ee3813787e
* feat: Add AWS IAM Policy Variables support to S3 API
Implements policy variables for dynamic access control in bucket policies.
Supported variables:
- aws:username - Extracted from principal ARN
- aws:userid - User identifier (same as username in SeaweedFS)
- aws:principaltype - IAMUser, IAMRole, or AssumedRole
- jwt:* - Any JWT claim (e.g., jwt:preferred_username, jwt:sub)
Key changes:
- Added PolicyVariableRegex to detect ${...} patterns
- Extended CompiledStatement with DynamicResourcePatterns, DynamicPrincipalPatterns, DynamicActionPatterns
- Added Claims field to PolicyEvaluationArgs for JWT claim access
- Implemented SubstituteVariables() for variable replacement from context and JWT claims
- Implemented extractPrincipalVariables() for ARN parsing
- Updated EvaluateConditions() to support variable substitution
- Comprehensive unit and integration tests
Resolves #8037
* feat: Add LDAP and PrincipalAccount variable support
Completes future enhancements for policy variables:
- Added ldap:* variable support for LDAP claims
- ldap:username - LDAP username from claims
- ldap:dn - LDAP distinguished name from claims
- ldap:* - Any LDAP claim
- Added aws:PrincipalAccount extraction from ARN
- Extracts account ID from principal ARN
- Available as ${aws:PrincipalAccount} in policies
Updated SubstituteVariables() to check LDAP claims
Updated extractPrincipalVariables() to extract account ID
Added comprehensive tests for new variables
* feat(s3api): implement IAM policy variables core logic and optimization
* feat(s3api): integrate policy variables with S3 authentication and handlers
* test(s3api): add integration tests for policy variables
* cleanup: remove unused policy conversion files
* Add S3 policy variables integration tests and path support
- Add comprehensive integration tests for policy variables
- Test username isolation, JWT claims, LDAP claims
- Add support for IAM paths in principal ARN parsing
- Add tests for principals with paths
* Fix IAM Role principal variable extraction
IAM Roles should not have aws:userid or aws:PrincipalAccount
according to AWS behavior. Only IAM Users and Assumed Roles
should have these variables.
Fixes TestExtractPrincipalVariables test failures.
* Security fixes and bug fixes for S3 policy variables
SECURITY FIXES:
- Prevent X-SeaweedFS-Principal header spoofing by clearing internal
headers at start of authentication (auth_credentials.go)
- Restrict policy variable substitution to safe allowlist to prevent
client header injection (iam/policy/policy_engine.go)
- Add core policy validation before storing bucket policies
BUG FIXES:
- Remove unused sid variable in evaluateStatement
- Fix LDAP claim lookup to check both prefixed and unprefixed keys
- Add ValidatePolicy call in PutBucketPolicyHandler
These fixes prevent privilege escalation via header injection and
ensure only validated identity claims are used in policy evaluation.
* Additional security fixes and code cleanup
SECURITY FIXES:
- Fixed X-Forwarded-For spoofing by only trusting proxy headers from
private/localhost IPs (s3_iam_middleware.go)
- Changed context key from "sourceIP" to "aws:SourceIp" for proper
policy variable substitution
CODE IMPROVEMENTS:
- Kept aws:PrincipalAccount for IAM Roles to support condition evaluations
- Removed redundant STS principaltype override
- Removed unused service variable
- Cleaned up commented-out debug logging statements
- Updated tests to reflect new IAM Role behavior
These changes prevent IP spoofing attacks and ensure policy variables
work correctly with the safe allowlist.
* Add security documentation for ParseJWTToken
Added comprehensive security comments explaining that ParseJWTToken
is safe despite parsing without verification because:
- It's only used for routing to the correct verification method
- All code paths perform cryptographic verification before trusting claims
- OIDC tokens: validated via validateExternalOIDCToken
- STS tokens: validated via ValidateSessionToken
Enhanced function documentation with clear security warnings about
proper usage to prevent future misuse.
* Fix IP condition evaluation to use aws:SourceIp key
Fixed evaluateIPCondition in IAM policy engine to use "aws:SourceIp"
instead of "sourceIP" to match the updated extractRequestContext.
This fixes the failing IP-restricted role test where IP-based policy
conditions were not being evaluated correctly.
Updated all test cases to use the correct "aws:SourceIp" key.
* Address code review feedback: optimize and clarify
PERFORMANCE IMPROVEMENT:
- Optimized expandPolicyVariables to use regexp.ReplaceAllStringFunc
for single-pass variable substitution instead of iterating through
all safe variables. This improves performance from O(n*m) to O(m)
where n is the number of safe variables and m is the pattern length.
CODE CLARITY:
- Added detailed comment explaining LDAP claim fallback mechanism
(checks both prefixed and unprefixed keys for compatibility)
- Enhanced TODO comment for trusted proxy configuration with rationale
and recommendations for supporting cloud load balancers, CDNs, and
complex network topologies
All tests passing.
* Address Copilot code review feedback
BUG FIXES:
- Fixed type switch for int/int32/int64 - separated into individual cases
since interface type switches only match the first type in multi-type cases
- Fixed grammatically incorrect error message in types.go
CODE QUALITY:
- Removed duplicate Resource/NotResource validation (already in ValidateStatement)
- Added comprehensive comment explaining isEnabled() logic and security implications
- Improved trusted proxy NOTE comment to be more concise while noting limitations
All tests passing.
* Fix test failures after extractSourceIP security changes
Updated tests to work with the security fix that only trusts
X-Forwarded-For/X-Real-IP headers from private IP addresses:
- Set RemoteAddr to 127.0.0.1 in tests to simulate trusted proxy
- Changed context key from "sourceIP" to "aws:SourceIp"
- Added test case for untrusted proxy (public RemoteAddr)
- Removed invalid ValidateStatement call (validation happens in ValidatePolicy)
All tests now passing.
* Address remaining Gemini code review feedback
CODE SAFETY:
- Deep clone Action field in CompileStatement to prevent potential data races
if the original policy document is modified after compilation
TEST CLEANUP:
- Remove debug logging (fmt.Fprintf) from engine_notresource_test.go
- Remove unused imports in engine_notresource_test.go
All tests passing.
* Fix insecure JWT parsing in IAM auth flow
SECURITY FIX:
- Renamed ParseJWTToken to ParseUnverifiedJWTToken with explicit security warnings.
- Refactored AuthenticateJWT to use the trusted SessionInfo returned by ValidateSessionToken
instead of relying on unverified claims from the initial parse.
- Refactored ValidatePresignedURLWithIAM to reuse the robust AuthenticateJWT logic, removing
duplicated and insecure manual token parsing.
This ensures all identity information (Role, Principal, Subject) used for authorization
decisions is derived solely from cryptographically verified tokens.
* Security: Fix insecure JWT claim extraction in policy engine
- Refactored EvaluatePolicy to accept trusted claims from verified Identity instead of parsing unverified tokens
- Updated AuthenticateJWT to populate Claims in IAMIdentity from verified sources (SessionInfo/ExternalIdentity)
- Updated s3api_server and handlers to pass claims correctly
- Improved isPrivateIP to support IPv6 loopback, link-local, and ULA
- Fixed flaky distributed_session_consistency test with retry logic
* fix(iam): populate Subject in STSSessionInfo to ensure correct identity propagation
This fixes the TestS3IAMAuthentication/valid_jwt_token_authentication failure by ensuring the session subject (sub) is correctly mapped to the internal SessionInfo struct, allowing bucket ownership validation to succeed.
* Optimized isPrivateIP
* Create s3-policy-tests.yml
* fix tests
* fix tests
* tests(s3/iam): simplify policy to resource-based \ (step 1)
* tests(s3/iam): add explicit Deny NotResource for isolation (step 2)
* fixes
* policy: skip resource matching for STS trust policies to allow AssumeRole evaluation
* refactor: remove debug logging and hoist policy variables for performance
* test: fix TestS3IAMBucketPolicyIntegration cleanup to handle per-subtest object lifecycle
* test: fix bucket name generation to comply with S3 63-char limit
* test: skip TestS3IAMPolicyEnforcement until role setup is implemented
* test: use weed mini for simpler test server deployment
Replace 'weed server' with 'weed mini' for IAM tests to avoid port binding issues
and simplify the all-in-one server deployment. This improves test reliability
and execution time.
* security: prevent allocation overflow in policy evaluation
Add maxPoliciesForEvaluation constant to cap the number of policies evaluated
in a single request. This prevents potential integer overflow when allocating
slices for policy lists that may be influenced by untrusted input.
Changes:
- Add const maxPoliciesForEvaluation = 1024 to set an upper bound
- Validate len(policies) < maxPoliciesForEvaluation before appending bucket policy
- Use append() instead of make([]string, len+1) to avoid arithmetic overflow
- Apply fix to both IsActionAllowed policy evaluation paths
506 lines
14 KiB
Go
506 lines
14 KiB
Go
package s3api
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/integration"
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/sts"
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/utils"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// TestS3IAMMiddleware tests the basic S3 IAM middleware functionality
|
|
func TestS3IAMMiddleware(t *testing.T) {
|
|
// Create IAM manager
|
|
iamManager := integration.NewIAMManager()
|
|
|
|
// Initialize with test configuration
|
|
config := &integration.IAMConfig{
|
|
STS: &sts.STSConfig{
|
|
TokenDuration: sts.FlexibleDuration{Duration: time.Hour},
|
|
MaxSessionLength: sts.FlexibleDuration{Duration: time.Hour * 12},
|
|
Issuer: "test-sts",
|
|
SigningKey: []byte("test-signing-key-32-characters-long"),
|
|
},
|
|
Policy: &policy.PolicyEngineConfig{
|
|
DefaultEffect: "Deny",
|
|
StoreType: "memory",
|
|
},
|
|
Roles: &integration.RoleStoreConfig{
|
|
StoreType: "memory",
|
|
},
|
|
}
|
|
|
|
err := iamManager.Initialize(config, func() string {
|
|
return "localhost:8888" // Mock filer address for testing
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
// Create S3 IAM integration
|
|
s3IAMIntegration := NewS3IAMIntegration(iamManager, "localhost:8888")
|
|
|
|
// Test that integration is created successfully
|
|
assert.NotNil(t, s3IAMIntegration)
|
|
assert.True(t, s3IAMIntegration.enabled)
|
|
}
|
|
|
|
// TestS3IAMMiddlewareJWTAuth tests JWT authentication
|
|
func TestS3IAMMiddlewareJWTAuth(t *testing.T) {
|
|
// Skip for now since it requires full setup
|
|
t.Skip("JWT authentication test requires full IAM setup")
|
|
|
|
// Create IAM integration
|
|
s3iam := NewS3IAMIntegration(nil, "localhost:8888") // Disabled integration
|
|
|
|
// Create test request with JWT token
|
|
req := httptest.NewRequest("GET", "/test-bucket/test-object", http.NoBody)
|
|
req.Header.Set("Authorization", "Bearer test-token")
|
|
|
|
// Test authentication (should return not implemented when disabled)
|
|
ctx := context.Background()
|
|
identity, errCode := s3iam.AuthenticateJWT(ctx, req)
|
|
|
|
assert.Nil(t, identity)
|
|
assert.NotEqual(t, errCode, 0) // Should return an error
|
|
}
|
|
|
|
// TestBuildS3ResourceArn tests resource ARN building
|
|
func TestBuildS3ResourceArn(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
bucket string
|
|
object string
|
|
expected string
|
|
}{
|
|
{
|
|
name: "empty bucket and object",
|
|
bucket: "",
|
|
object: "",
|
|
expected: "arn:aws:s3:::*",
|
|
},
|
|
{
|
|
name: "bucket only",
|
|
bucket: "test-bucket",
|
|
object: "",
|
|
expected: "arn:aws:s3:::test-bucket",
|
|
},
|
|
{
|
|
name: "bucket and object",
|
|
bucket: "test-bucket",
|
|
object: "test-object.txt",
|
|
expected: "arn:aws:s3:::test-bucket/test-object.txt",
|
|
},
|
|
{
|
|
name: "bucket and object with leading slash",
|
|
bucket: "test-bucket",
|
|
object: "/test-object.txt",
|
|
expected: "arn:aws:s3:::test-bucket/test-object.txt",
|
|
},
|
|
{
|
|
name: "bucket and nested object",
|
|
bucket: "test-bucket",
|
|
object: "folder/subfolder/test-object.txt",
|
|
expected: "arn:aws:s3:::test-bucket/folder/subfolder/test-object.txt",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := buildS3ResourceArn(tt.bucket, tt.object)
|
|
assert.Equal(t, tt.expected, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestDetermineGranularS3Action tests granular S3 action determination from HTTP requests
|
|
func TestDetermineGranularS3Action(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
method string
|
|
bucket string
|
|
objectKey string
|
|
queryParams map[string]string
|
|
fallbackAction Action
|
|
expected string
|
|
description string
|
|
}{
|
|
// Object-level operations
|
|
{
|
|
name: "get_object",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_READ,
|
|
expected: "s3:GetObject",
|
|
description: "Basic object retrieval",
|
|
},
|
|
{
|
|
name: "get_object_acl",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{"acl": ""},
|
|
fallbackAction: s3_constants.ACTION_READ_ACP,
|
|
expected: "s3:GetObjectAcl",
|
|
description: "Object ACL retrieval",
|
|
},
|
|
{
|
|
name: "get_object_tagging",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{"tagging": ""},
|
|
fallbackAction: s3_constants.ACTION_TAGGING,
|
|
expected: "s3:GetObjectTagging",
|
|
description: "Object tagging retrieval",
|
|
},
|
|
{
|
|
name: "put_object",
|
|
method: "PUT",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:PutObject",
|
|
description: "Basic object upload",
|
|
},
|
|
{
|
|
name: "put_object_acl",
|
|
method: "PUT",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{"acl": ""},
|
|
fallbackAction: s3_constants.ACTION_WRITE_ACP,
|
|
expected: "s3:PutObjectAcl",
|
|
description: "Object ACL modification",
|
|
},
|
|
{
|
|
name: "delete_object",
|
|
method: "DELETE",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_WRITE, // DELETE object uses WRITE fallback
|
|
expected: "s3:DeleteObject",
|
|
description: "Object deletion - correctly mapped to DeleteObject (not PutObject)",
|
|
},
|
|
{
|
|
name: "delete_object_tagging",
|
|
method: "DELETE",
|
|
bucket: "test-bucket",
|
|
objectKey: "test-object.txt",
|
|
queryParams: map[string]string{"tagging": ""},
|
|
fallbackAction: s3_constants.ACTION_TAGGING,
|
|
expected: "s3:DeleteObjectTagging",
|
|
description: "Object tag deletion",
|
|
},
|
|
|
|
// Multipart upload operations
|
|
{
|
|
name: "create_multipart_upload",
|
|
method: "POST",
|
|
bucket: "test-bucket",
|
|
objectKey: "large-file.txt",
|
|
queryParams: map[string]string{"uploads": ""},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:CreateMultipartUpload",
|
|
description: "Multipart upload initiation",
|
|
},
|
|
{
|
|
name: "upload_part",
|
|
method: "PUT",
|
|
bucket: "test-bucket",
|
|
objectKey: "large-file.txt",
|
|
queryParams: map[string]string{"uploadId": "12345", "partNumber": "1"},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:UploadPart",
|
|
description: "Multipart part upload",
|
|
},
|
|
{
|
|
name: "complete_multipart_upload",
|
|
method: "POST",
|
|
bucket: "test-bucket",
|
|
objectKey: "large-file.txt",
|
|
queryParams: map[string]string{"uploadId": "12345"},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:CompleteMultipartUpload",
|
|
description: "Multipart upload completion",
|
|
},
|
|
{
|
|
name: "abort_multipart_upload",
|
|
method: "DELETE",
|
|
bucket: "test-bucket",
|
|
objectKey: "large-file.txt",
|
|
queryParams: map[string]string{"uploadId": "12345"},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:AbortMultipartUpload",
|
|
description: "Multipart upload abort",
|
|
},
|
|
|
|
// Bucket-level operations
|
|
{
|
|
name: "list_bucket",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_LIST,
|
|
expected: "s3:ListBucket",
|
|
description: "Bucket listing",
|
|
},
|
|
{
|
|
name: "get_bucket_acl",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "",
|
|
queryParams: map[string]string{"acl": ""},
|
|
fallbackAction: s3_constants.ACTION_READ_ACP,
|
|
expected: "s3:GetBucketAcl",
|
|
description: "Bucket ACL retrieval",
|
|
},
|
|
{
|
|
name: "put_bucket_policy",
|
|
method: "PUT",
|
|
bucket: "test-bucket",
|
|
objectKey: "",
|
|
queryParams: map[string]string{"policy": ""},
|
|
fallbackAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:PutBucketPolicy",
|
|
description: "Bucket policy modification",
|
|
},
|
|
{
|
|
name: "delete_bucket",
|
|
method: "DELETE",
|
|
bucket: "test-bucket",
|
|
objectKey: "",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_DELETE_BUCKET,
|
|
expected: "s3:DeleteBucket",
|
|
description: "Bucket deletion",
|
|
},
|
|
{
|
|
name: "list_multipart_uploads",
|
|
method: "GET",
|
|
bucket: "test-bucket",
|
|
objectKey: "",
|
|
queryParams: map[string]string{"uploads": ""},
|
|
fallbackAction: s3_constants.ACTION_LIST,
|
|
expected: "s3:ListBucketMultipartUploads",
|
|
description: "List multipart uploads in bucket",
|
|
},
|
|
|
|
// Fallback scenarios
|
|
{
|
|
name: "legacy_read_fallback",
|
|
method: "GET",
|
|
bucket: "",
|
|
objectKey: "",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: s3_constants.ACTION_READ,
|
|
expected: "s3:GetObject",
|
|
description: "Legacy read action fallback",
|
|
},
|
|
{
|
|
name: "already_granular_action",
|
|
method: "GET",
|
|
bucket: "",
|
|
objectKey: "",
|
|
queryParams: map[string]string{},
|
|
fallbackAction: "s3:GetBucketLocation", // Already granular
|
|
expected: "s3:GetBucketLocation",
|
|
description: "Already granular action passed through",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// Create HTTP request with query parameters
|
|
req := &http.Request{
|
|
Method: tt.method,
|
|
URL: &url.URL{Path: "/" + tt.bucket + "/" + tt.objectKey},
|
|
}
|
|
|
|
// Add query parameters
|
|
query := req.URL.Query()
|
|
for key, value := range tt.queryParams {
|
|
query.Set(key, value)
|
|
}
|
|
req.URL.RawQuery = query.Encode()
|
|
|
|
// Test the action determination
|
|
result := ResolveS3Action(req, string(tt.fallbackAction), tt.bucket, tt.objectKey)
|
|
|
|
assert.Equal(t, tt.expected, result,
|
|
"Test %s failed: %s. Expected %s but got %s",
|
|
tt.name, tt.description, tt.expected, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestMapLegacyActionToIAM tests the legacy action fallback mapping
|
|
func TestMapLegacyActionToIAM(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
legacyAction Action
|
|
expected string
|
|
}{
|
|
{
|
|
name: "read_action_fallback",
|
|
legacyAction: s3_constants.ACTION_READ,
|
|
expected: "s3:GetObject",
|
|
},
|
|
{
|
|
name: "write_action_fallback",
|
|
legacyAction: s3_constants.ACTION_WRITE,
|
|
expected: "s3:PutObject",
|
|
},
|
|
{
|
|
name: "admin_action_fallback",
|
|
legacyAction: s3_constants.ACTION_ADMIN,
|
|
expected: "s3:*",
|
|
},
|
|
{
|
|
name: "granular_multipart_action",
|
|
legacyAction: s3_constants.ACTION_CREATE_MULTIPART_UPLOAD,
|
|
expected: "s3:CreateMultipartUpload",
|
|
},
|
|
{
|
|
name: "unknown_action_with_s3_prefix",
|
|
legacyAction: "s3:CustomAction",
|
|
expected: "s3:CustomAction",
|
|
},
|
|
{
|
|
name: "unknown_action_without_prefix",
|
|
legacyAction: "CustomAction",
|
|
expected: "s3:CustomAction",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := mapLegacyActionToIAM(tt.legacyAction)
|
|
assert.Equal(t, tt.expected, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestExtractSourceIP tests source IP extraction from requests
|
|
func TestExtractSourceIP(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
setupReq func() *http.Request
|
|
expectedIP string
|
|
}{
|
|
{
|
|
name: "X-Forwarded-For header",
|
|
setupReq: func() *http.Request {
|
|
req := httptest.NewRequest("GET", "/test", http.NoBody)
|
|
req.Header.Set("X-Forwarded-For", "192.168.1.100, 10.0.0.1")
|
|
// Set RemoteAddr to private IP to simulate trusted proxy
|
|
req.RemoteAddr = "127.0.0.1:12345"
|
|
return req
|
|
},
|
|
expectedIP: "192.168.1.100",
|
|
},
|
|
{
|
|
name: "X-Real-IP header",
|
|
setupReq: func() *http.Request {
|
|
req := httptest.NewRequest("GET", "/test", http.NoBody)
|
|
req.Header.Set("X-Real-IP", "192.168.1.200")
|
|
// Set RemoteAddr to private IP to simulate trusted proxy
|
|
req.RemoteAddr = "127.0.0.1:12345"
|
|
return req
|
|
},
|
|
expectedIP: "192.168.1.200",
|
|
},
|
|
{
|
|
name: "RemoteAddr fallback",
|
|
setupReq: func() *http.Request {
|
|
req := httptest.NewRequest("GET", "/test", http.NoBody)
|
|
req.RemoteAddr = "192.168.1.300:12345"
|
|
return req
|
|
},
|
|
expectedIP: "192.168.1.300",
|
|
},
|
|
{
|
|
name: "Untrusted proxy - public RemoteAddr ignores X-Forwarded-For",
|
|
setupReq: func() *http.Request {
|
|
req := httptest.NewRequest("GET", "/test", http.NoBody)
|
|
req.Header.Set("X-Forwarded-For", "192.168.1.100")
|
|
// Public IP - headers should NOT be trusted
|
|
req.RemoteAddr = "8.8.8.8:12345"
|
|
return req
|
|
},
|
|
expectedIP: "8.8.8.8", // Should use RemoteAddr, not X-Forwarded-For
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
req := tt.setupReq()
|
|
result := extractSourceIP(req)
|
|
assert.Equal(t, tt.expectedIP, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestExtractRoleNameFromPrincipal tests role name extraction
|
|
func TestExtractRoleNameFromPrincipal(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
principal string
|
|
expected string
|
|
}{
|
|
{
|
|
name: "valid assumed role ARN",
|
|
principal: "arn:aws:sts::assumed-role/S3ReadOnlyRole/session-123",
|
|
expected: "S3ReadOnlyRole",
|
|
},
|
|
{
|
|
name: "invalid format",
|
|
principal: "invalid-principal",
|
|
expected: "", // Returns empty string to signal invalid format
|
|
},
|
|
{
|
|
name: "missing session name",
|
|
principal: "arn:aws:sts::assumed-role/TestRole",
|
|
expected: "TestRole", // Extracts role name even without session name
|
|
},
|
|
{
|
|
name: "empty principal",
|
|
principal: "",
|
|
expected: "",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := utils.ExtractRoleNameFromPrincipal(tt.principal)
|
|
assert.Equal(t, tt.expected, result)
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestIAMIdentityIsAdmin tests the IsAdmin method
|
|
func TestIAMIdentityIsAdmin(t *testing.T) {
|
|
identity := &IAMIdentity{
|
|
Name: "test-identity",
|
|
Principal: "arn:aws:sts::assumed-role/TestRole/session",
|
|
SessionToken: "test-token",
|
|
}
|
|
|
|
// In our implementation, IsAdmin always returns false since admin status
|
|
// is determined by policies, not identity
|
|
result := identity.IsAdmin()
|
|
assert.False(t, result)
|
|
}
|