gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1261e93ef2acfd6c6d618d67ed2cd110269b65ac
seaweedFS/weed/s3api/s3_jwt_auth_test.go
Chris Lu 1261e93ef2 fix: comprehensive go vet error fixes and add CI enforcement (#7861) 
* fix: use keyed fields in struct literals

- Replace unsafe reflect.StringHeader/SliceHeader with safe unsafe.String/Slice (weed/query/sqltypes/unsafe.go)
- Add field names to Type_ScalarType struct literals (weed/mq/schema/schema_builder.go)
- Add Duration field name to FlexibleDuration struct literals across test files
- Add field names to bson.D struct literals (weed/filer/mongodb/mongodb_store_kv.go)

Fixes go vet warnings about unkeyed struct literals.

* fix: remove unreachable code

- Remove unreachable return statements after infinite for loops
- Remove unreachable code after if/else blocks where all paths return
- Simplify recursive logic by removing unnecessary for loop (inode_to_path.go)
- Fix Type_ScalarType literal to use enum value directly (schema_builder.go)
- Call onCompletionFn on stream error (subscribe_session.go)

Files fixed:
- weed/query/sqltypes/unsafe.go
- weed/mq/schema/schema_builder.go
- weed/mq/client/sub_client/connect_to_sub_coordinator.go
- weed/filer/redis3/ItemList.go
- weed/mq/client/agent_client/subscribe_session.go
- weed/mq/broker/broker_grpc_pub_balancer.go
- weed/mount/inode_to_path.go
- weed/util/skiplist/name_list.go

* fix: avoid copying lock values in protobuf messages

- Use proto.Merge() instead of direct assignment to avoid copying sync.Mutex in S3ApiConfiguration (iamapi_server.go)
- Add explicit comments noting that channel-received values are already copies before taking addresses (volume_grpc_client_to_master.go)

The protobuf messages contain sync.Mutex fields from the message state, which should not be copied.
Using proto.Merge() properly merges messages without copying the embedded mutex.

* fix: correct byte array size for uint32 bit shift operations

The generateAccountId() function only needs 4 bytes to create a uint32 value.
Changed from allocating 8 bytes to 4 bytes to match the actual usage.

This fixes go vet warning about shifting 8-bit values (bytes) by more than 8 bits.

* fix: ensure context cancellation on all error paths

In broker_client_subscribe.go, ensure subscriberCancel() is called on all error return paths:
- When stream creation fails
- When partition assignment fails
- When sending initialization message fails

This prevents context leaks when an error occurs during subscriber creation.

* fix: ensure subscriberCancel called for CreateFreshSubscriber stream.Send error

Ensure subscriberCancel() is called when stream.Send fails in CreateFreshSubscriber.

* ci: add go vet step to prevent future lint regressions

- Add go vet step to GitHub Actions workflow
- Filter known protobuf lock warnings (MessageState sync.Mutex)
  These are expected in generated protobuf code and are safe
- Prevents accumulation of go vet errors in future PRs
- Step runs before build to catch issues early

* fix: resolve remaining syntax and logic errors in vet fixes

- Fixed syntax errors in filer_sync.go caused by missing closing braces
- Added missing closing brace for if block and function
- Synchronized fixes to match previous commits on branch

* fix: add missing return statements to daemon functions

- Add 'return false' after infinite loops in filer_backup.go and filer_meta_backup.go
- Satisfies declared bool return type signatures
- Maintains consistency with other daemon functions (runMaster, runFilerSynchronize, runWorker)
- While unreachable, explicitly declares the return satisfies function signature contract

* fix: add nil check for onCompletionFn in SubscribeMessageRecord

- Check if onCompletionFn is not nil before calling it
- Prevents potential panic if nil function is passed
- Matches pattern used in other callback functions

* docs: clarify unreachable return statements in daemon functions

- Add comments documenting that return statements satisfy function signature
- Explains that these returns follow infinite loops and are unreachable
- Improves code clarity for future maintainers
2025-12-23 14:48:50 -08:00

558 lines
16 KiB
Go
Raw Blame History

package s3api
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/seaweedfs/seaweedfs/weed/iam/integration"
"github.com/seaweedfs/seaweedfs/weed/iam/ldap"
"github.com/seaweedfs/seaweedfs/weed/iam/oidc"
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
"github.com/seaweedfs/seaweedfs/weed/iam/sts"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// createTestJWTAuth creates a test JWT token with the specified issuer, subject and signing key
func createTestJWTAuth(t *testing.T, issuer, subject, signingKey string) string {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"iss": issuer,
"sub": subject,
"aud": "test-client-id",
"exp": time.Now().Add(time.Hour).Unix(),
"iat": time.Now().Unix(),
// Add claims that trust policy validation expects
"idp": "test-oidc", // Identity provider claim for trust policy matching
})
tokenString, err := token.SignedString([]byte(signingKey))
require.NoError(t, err)
return tokenString
}
// TestJWTAuthenticationFlow tests the JWT authentication flow without full S3 server
func TestJWTAuthenticationFlow(t *testing.T) {
// Set up IAM system
iamManager := setupTestIAMManager(t)
// Create IAM integration
s3iam := NewS3IAMIntegration(iamManager, "localhost:8888")
// Create IAM server with integration
iamServer := setupIAMWithIntegration(t, iamManager, s3iam)
// Test scenarios
tests := []struct {
name string
roleArn string
setupRole func(ctx context.Context, mgr *integration.IAMManager)
testOperations []JWTTestOperation
}{
{
name: "Read-Only JWT Authentication",
roleArn: "arn:aws:iam::role/S3ReadOnlyRole",
setupRole: setupTestReadOnlyRole,
testOperations: []JWTTestOperation{
{Action: s3_constants.ACTION_READ, Bucket: "test-bucket", Object: "test-file.txt", ExpectedAllow: true},
{Action: s3_constants.ACTION_WRITE, Bucket: "test-bucket", Object: "new-file.txt", ExpectedAllow: false},
{Action: s3_constants.ACTION_LIST, Bucket: "test-bucket", Object: "", ExpectedAllow: true},
},
},
{
name: "Admin JWT Authentication",
roleArn: "arn:aws:iam::role/S3AdminRole",
setupRole: setupTestAdminRole,
testOperations: []JWTTestOperation{
{Action: s3_constants.ACTION_READ, Bucket: "admin-bucket", Object: "admin-file.txt", ExpectedAllow: true},
{Action: s3_constants.ACTION_WRITE, Bucket: "admin-bucket", Object: "new-admin-file.txt", ExpectedAllow: true},
{Action: s3_constants.ACTION_DELETE_BUCKET, Bucket: "admin-bucket", Object: "", ExpectedAllow: true},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := context.Background()
// Set up role
tt.setupRole(ctx, iamManager)
// Create a valid JWT token for testing
validJWTToken := createTestJWTAuth(t, "https://test-issuer.com", "test-user-123", "test-signing-key")
// Assume role to get JWT
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: tt.roleArn,
WebIdentityToken: validJWTToken,
RoleSessionName: "jwt-auth-test",
})
require.NoError(t, err)
jwtToken := response.Credentials.SessionToken
// Test each operation
for _, op := range tt.testOperations {
t.Run(string(op.Action), func(t *testing.T) {
// Test JWT authentication
identity, errCode := testJWTAuthentication(t, iamServer, jwtToken)
require.Equal(t, s3err.ErrNone, errCode, "JWT authentication should succeed")
require.NotNil(t, identity)
// Test authorization with appropriate role based on test case
var testRoleName string
if tt.name == "Read-Only JWT Authentication" {
testRoleName = "TestReadRole"
} else {
testRoleName = "TestAdminRole"
}
allowed := testJWTAuthorizationWithRole(t, iamServer, identity, op.Action, op.Bucket, op.Object, jwtToken, testRoleName)
assert.Equal(t, op.ExpectedAllow, allowed, "Operation %s should have expected result", op.Action)
})
}
})
}
}
// TestJWTTokenValidation tests JWT token validation edge cases
func TestJWTTokenValidation(t *testing.T) {
iamManager := setupTestIAMManager(t)
s3iam := NewS3IAMIntegration(iamManager, "localhost:8888")
iamServer := setupIAMWithIntegration(t, iamManager, s3iam)
tests := []struct {
name string
token string
expectedErr s3err.ErrorCode
}{
{
name: "Empty token",
token: "",
expectedErr: s3err.ErrAccessDenied,
},
{
name: "Invalid token format",
token: "invalid-token",
expectedErr: s3err.ErrAccessDenied,
},
{
name: "Expired token",
token: "expired-session-token",
expectedErr: s3err.ErrAccessDenied,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
identity, errCode := testJWTAuthentication(t, iamServer, tt.token)
assert.Equal(t, tt.expectedErr, errCode)
assert.Nil(t, identity)
})
}
}
// TestRequestContextExtraction tests context extraction for policy conditions
func TestRequestContextExtraction(t *testing.T) {
tests := []struct {
name string
setupRequest func() *http.Request
expectedIP string
expectedUA string
}{
{
name: "Standard request with IP",
setupRequest: func() *http.Request {
req := httptest.NewRequest("GET", "/test-bucket/test-file.txt", http.NoBody)
req.Header.Set("X-Forwarded-For", "192.168.1.100")
req.Header.Set("User-Agent", "aws-sdk-go/1.0")
return req
},
expectedIP: "192.168.1.100",
expectedUA: "aws-sdk-go/1.0",
},
{
name: "Request with X-Real-IP",
setupRequest: func() *http.Request {
req := httptest.NewRequest("GET", "/test-bucket/test-file.txt", http.NoBody)
req.Header.Set("X-Real-IP", "10.0.0.1")
req.Header.Set("User-Agent", "boto3/1.0")
return req
},
expectedIP: "10.0.0.1",
expectedUA: "boto3/1.0",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := tt.setupRequest()
// Extract request context
context := extractRequestContext(req)
if tt.expectedIP != "" {
assert.Equal(t, tt.expectedIP, context["sourceIP"])
}
if tt.expectedUA != "" {
assert.Equal(t, tt.expectedUA, context["userAgent"])
}
})
}
}
// TestIPBasedPolicyEnforcement tests IP-based conditional policies
func TestIPBasedPolicyEnforcement(t *testing.T) {
iamManager := setupTestIAMManager(t)
s3iam := NewS3IAMIntegration(iamManager, "localhost:8888")
ctx := context.Background()
// Set up IP-restricted role
setupTestIPRestrictedRole(ctx, iamManager)
// Create a valid JWT token for testing
validJWTToken := createTestJWTAuth(t, "https://test-issuer.com", "test-user-123", "test-signing-key")
// Assume role
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: "arn:aws:iam::role/S3IPRestrictedRole",
WebIdentityToken: validJWTToken,
RoleSessionName: "ip-test-session",
})
require.NoError(t, err)
tests := []struct {
name string
sourceIP string
shouldAllow bool
}{
{
name: "Allow from office IP",
sourceIP: "192.168.1.100",
shouldAllow: true,
},
{
name: "Block from external IP",
sourceIP: "8.8.8.8",
shouldAllow: false,
},
{
name: "Allow from internal range",
sourceIP: "10.0.0.1",
shouldAllow: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Create request with specific IP
req := httptest.NewRequest("GET", "/restricted-bucket/file.txt", http.NoBody)
req.Header.Set("Authorization", "Bearer "+response.Credentials.SessionToken)
req.Header.Set("X-Forwarded-For", tt.sourceIP)
// Create IAM identity for testing
identity := &IAMIdentity{
Name: "test-user",
Principal: response.AssumedRoleUser.Arn,
SessionToken: response.Credentials.SessionToken,
}
// Test authorization with IP condition
errCode := s3iam.AuthorizeAction(ctx, identity, s3_constants.ACTION_READ, "restricted-bucket", "file.txt", req)
if tt.shouldAllow {
assert.Equal(t, s3err.ErrNone, errCode, "Should allow access from IP %s", tt.sourceIP)
} else {
assert.Equal(t, s3err.ErrAccessDenied, errCode, "Should deny access from IP %s", tt.sourceIP)
}
})
}
}
// JWTTestOperation represents a test operation for JWT testing
type JWTTestOperation struct {
Action Action
Bucket string
Object string
ExpectedAllow bool
}
// Helper functions
func setupTestIAMManager(t *testing.T) *integration.IAMManager {
// Create IAM manager
manager := integration.NewIAMManager()
// Initialize with test configuration
config := &integration.IAMConfig{
STS: &sts.STSConfig{
TokenDuration: sts.FlexibleDuration{Duration: time.Hour},
MaxSessionLength: sts.FlexibleDuration{Duration: time.Hour * 12},
Issuer: "test-sts",
SigningKey: []byte("test-signing-key-32-characters-long"),
},
Policy: &policy.PolicyEngineConfig{
DefaultEffect: "Deny",
StoreType: "memory",
},
Roles: &integration.RoleStoreConfig{
StoreType: "memory",
},
}
err := manager.Initialize(config, func() string {
return "localhost:8888" // Mock filer address for testing
})
require.NoError(t, err)
// Set up test identity providers
setupTestIdentityProviders(t, manager)
return manager
}
func setupTestIdentityProviders(t *testing.T, manager *integration.IAMManager) {
// Set up OIDC provider
oidcProvider := oidc.NewMockOIDCProvider("test-oidc")
oidcConfig := &oidc.OIDCConfig{
Issuer: "https://test-issuer.com",
ClientID: "test-client-id",
}
err := oidcProvider.Initialize(oidcConfig)
require.NoError(t, err)
oidcProvider.SetupDefaultTestData()
// Set up LDAP provider
ldapProvider := ldap.NewMockLDAPProvider("test-ldap")
err = ldapProvider.Initialize(nil) // Mock doesn't need real config
require.NoError(t, err)
ldapProvider.SetupDefaultTestData()
// Register providers
err = manager.RegisterIdentityProvider(oidcProvider)
require.NoError(t, err)
err = manager.RegisterIdentityProvider(ldapProvider)
require.NoError(t, err)
}
func setupIAMWithIntegration(t *testing.T, iamManager *integration.IAMManager, s3iam *S3IAMIntegration) *IdentityAccessManagement {
// Create a minimal IdentityAccessManagement for testing
iam := &IdentityAccessManagement{
isAuthEnabled: true,
}
// Set IAM integration
iam.SetIAMIntegration(s3iam)
return iam
}
func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager) {
// Create read-only policy
readPolicy := &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Sid: "AllowS3Read",
Effect: "Allow",
Action: []string{"s3:GetObject", "s3:ListBucket"},
Resource: []string{
"arn:aws:s3:::*",
"arn:aws:s3:::*/*",
},
},
{
Sid: "AllowSTSSessionValidation",
Effect: "Allow",
Action: []string{"sts:ValidateSession"},
Resource: []string{"*"},
},
},
}
manager.CreatePolicy(ctx, "", "S3ReadOnlyPolicy", readPolicy)
// Create role
manager.CreateRole(ctx, "", "S3ReadOnlyRole", &integration.RoleDefinition{
RoleName: "S3ReadOnlyRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "test-oidc",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3ReadOnlyPolicy"},
})
// Also create a TestReadRole for read-only authorization testing
manager.CreateRole(ctx, "", "TestReadRole", &integration.RoleDefinition{
RoleName: "TestReadRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "test-oidc",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3ReadOnlyPolicy"},
})
}
func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) {
// Create admin policy
adminPolicy := &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Sid: "AllowAllS3",
Effect: "Allow",
Action: []string{"s3:*"},
Resource: []string{
"arn:aws:s3:::*",
"arn:aws:s3:::*/*",
},
},
{
Sid: "AllowSTSSessionValidation",
Effect: "Allow",
Action: []string{"sts:ValidateSession"},
Resource: []string{"*"},
},
},
}
manager.CreatePolicy(ctx, "", "S3AdminPolicy", adminPolicy)
// Create role
manager.CreateRole(ctx, "", "S3AdminRole", &integration.RoleDefinition{
RoleName: "S3AdminRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "test-oidc",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3AdminPolicy"},
})
// Also create a TestAdminRole with admin policy for authorization testing
manager.CreateRole(ctx, "", "TestAdminRole", &integration.RoleDefinition{
RoleName: "TestAdminRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "test-oidc",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3AdminPolicy"}, // Admin gets full access
})
}
func setupTestIPRestrictedRole(ctx context.Context, manager *integration.IAMManager) {
// Create IP-restricted policy
restrictedPolicy := &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Sid: "AllowFromOffice",
Effect: "Allow",
Action: []string{"s3:GetObject", "s3:ListBucket"},
Resource: []string{
"arn:aws:s3:::*",
"arn:aws:s3:::*/*",
},
Condition: map[string]map[string]interface{}{
"IpAddress": {
"seaweed:SourceIP": []string{"192.168.1.0/24", "10.0.0.0/8"},
},
},
},
},
}
manager.CreatePolicy(ctx, "", "S3IPRestrictedPolicy", restrictedPolicy)
// Create role
manager.CreateRole(ctx, "", "S3IPRestrictedRole", &integration.RoleDefinition{
RoleName: "S3IPRestrictedRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "test-oidc",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3IPRestrictedPolicy"},
})
}
func testJWTAuthentication(t *testing.T, iam *IdentityAccessManagement, token string) (*Identity, s3err.ErrorCode) {
// Create test request with JWT
req := httptest.NewRequest("GET", "/test-bucket/test-object", http.NoBody)
req.Header.Set("Authorization", "Bearer "+token)
// Test authentication
if iam.iamIntegration == nil {
return nil, s3err.ErrNotImplemented
}
return iam.authenticateJWTWithIAM(req)
}
func testJWTAuthorization(t *testing.T, iam *IdentityAccessManagement, identity *Identity, action Action, bucket, object, token string) bool {
return testJWTAuthorizationWithRole(t, iam, identity, action, bucket, object, token, "TestRole")
}
func testJWTAuthorizationWithRole(t *testing.T, iam *IdentityAccessManagement, identity *Identity, action Action, bucket, object, token, roleName string) bool {
// Create test request
req := httptest.NewRequest("GET", "/"+bucket+"/"+object, http.NoBody)
req.Header.Set("Authorization", "Bearer "+token)
req.Header.Set("X-SeaweedFS-Session-Token", token)
// Use a proper principal ARN format that matches what STS would generate
principalArn := "arn:aws:sts::assumed-role/" + roleName + "/test-session"
req.Header.Set("X-SeaweedFS-Principal", principalArn)
// Test authorization
if iam.iamIntegration == nil {
return false
}
errCode := iam.authorizeWithIAM(req, identity, action, bucket, object)
return errCode == s3err.ErrNone
}
Reference in New Issue View Git Blame Copy Permalink