gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49a64f50f1f67f6d69133167cc1339052d3f4c92
seaweedFS/weed/s3api/s3api_server_routing_test.go
Chris Lu 551a31e156 Implement IAM propagation to S3 servers (#8130) 
* Implement IAM propagation to S3 servers

- Add PropagatingCredentialStore to propagate IAM changes to S3 servers via gRPC
- Add Policy management RPCs to S3 proto and S3ApiServer
- Update CredentialManager to use PropagatingCredentialStore when MasterClient is available
- Wire FilerServer to enable propagation

* Implement parallel IAM propagation and fix S3 cluster registration

- Parallelized IAM change propagation with 10s timeout.
- Refined context usage in PropagatingCredentialStore.
- Added S3Type support to cluster node management.
- Enabled S3 servers to register with gRPC address to the master.
- Ensured IAM configuration reload after policy updates via gRPC.

* Optimize IAM propagation with direct in-memory cache updates

* Secure IAM propagation: Use metadata to skip persistence only on propagation

* pb: refactor IAM and S3 services for unidirectional IAM propagation

- Move SeaweedS3IamCache service from iam.proto to s3.proto.
- Remove legacy IAM management RPCs and empty SeaweedS3 service from s3.proto.
- Enforce that S3 servers only use the synchronization interface.

* pb: regenerate Go code for IAM and S3 services

Updated generated code following the proto refactoring of IAM synchronization services.

* s3api: implement read-only mode for Embedded IAM API

- Add readOnly flag to EmbeddedIamApi to reject write operations via HTTP.
- Enable read-only mode by default in S3ApiServer.
- Handle AccessDenied error in writeIamErrorResponse.
- Embed SeaweedS3IamCacheServer in S3ApiServer.

* credential: refactor PropagatingCredentialStore for unidirectional IAM flow

- Update to use s3_pb.SeaweedS3IamCacheClient for propagation to S3 servers.
- Propagate full Identity object via PutIdentity for consistency.
- Remove redundant propagation of specific user/account/policy management RPCs.
- Add timeout context for propagation calls.

* s3api: implement SeaweedS3IamCacheServer for unidirectional sync

- Update S3ApiServer to implement the cache synchronization gRPC interface.
- Methods (PutIdentity, RemoveIdentity, etc.) now perform direct in-memory cache updates.
- Register SeaweedS3IamCacheServer in command/s3.go.
- Remove registration for the legacy and now empty SeaweedS3 service.

* s3api: update tests for read-only IAM and propagation

- Added TestEmbeddedIamReadOnly to verify rejection of write operations in read-only mode.
- Update test setup to pass readOnly=false to NewEmbeddedIamApi in routing tests.
- Updated EmbeddedIamApiForTest helper with read-only checks matching production behavior.

* s3api: add back temporary debug logs for IAM updates

Log IAM updates received via:
- gRPC propagation (PutIdentity, PutPolicy, etc.)
- Metadata configuration reloads (LoadS3ApiConfigurationFromCredentialManager)
- Core identity management (UpsertIdentity, RemoveIdentity)

* IAM: finalize propagation fix with reduced logging and clarified architecture

* Allow configuring IAM read-only mode for S3 server integration tests

* s3api: add defensive validation to UpsertIdentity

* s3api: fix log message to reference correct IAM read-only flag

* test/s3/iam: ensure WaitForS3Service checks for IAM write permissions

* test: enable writable IAM in Makefile for integration tests

* IAM: add GetPolicy/ListPolicies RPCs to s3.proto

* S3: add GetBucketPolicy and ListBucketPolicies helpers

* S3: support storing generic IAM policies in IdentityAccessManagement

* S3: implement IAM policy RPCs using IdentityAccessManagement

* IAM: fix stale user identity on rename propagation
2026-01-26 22:59:43 -08:00

196 lines
6.6 KiB
Go
Raw Blame History

package s3api
import (
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/gorilla/mux"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/util"
"github.com/stretchr/testify/assert"
)
// setupRoutingTestServer creates a minimal S3ApiServer for routing tests
func setupRoutingTestServer(t *testing.T) *S3ApiServer {
opt := &S3ApiServerOption{EnableIam: true}
iam := NewIdentityAccessManagementWithStore(opt, "memory")
iam.isAuthEnabled = true
if iam.credentialManager == nil {
cm, err := credential.NewCredentialManager("memory", util.GetViper(), "")
if err != nil {
t.Fatalf("Failed to create credential manager: %v", err)
}
iam.credentialManager = cm
}
server := &S3ApiServer{
option: opt,
iam: iam,
credentialManager: iam.credentialManager,
embeddedIam: NewEmbeddedIamApi(iam.credentialManager, iam, false),
stsHandlers: &STSHandlers{},
}
return server
}
// TestRouting_STSWithQueryParams verifies that AssumeRoleWithWebIdentity with query params routes to STS
func TestRouting_STSWithQueryParams(t *testing.T) {
router := mux.NewRouter()
s3a := setupRoutingTestServer(t)
s3a.registerRouter(router)
// Create request with Action in query params (no auth header)
req, _ := http.NewRequest("POST", "/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=test-token&RoleArn=arn:aws:iam::123:role/test&RoleSessionName=test-session", nil)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// Should route to STS handler -> 503 (service not initialized) or 400 (validation error)
assert.Contains(t, []int{http.StatusBadRequest, http.StatusServiceUnavailable}, rr.Code, "Should route to STS handler")
}
// TestRouting_STSWithBodyParams verifies that AssumeRoleWithWebIdentity with body params routes to STS fallback
func TestRouting_STSWithBodyParams(t *testing.T) {
router := mux.NewRouter()
s3a := setupRoutingTestServer(t)
s3a.registerRouter(router)
// Create request with Action in POST body (no auth header)
data := url.Values{}
data.Set("Action", "AssumeRoleWithWebIdentity")
data.Set("WebIdentityToken", "test-token")
data.Set("RoleArn", "arn:aws:iam::123:role/test")
data.Set("RoleSessionName", "test-session")
req, _ := http.NewRequest("POST", "/", strings.NewReader(data.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// Should route to STS fallback handler -> 503 (service not initialized in test)
assert.Equal(t, http.StatusServiceUnavailable, rr.Code, "Should route to STS fallback handler (503 because STS not initialized)")
}
// TestRouting_AuthenticatedIAM verifies that authenticated IAM requests route to IAM handler
func TestRouting_AuthenticatedIAM(t *testing.T) {
router := mux.NewRouter()
s3a := setupRoutingTestServer(t)
s3a.registerRouter(router)
// Create IAM request with Authorization header
data := url.Values{}
data.Set("Action", "CreateUser")
data.Set("UserName", "testuser")
req, _ := http.NewRequest("POST", "/", strings.NewReader(data.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIA.../...")
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// Should route to IAM handler -> 400/403 (invalid signature)
// NOT 503 (which would indicate STS handler)
assert.NotEqual(t, http.StatusServiceUnavailable, rr.Code, "Should NOT route to STS handler")
assert.Contains(t, []int{http.StatusBadRequest, http.StatusForbidden}, rr.Code, "Should route to IAM handler (400/403 due to invalid signature)")
}
// TestRouting_IAMMatcherLogic verifies the iamMatcher correctly distinguishes auth types
func TestRouting_IAMMatcherLogic(t *testing.T) {
tests := []struct {
name string
authHeader string
queryParams string
expectsIAM bool
description string
}{
{
name: "No auth - anonymous",
authHeader: "",
queryParams: "",
expectsIAM: false,
description: "Request with no auth should NOT match IAM",
},
{
name: "AWS4 signature",
authHeader: "AWS4-HMAC-SHA256 Credential=AKIA.../...",
queryParams: "",
expectsIAM: true,
description: "Request with AWS4 signature should match IAM",
},
{
name: "AWS2 signature",
authHeader: "AWS AKIA...:signature",
queryParams: "",
expectsIAM: true,
description: "Request with AWS2 signature should match IAM",
},
{
name: "Presigned V4",
authHeader: "",
queryParams: "?X-Amz-Credential=AKIA...",
expectsIAM: true,
description: "Request with presigned V4 params should match IAM",
},
{
name: "Presigned V2",
authHeader: "",
queryParams: "?AWSAccessKeyId=AKIA...",
expectsIAM: true,
description: "Request with presigned V2 params should match IAM",
},
{
name: "AWS4 signature with STS action in body",
authHeader: "AWS4-HMAC-SHA256 Credential=AKIA.../...",
queryParams: "",
expectsIAM: false,
description: "Authenticated STS action should route to STS handler (STS handlers handle their own auth)",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
router := mux.NewRouter()
s3a := setupRoutingTestServer(t)
s3a.registerRouter(router)
data := url.Values{}
// For the authenticated STS action test, set the STS action
// For other tests, don't set Action to avoid STS validation errors
if tt.name == "AWS4 signature with STS action in body" {
data.Set("Action", "AssumeRoleWithWebIdentity")
data.Set("WebIdentityToken", "test-token")
data.Set("RoleArn", "arn:aws:iam::123:role/test")
data.Set("RoleSessionName", "test-session")
}
req, _ := http.NewRequest("POST", "/"+tt.queryParams, strings.NewReader(data.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
if tt.authHeader != "" {
req.Header.Set("Authorization", tt.authHeader)
}
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
if tt.expectsIAM {
// Should route to IAM (400/403 for invalid sig)
// NOT 400 from STS (which would be missing Action parameter)
// We distinguish by checking it's NOT a generic 400 with empty body
assert.NotEqual(t, http.StatusServiceUnavailable, rr.Code, tt.description)
} else {
// Should route to STS fallback
// Can be 503 (service not initialized) or 400 (missing/invalid Action parameter)
assert.Contains(t, []int{http.StatusBadRequest, http.StatusServiceUnavailable}, rr.Code, tt.description)
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink