gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8fc99a9cd1166aef43987366597f7fee705f6d6
seaweedFS/weed/iam/policy/aws_iam_compliance_test.go
Chris Lu b8fc99a9cd fix(s3): apply PutObject multipart expansion to STS session policies (#8932) 
* fix(s3): apply PutObject multipart expansion to STS session policy evaluation (#8929)

PR #8445 added logic to implicitly grant multipart upload actions when
s3:PutObject is authorized, but only in the S3 API policy engine's
CompiledStatement.MatchesAction(). STS session policies are evaluated
through the IAM policy engine's matchesActions() -> awsIAMMatch() path,
which did plain pattern matching without the multipart expansion.

Add the same multipart expansion logic to the IAM policy engine's
matchesActions() so that session policies containing s3:PutObject
correctly allow multipart upload operations.

* fix: make multipart action set lookup case-insensitive and optimize

Address PR review feedback:
- Lowercase multipartActionSet keys and use strings.ToLower for lookup,
  since AWS IAM actions are case-insensitive
- Only check for s3:PutObject permission when the requested action is
  actually a multipart action, avoiding unnecessary awsIAMMatch calls
- Add test case for case-insensitive multipart action matching
2026-04-05 14:06:50 -07:00

294 lines
7.3 KiB
Go
Raw Blame History

package policy
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestAWSIAMMatch(t *testing.T) {
evalCtx := &EvaluationContext{
RequestContext: map[string]interface{}{
"aws:username": "testuser",
"saml:username": "john.doe",
"oidc:sub": "user123",
"aws:userid": "AIDACKCEVSQ6C2EXAMPLE",
"aws:principaltype": "User",
},
}
tests := []struct {
name string
pattern string
value string
evalCtx *EvaluationContext
expected bool
}{
// Case insensitivity tests
{
name: "case insensitive exact match",
pattern: "S3:GetObject",
value: "s3:getobject",
evalCtx: evalCtx,
expected: true,
},
{
name: "case insensitive wildcard match",
pattern: "S3:Get*",
value: "s3:getobject",
evalCtx: evalCtx,
expected: true,
},
// Policy variable expansion tests
{
name: "AWS username variable expansion",
pattern: "arn:aws:s3:::mybucket/${aws:username}/*",
value: "arn:aws:s3:::mybucket/testuser/document.pdf",
evalCtx: evalCtx,
expected: true,
},
{
name: "SAML username variable expansion",
pattern: "home/${saml:username}/*",
value: "home/john.doe/private.txt",
evalCtx: evalCtx,
expected: true,
},
{
name: "OIDC subject variable expansion",
pattern: "users/${oidc:sub}/data",
value: "users/user123/data",
evalCtx: evalCtx,
expected: true,
},
// Mixed case and variable tests
{
name: "case insensitive with variable",
pattern: "S3:GetObject/${aws:username}/*",
value: "s3:getobject/testuser/file.txt",
evalCtx: evalCtx,
expected: true,
},
// Universal wildcard
{
name: "universal wildcard",
pattern: "*",
value: "anything",
evalCtx: evalCtx,
expected: true,
},
// Question mark wildcard
{
name: "question mark wildcard",
pattern: "file?.txt",
value: "file1.txt",
evalCtx: evalCtx,
expected: true,
},
// No match cases
{
name: "no match different pattern",
pattern: "s3:PutObject",
value: "s3:GetObject",
evalCtx: evalCtx,
expected: false,
},
{
name: "variable not expanded due to missing context",
pattern: "users/${aws:username}/data",
value: "users/${aws:username}/data",
evalCtx: nil,
expected: true, // Should match literally when no context
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := awsIAMMatch(tt.pattern, tt.value, tt.evalCtx)
assert.Equal(t, tt.expected, result, "AWS IAM match result should match expected")
})
}
}
func TestMatchesActionsMultipartExpansion(t *testing.T) {
engine := &PolicyEngine{initialized: true}
evalCtx := &EvaluationContext{}
tests := []struct {
name string
actions []string
requestedAction string
expected bool
}{
{
name: "PutObject directly matches PutObject",
actions: []string{"s3:PutObject"},
requestedAction: "s3:PutObject",
expected: true,
},
{
name: "PutObject implicitly allows CreateMultipartUpload",
actions: []string{"s3:PutObject"},
requestedAction: "s3:CreateMultipartUpload",
expected: true,
},
{
name: "PutObject implicitly allows UploadPart",
actions: []string{"s3:PutObject"},
requestedAction: "s3:UploadPart",
expected: true,
},
{
name: "PutObject implicitly allows CompleteMultipartUpload",
actions: []string{"s3:PutObject"},
requestedAction: "s3:CompleteMultipartUpload",
expected: true,
},
{
name: "PutObject implicitly allows AbortMultipartUpload",
actions: []string{"s3:PutObject"},
requestedAction: "s3:AbortMultipartUpload",
expected: true,
},
{
name: "PutObject implicitly allows ListMultipartUploadParts",
actions: []string{"s3:PutObject"},
requestedAction: "s3:ListMultipartUploadParts",
expected: true,
},
{
name: "PutObject implicitly allows ListBucketMultipartUploads",
actions: []string{"s3:PutObject"},
requestedAction: "s3:ListBucketMultipartUploads",
expected: true,
},
{
name: "PutObject does not allow GetObject",
actions: []string{"s3:PutObject"},
requestedAction: "s3:GetObject",
expected: false,
},
{
name: "GetObject does not allow CreateMultipartUpload",
actions: []string{"s3:GetObject"},
requestedAction: "s3:CreateMultipartUpload",
expected: false,
},
{
name: "wildcard s3:Put* implicitly allows multipart via PutObject match",
actions: []string{"s3:Put*"},
requestedAction: "s3:CreateMultipartUpload",
expected: true,
},
{
name: "case-insensitive multipart action lookup",
actions: []string{"s3:PutObject"},
requestedAction: "S3:CREATEMULTIPARTUPLOAD",
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := engine.matchesActions(tt.actions, tt.requestedAction, evalCtx)
assert.Equal(t, tt.expected, result)
})
}
}
func TestExpandPolicyVariables(t *testing.T) {
evalCtx := &EvaluationContext{
RequestContext: map[string]interface{}{
"aws:username": "alice",
"saml:username": "alice.smith",
"oidc:sub": "sub123",
},
}
tests := []struct {
name string
pattern string
evalCtx *EvaluationContext
expected string
}{
{
name: "expand aws username",
pattern: "home/${aws:username}/documents/*",
evalCtx: evalCtx,
expected: "home/alice/documents/*",
},
{
name: "expand multiple variables",
pattern: "${aws:username}/${oidc:sub}/data",
evalCtx: evalCtx,
expected: "alice/sub123/data",
},
{
name: "no variables to expand",
pattern: "static/path/file.txt",
evalCtx: evalCtx,
expected: "static/path/file.txt",
},
{
name: "nil context",
pattern: "home/${aws:username}/file",
evalCtx: nil,
expected: "home/${aws:username}/file",
},
{
name: "missing variable in context",
pattern: "home/${aws:nonexistent}/file",
evalCtx: evalCtx,
expected: "home/${aws:nonexistent}/file", // Should remain unchanged
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := expandPolicyVariables(tt.pattern, tt.evalCtx)
assert.Equal(t, tt.expected, result, "Policy variable expansion should match expected")
})
}
}
func TestAWSWildcardMatch(t *testing.T) {
tests := []struct {
name string
pattern string
value string
expected bool
}{
{
name: "case insensitive asterisk",
pattern: "S3:Get*",
value: "s3:getobject",
expected: true,
},
{
name: "case insensitive question mark",
pattern: "file?.TXT",
value: "file1.txt",
expected: true,
},
{
name: "mixed wildcards",
pattern: "S3:*Object?",
value: "s3:getobjects",
expected: true,
},
{
name: "no match",
pattern: "s3:Put*",
value: "s3:GetObject",
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := AwsWildcardMatch(tt.pattern, tt.value)
assert.Equal(t, tt.expected, result, "AWS wildcard match should match expected")
})
}
}
Reference in New Issue View Git Blame Copy Permalink