Refactor: Extract common IAM logic into shared weed/iam package (#7747)

This resolves GitHub issue #7747 by extracting duplicated IAM code into a shared package that both the embedded S3 IAM and standalone IAM use. New shared package (weed/iam/): - constants.go: Common constants (charsets, action strings, error messages) - helpers.go: Shared helper functions (Hash, GenerateRandomString, GenerateAccessKeyId, GenerateSecretAccessKey, StringSlicesEqual, MapToStatementAction, MapToIdentitiesAction, MaskAccessKey) - responses.go: Common IAM response structs (CommonResponse, ListUsersResponse, CreateUserResponse, etc.) - helpers_test.go: Unit tests for shared helpers Updated files: - weed/s3api/s3api_embedded_iam.go: Use type aliases and function wrappers to the shared package, removing ~200 lines of duplicated code - weed/iamapi/iamapi_management_handlers.go: Use shared package for constants and helper functions, removing ~100 lines of duplicated code - weed/iamapi/iamapi_response.go: Re-export types from shared package for backwards compatibility Benefits: - Single source of truth for IAM constants and helpers - Easier maintenance - changes only need to be made in one place - Reduced risk of inconsistencies between embedded and standalone IAM - Better test coverage through shared test suite
2025-12-14 16:08:56 -08:00
parent f41925b60b
commit f734b2d4bf
7 changed files with 509 additions and 430 deletions
--- a/weed/iamapi/iamapi_management_handlers.go
+++ b/weed/iamapi/iamapi_management_handlers.go
@@ -1,45 +1,40 @@
 package iamapi

 // This file provides IAM API handlers for the standalone IAM server.
-// NOTE: There is code duplication with weed/s3api/s3api_embedded_iam.go.
-// See GitHub issue #7747 for the planned refactoring to extract common IAM logic
-// into a shared package.
+// Common IAM types and helpers are imported from the shared weed/iam package.

 import (
-	"crypto/rand"
-	"crypto/sha1"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"math/big"
 	"net/http"
 	"net/url"
-	"sort"
 	"strings"
 	"sync"

+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
+	iamlib "github.com/seaweedfs/seaweedfs/weed/iam"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
-	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
-
-	"github.com/aws/aws-sdk-go/service/iam"
 )

+// Constants from shared package
 const (
-	charsetUpper            = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-	charset                 = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
-	policyDocumentVersion   = "2012-10-17"
-	StatementActionAdmin    = "*"
-	StatementActionWrite    = "Put*"
-	StatementActionWriteAcp = "PutBucketAcl"
-	StatementActionRead     = "Get*"
-	StatementActionReadAcp  = "GetBucketAcl"
-	StatementActionList     = "List*"
-	StatementActionTagging  = "Tagging*"
-	StatementActionDelete   = "DeleteBucket*"
+	charsetUpper            = iamlib.CharsetUpper
+	charset                 = iamlib.Charset
+	policyDocumentVersion   = iamlib.PolicyDocumentVersion
+	StatementActionAdmin    = iamlib.StatementActionAdmin
+	StatementActionWrite    = iamlib.StatementActionWrite
+	StatementActionWriteAcp = iamlib.StatementActionWriteAcp
+	StatementActionRead     = iamlib.StatementActionRead
+	StatementActionReadAcp  = iamlib.StatementActionReadAcp
+	StatementActionList     = iamlib.StatementActionList
+	StatementActionTagging  = iamlib.StatementActionTagging
+	StatementActionDelete   = iamlib.StatementActionDelete
+	USER_DOES_NOT_EXIST     = iamlib.UserDoesNotExist
 )

 var (
@@ -47,105 +42,29 @@ var (
 	policyLock      = sync.RWMutex{}
 )

+// Helper function wrappers using shared package
 func MapToStatementAction(action string) string {
-	switch action {
-	case StatementActionAdmin:
-		return s3_constants.ACTION_ADMIN
-	case StatementActionWrite:
-		return s3_constants.ACTION_WRITE
-	case StatementActionWriteAcp:
-		return s3_constants.ACTION_WRITE_ACP
-	case StatementActionRead:
-		return s3_constants.ACTION_READ
-	case StatementActionReadAcp:
-		return s3_constants.ACTION_READ_ACP
-	case StatementActionList:
-		return s3_constants.ACTION_LIST
-	case StatementActionTagging:
-		return s3_constants.ACTION_TAGGING
-	case StatementActionDelete:
-		return s3_constants.ACTION_DELETE_BUCKET
-	default:
-		return ""
-	}
+	return iamlib.MapToStatementAction(action)
 }

 func MapToIdentitiesAction(action string) string {
-	switch action {
-	case s3_constants.ACTION_ADMIN:
-		return StatementActionAdmin
-	case s3_constants.ACTION_WRITE:
-		return StatementActionWrite
-	case s3_constants.ACTION_WRITE_ACP:
-		return StatementActionWriteAcp
-	case s3_constants.ACTION_READ:
-		return StatementActionRead
-	case s3_constants.ACTION_READ_ACP:
-		return StatementActionReadAcp
-	case s3_constants.ACTION_LIST:
-		return StatementActionList
-	case s3_constants.ACTION_TAGGING:
-		return StatementActionTagging
-	case s3_constants.ACTION_DELETE_BUCKET:
-		return StatementActionDelete
-	default:
-		return ""
-	}
+	return iamlib.MapToIdentitiesAction(action)
 }

-const (
-	USER_DOES_NOT_EXIST = "the user with name %s cannot be found."
-)
-
 type Policies struct {
 	Policies map[string]policy_engine.PolicyDocument `json:"policies"`
 }

 func Hash(s *string) string {
-	h := sha1.New()
-	h.Write([]byte(*s))
-	return fmt.Sprintf("%x", h.Sum(nil))
+	return iamlib.Hash(s)
 }

-// StringWithCharset generates a cryptographically secure random string.
-// Uses crypto/rand for security-sensitive credential generation.
 func StringWithCharset(length int, charset string) (string, error) {
-	if length <= 0 {
-		return "", fmt.Errorf("length must be positive, got %d", length)
-	}
-	if charset == "" {
-		return "", fmt.Errorf("charset must not be empty")
-	}
-	b := make([]byte, length)
-	for i := range b {
-		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
-		if err != nil {
-			return "", fmt.Errorf("failed to generate random index: %w", err)
-		}
-		b[i] = charset[n.Int64()]
-	}
-	return string(b), nil
+	return iamlib.GenerateRandomString(length, charset)
 }

-// stringSlicesEqual compares two string slices for equality, ignoring order.
-// This is used instead of reflect.DeepEqual to avoid order-dependent comparisons.
 func stringSlicesEqual(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	// Make copies to avoid modifying the originals
-	aCopy := make([]string, len(a))
-	bCopy := make([]string, len(b))
-	copy(aCopy, a)
-	copy(bCopy, b)
-	sort.Strings(aCopy)
-	sort.Strings(bCopy)
-	for i := range aCopy {
-		if aCopy[i] != bCopy[i] {
-			return false
-		}
-	}
-	return true
+	return iamlib.StringSlicesEqual(a, b)
 }

 func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
--- a/weed/iamapi/iamapi_response.go
+++ b/weed/iamapi/iamapi_response.go
@@ -1,113 +1,26 @@
 package iamapi

-import (
-	"encoding/xml"
-	"fmt"
-	"time"
+// This file re-exports IAM response types from the shared weed/iam package
+// for backwards compatibility with existing code.

-	"github.com/aws/aws-sdk-go/service/iam"
+import (
+	iamlib "github.com/seaweedfs/seaweedfs/weed/iam"
 )

-type CommonResponse struct {
-	ResponseMetadata struct {
-		RequestId string `xml:"RequestId"`
-	} `xml:"ResponseMetadata"`
-}
-
-type ListUsersResponse struct {
-	CommonResponse
-	XMLName         xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListUsersResponse"`
-	ListUsersResult struct {
-		Users       []*iam.User `xml:"Users>member"`
-		IsTruncated bool        `xml:"IsTruncated"`
-	} `xml:"ListUsersResult"`
-}
-
-type ListAccessKeysResponse struct {
-	CommonResponse
-	XMLName              xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ListAccessKeysResponse"`
-	ListAccessKeysResult struct {
-		AccessKeyMetadata []*iam.AccessKeyMetadata `xml:"AccessKeyMetadata>member"`
-		IsTruncated       bool                     `xml:"IsTruncated"`
-	} `xml:"ListAccessKeysResult"`
-}
-
-type DeleteAccessKeyResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteAccessKeyResponse"`
-}
-
-type CreatePolicyResponse struct {
-	CommonResponse
-	XMLName            xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreatePolicyResponse"`
-	CreatePolicyResult struct {
-		Policy iam.Policy `xml:"Policy"`
-	} `xml:"CreatePolicyResult"`
-}
-
-type CreateUserResponse struct {
-	CommonResponse
-	XMLName          xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreateUserResponse"`
-	CreateUserResult struct {
-		User iam.User `xml:"User"`
-	} `xml:"CreateUserResult"`
-}
-
-type DeleteUserResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteUserResponse"`
-}
-
-type GetUserResponse struct {
-	CommonResponse
-	XMLName       xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ GetUserResponse"`
-	GetUserResult struct {
-		User iam.User `xml:"User"`
-	} `xml:"GetUserResult"`
-}
-
-type UpdateUserResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ UpdateUserResponse"`
-}
-
-type CreateAccessKeyResponse struct {
-	CommonResponse
-	XMLName               xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ CreateAccessKeyResponse"`
-	CreateAccessKeyResult struct {
-		AccessKey iam.AccessKey `xml:"AccessKey"`
-	} `xml:"CreateAccessKeyResult"`
-}
-
-type PutUserPolicyResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ PutUserPolicyResponse"`
-}
-
-type DeleteUserPolicyResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ DeleteUserPolicyResponse"`
-}
-
-type GetUserPolicyResponse struct {
-	CommonResponse
-	XMLName             xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ GetUserPolicyResponse"`
-	GetUserPolicyResult struct {
-		UserName       string `xml:"UserName"`
-		PolicyName     string `xml:"PolicyName"`
-		PolicyDocument string `xml:"PolicyDocument"`
-	} `xml:"GetUserPolicyResult"`
-}
-
-type ErrorResponse struct {
-	CommonResponse
-	XMLName xml.Name `xml:"https://iam.amazonaws.com/doc/2010-05-08/ ErrorResponse"`
-	Error   struct {
-		iam.ErrorDetails
-		Type string `xml:"Type"`
-	} `xml:"Error"`
-}
-
-func (r *CommonResponse) SetRequestId() {
-	r.ResponseMetadata.RequestId = fmt.Sprintf("%d", time.Now().UnixNano())
-}
+// Type aliases for IAM response types from shared package
+type (
+	CommonResponse          = iamlib.CommonResponse
+	ListUsersResponse       = iamlib.ListUsersResponse
+	ListAccessKeysResponse  = iamlib.ListAccessKeysResponse
+	DeleteAccessKeyResponse = iamlib.DeleteAccessKeyResponse
+	CreatePolicyResponse    = iamlib.CreatePolicyResponse
+	CreateUserResponse      = iamlib.CreateUserResponse
+	DeleteUserResponse      = iamlib.DeleteUserResponse
+	GetUserResponse         = iamlib.GetUserResponse
+	UpdateUserResponse      = iamlib.UpdateUserResponse
+	CreateAccessKeyResponse = iamlib.CreateAccessKeyResponse
+	PutUserPolicyResponse   = iamlib.PutUserPolicyResponse
+	DeleteUserPolicyResponse = iamlib.DeleteUserPolicyResponse
+	GetUserPolicyResponse   = iamlib.GetUserPolicyResponse
+	ErrorResponse           = iamlib.ErrorResponse
+)