListUsersResult should appear before ResponseMetadata")
+}
+
+func TestErrorResponseXMLUsesTopLevelRequestId(t *testing.T) {
+	errCode := "NoSuchEntity"
+	errMsg := "the requested IAM entity does not exist"
+
+	resp := ErrorResponse{}
+	resp.Error.Type = "Sender"
+	resp.Error.Code = &errCode
+	resp.Error.Message = &errMsg
+	resp.SetRequestId("request-123")
+
+	output, err := xml.Marshal(resp)
+	require.NoError(t, err)
+
+	xmlString := string(output)
+	errorIndex := strings.Index(xmlString, "<Error>")
+	requestIDIndex := strings.Index(xmlString, "<RequestId>request-123</RequestId>")
+
+	assert.NotEqual(t, -1, errorIndex, "Error should be present")
+	assert.NotEqual(t, -1, requestIDIndex, "RequestId should be present")
+	assert.NotContains(t, xmlString, "<ResponseMetadata>",
+		"ErrorResponse should use bare RequestId, not ResponseMetadata wrapper")
+	assert.Less(t, errorIndex, requestIDIndex,
+		"RequestId should appear after Error at the root level")
 }