Revert "Fix IAM defaults and s3tables identities"

This reverts commit bf71fe0039.
2026-02-18 16:23:13 -08:00
parent bf71fe0039
commit eda4a000cc
5 changed files with 12 additions and 260 deletions
--- a/weed/s3api/iam_defaults_test.go
+++ b/weed/s3api/iam_defaults_test.go
@@ -1,12 +1,10 @@
 package s3api

 import (
-	"context"
 	"os"
 	"path/filepath"
 	"testing"

-	"github.com/seaweedfs/seaweedfs/weed/iam/integration"
 	"github.com/stretchr/testify/assert"
 )

@@ -156,124 +154,3 @@ func TestLoadIAMManagerFromConfig_MissingKeyError(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "no signing key found for STS service")
 }
-
-func TestLoadIAMManagerFromConfig_ExplicitFileDefaultsToDeny(t *testing.T) {
-	tmpDir := t.TempDir()
-	configPath := filepath.Join(tmpDir, "iam_config_implicit_policy_defaults.json")
-
-	// Explicit config file with no policy.defaultEffect should default to Deny.
-	configContent := `{
-		"sts": {
-			"issuer": "explicit-config"
-		}
-	}`
-
-	err := os.WriteFile(configPath, []byte(configContent), 0644)
-	assert.NoError(t, err)
-
-	filerProvider := func() string { return "localhost:8888" }
-	defaultSigningKeyProvider := func() string { return "fallback-key-for-explicit-config" }
-
-	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
-	assert.NoError(t, err)
-	assert.NotNil(t, manager)
-	assert.False(t, manager.DefaultAllow())
-}
-
-func TestLoadIAMManagerFromConfig_NoFileDefaultsToAllow(t *testing.T) {
-	// No explicit IAM file should preserve zero-config startup behavior.
-	filerProvider := func() string { return "localhost:8888" }
-	defaultSigningKeyProvider := func() string { return "fallback-key-for-zero-config" }
-
-	manager, err := loadIAMManagerFromConfig("", filerProvider, defaultSigningKeyProvider)
-	assert.NoError(t, err)
-	assert.NotNil(t, manager)
-	assert.True(t, manager.DefaultAllow())
-}
-
-func TestLoadIAMManagerFromConfig_ExplicitFileEnforcesUserScopedPolicy(t *testing.T) {
-	tmpDir := t.TempDir()
-	configPath := filepath.Join(tmpDir, "iam_regression_8366.json")
-
-	// Regression coverage for #8366:
-	// with explicit IAM config and omitted policy.defaultEffect, unrestricted bucket creation
-	// must NOT be allowed.
-	configContent := `{
-		"sts": {
-			"issuer": "seaweedfs-sts"
-		},
-		"policies": [
-			{
-				"name": "S3UserPolicy",
-				"document": {
-					"Version": "2012-10-17",
-					"Statement": [
-						{
-							"Effect": "Allow",
-							"Action": ["s3:ListAllMyBuckets"],
-							"Resource": ["arn:aws:s3:::*"]
-						},
-						{
-							"Effect": "Allow",
-							"Action": ["s3:*"],
-							"Resource": [
-								"arn:aws:s3:::user-${jwt:preferred_username}",
-								"arn:aws:s3:::user-${jwt:preferred_username}/*"
-							]
-						}
-					]
-				}
-			}
-		],
-		"roles": [
-			{
-				"roleName": "S3UserRole",
-				"roleArn": "arn:aws:iam::role/S3UserRole",
-				"attachedPolicies": ["S3UserPolicy"],
-				"trustPolicy": {
-					"Version": "2012-10-17",
-					"Statement": [
-						{
-							"Effect": "Allow",
-							"Principal": {"Federated": "*"},
-							"Action": ["sts:AssumeRoleWithWebIdentity"]
-						}
-					]
-				}
-			}
-		]
-	}`
-
-	err := os.WriteFile(configPath, []byte(configContent), 0644)
-	assert.NoError(t, err)
-
-	filerProvider := func() string { return "localhost:8888" }
-	defaultSigningKeyProvider := func() string { return "fallback-key-for-regression-8366" }
-
-	manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
-	assert.NoError(t, err)
-	assert.NotNil(t, manager)
-	assert.False(t, manager.DefaultAllow())
-
-	ctx := context.Background()
-	principal := "arn:aws:sts::000000000000:assumed-role/S3UserRole/alice-session"
-	reqCtx := map[string]interface{}{"jwt:preferred_username": "alice"}
-
-	allowed, err := manager.IsActionAllowed(ctx, &integration.ActionRequest{
-		Principal:      principal,
-		Action:         "s3:CreateBucket",
-		Resource:       "arn:aws:s3:::arbitrary-bucket",
-		RequestContext: reqCtx,
-	})
-	assert.NoError(t, err)
-	assert.False(t, allowed, "arbitrary bucket creation should be denied")
-
-	allowed, err = manager.IsActionAllowed(ctx, &integration.ActionRequest{
-		Principal:      principal,
-		Action:         "s3:CreateBucket",
-		Resource:       "arn:aws:s3:::user-alice",
-		RequestContext: reqCtx,
-	})
-	assert.NoError(t, err)
-	assert.True(t, allowed, "user-scoped bucket creation should be allowed")
-}