540fc97e00
* request_id: add shared request middleware
* s3err: preserve request ids in responses and logs
* iam: reuse request ids in XML responses
* sts: reuse request ids in XML responses
* request_id: drop legacy header fallback
* request_id: use AWS-style request id format
* iam: fix AWS-compatible XML format for ErrorResponse and field ordering
- ErrorResponse uses bare <RequestId> at root level instead of
<ResponseMetadata> wrapper, matching the AWS IAM error response spec
- Move CommonResponse to last field in success response structs so
<ResponseMetadata> serializes after result elements
- Add randomness to request ID generation to avoid collisions
- Add tests for XML ordering and ErrorResponse format
* iam: remove duplicate error_response_test.go
Test is already covered by responses_test.go.
* address PR review comments
- Guard against typed nil pointers in SetResponseRequestID before
interface assertion (CodeRabbit)
- Use regexp instead of strings.Index in test helpers for extracting
request IDs (Gemini)
* request_id: prevent spoofing, fix nil-error branch, thread reqID to error writers
- Ensure() now always generates a server-side ID, ignoring client-sent
x-amz-request-id headers to prevent request ID spoofing. Uses a
private context key (contextKey{}) instead of the header string.
- writeIamErrorResponse in both iamapi and embedded IAM now accepts
reqID as a parameter instead of calling Ensure() internally, ensuring
a single request ID per request lifecycle.
- The nil-iamError branch in writeIamErrorResponse now writes a 500
Internal Server Error response instead of returning silently.
- Updated tests to set request IDs via context (not headers) and added
tests for spoofing prevention and context reuse.
* sts: add request-id consistency assertions to ActionInBody tests
* test: update admin test to expect server-generated request IDs
The test previously sent a client x-amz-request-id header and expected
it echoed back. Since Ensure() now ignores client headers to prevent
spoofing, update the test to verify the server returns a non-empty
server-generated request ID instead.
* iam: add generic WithRequestID helper alongside reflection-based fallback
Add WithRequestID[T] that uses generics to take the address of a value
type, satisfying the pointer receiver on SetRequestId without reflection.
The existing SetResponseRequestID is kept for the two call sites that
operate on interface{} (from large action switches where the concrete
type varies at runtime). Generics cannot replace reflection there since
Go cannot infer type parameters from interface{}.
* Remove reflection and generics from request ID setting
Call SetRequestId directly on concrete response types in each switch
branch before boxing into interface{}, eliminating the need for
WithRequestID (generics) and SetResponseRequestID (reflection).
* iam: return pointer responses in action dispatch
* Fix IAM error handling consistency and ensure request IDs on all responses
- UpdateUser/CreatePolicy error branches: use writeIamErrorResponse instead
of s3err.WriteErrorResponse to preserve IAM formatting and request ID
- ExecuteAction: accept reqID parameter and generate one if empty, ensuring
every response carries a RequestId regardless of caller
* Clean up inline policies on DeleteUser and UpdateUser rename
DeleteUser: remove InlinePolicies[userName] from policy storage before
removing the identity, so policies are not orphaned.
UpdateUser: move InlinePolicies[userName] to InlinePolicies[newUserName]
when renaming, so GetUserPolicy/DeleteUserPolicy work under the new name.
Both operations persist the updated policies and return an error if
the storage write fails, preventing partial state.
172 lines
6.9 KiB
Go
172 lines
6.9 KiB
Go
package volume_server_http_test
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/seaweedfs/seaweedfs/test/volume_server/framework"
|
|
"github.com/seaweedfs/seaweedfs/test/volume_server/matrix"
|
|
"github.com/seaweedfs/seaweedfs/weed/util/request_id"
|
|
)
|
|
|
|
func TestAdminStatusAndHealthz(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("skipping integration test in short mode")
|
|
}
|
|
|
|
cluster := framework.StartSingleVolumeCluster(t, matrix.P1())
|
|
client := framework.NewHTTPClient()
|
|
|
|
statusReq, err := http.NewRequest(http.MethodGet, cluster.VolumeAdminURL()+"/status", nil)
|
|
if err != nil {
|
|
t.Fatalf("create status request: %v", err)
|
|
}
|
|
statusResp := framework.DoRequest(t, client, statusReq)
|
|
statusBody := framework.ReadAllAndClose(t, statusResp)
|
|
|
|
if statusResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("expected /status code 200, got %d, body: %s", statusResp.StatusCode, string(statusBody))
|
|
}
|
|
if got := statusResp.Header.Get("Server"); !strings.Contains(got, "SeaweedFS Volume") {
|
|
t.Fatalf("expected /status Server header to contain SeaweedFS Volume, got %q", got)
|
|
}
|
|
if got := statusResp.Header.Get(request_id.AmzRequestIDHeader); got == "" {
|
|
t.Fatal("expected server-generated request id in response header")
|
|
}
|
|
|
|
var payload map[string]interface{}
|
|
if err := json.Unmarshal(statusBody, &payload); err != nil {
|
|
t.Fatalf("decode status response: %v", err)
|
|
}
|
|
for _, field := range []string{"Version", "DiskStatuses", "Volumes"} {
|
|
if _, found := payload[field]; !found {
|
|
t.Fatalf("status payload missing field %q", field)
|
|
}
|
|
}
|
|
|
|
healthReq := mustNewRequest(t, http.MethodGet, cluster.VolumeAdminURL()+"/healthz")
|
|
healthResp := framework.DoRequest(t, client, healthReq)
|
|
_ = framework.ReadAllAndClose(t, healthResp)
|
|
if healthResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("expected /healthz code 200, got %d", healthResp.StatusCode)
|
|
}
|
|
if got := healthResp.Header.Get("Server"); !strings.Contains(got, "SeaweedFS Volume") {
|
|
t.Fatalf("expected /healthz Server header to contain SeaweedFS Volume, got %q", got)
|
|
}
|
|
if got := healthResp.Header.Get(request_id.AmzRequestIDHeader); got == "" {
|
|
t.Fatal("expected /healthz server-generated request id in response header")
|
|
}
|
|
|
|
uiResp := framework.DoRequest(t, client, mustNewRequest(t, http.MethodGet, cluster.VolumeAdminURL()+"/ui/index.html"))
|
|
uiBody := framework.ReadAllAndClose(t, uiResp)
|
|
if uiResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("expected /ui/index.html code 200, got %d, body: %s", uiResp.StatusCode, string(uiBody))
|
|
}
|
|
if !strings.Contains(strings.ToLower(string(uiBody)), "volume") {
|
|
t.Fatalf("ui page does not look like volume status page")
|
|
}
|
|
}
|
|
|
|
func TestOptionsMethodsByPort(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("skipping integration test in short mode")
|
|
}
|
|
|
|
cluster := framework.StartSingleVolumeCluster(t, matrix.P2())
|
|
client := framework.NewHTTPClient()
|
|
|
|
adminResp := framework.DoRequest(t, client, mustNewRequest(t, http.MethodOptions, cluster.VolumeAdminURL()+"/"))
|
|
_ = framework.ReadAllAndClose(t, adminResp)
|
|
if adminResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("admin OPTIONS expected 200, got %d", adminResp.StatusCode)
|
|
}
|
|
adminAllowed := adminResp.Header.Get("Access-Control-Allow-Methods")
|
|
for _, expected := range []string{"PUT", "POST", "GET", "DELETE", "OPTIONS"} {
|
|
if !strings.Contains(adminAllowed, expected) {
|
|
t.Fatalf("admin allow methods missing %q, got %q", expected, adminAllowed)
|
|
}
|
|
}
|
|
if adminResp.Header.Get("Access-Control-Allow-Headers") != "*" {
|
|
t.Fatalf("admin allow headers expected '*', got %q", adminResp.Header.Get("Access-Control-Allow-Headers"))
|
|
}
|
|
|
|
publicResp := framework.DoRequest(t, client, mustNewRequest(t, http.MethodOptions, cluster.VolumePublicURL()+"/"))
|
|
_ = framework.ReadAllAndClose(t, publicResp)
|
|
if publicResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("public OPTIONS expected 200, got %d", publicResp.StatusCode)
|
|
}
|
|
publicAllowed := publicResp.Header.Get("Access-Control-Allow-Methods")
|
|
if !strings.Contains(publicAllowed, "GET") || !strings.Contains(publicAllowed, "OPTIONS") {
|
|
t.Fatalf("public allow methods expected GET and OPTIONS, got %q", publicAllowed)
|
|
}
|
|
if strings.Contains(publicAllowed, "POST") {
|
|
t.Fatalf("public allow methods should not include POST, got %q", publicAllowed)
|
|
}
|
|
if publicResp.Header.Get("Access-Control-Allow-Headers") != "*" {
|
|
t.Fatalf("public allow headers expected '*', got %q", publicResp.Header.Get("Access-Control-Allow-Headers"))
|
|
}
|
|
}
|
|
|
|
func TestOptionsWithOriginIncludesCorsHeaders(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("skipping integration test in short mode")
|
|
}
|
|
|
|
cluster := framework.StartSingleVolumeCluster(t, matrix.P2())
|
|
client := framework.NewHTTPClient()
|
|
|
|
adminReq := mustNewRequest(t, http.MethodOptions, cluster.VolumeAdminURL()+"/")
|
|
adminReq.Header.Set("Origin", "https://example.com")
|
|
adminResp := framework.DoRequest(t, client, adminReq)
|
|
_ = framework.ReadAllAndClose(t, adminResp)
|
|
if adminResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("admin OPTIONS expected 200, got %d", adminResp.StatusCode)
|
|
}
|
|
if adminResp.Header.Get("Access-Control-Allow-Origin") != "*" {
|
|
t.Fatalf("admin OPTIONS expected Access-Control-Allow-Origin=*, got %q", adminResp.Header.Get("Access-Control-Allow-Origin"))
|
|
}
|
|
if adminResp.Header.Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("admin OPTIONS expected Access-Control-Allow-Credentials=true, got %q", adminResp.Header.Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
|
|
publicReq := mustNewRequest(t, http.MethodOptions, cluster.VolumePublicURL()+"/")
|
|
publicReq.Header.Set("Origin", "https://example.com")
|
|
publicResp := framework.DoRequest(t, client, publicReq)
|
|
_ = framework.ReadAllAndClose(t, publicResp)
|
|
if publicResp.StatusCode != http.StatusOK {
|
|
t.Fatalf("public OPTIONS expected 200, got %d", publicResp.StatusCode)
|
|
}
|
|
if publicResp.Header.Get("Access-Control-Allow-Origin") != "*" {
|
|
t.Fatalf("public OPTIONS expected Access-Control-Allow-Origin=*, got %q", publicResp.Header.Get("Access-Control-Allow-Origin"))
|
|
}
|
|
if publicResp.Header.Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("public OPTIONS expected Access-Control-Allow-Credentials=true, got %q", publicResp.Header.Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
}
|
|
|
|
func TestUiIndexNotExposedWhenJwtSigningEnabled(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("skipping integration test in short mode")
|
|
}
|
|
|
|
cluster := framework.StartSingleVolumeCluster(t, matrix.P3())
|
|
client := framework.NewHTTPClient()
|
|
|
|
resp := framework.DoRequest(t, client, mustNewRequest(t, http.MethodGet, cluster.VolumeAdminURL()+"/ui/index.html"))
|
|
body := framework.ReadAllAndClose(t, resp)
|
|
if resp.StatusCode != http.StatusUnauthorized {
|
|
t.Fatalf("expected /ui/index.html to be gated by auth under JWT profile (401), got %d body=%s", resp.StatusCode, string(body))
|
|
}
|
|
}
|
|
|
|
func mustNewRequest(t testing.TB, method, url string) *http.Request {
|
|
t.Helper()
|
|
req, err := http.NewRequest(method, url, nil)
|
|
if err != nil {
|
|
t.Fatalf("create request %s %s: %v", method, url, err)
|
|
}
|
|
return req
|
|
}
|