gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
995dfc4d5da024b318f217d8afcba087e6685418
seaweedFS/weed/iam/sts/credential_prefix_test.go
Chris Lu 25ea48227f Fix STS temporary credentials to use ASIA prefix instead of AKIA (#8326) 
Temporary credentials from STS AssumeRole were using "AKIA" prefix
(permanent IAM user credentials) instead of "ASIA" prefix (temporary
security credentials). This violates AWS conventions and may cause
compatibility issues with AWS SDKs that validate credential types.

Changes:
- Rename generateAccessKeyId to generateTemporaryAccessKeyId for clarity
- Update function to use ASIA prefix for temporary credentials
- Add unit tests to verify ASIA prefix format (weed/iam/sts/credential_prefix_test.go)
- Add integration test to verify ASIA prefix in S3 API (test/s3/iam/s3_sts_credential_prefix_test.go)
- Ensure AWS-compatible credential format (ASIA + 16 hex chars)

The credentials are already deterministic (SHA256-based from session ID)
and the SessionToken is correctly set to the JWT token, so this is just
a prefix fix to follow AWS standards.

Fixes #8312
2026-02-12 14:47:20 -08:00

69 lines
2.3 KiB
Go
Raw Blame History

package sts
import (
"encoding/base64"
"encoding/hex"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
)
// TestTemporaryCredentialPrefix verifies that temporary credentials use ASIA prefix
// (not AKIA which is for permanent IAM user credentials)
func TestTemporaryCredentialPrefix(t *testing.T) {
sessionId := "test-session-for-prefix"
expiration := time.Now().Add(time.Hour)
credGen := NewCredentialGenerator()
cred, err := credGen.GenerateTemporaryCredentials(sessionId, expiration)
assert.NoError(t, err)
assert.NotNil(t, cred)
// Verify ASIA prefix for temporary credentials
assert.True(t, strings.HasPrefix(cred.AccessKeyId, "ASIA"),
"Temporary credentials must use ASIA prefix, got: %s", cred.AccessKeyId)
// Verify it's NOT using AKIA (permanent credentials)
assert.False(t, strings.HasPrefix(cred.AccessKeyId, "AKIA"),
"Temporary credentials must NOT use AKIA prefix (that's for permanent IAM keys)")
}
// TestTemporaryCredentialFormat verifies the full format of temporary credentials
func TestTemporaryCredentialFormat(t *testing.T) {
sessionId := "format-test-session"
expiration := time.Now().Add(time.Hour)
credGen := NewCredentialGenerator()
cred, err := credGen.GenerateTemporaryCredentials(sessionId, expiration)
assert.NoError(t, err)
assert.NotNil(t, cred)
// AWS temporary access key format: ASIA + 16 hex characters = 20 chars total
assert.Equal(t, 20, len(cred.AccessKeyId),
"Access key ID should be 20 characters (ASIA + 16 hex chars)")
// Verify it starts with ASIA
assert.True(t, strings.HasPrefix(cred.AccessKeyId, "ASIA"),
"Access key must start with ASIA prefix")
// Verify the rest is hex (after ASIA prefix)
hexPart := cred.AccessKeyId[4:]
assert.Equal(t, 16, len(hexPart), "Hex part should be 16 characters")
_, err = hex.DecodeString(hexPart)
assert.NoError(t, err, "The part after ASIA prefix should be valid hex")
// Verify secret key is not empty and is a valid base64-encoded SHA256 hash
assert.NotEmpty(t, cred.SecretAccessKey)
assert.Equal(t, 44, len(cred.SecretAccessKey),
"SecretAccessKey should be 44 characters for a base64-encoded 32-byte hash")
_, err = base64.StdEncoding.DecodeString(cred.SecretAccessKey)
assert.NoError(t, err, "SecretAccessKey should be a valid base64 string")
// Verify session token is not empty
assert.NotEmpty(t, cred.SessionToken)
}
Reference in New Issue View Git Blame Copy Permalink