gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d7c30fdb2bc41dbd1eba45bddc4b4424aa1a1bcb
seaweedFS/weed/s3api/s3_multipart_iam_test.go
Chris Lu d75162370c Fix trust policy wildcard principal handling (#7970) 
* Fix trust policy wildcard principal handling

This change fixes the trust policy validation to properly support
AWS-standard wildcard principals like {"Federated": "*"}.

Previously, the evaluatePrincipalValue() function would check for
context existence before evaluating wildcards, causing wildcard
principals to fail when the context key didn't exist. This forced
users to use the plain "*" workaround instead of the more specific
{"Federated": "*"} format.

Changes:
- Modified evaluatePrincipalValue() to check for "*" FIRST before
  validating against context
- Added support for wildcards in principal arrays
- Added comprehensive tests for wildcard principal handling
- All existing tests continue to pass (no regressions)

This matches AWS IAM behavior where "*" in a principal field means
"allow any value" without requiring context validation.

Fixes: https://github.com/seaweedfs/seaweedfs/issues/7917

* Refactor: Move Principal matching to PolicyEngine

This refactoring consolidates all policy evaluation logic into the
PolicyEngine, improving code organization and eliminating duplication.

Changes:
- Added matchesPrincipal() and evaluatePrincipalValue() to PolicyEngine
- Added EvaluateTrustPolicy() method for direct trust policy evaluation
- Updated statementMatches() to check Principal field when present
- Made resource matching optional (trust policies don't have Resources)
- Simplified evaluateTrustPolicy() in iam_manager.go to delegate to PolicyEngine
- Removed ~170 lines of duplicate code from iam_manager.go

Benefits:
- Single source of truth for all policy evaluation
- Better code reusability and maintainability
- Consistent evaluation rules for all policy types
- Easier to test and debug

All tests pass with no regressions.

* Make PolicyEngine AWS-compatible and add unit tests

Changes:
1. AWS-Compatible Context Keys:
   - Changed "seaweed:FederatedProvider" -> "aws:FederatedProvider"
   - Changed "seaweed:AWSPrincipal" -> "aws:PrincipalArn"
   - Changed "seaweed:ServicePrincipal" -> "aws:PrincipalServiceName"
   - This ensures 100% AWS compatibility for trust policies

2. Added Comprehensive Unit Tests:
   - TestPrincipalMatching: 8 test cases for Principal matching
   - TestEvaluatePrincipalValue: 7 test cases for value evaluation
   - TestTrustPolicyEvaluation: 6 test cases for trust policy evaluation
   - TestGetPrincipalContextKey: 4 test cases for context key mapping
   - Total: 25 new unit tests for PolicyEngine

All tests pass:
- Policy engine tests: 54 passed
- Integration tests: 9 passed
- Total: 63 tests passing

* Update context keys to standard AWS/OIDC formats

Replaced remaining seaweed: context keys with standard AWS and OIDC
keys to ensure 100% compatibility with AWS IAM policies.

Mappings:
- seaweed:TokenIssuer -> oidc:iss
- seaweed:Issuer -> oidc:iss
- seaweed:Subject -> oidc:sub
- seaweed:SourceIP -> aws:SourceIp

Also updated unit tests to reflect these changes.

All 63 tests pass successfully.

* Add advanced policy tests for variable substitution and conditions

Added comprehensive tests inspired by AWS IAM patterns:
- TestPolicyVariableSubstitution: Tests ${oidc:sub} variable in resources
- TestConditionWithNumericComparison: Tests sts:DurationSeconds condition
- TestMultipleConditionOperators: Tests combining StringEquals and StringLike

Results:
- TestMultipleConditionOperators:  All 3 subtests pass
- Other tests reveal need for sts:DurationSeconds context population

These tests validate the PolicyEngine's ability to handle complex
AWS-compatible policy scenarios.

* Fix federated provider context and add DurationSeconds support

Changes:
- Use iss claim as aws:FederatedProvider (AWS standard)
- Add sts:DurationSeconds to trust policy evaluation context
- TestPolicyVariableSubstitution now passes 

Remaining work:
- TestConditionWithNumericComparison partially works (1/3 pass)
- Need to investigate NumericLessThanEquals evaluation

* Update trust policies to use issuer URL for AWS compatibility

Changed trust policy from using provider name ("test-oidc") to
using the issuer URL ("https://test-issuer.com") to match AWS
standard behavior where aws:FederatedProvider contains the OIDC
issuer URL.

Test Results:
- 10/12 test suites passing
- TestFullOIDCWorkflow:  All subtests pass
- TestPolicyEnforcement:  All subtests pass
- TestSessionExpiration:  Pass
- TestPolicyVariableSubstitution:  Pass
- TestMultipleConditionOperators:  All subtests pass

Remaining work:
- TestConditionWithNumericComparison needs investigation
- One subtest in TestTrustPolicyValidation needs fix

* Fix S3 API tests for AWS compatibility

Updated all S3 API tests to use AWS-compatible context keys and
trust policy principals:

Changes:
- seaweed:SourceIP → aws:SourceIp (IP-based conditions)
- Federated: "test-oidc" → "https://test-issuer.com" (trust policies)

Test Results:
- TestS3EndToEndWithJWT:  All 13 subtests pass
- TestIPBasedPolicyEnforcement:  All 3 subtests pass

This ensures policies are 100% AWS-compatible and portable.

* Fix ValidateTrustPolicy for AWS compatibility

Updated ValidateTrustPolicy method to check for:
- OIDC: issuer URL ("https://test-issuer.com")
- LDAP: provider name ("test-ldap")
- Wildcard: "*"

Test Results:
- TestTrustPolicyValidation:  All 3 subtests pass

This ensures trust policy validation uses the same AWS-compatible
principals as the PolicyEngine.

* Fix multipart and presigned URL tests for AWS compatibility

Updated trust policies in:
- s3_multipart_iam_test.go
- s3_presigned_url_iam_test.go

Changed "Federated": "test-oidc" → "https://test-issuer.com"

Test Results:
- TestMultipartIAMValidation:  All 7 subtests pass
- TestPresignedURLIAMValidation:  All 4 subtests pass
- TestPresignedURLGeneration:  All 4 subtests pass
- TestPresignedURLExpiration:  All 4 subtests pass
- TestPresignedURLSecurityPolicy:  All 4 subtests pass

All S3 API tests now use AWS-compatible trust policies.

* Fix numeric condition evaluation and trust policy validation interface

Major updates to ensure robust AWS-compatible policy evaluation:
1.  **Policy Engine**: Added support for `int` and `int64` types in `evaluateNumericCondition`, fixing issues where raw numbers in policy documents caused evaluation failures.
2.  **Trust Policy Validation**: Updated `TrustPolicyValidator` interface and `STSService` to propagate `DurationSeconds` correctly during the double-validation flow (Validation -> STS -> Validation callback).
3.  **IAM Manager**: Updated implementation to match the new interface and correctly pass `sts:DurationSeconds` context key.

Test Results:
- TestConditionWithNumericComparison:  All 3 subtests pass
- All IAM and S3 integration tests pass (100%)

This resolves the final edge case with DurationSeconds numeric conditions.

* Fix MockTrustPolicyValidator interface and unreachable code warnings

Updates:
1. Updated MockTrustPolicyValidator.ValidateTrustPolicyForWebIdentity to match new interface signature with durationSeconds parameter
2. Removed unreachable code after infinite loops in filer_backup.go and filer_meta_backup.go to satisfy linter

Test Results:
- All STS tests pass 
- Build warnings resolved 

* Refactor matchesPrincipal to consolidate array handling logic

Consolidated duplicated logic for []interface{} and []string types by converting them to a unified []interface{} upfront.

* Fix malformed AWS docs URL in iam_manager.go comment

* dup

* Enhance IAM integration tests with negative cases and interface array support

Added test cases to TestTrustPolicyWildcardPrincipal to:
1. Verify rejection of roles when principal context does not match (negative test)
2. Verify support for principal arrays as []interface{} (simulating JSON unmarshaled roles)

* Fix syntax errors in filer_backup and filer_meta_backup

Restored missing closing braces for for-loops and re-added return statements.
The previous attempt to remove unreachable code accidentally broke the function structure.
Build now passes successfully.
2026-01-05 15:55:24 -08:00

615 lines
19 KiB
Go
Raw Blame History

package s3api
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/seaweedfs/seaweedfs/weed/iam/integration"
"github.com/seaweedfs/seaweedfs/weed/iam/ldap"
"github.com/seaweedfs/seaweedfs/weed/iam/oidc"
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
"github.com/seaweedfs/seaweedfs/weed/iam/sts"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// createTestJWTMultipart creates a test JWT token with the specified issuer, subject and signing key
func createTestJWTMultipart(t *testing.T, issuer, subject, signingKey string) string {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"iss": issuer,
"sub": subject,
"aud": "test-client-id",
"exp": time.Now().Add(time.Hour).Unix(),
"iat": time.Now().Unix(),
// Add claims that trust policy validation expects
"idp": "test-oidc", // Identity provider claim for trust policy matching
})
tokenString, err := token.SignedString([]byte(signingKey))
require.NoError(t, err)
return tokenString
}
// TestMultipartIAMValidation tests IAM validation for multipart operations
func TestMultipartIAMValidation(t *testing.T) {
// Set up IAM system
iamManager := setupTestIAMManagerForMultipart(t)
s3iam := NewS3IAMIntegration(iamManager, "localhost:8888")
s3iam.enabled = true
// Create IAM with integration
iam := &IdentityAccessManagement{
isAuthEnabled: true,
}
iam.SetIAMIntegration(s3iam)
// Set up roles
ctx := context.Background()
setupTestRolesForMultipart(ctx, iamManager)
// Create a valid JWT token for testing
validJWTToken := createTestJWTMultipart(t, "https://test-issuer.com", "test-user-123", "test-signing-key")
// Get session token
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: "arn:aws:iam::role/S3WriteRole",
WebIdentityToken: validJWTToken,
RoleSessionName: "multipart-test-session",
})
require.NoError(t, err)
sessionToken := response.Credentials.SessionToken
tests := []struct {
name string
operation MultipartOperation
method string
path string
sessionToken string
expectedResult s3err.ErrorCode
}{
{
name: "Initiate multipart upload",
operation: MultipartOpInitiate,
method: "POST",
path: "/test-bucket/test-file.txt?uploads",
sessionToken: sessionToken,
expectedResult: s3err.ErrNone,
},
{
name: "Upload part",
operation: MultipartOpUploadPart,
method: "PUT",
path: "/test-bucket/test-file.txt?partNumber=1&uploadId=test-upload-id",
sessionToken: sessionToken,
expectedResult: s3err.ErrNone,
},
{
name: "Complete multipart upload",
operation: MultipartOpComplete,
method: "POST",
path: "/test-bucket/test-file.txt?uploadId=test-upload-id",
sessionToken: sessionToken,
expectedResult: s3err.ErrNone,
},
{
name: "Abort multipart upload",
operation: MultipartOpAbort,
method: "DELETE",
path: "/test-bucket/test-file.txt?uploadId=test-upload-id",
sessionToken: sessionToken,
expectedResult: s3err.ErrNone,
},
{
name: "List multipart uploads",
operation: MultipartOpList,
method: "GET",
path: "/test-bucket?uploads",
sessionToken: sessionToken,
expectedResult: s3err.ErrNone,
},
{
name: "Upload part without session token",
operation: MultipartOpUploadPart,
method: "PUT",
path: "/test-bucket/test-file.txt?partNumber=1&uploadId=test-upload-id",
sessionToken: "",
expectedResult: s3err.ErrNone, // Falls back to standard auth
},
{
name: "Upload part with invalid session token",
operation: MultipartOpUploadPart,
method: "PUT",
path: "/test-bucket/test-file.txt?partNumber=1&uploadId=test-upload-id",
sessionToken: "invalid-token",
expectedResult: s3err.ErrAccessDenied,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Create request for multipart operation
req := createMultipartRequest(t, tt.method, tt.path, tt.sessionToken)
// Create identity for testing
identity := &Identity{
Name: "test-user",
Account: &AccountAdmin,
}
// Test validation
result := iam.ValidateMultipartOperationWithIAM(req, identity, tt.operation)
assert.Equal(t, tt.expectedResult, result, "Multipart IAM validation result should match expected")
})
}
}
// TestMultipartUploadPolicy tests multipart upload security policies
func TestMultipartUploadPolicy(t *testing.T) {
policy := &MultipartUploadPolicy{
MaxPartSize: 10 * 1024 * 1024, // 10MB for testing
MinPartSize: 5 * 1024 * 1024, // 5MB minimum
MaxParts: 100, // 100 parts max for testing
AllowedContentTypes: []string{"application/json", "text/plain"},
RequiredHeaders: []string{"Content-Type"},
}
tests := []struct {
name string
request *MultipartUploadRequest
expectedError string
}{
{
name: "Valid upload part request",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 1,
Operation: string(MultipartOpUploadPart),
ContentSize: 8 * 1024 * 1024, // 8MB
Headers: map[string]string{
"Content-Type": "application/json",
},
},
expectedError: "",
},
{
name: "Part size too large",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 1,
Operation: string(MultipartOpUploadPart),
ContentSize: 15 * 1024 * 1024, // 15MB exceeds limit
Headers: map[string]string{
"Content-Type": "application/json",
},
},
expectedError: "part size",
},
{
name: "Invalid part number (too high)",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 150, // Exceeds max parts
Operation: string(MultipartOpUploadPart),
ContentSize: 8 * 1024 * 1024,
Headers: map[string]string{
"Content-Type": "application/json",
},
},
expectedError: "part number",
},
{
name: "Invalid part number (too low)",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 0, // Must be >= 1
Operation: string(MultipartOpUploadPart),
ContentSize: 8 * 1024 * 1024,
Headers: map[string]string{
"Content-Type": "application/json",
},
},
expectedError: "part number",
},
{
name: "Content type not allowed",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 1,
Operation: string(MultipartOpUploadPart),
ContentSize: 8 * 1024 * 1024,
Headers: map[string]string{
"Content-Type": "video/mp4", // Not in allowed list
},
},
expectedError: "content type video/mp4 is not allowed",
},
{
name: "Missing required header",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
PartNumber: 1,
Operation: string(MultipartOpUploadPart),
ContentSize: 8 * 1024 * 1024,
Headers: map[string]string{}, // Missing Content-Type
},
expectedError: "required header Content-Type is missing",
},
{
name: "Non-upload operation (should not validate size)",
request: &MultipartUploadRequest{
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
Operation: string(MultipartOpInitiate),
Headers: map[string]string{
"Content-Type": "application/json",
},
},
expectedError: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := policy.ValidateMultipartRequestWithPolicy(tt.request)
if tt.expectedError == "" {
assert.NoError(t, err, "Policy validation should succeed")
} else {
assert.Error(t, err, "Policy validation should fail")
assert.Contains(t, err.Error(), tt.expectedError, "Error message should contain expected text")
}
})
}
}
// TestMultipartS3ActionMapping tests the mapping of multipart operations to S3 actions
func TestMultipartS3ActionMapping(t *testing.T) {
tests := []struct {
operation MultipartOperation
expectedAction Action
}{
{MultipartOpInitiate, s3_constants.ACTION_CREATE_MULTIPART_UPLOAD},
{MultipartOpUploadPart, s3_constants.ACTION_UPLOAD_PART},
{MultipartOpComplete, s3_constants.ACTION_COMPLETE_MULTIPART},
{MultipartOpAbort, s3_constants.ACTION_ABORT_MULTIPART},
{MultipartOpList, s3_constants.ACTION_LIST_MULTIPART_UPLOADS},
{MultipartOpListParts, s3_constants.ACTION_LIST_PARTS},
{MultipartOperation("unknown"), "s3:InternalErrorUnknownMultipartAction"}, // Fail-closed for security
}
for _, tt := range tests {
t.Run(string(tt.operation), func(t *testing.T) {
action := determineMultipartS3Action(tt.operation)
assert.Equal(t, tt.expectedAction, action, "S3 action mapping should match expected")
})
}
}
// TestSessionTokenExtraction tests session token extraction from various sources
func TestSessionTokenExtraction(t *testing.T) {
tests := []struct {
name string
setupRequest func() *http.Request
expectedToken string
}{
{
name: "Bearer token in Authorization header",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt", nil)
req.Header.Set("Authorization", "Bearer test-session-token-123")
return req
},
expectedToken: "test-session-token-123",
},
{
name: "X-Amz-Security-Token header",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt", nil)
req.Header.Set("X-Amz-Security-Token", "security-token-456")
return req
},
expectedToken: "security-token-456",
},
{
name: "X-Amz-Security-Token query parameter",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt?X-Amz-Security-Token=query-token-789", nil)
return req
},
expectedToken: "query-token-789",
},
{
name: "No token present",
setupRequest: func() *http.Request {
return httptest.NewRequest("PUT", "/test-bucket/test-file.txt", nil)
},
expectedToken: "",
},
{
name: "Authorization header without Bearer",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt", nil)
req.Header.Set("Authorization", "AWS access_key:signature")
return req
},
expectedToken: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := tt.setupRequest()
token := extractSessionTokenFromRequest(req)
assert.Equal(t, tt.expectedToken, token, "Extracted token should match expected")
})
}
}
// TestUploadPartValidation tests upload part request validation
func TestUploadPartValidation(t *testing.T) {
s3Server := &S3ApiServer{}
tests := []struct {
name string
setupRequest func() *http.Request
expectedError string
}{
{
name: "Valid upload part request",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt?partNumber=1&uploadId=test-123", nil)
req.Header.Set("Content-Type", "application/octet-stream")
req.ContentLength = 6 * 1024 * 1024 // 6MB
return req
},
expectedError: "",
},
{
name: "Missing partNumber parameter",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt?uploadId=test-123", nil)
req.Header.Set("Content-Type", "application/octet-stream")
req.ContentLength = 6 * 1024 * 1024
return req
},
expectedError: "missing partNumber parameter",
},
{
name: "Invalid partNumber format",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt?partNumber=abc&uploadId=test-123", nil)
req.Header.Set("Content-Type", "application/octet-stream")
req.ContentLength = 6 * 1024 * 1024
return req
},
expectedError: "invalid partNumber",
},
{
name: "Part size too large",
setupRequest: func() *http.Request {
req := httptest.NewRequest("PUT", "/test-bucket/test-file.txt?partNumber=1&uploadId=test-123", nil)
req.Header.Set("Content-Type", "application/octet-stream")
req.ContentLength = 6 * 1024 * 1024 * 1024 // 6GB exceeds 5GB limit
return req
},
expectedError: "part size",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := tt.setupRequest()
err := s3Server.validateUploadPartRequest(req)
if tt.expectedError == "" {
assert.NoError(t, err, "Upload part validation should succeed")
} else {
assert.Error(t, err, "Upload part validation should fail")
assert.Contains(t, err.Error(), tt.expectedError, "Error message should contain expected text")
}
})
}
}
// TestDefaultMultipartUploadPolicy tests the default policy configuration
func TestDefaultMultipartUploadPolicy(t *testing.T) {
policy := DefaultMultipartUploadPolicy()
assert.Equal(t, int64(5*1024*1024*1024), policy.MaxPartSize, "Max part size should be 5GB")
assert.Equal(t, int64(5*1024*1024), policy.MinPartSize, "Min part size should be 5MB")
assert.Equal(t, 10000, policy.MaxParts, "Max parts should be 10,000")
assert.Equal(t, 7*24*time.Hour, policy.MaxUploadDuration, "Max upload duration should be 7 days")
assert.Empty(t, policy.AllowedContentTypes, "Should allow all content types by default")
assert.Empty(t, policy.RequiredHeaders, "Should have no required headers by default")
assert.Empty(t, policy.IPWhitelist, "Should have no IP restrictions by default")
}
// TestMultipartUploadSession tests multipart upload session structure
func TestMultipartUploadSession(t *testing.T) {
session := &MultipartUploadSession{
UploadID: "test-upload-123",
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
Initiator: "arn:aws:iam::user/testuser",
Owner: "arn:aws:iam::user/testuser",
CreatedAt: time.Now(),
Parts: []MultipartUploadPart{
{
PartNumber: 1,
Size: 5 * 1024 * 1024,
ETag: "abc123",
LastModified: time.Now(),
Checksum: "sha256:def456",
},
},
Metadata: map[string]string{
"Content-Type": "application/octet-stream",
"x-amz-meta-custom": "value",
},
Policy: DefaultMultipartUploadPolicy(),
SessionToken: "session-token-789",
}
assert.NotEmpty(t, session.UploadID, "Upload ID should not be empty")
assert.NotEmpty(t, session.Bucket, "Bucket should not be empty")
assert.NotEmpty(t, session.ObjectKey, "Object key should not be empty")
assert.Len(t, session.Parts, 1, "Should have one part")
assert.Equal(t, 1, session.Parts[0].PartNumber, "Part number should be 1")
assert.NotNil(t, session.Policy, "Policy should not be nil")
}
// Helper functions for tests
func setupTestIAMManagerForMultipart(t *testing.T) *integration.IAMManager {
// Create IAM manager
manager := integration.NewIAMManager()
// Initialize with test configuration
config := &integration.IAMConfig{
STS: &sts.STSConfig{
TokenDuration: sts.FlexibleDuration{Duration: time.Hour},
MaxSessionLength: sts.FlexibleDuration{Duration: time.Hour * 12},
Issuer: "test-sts",
SigningKey: []byte("test-signing-key-32-characters-long"),
},
Policy: &policy.PolicyEngineConfig{
DefaultEffect: "Deny",
StoreType: "memory",
},
Roles: &integration.RoleStoreConfig{
StoreType: "memory",
},
}
err := manager.Initialize(config, func() string {
return "localhost:8888" // Mock filer address for testing
})
require.NoError(t, err)
// Set up test identity providers
setupTestProvidersForMultipart(t, manager)
return manager
}
func setupTestProvidersForMultipart(t *testing.T, manager *integration.IAMManager) {
// Set up OIDC provider
oidcProvider := oidc.NewMockOIDCProvider("test-oidc")
oidcConfig := &oidc.OIDCConfig{
Issuer: "https://test-issuer.com",
ClientID: "test-client-id",
}
err := oidcProvider.Initialize(oidcConfig)
require.NoError(t, err)
oidcProvider.SetupDefaultTestData()
// Set up LDAP provider
ldapProvider := ldap.NewMockLDAPProvider("test-ldap")
err = ldapProvider.Initialize(nil) // Mock doesn't need real config
require.NoError(t, err)
ldapProvider.SetupDefaultTestData()
// Register providers
err = manager.RegisterIdentityProvider(oidcProvider)
require.NoError(t, err)
err = manager.RegisterIdentityProvider(ldapProvider)
require.NoError(t, err)
}
func setupTestRolesForMultipart(ctx context.Context, manager *integration.IAMManager) {
// Create write policy for multipart operations
writePolicy := &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Sid: "AllowS3MultipartOperations",
Effect: "Allow",
Action: []string{
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:CreateMultipartUpload",
"s3:UploadPart",
"s3:CompleteMultipartUpload",
"s3:AbortMultipartUpload",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
},
Resource: []string{
"arn:aws:s3:::*",
"arn:aws:s3:::*/*",
},
},
},
}
manager.CreatePolicy(ctx, "", "S3WritePolicy", writePolicy)
// Create write role
manager.CreateRole(ctx, "", "S3WriteRole", &integration.RoleDefinition{
RoleName: "S3WriteRole",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "https://test-issuer.com",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3WritePolicy"},
})
// Create a role for multipart users
manager.CreateRole(ctx, "", "MultipartUser", &integration.RoleDefinition{
RoleName: "MultipartUser",
TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17",
Statement: []policy.Statement{
{
Effect: "Allow",
Principal: map[string]interface{}{
"Federated": "https://test-issuer.com",
},
Action: []string{"sts:AssumeRoleWithWebIdentity"},
},
},
},
AttachedPolicies: []string{"S3WritePolicy"},
})
}
func createMultipartRequest(t *testing.T, method, path, sessionToken string) *http.Request {
req := httptest.NewRequest(method, path, nil)
// Add session token if provided
if sessionToken != "" {
req.Header.Set("Authorization", "Bearer "+sessionToken)
// Set the principal ARN header that matches the assumed role from the test setup
// This corresponds to the role "arn:aws:iam::role/S3WriteRole" with session name "multipart-test-session"
req.Header.Set("X-SeaweedFS-Principal", "arn:aws:sts::assumed-role/S3WriteRole/multipart-test-session")
}
// Add common headers
req.Header.Set("Content-Type", "application/octet-stream")
return req
}
Reference in New Issue View Git Blame Copy Permalink