gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
82dac3df03a82e8de1763ca95da2cab87b983436
seaweedFS/weed/s3api/s3api_embedded_iam_test.go
Chris Lu 99a2e79efc fix: authenticate before parsing form in IAM API (#7803) 
fix: authenticate before parsing form in IAM API (#7802)

The AuthIam middleware was calling ParseForm() before AuthSignatureOnly(),
which consumed the request body before signature verification could hash it.

For IAM requests (service != 's3'), the signature verification needs to hash
the request body. When ParseForm() was called first, the body was already
consumed, resulting in an empty body hash and SignatureDoesNotMatch error.

The fix moves authentication before form parsing. The streamHashRequestBody
function preserves the body after reading, so ParseForm() works correctly
after authentication.

Fixes #7802
2025-12-17 01:06:43 -08:00

1665 lines
52 KiB
Go
Raw Blame History

package s3api
import (
"encoding/json"
"encoding/xml"
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"sync"
"testing"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/gorilla/mux"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/stretchr/testify/assert"
"google.golang.org/protobuf/proto"
)
// EmbeddedIamApiForTest is a testable version of EmbeddedIamApi
type EmbeddedIamApiForTest struct {
*EmbeddedIamApi
mockConfig *iam_pb.S3ApiConfiguration
}
func NewEmbeddedIamApiForTest() *EmbeddedIamApiForTest {
e := &EmbeddedIamApiForTest{
EmbeddedIamApi: &EmbeddedIamApi{
iam: &IdentityAccessManagement{},
},
mockConfig: &iam_pb.S3ApiConfiguration{},
}
return e
}
// Override GetS3ApiConfiguration for testing
func (e *EmbeddedIamApiForTest) GetS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
// Use proto.Clone for proper deep copy semantics
if e.mockConfig != nil {
cloned := proto.Clone(e.mockConfig).(*iam_pb.S3ApiConfiguration)
proto.Merge(s3cfg, cloned)
}
return nil
}
// Override PutS3ApiConfiguration for testing
func (e *EmbeddedIamApiForTest) PutS3ApiConfiguration(s3cfg *iam_pb.S3ApiConfiguration) error {
// Use proto.Clone for proper deep copy semantics
e.mockConfig = proto.Clone(s3cfg).(*iam_pb.S3ApiConfiguration)
return nil
}
// DoActions handles IAM API actions for testing
func (e *EmbeddedIamApiForTest) DoActions(w http.ResponseWriter, r *http.Request) {
if err := r.ParseForm(); err != nil {
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
values := r.PostForm
s3cfg := &iam_pb.S3ApiConfiguration{}
if err := e.GetS3ApiConfiguration(s3cfg); err != nil {
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
var response interface{}
var iamErr *iamError
changed := true
switch r.Form.Get("Action") {
case "ListUsers":
response = e.ListUsers(s3cfg, values)
changed = false
case "ListAccessKeys":
e.handleImplicitUsername(r, values)
response = e.ListAccessKeys(s3cfg, values)
changed = false
case "CreateUser":
response, iamErr = e.CreateUser(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
case "GetUser":
userName := values.Get("UserName")
response, iamErr = e.GetUser(s3cfg, userName)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
changed = false
case "UpdateUser":
response, iamErr = e.UpdateUser(s3cfg, values)
if iamErr != nil {
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
case "DeleteUser":
userName := values.Get("UserName")
response, iamErr = e.DeleteUser(s3cfg, userName)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
case "CreateAccessKey":
e.handleImplicitUsername(r, values)
response, iamErr = e.CreateAccessKey(s3cfg, values)
if iamErr != nil {
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
case "DeleteAccessKey":
e.handleImplicitUsername(r, values)
response = e.DeleteAccessKey(s3cfg, values)
case "CreatePolicy":
response, iamErr = e.CreatePolicy(s3cfg, values)
if iamErr != nil {
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
case "PutUserPolicy":
response, iamErr = e.PutUserPolicy(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
case "GetUserPolicy":
response, iamErr = e.GetUserPolicy(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
changed = false
case "DeleteUserPolicy":
response, iamErr = e.DeleteUserPolicy(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
case "SetUserStatus":
response, iamErr = e.SetUserStatus(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
case "UpdateAccessKey":
e.handleImplicitUsername(r, values)
response, iamErr = e.UpdateAccessKey(s3cfg, values)
if iamErr != nil {
e.writeIamErrorResponse(w, r, iamErr)
return
}
default:
http.Error(w, "Not implemented", http.StatusNotImplemented)
return
}
if changed {
if err := e.PutS3ApiConfiguration(s3cfg); err != nil {
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
}
w.Header().Set("Content-Type", "application/xml")
w.WriteHeader(http.StatusOK)
xmlBytes, err := xml.Marshal(response)
if err != nil {
// This should not happen in tests, but log it for debugging
http.Error(w, "Internal error: failed to marshal response", http.StatusInternalServerError)
return
}
_, _ = w.Write(xmlBytes)
}
// executeEmbeddedIamRequest executes an IAM request against the given API instance.
// If v is non-nil, the response body is unmarshalled into it.
func executeEmbeddedIamRequest(api *EmbeddedIamApiForTest, req *http.Request, v interface{}) (*httptest.ResponseRecorder, error) {
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
if v != nil {
if err := xml.Unmarshal(rr.Body.Bytes(), v); err != nil {
return rr, err
}
}
return rr, nil
}
// embeddedIamErrorResponseForTest is used for parsing IAM error responses in tests
type embeddedIamErrorResponseForTest struct {
Error struct {
Code string `xml:"Code"`
Message string `xml:"Message"`
} `xml:"Error"`
}
func extractEmbeddedIamErrorCodeAndMessage(response *httptest.ResponseRecorder) (string, string) {
var er embeddedIamErrorResponseForTest
if err := xml.Unmarshal(response.Body.Bytes(), &er); err != nil {
return "", ""
}
return er.Error.Code, er.Error.Message
}
// TestEmbeddedIamCreateUser tests creating a user via the embedded IAM API
func TestEmbeddedIamCreateUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
userName := aws.String("TestUser")
params := &iam.CreateUserInput{UserName: userName}
req, _ := iam.New(session.New()).CreateUserRequest(params)
_ = req.Build()
out := iamCreateUserResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify response contains correct username
assert.NotNil(t, out.CreateUserResult.User.UserName)
assert.Equal(t, "TestUser", *out.CreateUserResult.User.UserName)
// Verify user was persisted in config
assert.Len(t, api.mockConfig.Identities, 1)
assert.Equal(t, "TestUser", api.mockConfig.Identities[0].Name)
}
// TestEmbeddedIamListUsers tests listing users via the embedded IAM API
func TestEmbeddedIamListUsers(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "User1"},
{Name: "User2"},
},
}
params := &iam.ListUsersInput{}
req, _ := iam.New(session.New()).ListUsersRequest(params)
_ = req.Build()
out := iamListUsersResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify response contains the users
assert.Len(t, out.ListUsersResult.Users, 2)
}
// TestEmbeddedIamListAccessKeys tests listing access keys via the embedded IAM API
func TestEmbeddedIamListAccessKeys(t *testing.T) {
api := NewEmbeddedIamApiForTest()
svc := iam.New(session.New())
params := &iam.ListAccessKeysInput{}
req, _ := svc.ListAccessKeysRequest(params)
_ = req.Build()
out := iamListAccessKeysResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
}
// TestEmbeddedIamGetUser tests getting a user via the embedded IAM API
func TestEmbeddedIamGetUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser"},
},
}
userName := aws.String("TestUser")
params := &iam.GetUserInput{UserName: userName}
req, _ := iam.New(session.New()).GetUserRequest(params)
_ = req.Build()
out := iamGetUserResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify response contains correct username
assert.NotNil(t, out.GetUserResult.User.UserName)
assert.Equal(t, "TestUser", *out.GetUserResult.User.UserName)
}
// TestEmbeddedIamCreatePolicy tests creating a policy via the embedded IAM API
func TestEmbeddedIamCreatePolicy(t *testing.T) {
api := NewEmbeddedIamApiForTest()
params := &iam.CreatePolicyInput{
PolicyName: aws.String("S3-read-only-example-bucket"),
PolicyDocument: aws.String(`
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::EXAMPLE-BUCKET",
"arn:aws:s3:::EXAMPLE-BUCKET/*"
]
}
]
}`),
}
req, _ := iam.New(session.New()).CreatePolicyRequest(params)
_ = req.Build()
out := iamCreatePolicyResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify response contains policy metadata
assert.NotNil(t, out.CreatePolicyResult.Policy.PolicyName)
assert.Equal(t, "S3-read-only-example-bucket", *out.CreatePolicyResult.Policy.PolicyName)
assert.NotNil(t, out.CreatePolicyResult.Policy.Arn)
assert.NotNil(t, out.CreatePolicyResult.Policy.PolicyId)
}
// TestEmbeddedIamPutUserPolicy tests attaching a policy to a user
func TestEmbeddedIamPutUserPolicy(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser"},
},
}
userName := aws.String("TestUser")
params := &iam.PutUserPolicyInput{
UserName: userName,
PolicyName: aws.String("S3-read-only-example-bucket"),
PolicyDocument: aws.String(
`{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::EXAMPLE-BUCKET",
"arn:aws:s3:::EXAMPLE-BUCKET/*"
]
}
]
}`),
}
req, _ := iam.New(session.New()).PutUserPolicyRequest(params)
_ = req.Build()
out := iamPutUserPolicyResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify policy was attached to the user (actions should be set)
assert.Len(t, api.mockConfig.Identities, 1)
assert.NotEmpty(t, api.mockConfig.Identities[0].Actions)
}
// TestEmbeddedIamPutUserPolicyError tests error handling when user doesn't exist
func TestEmbeddedIamPutUserPolicyError(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
userName := aws.String("InvalidUser")
params := &iam.PutUserPolicyInput{
UserName: userName,
PolicyName: aws.String("S3-read-only-example-bucket"),
PolicyDocument: aws.String(
`{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::EXAMPLE-BUCKET",
"arn:aws:s3:::EXAMPLE-BUCKET/*"
]
}
]
}`),
}
req, _ := iam.New(session.New()).PutUserPolicyRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusNotFound, response.Code)
expectedCode := "NoSuchEntity"
code, _ := extractEmbeddedIamErrorCodeAndMessage(response)
assert.Equal(t, expectedCode, code)
}
// TestEmbeddedIamGetUserPolicy tests getting a user's policy
func TestEmbeddedIamGetUserPolicy(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Actions: []string{"Read", "List"},
},
},
}
userName := aws.String("TestUser")
params := &iam.GetUserPolicyInput{
UserName: userName,
PolicyName: aws.String("S3-read-only-example-bucket"),
}
req, _ := iam.New(session.New()).GetUserPolicyRequest(params)
_ = req.Build()
out := iamGetUserPolicyResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
}
// TestEmbeddedIamDeleteUserPolicy tests deleting a user's policy (clears actions)
func TestEmbeddedIamDeleteUserPolicy(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Actions: []string{"Read", "Write", "List"},
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST12345", SecretKey: "secret"},
},
},
},
}
// Use direct form post for DeleteUserPolicy
form := url.Values{}
form.Set("Action", "DeleteUserPolicy")
form.Set("UserName", "TestUser")
form.Set("PolicyName", "TestPolicy")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// CRITICAL: Verify user still exists (was NOT deleted)
assert.Len(t, api.mockConfig.Identities, 1, "User should NOT be deleted")
assert.Equal(t, "TestUser", api.mockConfig.Identities[0].Name)
// Verify credentials are still intact
assert.Len(t, api.mockConfig.Identities[0].Credentials, 1, "Credentials should NOT be deleted")
assert.Equal(t, "AKIATEST12345", api.mockConfig.Identities[0].Credentials[0].AccessKey)
// Verify actions/policy was cleared
assert.Nil(t, api.mockConfig.Identities[0].Actions, "Actions should be cleared")
}
// TestEmbeddedIamDeleteUserPolicyUserNotFound tests error when user doesn't exist
func TestEmbeddedIamDeleteUserPolicyUserNotFound(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
form := url.Values{}
form.Set("Action", "DeleteUserPolicy")
form.Set("UserName", "NonExistentUser")
form.Set("PolicyName", "TestPolicy")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusNotFound, rr.Code)
}
// TestEmbeddedIamUpdateUser tests updating a user
func TestEmbeddedIamUpdateUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser"},
},
}
userName := aws.String("TestUser")
newUserName := aws.String("TestUser-New")
params := &iam.UpdateUserInput{NewUserName: newUserName, UserName: userName}
req, _ := iam.New(session.New()).UpdateUserRequest(params)
_ = req.Build()
out := iamUpdateUserResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
}
// TestEmbeddedIamDeleteUser tests deleting a user
func TestEmbeddedIamDeleteUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser-New"},
},
}
userName := aws.String("TestUser-New")
params := &iam.DeleteUserInput{UserName: userName}
req, _ := iam.New(session.New()).DeleteUserRequest(params)
_ = req.Build()
out := iamDeleteUserResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
}
// TestEmbeddedIamCreateAccessKey tests creating an access key
func TestEmbeddedIamCreateAccessKey(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser"},
},
}
userName := aws.String("TestUser")
params := &iam.CreateAccessKeyInput{UserName: userName}
req, _ := iam.New(session.New()).CreateAccessKeyRequest(params)
_ = req.Build()
out := iamCreateAccessKeyResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify response contains access key credentials
assert.NotNil(t, out.CreateAccessKeyResult.AccessKey.AccessKeyId)
assert.NotEmpty(t, *out.CreateAccessKeyResult.AccessKey.AccessKeyId)
assert.NotNil(t, out.CreateAccessKeyResult.AccessKey.SecretAccessKey)
assert.NotEmpty(t, *out.CreateAccessKeyResult.AccessKey.SecretAccessKey)
assert.NotNil(t, out.CreateAccessKeyResult.AccessKey.UserName)
assert.Equal(t, "TestUser", *out.CreateAccessKeyResult.AccessKey.UserName)
// Verify credentials were persisted
assert.Len(t, api.mockConfig.Identities[0].Credentials, 1)
}
// TestEmbeddedIamDeleteAccessKey tests deleting an access key via direct form post
func TestEmbeddedIamDeleteAccessKey(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST12345", SecretKey: "secret"},
},
},
},
}
// Use direct form post since AWS SDK may format differently
form := url.Values{}
form.Set("Action", "DeleteAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "AKIATEST12345")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify the access key was deleted
assert.Len(t, api.mockConfig.Identities[0].Credentials, 0)
}
// TestEmbeddedIamHandleImplicitUsername tests implicit username extraction from authorization header
func TestEmbeddedIamHandleImplicitUsername(t *testing.T) {
// Create IAM with test credentials - the handleImplicitUsername function now looks
// up the username from the credential store based on AccessKeyId
// Note: Using obviously fake access keys to avoid secret scanner false positives
iam := &IdentityAccessManagement{}
testConfig := &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "testuser1",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATESTFAKEKEY000001", SecretKey: "testsecretfake"},
},
},
},
}
err := iam.LoadS3ApiConfigurationFromBytes(mustMarshalJSON(testConfig))
if err != nil {
t.Fatalf("Failed to load test config: %v", err)
}
embeddedApi := &EmbeddedIamApi{
iam: iam,
}
var tests = []struct {
r *http.Request
values url.Values
userName string
}{
// No authorization header - should not set username
{&http.Request{}, url.Values{}, ""},
// Valid auth header with known access key - should look up and find "testuser1"
{&http.Request{Header: http.Header{"Authorization": []string{"AWS4-HMAC-SHA256 Credential=AKIATESTFAKEKEY000001/20220420/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=fakesignature0123456789abcdef"}}}, url.Values{}, "testuser1"},
// Malformed auth header (no Credential=) - should not set username
{&http.Request{Header: http.Header{"Authorization": []string{"AWS4-HMAC-SHA256 =AKIATESTFAKEKEY000001/20220420/test1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=fakesignature0123456789abcdef"}}}, url.Values{}, ""},
// Unknown access key - should not set username
{&http.Request{Header: http.Header{"Authorization": []string{"AWS4-HMAC-SHA256 Credential=AKIATESTUNKNOWN000000/20220420/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=fakesignature0123456789abcdef"}}}, url.Values{}, ""},
}
for i, test := range tests {
embeddedApi.handleImplicitUsername(test.r, test.values)
if un := test.values.Get("UserName"); un != test.userName {
t.Errorf("No.%d: Got: %v, Expected: %v", i, un, test.userName)
}
}
}
func mustMarshalJSON(v interface{}) []byte {
data, err := json.Marshal(v)
if err != nil {
panic(err)
}
return data
}
// TestEmbeddedIamFullWorkflow tests a complete user lifecycle
func TestEmbeddedIamFullWorkflow(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
// 1. Create user
t.Run("CreateUser", func(t *testing.T) {
userName := aws.String("WorkflowUser")
params := &iam.CreateUserInput{UserName: userName}
req, _ := iam.New(session.New()).CreateUserRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
})
// 2. Create access key for user
t.Run("CreateAccessKey", func(t *testing.T) {
userName := aws.String("WorkflowUser")
params := &iam.CreateAccessKeyInput{UserName: userName}
req, _ := iam.New(session.New()).CreateAccessKeyRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
})
// 3. Attach policy to user
t.Run("PutUserPolicy", func(t *testing.T) {
params := &iam.PutUserPolicyInput{
UserName: aws.String("WorkflowUser"),
PolicyName: aws.String("ReadWritePolicy"),
PolicyDocument: aws.String(`{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:Put*"],
"Resource": ["arn:aws:s3:::*"]
}]
}`),
}
req, _ := iam.New(session.New()).PutUserPolicyRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
})
// 4. List users to verify
t.Run("ListUsers", func(t *testing.T) {
params := &iam.ListUsersInput{}
req, _ := iam.New(session.New()).ListUsersRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
})
// 5. Delete user
t.Run("DeleteUser", func(t *testing.T) {
params := &iam.DeleteUserInput{UserName: aws.String("WorkflowUser")}
req, _ := iam.New(session.New()).DeleteUserRequest(params)
_ = req.Build()
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
})
}
// TestIamStringSlicesEqual tests the iamStringSlicesEqual helper function
func TestIamStringSlicesEqual(t *testing.T) {
tests := []struct {
name string
a []string
b []string
expected bool
}{
{"both empty", []string{}, []string{}, true},
{"both nil", nil, nil, true},
{"same elements same order", []string{"a", "b", "c"}, []string{"a", "b", "c"}, true},
{"same elements different order", []string{"c", "a", "b"}, []string{"a", "b", "c"}, true},
{"different lengths", []string{"a", "b"}, []string{"a", "b", "c"}, false},
{"different elements", []string{"a", "b", "c"}, []string{"a", "b", "d"}, false},
{"one empty one not", []string{}, []string{"a"}, false},
{"duplicates same", []string{"a", "a", "b"}, []string{"a", "b", "a"}, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := iamStringSlicesEqual(tt.a, tt.b)
assert.Equal(t, tt.expected, result)
})
}
}
// TestIamHash tests the iamHash function
func TestIamHash(t *testing.T) {
input := "test-policy-document"
hash := iamHash(&input)
// Hash should be non-empty
assert.NotEmpty(t, hash)
// Same input should produce same hash
hash2 := iamHash(&input)
assert.Equal(t, hash, hash2)
// Different input should produce different hash
input2 := "different-policy"
hash3 := iamHash(&input2)
assert.NotEqual(t, hash, hash3)
}
// TestIamStringWithCharset tests the cryptographically secure random string generator
func TestIamStringWithCharset(t *testing.T) {
charset := "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
length := 20
str, err := iamStringWithCharset(length, charset)
assert.NoError(t, err)
assert.Len(t, str, length)
// All characters should be from the charset
for _, c := range str {
assert.Contains(t, charset, string(c))
}
// Two calls should produce different strings (with very high probability)
str2, err := iamStringWithCharset(length, charset)
assert.NoError(t, err)
assert.NotEqual(t, str, str2)
}
// TestIamMapToStatementAction tests action mapping
func TestIamMapToStatementAction(t *testing.T) {
// iamMapToStatementAction maps IAM statement action patterns to internal action names
tests := []struct {
input string
expected string
}{
{"*", "Admin"},
{"Get*", "Read"},
{"Put*", "Write"},
{"List*", "List"},
{"Tagging*", "Tagging"},
{"DeleteBucket*", "DeleteBucket"},
{"PutBucketAcl", "WriteAcp"},
{"GetBucketAcl", "ReadAcp"},
{"InvalidAction", ""},
}
for _, tt := range tests {
t.Run(tt.input, func(t *testing.T) {
result := iamMapToStatementAction(tt.input)
assert.Equal(t, tt.expected, result)
})
}
}
// TestIamMapToIdentitiesAction tests reverse action mapping
func TestIamMapToIdentitiesAction(t *testing.T) {
// iamMapToIdentitiesAction maps internal action names to IAM statement action patterns
tests := []struct {
input string
expected string
}{
{"Admin", "*"},
{"Read", "Get*"},
{"Write", "Put*"},
{"List", "List*"},
{"Tagging", "Tagging*"},
{"Unknown", ""},
}
for _, tt := range tests {
t.Run(tt.input, func(t *testing.T) {
result := iamMapToIdentitiesAction(tt.input)
assert.Equal(t, tt.expected, result)
})
}
}
// TestEmbeddedIamGetUserNotFound tests GetUser with non-existent user
func TestEmbeddedIamGetUserNotFound(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "ExistingUser"},
},
}
userName := aws.String("NonExistentUser")
params := &iam.GetUserInput{UserName: userName}
req, _ := iam.New(session.New()).GetUserRequest(params)
_ = req.Build()
response, _ := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.Equal(t, http.StatusNotFound, response.Code)
}
// TestEmbeddedIamDeleteUserNotFound tests DeleteUser with non-existent user
func TestEmbeddedIamDeleteUserNotFound(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
userName := aws.String("NonExistentUser")
params := &iam.DeleteUserInput{UserName: userName}
req, _ := iam.New(session.New()).DeleteUserRequest(params)
_ = req.Build()
response, _ := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.Equal(t, http.StatusNotFound, response.Code)
}
// TestEmbeddedIamUpdateUserNotFound tests UpdateUser with non-existent user
func TestEmbeddedIamUpdateUserNotFound(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
params := &iam.UpdateUserInput{
UserName: aws.String("NonExistentUser"),
NewUserName: aws.String("NewName"),
}
req, _ := iam.New(session.New()).UpdateUserRequest(params)
_ = req.Build()
response, _ := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.Equal(t, http.StatusBadRequest, response.Code)
}
// TestEmbeddedIamCreateAccessKeyForExistingUser tests CreateAccessKey creates credentials for existing user
func TestEmbeddedIamCreateAccessKeyForExistingUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "ExistingUser"},
},
}
// Use direct form post
form := url.Values{}
form.Set("Action", "CreateAccessKey")
form.Set("UserName", "ExistingUser")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify credentials were created
assert.Len(t, api.mockConfig.Identities[0].Credentials, 1)
}
// TestEmbeddedIamGetUserPolicyUserNotFound tests GetUserPolicy with non-existent user
func TestEmbeddedIamGetUserPolicyUserNotFound(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{}
params := &iam.GetUserPolicyInput{
UserName: aws.String("NonExistentUser"),
PolicyName: aws.String("TestPolicy"),
}
req, _ := iam.New(session.New()).GetUserPolicyRequest(params)
_ = req.Build()
response, _ := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.Equal(t, http.StatusNotFound, response.Code)
}
// TestEmbeddedIamCreatePolicyMalformed tests CreatePolicy with invalid policy document
func TestEmbeddedIamCreatePolicyMalformed(t *testing.T) {
api := NewEmbeddedIamApiForTest()
params := &iam.CreatePolicyInput{
PolicyName: aws.String("TestPolicy"),
PolicyDocument: aws.String("invalid json"),
}
req, _ := iam.New(session.New()).CreatePolicyRequest(params)
_ = req.Build()
response, _ := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
assert.Equal(t, http.StatusBadRequest, response.Code)
}
// TestEmbeddedIamListAccessKeysForUser tests listing access keys for a specific user
func TestEmbeddedIamListAccessKeysForUser(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST1", SecretKey: "secret1"},
{AccessKey: "AKIATEST2", SecretKey: "secret2"},
},
},
},
}
params := &iam.ListAccessKeysInput{UserName: aws.String("TestUser")}
req, _ := iam.New(session.New()).ListAccessKeysRequest(params)
_ = req.Build()
out := iamListAccessKeysResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify both access keys are listed
assert.Len(t, out.ListAccessKeysResult.AccessKeyMetadata, 2)
}
// TestEmbeddedIamNotImplementedAction tests handling of unimplemented actions
func TestEmbeddedIamNotImplementedAction(t *testing.T) {
api := NewEmbeddedIamApiForTest()
form := url.Values{}
form.Set("Action", "SomeUnknownAction")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusNotImplemented, rr.Code)
}
// TestGetPolicyDocument tests parsing of policy documents
func TestGetPolicyDocument(t *testing.T) {
api := NewEmbeddedIamApiForTest()
validPolicy := `{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::bucket/*"]
}]
}`
doc, err := api.GetPolicyDocument(&validPolicy)
assert.NoError(t, err)
assert.Equal(t, "2012-10-17", doc.Version)
assert.Len(t, doc.Statement, 1)
// Test invalid JSON
invalidPolicy := "not valid json"
_, err = api.GetPolicyDocument(&invalidPolicy)
assert.Error(t, err)
}
// TestEmbeddedIamGetActionsFromPolicy tests action extraction from policy documents
func TestEmbeddedIamGetActionsFromPolicy(t *testing.T) {
api := NewEmbeddedIamApiForTest()
// Actions must use wildcards (Get*, Put*, List*, etc.) as expected by the mapper
policyDoc := `{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:Put*"],
"Resource": ["arn:aws:s3:::mybucket/*"]
}]
}`
policy, err := api.GetPolicyDocument(&policyDoc)
assert.NoError(t, err)
actions, err := api.getActions(&policy)
assert.NoError(t, err)
assert.NotEmpty(t, actions)
// Should have Read and Write actions for the bucket
// arn:aws:s3:::mybucket/* means all objects in mybucket, represented as "Action:mybucket"
assert.Contains(t, actions, "Read:mybucket")
assert.Contains(t, actions, "Write:mybucket")
}
// TestEmbeddedIamSetUserStatus tests enabling/disabling a user
func TestEmbeddedIamSetUserStatus(t *testing.T) {
api := NewEmbeddedIamApiForTest()
t.Run("DisableUser", func(t *testing.T) {
// Reset state for test isolation
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser", Disabled: false},
},
}
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("UserName", "TestUser")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify user is now disabled
assert.True(t, api.mockConfig.Identities[0].Disabled)
})
t.Run("EnableUser", func(t *testing.T) {
// Reset state for test isolation - start with disabled user
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser", Disabled: true},
},
}
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("UserName", "TestUser")
form.Set("Status", "Active")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify user is now enabled
assert.False(t, api.mockConfig.Identities[0].Disabled)
})
}
// TestEmbeddedIamSetUserStatusErrors tests error handling for SetUserStatus
func TestEmbeddedIamSetUserStatusErrors(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{Name: "TestUser"},
},
}
t.Run("UserNotFound", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("UserName", "NonExistentUser")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusNotFound, rr.Code)
})
t.Run("InvalidStatus", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("UserName", "TestUser")
form.Set("Status", "InvalidStatus")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
t.Run("MissingUserName", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
t.Run("MissingStatus", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "SetUserStatus")
form.Set("UserName", "TestUser")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
}
// TestEmbeddedIamUpdateAccessKey tests updating access key status
func TestEmbeddedIamUpdateAccessKey(t *testing.T) {
api := NewEmbeddedIamApiForTest()
t.Run("DeactivateAccessKey", func(t *testing.T) {
// Reset state for test isolation
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST12345", SecretKey: "secret", Status: "Active"},
},
},
},
}
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "AKIATEST12345")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify access key is now inactive
assert.Equal(t, "Inactive", api.mockConfig.Identities[0].Credentials[0].Status)
})
t.Run("ActivateAccessKey", func(t *testing.T) {
// Reset state for test isolation - start with inactive key
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST12345", SecretKey: "secret", Status: "Inactive"},
},
},
},
}
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "AKIATEST12345")
form.Set("Status", "Active")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusOK, rr.Code)
// Verify access key is now active
assert.Equal(t, "Active", api.mockConfig.Identities[0].Credentials[0].Status)
})
}
// TestEmbeddedIamUpdateAccessKeyErrors tests error handling for UpdateAccessKey
func TestEmbeddedIamUpdateAccessKeyErrors(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIATEST12345", SecretKey: "secret"},
},
},
},
}
t.Run("AccessKeyNotFound", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "NONEXISTENT123")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusNotFound, rr.Code)
})
t.Run("InvalidStatus", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "AKIATEST12345")
form.Set("Status", "InvalidStatus")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
t.Run("MissingUserName", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("AccessKeyId", "AKIATEST12345")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
t.Run("MissingAccessKeyId", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
t.Run("UserNotFound", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "NonExistentUser")
form.Set("AccessKeyId", "AKIATEST12345")
form.Set("Status", "Inactive")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusNotFound, rr.Code)
})
t.Run("MissingStatus", func(t *testing.T) {
form := url.Values{}
form.Set("Action", "UpdateAccessKey")
form.Set("UserName", "TestUser")
form.Set("AccessKeyId", "AKIATEST12345")
req, _ := http.NewRequest("POST", "/", nil)
req.PostForm = form
req.Form = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
rr := httptest.NewRecorder()
apiRouter := mux.NewRouter().SkipClean(true)
apiRouter.Path("/").Methods(http.MethodPost).HandlerFunc(api.DoActions)
apiRouter.ServeHTTP(rr, req)
assert.Equal(t, http.StatusBadRequest, rr.Code)
})
}
// TestEmbeddedIamListAccessKeysShowsStatus tests that ListAccessKeys returns the access key status
func TestEmbeddedIamListAccessKeysShowsStatus(t *testing.T) {
api := NewEmbeddedIamApiForTest()
api.mockConfig = &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "TestUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIAACTIVE123", SecretKey: "secret1", Status: "Active"},
{AccessKey: "AKIAINACTIVE1", SecretKey: "secret2", Status: "Inactive"},
{AccessKey: "AKIADEFAULT12", SecretKey: "secret3"}, // No status set, should default to Active
},
},
},
}
params := &iam.ListAccessKeysInput{UserName: aws.String("TestUser")}
req, _ := iam.New(session.New()).ListAccessKeysRequest(params)
_ = req.Build()
out := iamListAccessKeysResponse{}
response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, &out)
assert.NoError(t, err)
assert.Equal(t, http.StatusOK, response.Code)
// Verify all three access keys are listed with correct status
assert.Len(t, out.ListAccessKeysResult.AccessKeyMetadata, 3)
// Find each key and verify status
statusMap := make(map[string]string)
for _, meta := range out.ListAccessKeysResult.AccessKeyMetadata {
statusMap[*meta.AccessKeyId] = *meta.Status
}
assert.Equal(t, "Active", statusMap["AKIAACTIVE123"])
assert.Equal(t, "Inactive", statusMap["AKIAINACTIVE1"])
assert.Equal(t, "Active", statusMap["AKIADEFAULT12"]) // Default to Active
}
// TestDisabledUserLookupFails tests that disabled users cannot authenticate
func TestDisabledUserLookupFails(t *testing.T) {
iam := &IdentityAccessManagement{}
testConfig := &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "enabledUser",
Disabled: false,
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIAENABLED123", SecretKey: "secret1"},
},
},
{
Name: "disabledUser",
Disabled: true,
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIADISABLED12", SecretKey: "secret2"},
},
},
},
}
err := iam.LoadS3ApiConfigurationFromBytes(mustMarshalJSON(testConfig))
assert.NoError(t, err)
// Enabled user should be found
identity, cred, found := iam.LookupByAccessKey("AKIAENABLED123")
assert.True(t, found)
assert.NotNil(t, identity)
assert.NotNil(t, cred)
assert.Equal(t, "enabledUser", identity.Name)
// Disabled user should NOT be found
identity, cred, found = iam.LookupByAccessKey("AKIADISABLED12")
assert.False(t, found)
assert.Nil(t, identity)
assert.Nil(t, cred)
}
// TestInactiveAccessKeyLookupFails tests that inactive access keys cannot authenticate
func TestInactiveAccessKeyLookupFails(t *testing.T) {
iam := &IdentityAccessManagement{}
testConfig := &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "testUser",
Credentials: []*iam_pb.Credential{
{AccessKey: "AKIAACTIVE123", SecretKey: "secret1", Status: "Active"},
{AccessKey: "AKIAINACTIVE1", SecretKey: "secret2", Status: "Inactive"},
{AccessKey: "AKIADEFAULT12", SecretKey: "secret3"}, // No status = Active
},
},
},
}
err := iam.LoadS3ApiConfigurationFromBytes(mustMarshalJSON(testConfig))
assert.NoError(t, err)
// Active key should be found
identity, cred, found := iam.LookupByAccessKey("AKIAACTIVE123")
assert.True(t, found)
assert.NotNil(t, identity)
assert.NotNil(t, cred)
// Inactive key should NOT be found
identity, cred, found = iam.LookupByAccessKey("AKIAINACTIVE1")
assert.False(t, found)
assert.Nil(t, identity)
assert.Nil(t, cred)
// Key with no status (default Active) should be found
identity, cred, found = iam.LookupByAccessKey("AKIADEFAULT12")
assert.True(t, found)
assert.NotNil(t, identity)
assert.NotNil(t, cred)
}
// TestAuthIamAuthenticatesBeforeParseForm verifies that AuthIam authenticates the request
// BEFORE parsing the form. This is critical because ParseForm() consumes the request body,
// but IAM signature verification needs to hash the body.
// This test reproduces the bug described in GitHub issue #7802.
func TestAuthIamAuthenticatesBeforeParseForm(t *testing.T) {
// Create IAM with test credentials
iam := &IdentityAccessManagement{
hashes: make(map[string]*sync.Pool),
hashCounters: make(map[string]*int32),
}
testConfig := &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "admin",
Credentials: []*iam_pb.Credential{
{
AccessKey: "admin_access_key",
SecretKey: "admin_secret_key",
Status: "Active",
},
},
Actions: []string{"Admin"},
},
},
}
err := iam.loadS3ApiConfiguration(testConfig)
assert.NoError(t, err)
embeddedApi := &EmbeddedIamApi{
iam: iam,
}
// Create a properly signed IAM request
payload := "Action=CreateUser&Version=2010-05-08&UserName=bob"
// Use current time to avoid clock skew
now := time.Now().UTC()
amzDate := now.Format(iso8601Format)
dateStamp := now.Format(yyyymmdd)
credentialScope := dateStamp + "/us-east-1/iam/aws4_request"
req, err := http.NewRequest("POST", "http://localhost:8333/", strings.NewReader(payload))
assert.NoError(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
req.Header.Set("Host", "localhost:8333")
req.Header.Set("X-Amz-Date", amzDate)
// Calculate the correct signature using IAM service
payloadHash := getSHA256Hash([]byte(payload))
canonicalRequest := fmt.Sprintf("POST\n/\n\ncontent-type:application/x-www-form-urlencoded; charset=utf-8\nhost:localhost:8333\nx-amz-date:%s\n\ncontent-type;host;x-amz-date\n%s", amzDate, payloadHash)
canonicalRequestHash := getSHA256Hash([]byte(canonicalRequest))
stringToSign := fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%s", amzDate, credentialScope, canonicalRequestHash)
signingKey := getSigningKey("admin_secret_key", dateStamp, "us-east-1", "iam")
signature := getSignature(signingKey, stringToSign)
authHeader := fmt.Sprintf("AWS4-HMAC-SHA256 Credential=admin_access_key/%s, SignedHeaders=content-type;host;x-amz-date, Signature=%s",
credentialScope, signature)
req.Header.Set("Authorization", authHeader)
// Create a test handler that just returns OK
handlerCalled := false
testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handlerCalled = true
w.WriteHeader(http.StatusOK)
})
// Wrap with AuthIam
authHandler := embeddedApi.AuthIam(testHandler, ACTION_WRITE)
// Execute the request
rr := httptest.NewRecorder()
authHandler.ServeHTTP(rr, req)
// The handler should be called (authentication succeeded)
// Before the fix, this would fail with SignatureDoesNotMatch because
// ParseForm was called before authentication, consuming the body
assert.True(t, handlerCalled, "Handler was not called - authentication failed")
assert.Equal(t, http.StatusOK, rr.Code, "Expected OK status, got %d", rr.Code)
}
// TestOldCodeOrderWouldFail demonstrates why the old code order was broken.
// This test shows that ParseForm() before signature verification causes auth failure.
func TestOldCodeOrderWouldFail(t *testing.T) {
// Create IAM with test credentials
iam := &IdentityAccessManagement{
hashes: make(map[string]*sync.Pool),
hashCounters: make(map[string]*int32),
}
testConfig := &iam_pb.S3ApiConfiguration{
Identities: []*iam_pb.Identity{
{
Name: "admin",
Credentials: []*iam_pb.Credential{
{
AccessKey: "admin_access_key",
SecretKey: "admin_secret_key",
Status: "Active",
},
},
Actions: []string{"Admin"},
},
},
}
err := iam.loadS3ApiConfiguration(testConfig)
assert.NoError(t, err)
// Create a properly signed IAM request
payload := "Action=CreateUser&Version=2010-05-08&UserName=bob"
now := time.Now().UTC()
amzDate := now.Format(iso8601Format)
dateStamp := now.Format(yyyymmdd)
credentialScope := dateStamp + "/us-east-1/iam/aws4_request"
req, err := http.NewRequest("POST", "http://localhost:8333/", strings.NewReader(payload))
assert.NoError(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
req.Header.Set("Host", "localhost:8333")
req.Header.Set("X-Amz-Date", amzDate)
// Calculate the correct signature using IAM service
payloadHash := getSHA256Hash([]byte(payload))
canonicalRequest := fmt.Sprintf("POST\n/\n\ncontent-type:application/x-www-form-urlencoded; charset=utf-8\nhost:localhost:8333\nx-amz-date:%s\n\ncontent-type;host;x-amz-date\n%s", amzDate, payloadHash)
canonicalRequestHash := getSHA256Hash([]byte(canonicalRequest))
stringToSign := fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%s", amzDate, credentialScope, canonicalRequestHash)
signingKey := getSigningKey("admin_secret_key", dateStamp, "us-east-1", "iam")
signature := getSignature(signingKey, stringToSign)
authHeader := fmt.Sprintf("AWS4-HMAC-SHA256 Credential=admin_access_key/%s, SignedHeaders=content-type;host;x-amz-date, Signature=%s",
credentialScope, signature)
req.Header.Set("Authorization", authHeader)
// Simulate OLD buggy code: ParseForm BEFORE authentication
// This consumes the request body!
err = req.ParseForm()
assert.NoError(t, err)
assert.Equal(t, "CreateUser", req.Form.Get("Action")) // Form parsing works
// Now try to authenticate - this should FAIL because body is consumed
identity, errCode := iam.AuthSignatureOnly(req)
// With old code order, this would fail with SignatureDoesNotMatch
// because the body is empty when signature verification tries to hash it
assert.Equal(t, s3err.ErrSignatureDoesNotMatch, errCode,
"Expected SignatureDoesNotMatch when ParseForm is called before auth")
assert.Nil(t, identity)
t.Log("This demonstrates the bug: ParseForm before auth causes SignatureDoesNotMatch")
}
Reference in New Issue View Git Blame Copy Permalink