From 5012a1b7160acbd278dead8166fb206abbad5614 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 15:58:14 -0700
Subject: [PATCH] iam: add input validation and persist groups during migration

- Validate nil/empty group name in CreateGroup and UpdateGroup
- Save groups in migrateToMultiFile so they survive legacy migration
---
 weed/credential/filer_etc/filer_etc_group.go | 6 ++++++
 weed/credential/filer_etc/filer_etc_identity.go | 9 ++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/weed/credential/filer_etc/filer_etc_group.go b/weed/credential/filer_etc/filer_etc_group.go
index 2a931bf22..04ae00b73 100644
--- a/weed/credential/filer_etc/filer_etc_group.go
+++ b/weed/credential/filer_etc/filer_etc_group.go
@@ -93,6 +93,9 @@ func (store *FilerEtcStore) deleteGroupFile(ctx context.Context, groupName strin
 }
 
 func (store *FilerEtcStore) CreateGroup(ctx context.Context, group *iam_pb.Group) error {
+ if group == nil || group.Name == "" {
+ return fmt.Errorf("group name is required")
+ }
 existing, err := store.GetGroup(ctx, group.Name)
 if err != nil {
 if !errors.Is(err, credential.ErrGroupNotFound) {
@@ -151,6 +154,9 @@ func (store *FilerEtcStore) ListGroups(ctx context.Context) ([]string, error) {
 }
 
 func (store *FilerEtcStore) UpdateGroup(ctx context.Context, group *iam_pb.Group) error {
+ if group == nil || group.Name == "" {
+ return fmt.Errorf("group name is required")
+ }
 if _, err := store.GetGroup(ctx, group.Name); err != nil {
 return err
 }
diff --git a/weed/credential/filer_etc/filer_etc_identity.go b/weed/credential/filer_etc/filer_etc_identity.go
index 2f36247a7..4046a934a 100644
--- a/weed/credential/filer_etc/filer_etc_identity.go
+++ b/weed/credential/filer_etc/filer_etc_identity.go
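Review bot: The guard added at the top of CreateGroup, and repeated verbatim in UpdateGroup, rejects only a nil group or an empty name, so every other string is still accepted as a group name. The store appears to keep one file per group (deleteGroupFile in the hunk header takes the name), so if the name is joined into a path, values containing `/`, `..` or control characters should be rejected here as well, ideally with an allow-list of characters and a length cap. The bare `fmt.Errorf("group name is required")` also gives callers nothing to match with `errors.Is`, unlike `credential.ErrGroupNotFound` a few lines further down; a package-level sentinel returned from one shared helper, e.g. `if err := validateGroup(group); err != nil { return err }` (proposed name), would cover both functions and remove the duplication. Both function bodies continue outside their hunks.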
@@ -149,7 +149,14 @@ func (store *FilerEtcStore) migrateToMultiFile(ctx context.Context, s3cfg *iam_p
 }
 }
 
- // 3. Rename legacy file
+ // 3. Save all groups
+ for _, g := range s3cfg.Groups {
+ if err := store.saveGroup(ctx, g); err != nil {
+ return err
+ }
+ }
+
+ // 4. Rename legacy file
 return store.withFilerClient(func(client filer_pb.SeaweedFilerClient) error {
 _, err := client.AtomicRenameEntry(ctx, &filer_pb.AtomicRenameEntryRequest{
 OldDirectory: filer.IamConfigDirectory,
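Review bot: The new loop hands every entry of `s3cfg.Groups` straight to `saveGroup`, so the nil/empty-name check this commit adds to CreateGroup and UpdateGroup is not applied to groups read from the legacy file. saveGroup is not visible here, so whether it tolerates a nil entry or an empty name needs confirming; if it does not, add `if g == nil || g.Name == "" { return fmt.Errorf("legacy config contains a group without a name") }` at the top of the loop (assuming fmt is imported in this file). Returning an error rather than skipping keeps the legacy file in place, since the rename is still the last step, so no group is silently dropped from the IAM configuration. The bare `return err` would also be easier to diagnose as `return fmt.Errorf("migrate group %q: %w", g.Name, err)`. migrateToMultiFile starts and ends outside this hunk.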