* Fix STS identity authorization by populating PolicyNames (#7985)
This commit fixes GitHub issue #7985 where STS-assumed identities
received empty identity.Actions, causing all S3 operations to be denied
even when the role had valid IAM policies attached.
Changes:
1. Populate PolicyNames field from sessionInfo.Policies in
validateSTSSessionToken() to enable IAM-based authorization for
STS identities
2. Fix bucket+objectKey path construction in canDo() method to include
proper slash separator between bucket and object key
3. Add comprehensive test suite to validate the fix and prevent
regression
The fix ensures that STS-assumed identities are properly authorized
through the IAM path when iamIntegration is available, allowing roles
with valid IAM policies to perform S3 operations as expected.
* Update STS identity tests to be more rigorous and use actual implementation path
* Fix regression in canDo() path concatenation
The previous fix blindly added a slash separator, which caused double
slashes when objectKey already started with a slash (common in existing
tests and some code paths). This broke TestCanDo and
TestObjectLevelListPermissions.
This commit updates the logic to only add the slash separator if
objectKey is not empty and does not already start with a slash.
This fixes the regressions while maintaining the fix for issue #7985.
* Refactor STS identity tests: extract helpers and simplify redundant logic
- Extracted setupTestSTSService and newTestIdentity helper functions
- Removed redundant if-else verification blocks that were already covered by assertions
- Cleaned up test cases to improve maintainability as suggested in code review.
* Add canDo() verification to STS identity tests
Address code review suggestion: verify that identities with empty
Actions correctly return false for canDo() checks, which confirms the
behavior that forces authorization to fall back to the IAM path.
* Simplify TestCanDoPathConstruction variable names
Rename expectedPath to fullPath and simplify logging/assertion logic
based on code review feedback.
* Refactor path construction and logging in canDo()
- Compute fullPath early and use it for logging to prevent double slashes
- Update TestCanDoPathConstruction to use robust path verification
- Add test case for objectKey with leading slash to ensure correct handling
see https://blog.aqwari.net/xml-schema-go/
1. go get aqwari.net/xml/cmd/xsdgen
2. Add EncodingType element for ListBucketResult in AmazonS3.xsd
3. xsdgen -o s3api_xsd_generated.go -pkg s3api AmazonS3.xsd
4. Remove empty Grantee struct in s3api_xsd_generated.go
5. Remove xmlns: sed s'/http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/\ //' s3api_xsd_generated.go
6432019d08