From 4545eb08f3498df4bc528fa306ffc09f1a98772b Mon Sep 17 00:00:00 2001 From: chrislu Date: Tue, 26 Aug 2025 22:33:43 -0700 Subject: [PATCH] fmt --- .../policy/policy_variable_matching_test.go | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/weed/iam/policy/policy_variable_matching_test.go b/weed/iam/policy/policy_variable_matching_test.go index ad2305603..6b9827dff 100644 --- a/weed/iam/policy/policy_variable_matching_test.go +++ b/weed/iam/policy/policy_variable_matching_test.go @@ -8,7 +8,7 @@ import ( "github.com/stretchr/testify/require" ) -// TestPolicyVariableMatchingInActionsAndResources tests that Actions and Resources +// TestPolicyVariableMatchingInActionsAndResources tests that Actions and Resources // now support policy variables like ${aws:username} just like string conditions do func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { engine := NewPolicyEngine() @@ -16,7 +16,7 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { DefaultEffect: "Deny", StoreType: "memory", } - + err := engine.Initialize(config) require.NoError(t, err) @@ -31,12 +31,12 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { Sid: "AllowUserSpecificActions", Effect: "Allow", Action: []string{ - "s3:Get*", // Regular wildcard - "s3:${aws:principaltype}*", // Policy variable in action + "s3:Get*", // Regular wildcard + "s3:${aws:principaltype}*", // Policy variable in action }, Resource: []string{ - "arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource - "arn:aws:s3:::shared/${saml:username}/*", // Different policy variable + "arn:aws:s3:::user-${aws:username}/*", // Policy variable in resource + "arn:aws:s3:::shared/${saml:username}/*", // Different policy variable }, }, }, @@ -46,13 +46,13 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { require.NoError(t, err) tests := []struct { - name string - principal string - action string - resource string - requestContext map[string]interface{} - expectedEffect Effect - description string + name string + principal string + action string + resource string + requestContext map[string]interface{} + expectedEffect Effect + description string }{ { name: "policy_variable_in_action_matches", @@ -91,7 +91,7 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { { name: "policy_variable_no_match_wrong_user", principal: "charlie", - action: "s3:GetObject", + action: "s3:GetObject", resource: "arn:aws:s3:::user-alice/file.txt", // charlie trying to access alice's files requestContext: map[string]interface{}{ "aws:username": "charlie", @@ -100,10 +100,10 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { description: "Policy variable should prevent access when username doesn't match", }, { - name: "missing_policy_variable_context", - principal: "dave", - action: "s3:GetObject", - resource: "arn:aws:s3:::user-dave/file.txt", + name: "missing_policy_variable_context", + principal: "dave", + action: "s3:GetObject", + resource: "arn:aws:s3:::user-dave/file.txt", requestContext: map[string]interface{}{ // Missing aws:username context }, @@ -123,15 +123,15 @@ func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) { result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"user-specific-policy"}) require.NoError(t, err, "Policy evaluation should not error") - - assert.Equal(t, tt.expectedEffect, result.Effect, - "Test %s: %s. Expected %s but got %s", + + assert.Equal(t, tt.expectedEffect, result.Effect, + "Test %s: %s. Expected %s but got %s", tt.name, tt.description, tt.expectedEffect, result.Effect) }) } } -// TestActionResourceConsistencyWithStringConditions verifies that Actions, Resources, +// TestActionResourceConsistencyWithStringConditions verifies that Actions, Resources, // and string conditions all use the same AWS IAM-compliant matching logic func TestActionResourceConsistencyWithStringConditions(t *testing.T) { engine := NewPolicyEngine() @@ -139,7 +139,7 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { DefaultEffect: "Deny", StoreType: "memory", } - + err := engine.Initialize(config) require.NoError(t, err) @@ -151,9 +151,9 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { Version: "2012-10-17", Statement: []Statement{ { - Sid: "CaseInsensitiveMatching", - Effect: "Allow", - Action: []string{"S3:GET*"}, // Uppercase action pattern + Sid: "CaseInsensitiveMatching", + Effect: "Allow", + Action: []string{"S3:GET*"}, // Uppercase action pattern Resource: []string{"arn:aws:s3:::TEST-BUCKET/*"}, // Uppercase resource pattern Condition: map[string]map[string]interface{}{ "StringLike": { @@ -169,8 +169,8 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { evalCtx := &EvaluationContext{ Principal: "test-user", - Action: "s3:getobject", // lowercase action - Resource: "arn:aws:s3:::test-bucket/file.txt", // lowercase resource + Action: "s3:getobject", // lowercase action + Resource: "arn:aws:s3:::test-bucket/file.txt", // lowercase resource RequestContext: map[string]interface{}{ "s3:RequestedRegion": "us-east-1", // lowercase condition value }, @@ -178,14 +178,14 @@ func TestActionResourceConsistencyWithStringConditions(t *testing.T) { result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"case-insensitive-policy"}) require.NoError(t, err) - + // All should match due to case-insensitive AWS IAM-compliant matching - assert.Equal(t, EffectAllow, result.Effect, + assert.Equal(t, EffectAllow, result.Effect, "Actions, Resources, and Conditions should all use case-insensitive AWS IAM matching") - + // Verify that matching statements were found - assert.Len(t, result.MatchingStatements, 1, + assert.Len(t, result.MatchingStatements, 1, "Should have exactly one matching statement") - assert.Equal(t, "Allow", string(result.MatchingStatements[0].Effect), + assert.Equal(t, "Allow", string(result.MatchingStatements[0].Effect), "Matching statement should have Allow effect") }