diff --git a/test/s3/iam/iam_config.json b/test/s3/iam/iam_config.json
index ad2920fb5..35e9d28e3 100644
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@@ -5,6 +5,15 @@
 "issuer": "seaweedfs-sts",
 "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
 },
+ "identityProviders": [
+ {
+ "name": "test-oidc",
+ "type": "mock",
+ "config": {
+ "issuer": "test-oidc-issuer"
+ }
+ }
+ ],
 "policy": {
 "defaultEffect": "Deny",
 "storeType": "memory"
@@ -57,6 +66,11 @@
 "Effect": "Allow",
 "Action": "s3:*",
 "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "sts:ValidateSession",
+ "Resource": "*"
 }
 ]
 }
@@ -76,6 +90,11 @@
 "arn:seaweed:s3:::*",
 "arn:seaweed:s3:::*/*"
 ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "sts:ValidateSession",
+ "Resource": "*"
 }
 ]
 }
diff --git a/test/s3/iam/s3_iam_framework.go b/test/s3/iam/s3_iam_framework.go
index 1cd1c921e..0e4e5d7b8 100644
--- a/test/s3/iam/s3_iam_framework.go
+++ b/test/s3/iam/s3_iam_framework.go
@@ -305,12 +305,26 @@ func (f *S3IAMTestFramework) generateSTSSessionToken(username, roleName string,
 sessionId := fmt.Sprintf("test-session-%s-%s-%d", username, roleName, now.Unix())
 
 // Create session token claims exactly as TokenGenerator does
+ roleArn := fmt.Sprintf("arn:seaweed:iam::role/%s", roleName)
+ sessionName := fmt.Sprintf("test-session-%s", username)
+ principalArn := fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleName, sessionName)
+
 sessionClaims := jwt.MapClaims{
 "iss": "seaweedfs-sts",
 "sub": sessionId,
 "iat": now.Unix(),
 "exp": now.Add(validDuration).Unix(),
- "token_type": "session",
+ "nbf": now.Unix(),
+ "typ": "session",
+ "role": roleArn,
+ "snam": sessionName,
+ "principal": principalArn,
+ "assumed": principalArn,
+ "assumed_at": now.Format(time.RFC3339Nano),
+ "ext_uid": username,
+ "idp": "test-oidc",
+ "max_dur": int64(validDuration.Seconds()),
+ "sid": sessionId,
 }
 
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, sessionClaims)
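Review bot: The new `test-oidc` provider is declared with `"type": "mock"`, and nothing in this hunk constrains where a mock provider may be loaded; if that type accepts identities without verifying them against a real issuer, this config must never be reachable by a non-test server. Strict JSON has nowhere to put a warning, so the guard belongs in the loader (refuse, or simply not register, the `mock` provider type outside test builds) and in the test README, which should state that `test-oidc-issuer` is not a real issuer and that the `signingKey` just above is a throwaway test key. Note also that `"issuer": "test-oidc-issuer"` here differs from the `"iss": "seaweedfs-sts"` the framework puts on minted session tokens; presumably one is the IdP issuer and the other the STS issuer, but confirm the validator does not expect them to match.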
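Review bot: The claim set added here re-encodes TokenGenerator's layout by hand (`typ`, `role`, `snam`, `principal`, `assumed`, `assumed_at`, `ext_uid`, `idp`, `max_dur`, `sid`), so a later change to the server's claim names or value types will not fail to compile but will silently mint tokens the server rejects, or let tests pass against a format the server no longer checks. If TokenGenerator or its claim-name constants are importable from this test package, mint the token through it and keep only the test-specific inputs here; otherwise replace the comment with one that names the dependency, e.g. `// Claim names and types mirror the STS TokenGenerator; keep in sync when it changes`. `"principal"` and `"assumed"` carry the same ARN, which looks deliberate but deserves a one-line comment saying which of the two the server validates. `"nbf": now.Unix()` means a server clock even slightly behind the test host rejects the token as not yet valid; if TokenGenerator does the same this is a shared problem, otherwise a slightly backdated `nbf` would make the suite less flaky. generateSTSSessionToken's signature and the remainder of its body lie outside the hunk.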
diff --git a/test/s3/iam/test_jwt.go b/test/s3/iam/test_jwt.go
new file mode 100644
index 000000000..7e796eb27
--- /dev/null
+++ b/test/s3/iam/test_jwt.go
@@ -0,0 +1,41 @@
+package main
+
+import (
+ "fmt"
+ "time"
+ "encoding/base64"
+ "github.com/golang-jwt/jwt/v5"
+)
+
+func main() {
+ now := time.Now()
+ signingKeyB64 := "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
+ signingKey, _ := base64.StdEncoding.DecodeString(signingKeyB64)
+
+ sessionId := fmt.Sprintf("test-session-admin-user-TestAdminRole-%d", now.Unix())
+ roleArn := "arn:seaweed:iam::role/TestAdminRole"
+ sessionName := "test-session-admin-user"
+ principalArn := fmt.Sprintf("arn:seaweed:sts::assumed-role/TestAdminRole/%s", sessionName)
+
+ sessionClaims := jwt.MapClaims{
+ "iss": "seaweedfs-sts",
+ "sub": sessionId,
+ "iat": now.Unix(),
+ "exp": now.Add(time.Hour).Unix(),
+ "nbf": now.Unix(),
+ "typ": "session",
+ "role": roleArn,
+ "snam": sessionName,
+ "principal": principalArn,
+ "assumed": principalArn,
+ "assumed_at": now.Format(time.RFC3339Nano),
+ "ext_uid": "admin-user",
+ "idp": "test-oidc",
+ "max_dur": int64(time.Hour.Seconds()),
+ "sid": sessionId,
+ }
+
+ token := jwt.NewWithClaims(jwt.SigningMethodHS256, sessionClaims)
+ tokenString, _ := token.SignedString(signingKey)
+ fmt.Println(tokenString)
+}
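Review bot: Both error returns in `main` are discarded: if `base64.StdEncoding.DecodeString` fails, `signingKey` is empty and the program still prints a token HMAC-signed with an empty key, and if `SignedString` fails it prints a blank line, so whoever pastes the output into a test cannot tell a bad token from a good one; check both and exit non-zero, with `"log"` added to the import block. The key literal duplicates `signingKey` in iam_config.json and the two can drift silently, so either read it from the config file or add `// Must match signingKey in test/s3/iam/iam_config.json; test-only key, never reuse outside this directory`. The file is `package main` with its own `main` in the directory that also holds `s3_iam_framework.go`; if that file declares a different package name, or also defines `main`, `go build ./test/s3/iam/` breaks, so a `//go:build ignore` constraint or a `cmd/` subdirectory is the safer home for a one-off token minter. goimports would also order the block so `"encoding/base64"` precedes `"fmt"` and the jwt import sits in its own group.
```go
	signingKey, err := base64.StdEncoding.DecodeString(signingKeyB64)
	if err != nil {
		log.Fatalf("decoding signing key: %v", err)
	}
	// … unchanged: session identifiers and claim construction …
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, sessionClaims)
	tokenString, err := token.SignedString(signingKey)
	if err != nil {
		log.Fatalf("signing session token: %v", err)
	}
	fmt.Println(tokenString)
```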