Browse Source

fix tests

pull/8388/head
Chris Lu 2 days ago
parent
commit
380ae3cb54
  1. 39
      weed/s3api/identity_reflection_test.go
  2. 17
      weed/s3api/s3tables/handler_bucket_create.go

39
weed/s3api/identity_reflection_test.go

@ -0,0 +1,39 @@
package s3api
import (
"reflect"
"testing"
)
// TestIdentityFieldsForS3TablesReflection ensures the identity struct keeps the
// fields relied on by s3tables.getIdentityPrincipalArn, getIdentityPolicyNames,
// and getIdentityClaims via reflection.
func TestIdentityFieldsForS3TablesReflection(t *testing.T) {
typ := reflect.TypeOf(Identity{})
checkField(t, typ, "PrincipalArn", reflect.String)
field, ok := typ.FieldByName("PolicyNames")
if !ok {
t.Fatalf("Identity.PolicyNames missing")
}
if field.Type.Kind() != reflect.Slice {
t.Fatalf("Identity.PolicyNames must be a slice, got %s", field.Type.Kind())
}
field, ok = typ.FieldByName("Claims")
if !ok {
t.Fatalf("Identity.Claims missing")
}
if field.Type.Kind() != reflect.Map || field.Type.Key().Kind() != reflect.String {
t.Fatalf("Identity.Claims must be map[string]..., got %s/%s", field.Type.Kind(), field.Type.Key().Kind())
}
}
func checkField(t *testing.T, typ reflect.Type, name string, kind reflect.Kind) {
t.Helper()
field, ok := typ.FieldByName(name)
if !ok {
t.Fatalf("Identity.%s missing", name)
}
if field.Type.Kind() != kind {
t.Fatalf("Identity.%s must be %s, got %s", name, kind, field.Type.Kind())
}
}

17
weed/s3api/s3tables/handler_bucket_create.go

@ -29,13 +29,24 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
principal := h.getAccountID(r) principal := h.getAccountID(r)
identityActions := getIdentityActions(r) identityActions := getIdentityActions(r)
identityPolicyNames := getIdentityPolicyNames(r) identityPolicyNames := getIdentityPolicyNames(r)
if h.shouldUseIAM(r, identityActions, identityPolicyNames) {
useIAM := h.shouldUseIAM(r, identityActions, identityPolicyNames)
useLegacy := !useIAM
if useIAM {
allowed, err := h.authorizeIAMAction(r, identityPolicyNames, "CreateTableBucket", h.generateTableBucketARN(principal, req.Name), fmt.Sprintf("arn:aws:s3:::%s", req.Name)) allowed, err := h.authorizeIAMAction(r, identityPolicyNames, "CreateTableBucket", h.generateTableBucketARN(principal, req.Name), fmt.Sprintf("arn:aws:s3:::%s", req.Name))
if err != nil || !allowed {
if err != nil {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets")
return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets") return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets")
} }
} else {
if !allowed {
if h.defaultAllow && len(identityActions) == 0 && len(identityPolicyNames) == 0 {
useLegacy = true
} else {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets")
return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets")
}
}
}
if useLegacy {
owner := h.accountID owner := h.accountID
if owner == "" { if owner == "" {
owner = DefaultAccountID owner = DefaultAccountID

Loading…
Cancel
Save