9984ce7dcb
* fix(s3): omit NotResource:null from bucket policy JSON response (#8657) Change NotResource from value type to pointer (*StringOrStringSlice) so that omitempty properly omits it when unset, matching the existing Principal field pattern. This prevents IaC tools (Terraform, Ansible) from detecting false configuration drift. Add bucket policy round-trip idempotency integration tests. * simplify JSON comparison in bucket policy idempotency test Use require.JSONEq directly on the raw JSON strings instead of round-tripping through unmarshal/marshal, since JSONEq already handles normalization internally. * fix bucket policy test cases that locked out the admin user The Deny+NotResource test cases used Action:"s3:*" which denied the admin's own GetBucketPolicy call. Scope deny to s3:GetObject only, and add an Allow+NotResource variant instead. * fix(s3): also make Resource a pointer to fix empty string in JSON Apply the same omitempty pointer fix to the Resource field, which was emitting "Resource":"" when only NotResource was set. Add NewStringOrStringSlicePtr helper, make Strings() nil-safe, and handle *StringOrStringSlice in normalizeToStringSliceWithError. * improve bucket policy integration tests per review feedback - Replace time.Sleep with waitForClusterReady using ListBuckets - Use structural hasKey check instead of brittle substring NotContains - Assert specific NoSuchBucketPolicy error code after delete - Handle single-statement policies in hasKey helper
148 lines
4.4 KiB
Go
148 lines
4.4 KiB
Go
package test
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/credential/memory"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
|
|
// Import all store implementations to register them
|
|
_ "github.com/seaweedfs/seaweedfs/weed/credential/filer_etc"
|
|
_ "github.com/seaweedfs/seaweedfs/weed/credential/memory"
|
|
_ "github.com/seaweedfs/seaweedfs/weed/credential/postgres"
|
|
)
|
|
|
|
// TestPolicyManagement tests policy management across all credential stores
|
|
func TestPolicyManagement(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// Test with memory store (easiest to test)
|
|
credentialManager, err := credential.NewCredentialManager(credential.StoreTypeMemory, nil, "")
|
|
if err != nil {
|
|
t.Fatalf("Failed to create credential manager: %v", err)
|
|
}
|
|
|
|
// Test policy operations
|
|
testPolicyOperations(t, ctx, credentialManager)
|
|
}
|
|
|
|
func testPolicyOperations(t *testing.T, ctx context.Context, credentialManager *credential.CredentialManager) {
|
|
store := credentialManager.GetStore()
|
|
|
|
// Cast to memory store to access policy methods
|
|
memoryStore, ok := store.(*memory.MemoryStore)
|
|
if !ok {
|
|
t.Skip("Store is not a memory store")
|
|
}
|
|
|
|
// Test GetPolicies (should be empty initially)
|
|
policies, err := memoryStore.GetPolicies(ctx)
|
|
if err != nil {
|
|
t.Fatalf("Failed to get policies: %v", err)
|
|
}
|
|
if len(policies) != 0 {
|
|
t.Errorf("Expected 0 policies, got %d", len(policies))
|
|
}
|
|
|
|
// Test CreatePolicy
|
|
testPolicy := policy_engine.PolicyDocument{
|
|
Version: "2012-10-17",
|
|
Statement: []policy_engine.PolicyStatement{
|
|
{
|
|
Effect: policy_engine.PolicyEffectAllow,
|
|
Action: policy_engine.NewStringOrStringSlice("s3:GetObject"),
|
|
Resource: policy_engine.NewStringOrStringSlicePtr("arn:aws:s3:::test-bucket/*"),
|
|
},
|
|
},
|
|
}
|
|
|
|
err = memoryStore.CreatePolicy(ctx, "test-policy", testPolicy)
|
|
if err != nil {
|
|
t.Fatalf("Failed to create policy: %v", err)
|
|
}
|
|
|
|
// Test GetPolicies (should have 1 policy now)
|
|
policies, err = memoryStore.GetPolicies(ctx)
|
|
if err != nil {
|
|
t.Fatalf("Failed to get policies: %v", err)
|
|
}
|
|
if len(policies) != 1 {
|
|
t.Errorf("Expected 1 policy, got %d", len(policies))
|
|
}
|
|
|
|
// Verify policy content
|
|
policy, exists := policies["test-policy"]
|
|
if !exists {
|
|
t.Error("test-policy not found")
|
|
}
|
|
if policy.Version != "2012-10-17" {
|
|
t.Errorf("Expected policy version '2012-10-17', got '%s'", policy.Version)
|
|
}
|
|
if len(policy.Statement) != 1 {
|
|
t.Errorf("Expected 1 statement, got %d", len(policy.Statement))
|
|
}
|
|
|
|
// Test UpdatePolicy
|
|
updatedPolicy := policy_engine.PolicyDocument{
|
|
Version: "2012-10-17",
|
|
Statement: []policy_engine.PolicyStatement{
|
|
{
|
|
Effect: policy_engine.PolicyEffectAllow,
|
|
Action: policy_engine.NewStringOrStringSlice("s3:GetObject", "s3:PutObject"),
|
|
Resource: policy_engine.NewStringOrStringSlicePtr("arn:aws:s3:::test-bucket/*"),
|
|
},
|
|
},
|
|
}
|
|
|
|
err = memoryStore.UpdatePolicy(ctx, "test-policy", updatedPolicy)
|
|
if err != nil {
|
|
t.Fatalf("Failed to update policy: %v", err)
|
|
}
|
|
|
|
// Verify the update
|
|
policies, err = memoryStore.GetPolicies(ctx)
|
|
if err != nil {
|
|
t.Fatalf("Failed to get policies after update: %v", err)
|
|
}
|
|
|
|
updatedPolicyResult, exists := policies["test-policy"]
|
|
if !exists {
|
|
t.Error("test-policy not found after update")
|
|
}
|
|
if len(updatedPolicyResult.Statement) != 1 {
|
|
t.Errorf("Expected 1 statement after update, got %d", len(updatedPolicyResult.Statement))
|
|
}
|
|
if len(updatedPolicyResult.Statement[0].Action.Strings()) != 2 {
|
|
t.Errorf("Expected 2 actions after update, got %d", len(updatedPolicyResult.Statement[0].Action.Strings()))
|
|
}
|
|
|
|
// Test DeletePolicy
|
|
err = memoryStore.DeletePolicy(ctx, "test-policy")
|
|
if err != nil {
|
|
t.Fatalf("Failed to delete policy: %v", err)
|
|
}
|
|
|
|
// Verify deletion
|
|
policies, err = memoryStore.GetPolicies(ctx)
|
|
if err != nil {
|
|
t.Fatalf("Failed to get policies after deletion: %v", err)
|
|
}
|
|
if len(policies) != 0 {
|
|
t.Errorf("Expected 0 policies after deletion, got %d", len(policies))
|
|
}
|
|
}
|
|
|
|
// TestPolicyManagementWithFilerEtc tests policy management with filer_etc store
|
|
func TestPolicyManagementWithFilerEtc(t *testing.T) {
|
|
// Skip this test if we can't connect to a filer
|
|
t.Skip("Filer connection required for filer_etc store testing")
|
|
}
|
|
|
|
// TestPolicyManagementWithPostgres tests policy management with postgres store
|
|
func TestPolicyManagementWithPostgres(t *testing.T) {
|
|
// Skip this test if we can't connect to PostgreSQL
|
|
t.Skip("PostgreSQL connection required for postgres store testing")
|
|
}
|