gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ec9ff4a12124ae63de179aa3ebdcb1fe7c19492
seaweedFS/weed/s3api/sts_params_test.go
Chris Lu 0d8588e3ae S3: Implement IAM defaults and STS signing key fallback (#8348) 
* S3: Implement IAM defaults and STS signing key fallback logic

* S3: Refactor startup order to init SSE-S3 key manager before IAM

* S3: Derive STS signing key from KEK using HKDF for security isolation

* S3: Document STS signing key fallback in security.toml

* fix(s3api): refine anonymous access logic and secure-by-default behavior

- Initialize anonymous identity by default in `NewIdentityAccessManagement` to prevent nil pointer exceptions.
- Ensure `ReplaceS3ApiConfiguration` preserves the anonymous identity if not present in the new configuration.
- Update `NewIdentityAccessManagement` signature to accept `filerClient`.
- In legacy mode (no policy engine), anonymous defaults to Deny (no actions), preserving secure-by-default behavior.
- Use specific `LookupAnonymous` method instead of generic map lookup.
- Update tests to accommodate signature changes and verify improved anonymous handling.

* feat(s3api): make IAM configuration optional

- Start S3 API server without a configuration file if `EnableIam` option is set.
- Default to `Allow` effect for policy engine when no configuration is provided (Zero-Config mode).
- Handle empty configuration path gracefully in `loadIAMManagerFromConfig`.
- Add integration test `iam_optional_test.go` to verify empty config behavior.

* fix(iamapi): fix signature mismatch in NewIdentityAccessManagementWithStore

* fix(iamapi): properly initialize FilerClient instead of passing nil

* fix(iamapi): properly initialize filer client for IAM management

- Instead of passing `nil`, construct a `wdclient.FilerClient` using the provided `Filers` addresses.
- Ensure `NewIdentityAccessManagementWithStore` receives a valid `filerClient` to avoid potential nil pointer dereferences or limited functionality.

* clean: remove dead code in s3api_server.go

* refactor(s3api): improve IAM initialization, safety and anonymous access security

* fix(s3api): ensure IAM config loads from filer after client init

* fix(s3): resolve test failures in integration, CORS, and tagging tests

- Fix CORS tests by providing explicit anonymous permissions config
- Fix S3 integration tests by setting admin credentials in init
- Align tagging test credentials in CI with IAM defaults
- Added goroutine to retry IAM config load in iamapi server

* fix(s3): allow anonymous access to health targets and S3 Tables when identities are present

* fix(ci): use /healthz for Caddy health check in awscli tests

* iam, s3api: expose DefaultAllow from IAM and Policy Engine

This allows checking the global "Open by Default" configuration from
other components like S3 Tables.

* s3api/s3tables: support DefaultAllow in permission logic and handler

Updated CheckPermissionWithContext to respect the DefaultAllow flag
in PolicyContext. This enables "Open by Default" behavior for
unauthenticated access in zero-config environments. Added a targeted
unit test to verify the logic.

* s3api/s3tables: propagate DefaultAllow through handlers

Propagated the DefaultAllow flag to individual handlers for
namespaces, buckets, tables, policies, and tagging. This ensures
consistent "Open by Default" behavior across all S3 Tables API
endpoints.

* s3api: wire up DefaultAllow for S3 Tables API initialization

Updated registerS3TablesRoutes to query the global IAM configuration
and set the DefaultAllow flag on the S3 Tables API server. This
completes the end-to-end propagation required for anonymous access in
zero-config environments. Added a SetDefaultAllow method to
S3TablesApiServer to facilitate this.

* s3api: fix tests by adding DefaultAllow to mock IAM integrations

The IAMIntegration interface was updated to include DefaultAllow(),
breaking several mock implementations in tests. This commit fixes
the build errors by adding the missing method to the mocks.

* env

* ensure ports

* env

* env

* fix default allow

* add one more test using non-anonymous user

* debug

* add more debug

* less logs
2026-02-16 13:59:13 -08:00

204 lines
8.0 KiB
Go
Raw Blame History

package s3api
import (
"context"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"sync"
"testing"
"github.com/gorilla/mux"
"github.com/seaweedfs/seaweedfs/weed/iam/sts"
"github.com/seaweedfs/seaweedfs/weed/pb"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/stretchr/testify/assert"
)
// Minimal mock implementation of AuthenticateJWT needed for testing
type mockIAMIntegration struct{}
func (m *mockIAMIntegration) AuthenticateJWT(ctx context.Context, r *http.Request) (*IAMIdentity, s3err.ErrorCode) {
return &IAMIdentity{
Name: "test-user",
Account: &Account{
Id: "test-account",
DisplayName: "test-account",
EmailAddress: "test@example.com",
},
Principal: "arn:aws:iam::test-account:user/test-user",
SessionToken: "mock-session-token",
}, s3err.ErrNone
}
func (m *mockIAMIntegration) AuthorizeAction(ctx context.Context, identity *IAMIdentity, action Action, bucket, object string, r *http.Request) s3err.ErrorCode {
return s3err.ErrNone
}
func (m *mockIAMIntegration) ValidateTrustPolicyForPrincipal(ctx context.Context, roleArn, principalArn string) error {
return nil
}
func (m *mockIAMIntegration) ValidateSessionToken(ctx context.Context, token string) (*sts.SessionInfo, error) {
return nil, nil
}
func (m *mockIAMIntegration) DefaultAllow() bool {
return true
}
func TestSTSAssumeRolePostBody(t *testing.T) {
// Setup S3ApiServer with IAM enabled
option := &S3ApiServerOption{
DomainName: "localhost",
EnableIam: true,
Filers: []pb.ServerAddress{"localhost:8888"},
}
// Create IAM instance that we can control
// We need to bypass the file/store loading logic in NewIdentityAccessManagement
// So we construct it manually similarly to how it's done for tests
iam := &IdentityAccessManagement{
identities: []*Identity{{Name: "test-user"}},
isAuthEnabled: true,
accessKeyIdent: make(map[string]*Identity),
nameToIdentity: make(map[string]*Identity),
iamIntegration: &mockIAMIntegration{},
}
// Pre-populate an identity for testing
ident := &Identity{
Name: "test-user",
Credentials: []*Credential{
{AccessKey: "test", SecretKey: "test", Status: "Active"},
},
Actions: nil, // Admin
IsStatic: true,
}
iam.identities[0] = ident
iam.accessKeyIdent["test"] = ident
iam.nameToIdentity["test-user"] = ident
s3a := &S3ApiServer{
option: option,
iam: iam,
embeddedIam: &EmbeddedIamApi{iam: iam, getS3ApiConfigurationFunc: func(cfg *iam_pb.S3ApiConfiguration) error { return nil }},
stsHandlers: NewSTSHandlers(nil, iam), // STS service nil -> will return STSErrSTSNotReady (503)
credentialManager: nil, // Not needed for this test as we pre-populated IAM
cb: &CircuitBreaker{
counters: make(map[string]*int64),
limitations: make(map[string]int64),
},
}
s3a.cb.s3a = s3a
s3a.inFlightDataLimitCond = sync.NewCond(&sync.Mutex{})
// Create router and register routes
router := mux.NewRouter()
s3a.registerRouter(router)
// Test Case 1: STS Action in Query String (Should work - routed to STS)
t.Run("ActionInQuery", func(t *testing.T) {
req := httptest.NewRequest("POST", "/?Action=AssumeRole", nil)
// We aren't signing requests, so we expect STSErrAccessDenied (403) from STS handler
// due to invalid signature, OR STSErrSTSNotReady (503) if it gets past auth.
// The key is it should NOT be 501 Not Implemented (which comes from IAM handler)
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// If routed to STS, we expect 400 (Bad Request) - MissingParameter
// because we didn't provide RoleArn/RoleSessionName etc.
// Or 503 if it checks STS service readiness first.
// Let's see what we get. The STS handler checks parameters first.
// "RoleArn is required" -> 400 Bad Request
assert.NotEqual(t, http.StatusNotImplemented, rr.Code, "Should not return 501 (IAM handler)")
assert.Equal(t, http.StatusBadRequest, rr.Code, "Should return 400 (STS handler) for missing params")
})
// Test Case 2: STS Action in Body (Should FAIL current implementation - routed to IAM)
t.Run("ActionInBody", func(t *testing.T) {
form := url.Values{}
form.Add("Action", "AssumeRole")
form.Add("RoleArn", "arn:aws:iam::123:role/test")
form.Add("RoleSessionName", "session")
req := httptest.NewRequest("POST", "/", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
// We need an Authorization header to trigger the IAM matcher
// The matcher checks: getRequestAuthType(r) != authTypeAnonymous
// So we provide a dummy auth header
req.Header.Set("Authorization", "Bearer test-token")
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// CURRENT BEHAVIOR:
// The Router does not match "/" for STS because Action is not in query.
// The Router matches "/" for IAM because it has Authorization header.
// IAM handler (AuthIam) calls DoActions.
// DoActions switches on "AssumeRole" -> default -> Not Implemented (501).
// DESIRED BEHAVIOR (after fix):
// Should be routed to UnifiedPostHandler (or similar), detected as STS action,
// and routed to STS handler.
// STS handler should return 403 Forbidden (Access Denied) or 400 Bad Request
// because of signature mismatch (since we provided dummy auth).
// It should NOT be 501.
// For verification of fix, we assert it IS 503 (STS Service Not Initialized).
// This confirms it was routed to STS handler.
if rr.Code != http.StatusServiceUnavailable {
t.Logf("Unexpected status code: %d", rr.Code)
t.Logf("Response body: %s", rr.Body.String())
}
// Confirm it routed to STS
assert.Equal(t, http.StatusServiceUnavailable, rr.Code, "Fixed behavior: Should return 503 from STS handler (service not ready)")
})
// Test Case 3: STS Action in Body with SigV4-style Authorization (Real-world scenario)
// This test validates that requests with AWS SigV4 Authorization headers and POST body
// parameters are correctly routed to the STS handler.
t.Run("ActionInBodyWithSigV4Style", func(t *testing.T) {
form := url.Values{}
form.Add("Action", "AssumeRole")
form.Add("RoleArn", "arn:aws:iam::123:role/test")
form.Add("RoleSessionName", "session")
bodyContent := form.Encode()
req := httptest.NewRequest("POST", "/", strings.NewReader(bodyContent))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
// Set AWS SigV4-style Authorization header
// This simulates a real SigV4-signed request without needing perfect signature
// The key is to validate that UnifiedPostHandler correctly routes based on Action
req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=test/20260212/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=dummy")
req.Header.Set("x-amz-date", "20260212T000000Z")
rr := httptest.NewRecorder()
router.ServeHTTP(rr, req)
// With SigV4-style Authorization header, the request should:
// 1. Be recognized as authenticated (not anonymous)
// 2. Be routed to UnifiedPostHandler
// 3. UnifiedPostHandler should parse Action=AssumeRole from body
// 4. Route to STS handler (which returns 503 because stsService is nil)
// OR return 403 if signature validation fails (which is acceptable)
// The key validation is that it should NOT return 501 (IAM handler's "Not Implemented")
// This confirms the routing fix works for SigV4-signed requests with POST body params
if rr.Code != http.StatusServiceUnavailable && rr.Code != http.StatusForbidden {
t.Logf("Unexpected status code: %d", rr.Code)
t.Logf("Response body: %s", rr.Body.String())
}
// Accept either 503 (routed to STS, service unavailable) or 403 (signature failed)
// Both indicate correct routing to STS handler, not IAM handler
assert.NotEqual(t, http.StatusNotImplemented, rr.Code, "Should not return 501 (IAM handler)")
assert.Contains(t, []int{http.StatusServiceUnavailable, http.StatusForbidden}, rr.Code,
"Should return 503 (STS unavailable) or 403 (auth failed), confirming STS routing")
})
}
Reference in New Issue View Git Blame Copy Permalink