gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b8df39cf7a3a809c74abc01dd92575c3426ce36
seaweedFS/test/s3/cors
History
Chris Lu 0d8588e3ae S3: Implement IAM defaults and STS signing key fallback (#8348) 
* S3: Implement IAM defaults and STS signing key fallback logic

* S3: Refactor startup order to init SSE-S3 key manager before IAM

* S3: Derive STS signing key from KEK using HKDF for security isolation

* S3: Document STS signing key fallback in security.toml

* fix(s3api): refine anonymous access logic and secure-by-default behavior

- Initialize anonymous identity by default in `NewIdentityAccessManagement` to prevent nil pointer exceptions.
- Ensure `ReplaceS3ApiConfiguration` preserves the anonymous identity if not present in the new configuration.
- Update `NewIdentityAccessManagement` signature to accept `filerClient`.
- In legacy mode (no policy engine), anonymous defaults to Deny (no actions), preserving secure-by-default behavior.
- Use specific `LookupAnonymous` method instead of generic map lookup.
- Update tests to accommodate signature changes and verify improved anonymous handling.

* feat(s3api): make IAM configuration optional

- Start S3 API server without a configuration file if `EnableIam` option is set.
- Default to `Allow` effect for policy engine when no configuration is provided (Zero-Config mode).
- Handle empty configuration path gracefully in `loadIAMManagerFromConfig`.
- Add integration test `iam_optional_test.go` to verify empty config behavior.

* fix(iamapi): fix signature mismatch in NewIdentityAccessManagementWithStore

* fix(iamapi): properly initialize FilerClient instead of passing nil

* fix(iamapi): properly initialize filer client for IAM management

- Instead of passing `nil`, construct a `wdclient.FilerClient` using the provided `Filers` addresses.
- Ensure `NewIdentityAccessManagementWithStore` receives a valid `filerClient` to avoid potential nil pointer dereferences or limited functionality.

* clean: remove dead code in s3api_server.go

* refactor(s3api): improve IAM initialization, safety and anonymous access security

* fix(s3api): ensure IAM config loads from filer after client init

* fix(s3): resolve test failures in integration, CORS, and tagging tests

- Fix CORS tests by providing explicit anonymous permissions config
- Fix S3 integration tests by setting admin credentials in init
- Align tagging test credentials in CI with IAM defaults
- Added goroutine to retry IAM config load in iamapi server

* fix(s3): allow anonymous access to health targets and S3 Tables when identities are present

* fix(ci): use /healthz for Caddy health check in awscli tests

* iam, s3api: expose DefaultAllow from IAM and Policy Engine

This allows checking the global "Open by Default" configuration from
other components like S3 Tables.

* s3api/s3tables: support DefaultAllow in permission logic and handler

Updated CheckPermissionWithContext to respect the DefaultAllow flag
in PolicyContext. This enables "Open by Default" behavior for
unauthenticated access in zero-config environments. Added a targeted
unit test to verify the logic.

* s3api/s3tables: propagate DefaultAllow through handlers

Propagated the DefaultAllow flag to individual handlers for
namespaces, buckets, tables, policies, and tagging. This ensures
consistent "Open by Default" behavior across all S3 Tables API
endpoints.

* s3api: wire up DefaultAllow for S3 Tables API initialization

Updated registerS3TablesRoutes to query the global IAM configuration
and set the DefaultAllow flag on the S3 Tables API server. This
completes the end-to-end propagation required for anonymous access in
zero-config environments. Added a SetDefaultAllow method to
S3TablesApiServer to facilitate this.

* s3api: fix tests by adding DefaultAllow to mock IAM integrations

The IAMIntegration interface was updated to include DefaultAllow(),
breaking several mock implementations in tests. This commit fixes
the build errors by adding the missing method to the mocks.

* env

* ensure ports

* env

* env

* fix default allow

* add one more test using non-anonymous user

* debug

* add more debug

* less logs
2026-02-16 13:59:13 -08:00
..
Makefile
S3: Implement IAM defaults and STS signing key fallback (#8348)
2026-02-16 13:59:13 -08:00
README.md
adding cors support (#6987)
2025-07-15 00:23:54 -07:00
s3_cors_http_test.go
S3: add fallback for CORS (#7404)
2025-10-29 13:43:27 -07:00
s3_cors_test.go
fix listing objects (#7008)
2025-07-22 01:07:15 -07:00
s3_test_config.json
S3: Implement IAM defaults and STS signing key fallback (#8348)
2026-02-16 13:59:13 -08:00

README.md

CORS Integration Tests for SeaweedFS S3 API

This directory contains comprehensive integration tests for the CORS (Cross-Origin Resource Sharing) functionality in SeaweedFS S3 API.

Overview

The CORS integration tests validate the complete CORS implementation including:

  • CORS configuration management (PUT/GET/DELETE)
  • CORS rule validation
  • CORS middleware behavior
  • Caching functionality
  • Error handling
  • Real-world CORS scenarios

Prerequisites

  1. Go 1.19+: For building SeaweedFS and running tests
  2. Network Access: Tests use localhost:8333 by default
  3. System Dependencies: curl and netstat for health checks

Quick Start

The tests now automatically start their own SeaweedFS server, so you don't need to manually start one.

1. Run All Tests with Managed Server

# Run all tests with automatic server management
make test-with-server

# Run core CORS tests only
make test-cors-quick

# Run comprehensive CORS tests
make test-cors-comprehensive

2. Manual Server Management

If you prefer to manage the server manually:

# Start server
make start-server

# Run tests (assuming server is running)
make test-cors-simple

# Stop server
make stop-server

3. Individual Test Categories

# Run specific test types
make test-basic-cors           # Basic CORS configuration
make test-preflight-cors       # Preflight OPTIONS requests
make test-actual-cors          # Actual CORS request handling
make test-origin-matching      # Origin matching logic
make test-header-matching      # Header matching logic
make test-method-matching      # Method matching logic
make test-multiple-rules       # Multiple CORS rules
make test-validation           # CORS validation
make test-caching              # CORS caching behavior
make test-error-handling       # Error handling

Test Server Management

The tests use a comprehensive server management system similar to other SeaweedFS integration tests:

Server Configuration

  • S3 Port: 8333 (configurable via S3_PORT)
  • Master Port: 9333
  • Volume Port: 8080
  • Filer Port: 8888
  • Metrics Port: 9324
  • Data Directory: ./test-volume-data (auto-created)
  • Log File: weed-test.log

Server Lifecycle

  1. Build: Automatically builds ../../../weed/weed_binary
  2. Start: Launches SeaweedFS with S3 API enabled
  3. Health Check: Waits up to 90 seconds for server to be ready
  4. Test: Runs the requested tests
  5. Stop: Gracefully shuts down the server
  6. Cleanup: Removes temporary files and data

Available Commands

# Server management
make start-server              # Start SeaweedFS server
make stop-server               # Stop SeaweedFS server
make health-check              # Check server health
make logs                      # View server logs

# Test execution
make test-with-server          # Full test cycle with server management
make test-cors-simple          # Run tests without server management
make test-cors-quick           # Run core tests only
make test-cors-comprehensive   # Run all tests

# Development
make dev-start                 # Start server for development
make dev-test                  # Run development tests
make build-weed                # Build SeaweedFS binary
make check-deps                # Check dependencies

# Maintenance
make clean                     # Clean up all artifacts
make coverage                  # Generate coverage report
make fmt                       # Format code
make lint                      # Run linter

Test Configuration

Default Configuration

The tests use these default settings (configurable via environment variables):

WEED_BINARY=../../../weed/weed_binary
S3_PORT=8333
TEST_TIMEOUT=10m
TEST_PATTERN=TestCORS

Configuration File

The test_config.json file contains S3 client configuration:

{
  "endpoint": "http://localhost:8333",
  "access_key": "some_access_key1",
  "secret_key": "some_secret_key1",
  "region": "us-east-1",
  "bucket_prefix": "test-cors-",
  "use_ssl": false,
  "skip_verify_ssl": true
}

Troubleshooting

Compilation Issues

If you encounter compilation errors, the most common issues are:

  1. AWS SDK v2 Type Mismatches: The MaxAgeSeconds field in types.CORSRule expects int32, not *int32. Use direct values like 3600 instead of aws.Int32(3600).

  2. Field Name Issues: The GetBucketCorsOutput type has a CORSRules field directly, not a CORSConfiguration field.

Example fix:

// ❌ Incorrect
MaxAgeSeconds: aws.Int32(3600),
assert.Len(t, getResp.CORSConfiguration.CORSRules, 1)

// ✅ Correct
MaxAgeSeconds: 3600,
assert.Len(t, getResp.CORSRules, 1)

Server Issues

  1. Server Won't Start

    # Check for port conflicts
netstat -tlnp | grep 8333

# View server logs
make logs

# Force cleanup
make clean

  2. Test Failures

    # Run with server management
make test-with-server

# Run specific test
make test-basic-cors

# Check server health
make health-check

  3. Connection Issues

    # Verify server is running
curl -s http://localhost:8333

# Check server logs
tail -f weed-test.log

Performance Issues

If tests are slow or timing out:

# Increase timeout
export TEST_TIMEOUT=30m
make test-with-server

# Run quick tests only
make test-cors-quick

# Check server resources
make debug-status

Test Coverage

Core Functionality Tests

1. CORS Configuration Management (TestCORSConfigurationManagement)

  • PUT CORS configuration
  • GET CORS configuration
  • DELETE CORS configuration
  • Configuration updates
  • Error handling for non-existent configurations

2. Multiple CORS Rules (TestCORSMultipleRules)

  • Multiple rules in single configuration
  • Rule precedence and ordering
  • Complex rule combinations

3. CORS Validation (TestCORSValidation)

  • Invalid HTTP methods
  • Empty origins validation
  • Negative MaxAge validation
  • Rule limit validation

4. Wildcard Support (TestCORSWithWildcards)

  • Wildcard origins (*, https://*.example.com)
  • Wildcard headers (*)
  • Wildcard expose headers

5. Rule Limits (TestCORSRuleLimit)

  • Maximum 100 rules per configuration
  • Rule limit enforcement
  • Large configuration handling

6. Error Handling (TestCORSErrorHandling)

  • Non-existent bucket operations
  • Invalid configurations
  • Malformed requests

HTTP-Level Tests

1. Preflight Requests (TestCORSPreflightRequest)

  • OPTIONS request handling
  • CORS headers in preflight responses
  • Access-Control-Request-Method validation
  • Access-Control-Request-Headers validation

2. Actual Requests (TestCORSActualRequest)

  • CORS headers in actual responses
  • Origin validation for real requests
  • Proper expose headers handling

3. Origin Matching (TestCORSOriginMatching)

  • Exact origin matching
  • Wildcard origin matching (*)
  • Subdomain wildcard matching (https://*.example.com)
  • Non-matching origins (should be rejected)

4. Header Matching (TestCORSHeaderMatching)

  • Wildcard header matching (*)
  • Specific header matching
  • Case-insensitive matching
  • Disallowed headers

5. Method Matching (TestCORSMethodMatching)

  • Allowed methods verification
  • Disallowed methods rejection
  • Method-specific CORS behavior

6. Multiple Rules (TestCORSMultipleRulesMatching)

  • Rule precedence and selection
  • Multiple rules with different configurations
  • Complex rule interactions

Integration Tests

1. Caching (TestCORSCaching)

  • CORS configuration caching
  • Cache invalidation
  • Cache performance

2. Object Operations (TestCORSObjectOperations)

  • CORS with actual S3 operations
  • PUT/GET/DELETE objects with CORS
  • CORS headers in object responses

3. Without Configuration (TestCORSWithoutConfiguration)

  • Behavior when no CORS configuration exists
  • Default CORS behavior
  • Graceful degradation

Development

Running Tests During Development

# Start server for development
make dev-start

# Run quick test
make dev-test

# View logs in real-time
make logs

Adding New Tests

  1. Follow the existing naming convention (TestCORSXxxYyy)
  2. Use the helper functions (getS3Client, createTestBucket, etc.)
  3. Add cleanup with defer cleanupTestBucket(t, client, bucketName)
  4. Include proper error checking with require.NoError(t, err)
  5. Use assertions with assert.Equal(t, expected, actual)
  6. Add the test to the appropriate Makefile target

Code Quality

# Format code
make fmt

# Run linter
make lint

# Generate coverage report
make coverage

Performance Notes

  • Tests create and destroy buckets for each test case
  • Large configuration tests may take several minutes
  • Server startup typically takes 15-30 seconds
  • Tests run in parallel where possible for efficiency

Integration with SeaweedFS

These tests validate the CORS implementation in:

  • weed/s3api/cors/ - Core CORS package
  • weed/s3api/s3api_bucket_cors_handlers.go - HTTP handlers
  • weed/s3api/s3api_server.go - Router integration
  • weed/s3api/s3api_bucket_config.go - Configuration management

The tests ensure AWS S3 API compatibility and proper CORS behavior across all supported scenarios.

Reference in New Issue View Git Blame Copy Permalink