fix(s3): allow deleting the anonymous user from admin webui (#8706)
Remove the block that prevented deleting the "anonymous" identity and stop auto-creating it when absent. If no anonymous identity exists (or it is disabled), LookupAnonymous returns not-found and both auth paths return ErrAccessDenied for anonymous requests. To enable anonymous access, explicitly create the "anonymous" user. To revoke it, delete the user like any other identity. Closes #8694
@@ -4,36 +4,21 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestLoadIAMManagerFromConfig_OptionalConfig(t *testing.T) {
|
||||
// Mock dependencies
|
||||
filerAddressProvider := func() string { return "localhost:8888" }
|
||||
getFilerSigningKey := func() string { return "test-signing-key" }
|
||||
|
||||
// Test Case 1: Empty config path should load defaults
|
||||
iamManager, err := loadIAMManagerFromConfig("", filerAddressProvider, getFilerSigningKey)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, iamManager)
|
||||
|
||||
// Verify STS Service is initialized with defaults
|
||||
stsService := iamManager.GetSTSService()
|
||||
assert.NotNil(t, stsService)
|
||||
|
||||
// Verify defaults are applied
|
||||
// Since we can't easily access the internal config of stsService,
|
||||
// we rely on the fact that initialization succeeded without error.
|
||||
// We can also verify that the policy engine uses memory store by default.
|
||||
|
||||
// Verify Policy Engine is initialized with defaults (Memory store, Deny effect)
|
||||
// Again, internal state might be hard to access directly, but successful init implies defaults worked.
|
||||
func TestLoadIAMManagerWithNoConfig(t *testing.T) {
|
||||
// Verify that IAM can be initialized without any config
|
||||
option := &S3ApiServerOption{
|
||||
Config: "",
|
||||
}
|
||||
iamManager := NewIdentityAccessManagementWithStore(option, nil, "memory")
|
||||
assert.NotNil(t, iamManager)
|
||||
// Internal state might be hard to access directly, but successful init implies defaults worked.
|
||||
}
|
||||
|
||||
func TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey(t *testing.T) {
|
||||
// Mock dependencies where getFilerSigningKey returns empty, forcing fallback logic
|
||||
// Initialize IAM with empty config (should trigger defaults)
|
||||
// We pass empty string for config file path
|
||||
// Initialize IAM with empty config — no anonymous identity is configured,
|
||||
// so LookupAnonymous should return not-found.
|
||||
option := &S3ApiServerOption{
|
||||
Config: "",
|
||||
IamConfig: "",
|
||||
@@ -41,10 +26,6 @@ func TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey(t *testing.T) {
|
||||
}
|
||||
iamManager := NewIdentityAccessManagementWithStore(option, nil, "memory")
|
||||
|
||||
// Verify identityAnonymous is initialized
|
||||
// This confirms the fix for anonymous access in zero-config mode
|
||||
anonIdentity, found := iamManager.LookupAnonymous()
|
||||
assert.True(t, found, "Anonymous identity should be found by default")
|
||||
assert.NotNil(t, anonIdentity, "Anonymous identity should not be nil")
|
||||
assert.Equal(t, "anonymous", anonIdentity.Name)
|
||||
_, found := iamManager.LookupAnonymous()
|
||||
assert.False(t, found, "Anonymous identity should not be found when not explicitly configured")
|
||||
}
|
||||
|
||||
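Review bot: The new assertion at the end of TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey checks only that `found` is false and discards the returned identity, so it pins the absent case at lookup level but not the other behaviours the description promises: a disabled "anonymous" identity also resolving to not-found, and both auth paths returning ErrAccessDenied for an anonymous request. Because this change makes anonymous access fail closed, those are the cases worth pinning; I would add a case that registers a disabled "anonymous" identity and asserts not-found, plus one that drives an unsigned request through each auth path. Keeping the value, `anonIdentity, found := iamManager.LookupAnonymous()` followed by `assert.Nil(t, anonIdentity)`, would also catch a caller that ignores `found` and still receives a usable identity (this assumes the function returns a pointer, as the earlier `anonIdentity.Name` access suggests). The test name still refers to the fallback signing key rather than anonymous lookup, and a doc comment such as `// Anonymous access is opt-in: with no "anonymous" identity configured, lookup must fail.` would state the intent. The +/- markers are lost in this rendering, so which lines are on the new side is inferred from the description and the hunk counts.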