Browse Source
Add AWS IAM integration tests and refactor admin authorization (#8098)
Add AWS IAM integration tests and refactor admin authorization (#8098)
* Add AWS IAM integration tests and refactor admin authorization - Added AWS IAM management integration tests (User, AccessKey, Policy) - Updated test framework to support IAM client creation with JWT/OIDC - Refactored s3api authorization to be policy-driven for IAM actions - Removed hardcoded role name checks for admin privileges - Added new tests to GitHub Actions basic test matrix * test(s3/iam): add UpdateUser and UpdateAccessKey tests and fix nil pointer dereference * feat(s3api): add DeletePolicy and update tests with cleanup logic * test(s3/iam): use t.Cleanup for managed policy deletion in CreatePolicy testpull/8095/merge
Chris Lu
1 day ago
committed by
GitHub
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 396 additions and 52 deletions
-
2.github/workflows/s3-iam-tests.yml
-
8test/s3/iam/iam_config.json
-
8test/s3/iam/iam_config.local.json
-
241test/s3/iam/s3_iam_admin_test.go
-
51test/s3/iam/s3_iam_framework.go
-
107test/s3/iam/test_config.json
-
4weed/s3api/s3_action_resolver.go
-
5weed/s3api/s3_iam_middleware.go
-
22weed/s3api/s3api_embedded_iam.go
@ -0,0 +1,241 @@ |
|||||
|
package iam |
||||
|
|
||||
|
import ( |
||||
|
"testing" |
||||
|
|
||||
|
"github.com/aws/aws-sdk-go/aws" |
||||
|
"github.com/aws/aws-sdk-go/service/iam" |
||||
|
"github.com/stretchr/testify/assert" |
||||
|
"github.com/stretchr/testify/require" |
||||
|
) |
||||
|
|
||||
|
// TestIAMUserManagement tests user management operations
|
||||
|
func TestIAMUserManagement(t *testing.T) { |
||||
|
framework := NewS3IAMTestFramework(t) |
||||
|
defer framework.Cleanup() |
||||
|
|
||||
|
// Create IAM client with admin privileges
|
||||
|
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole") |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
t.Run("create_and_get_user", func(t *testing.T) { |
||||
|
userName := "test-user-mgm" |
||||
|
|
||||
|
// Create user
|
||||
|
createResp, err := iamClient.CreateUser(&iam.CreateUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, userName, *createResp.User.UserName) |
||||
|
|
||||
|
// Get user
|
||||
|
getResp, err := iamClient.GetUser(&iam.GetUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, userName, *getResp.User.UserName) |
||||
|
|
||||
|
// List users to verify existence
|
||||
|
listResp, err := iamClient.ListUsers(&iam.ListUsersInput{}) |
||||
|
require.NoError(t, err) |
||||
|
found := false |
||||
|
for _, user := range listResp.Users { |
||||
|
if *user.UserName == userName { |
||||
|
found = true |
||||
|
break |
||||
|
} |
||||
|
} |
||||
|
assert.True(t, found, "Created user should be listed") |
||||
|
|
||||
|
// Clean up
|
||||
|
_, err = iamClient.DeleteUser(&iam.DeleteUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
}) |
||||
|
|
||||
|
t.Run("update_user", func(t *testing.T) { |
||||
|
userName := "user-to-update" |
||||
|
newUserName := "user-updated" |
||||
|
|
||||
|
// Create user
|
||||
|
_, err := iamClient.CreateUser(&iam.CreateUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
defer func() { |
||||
|
// Try to delete both just in case
|
||||
|
iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)}) |
||||
|
iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(newUserName)}) |
||||
|
}() |
||||
|
|
||||
|
// Update user name
|
||||
|
_, err = iamClient.UpdateUser(&iam.UpdateUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
NewUserName: aws.String(newUserName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
// Verify update (GetUser with NEW name should work)
|
||||
|
getResp, err := iamClient.GetUser(&iam.GetUserInput{ |
||||
|
UserName: aws.String(newUserName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, newUserName, *getResp.User.UserName) |
||||
|
|
||||
|
// GetUser with OLD name should fail
|
||||
|
_, err = iamClient.GetUser(&iam.GetUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.Error(t, err) |
||||
|
}) |
||||
|
} |
||||
|
|
||||
|
// TestIAMAccessKeyManagement tests access key operations
|
||||
|
func TestIAMAccessKeyManagement(t *testing.T) { |
||||
|
framework := NewS3IAMTestFramework(t) |
||||
|
defer framework.Cleanup() |
||||
|
|
||||
|
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole") |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
userName := "test-user-keys" |
||||
|
_, err = iamClient.CreateUser(&iam.CreateUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
defer iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)}) |
||||
|
|
||||
|
t.Run("create_list_delete_access_key", func(t *testing.T) { |
||||
|
// Create access key
|
||||
|
createResp, err := iamClient.CreateAccessKey(&iam.CreateAccessKeyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.NotEmpty(t, *createResp.AccessKey.AccessKeyId) |
||||
|
assert.NotEmpty(t, *createResp.AccessKey.SecretAccessKey) |
||||
|
assert.Equal(t, "Active", *createResp.AccessKey.Status) |
||||
|
|
||||
|
// List access keys
|
||||
|
listResp, err := iamClient.ListAccessKeys(&iam.ListAccessKeysInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, 1, len(listResp.AccessKeyMetadata)) |
||||
|
assert.Equal(t, *createResp.AccessKey.AccessKeyId, *listResp.AccessKeyMetadata[0].AccessKeyId) |
||||
|
|
||||
|
// Delete access key
|
||||
|
_, err = iamClient.DeleteAccessKey(&iam.DeleteAccessKeyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
AccessKeyId: createResp.AccessKey.AccessKeyId, |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
// Verify deletion
|
||||
|
listResp, err = iamClient.ListAccessKeys(&iam.ListAccessKeysInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, 0, len(listResp.AccessKeyMetadata)) |
||||
|
}) |
||||
|
|
||||
|
t.Run("update_access_key_status", func(t *testing.T) { |
||||
|
// Create access key
|
||||
|
createResp, err := iamClient.CreateAccessKey(&iam.CreateAccessKeyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
defer iamClient.DeleteAccessKey(&iam.DeleteAccessKeyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
AccessKeyId: createResp.AccessKey.AccessKeyId, |
||||
|
}) |
||||
|
|
||||
|
// Update to Inactive
|
||||
|
_, err = iamClient.UpdateAccessKey(&iam.UpdateAccessKeyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
AccessKeyId: createResp.AccessKey.AccessKeyId, |
||||
|
Status: aws.String("Inactive"), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
// Verify update in ListAccessKeys
|
||||
|
listResp, err := iamClient.ListAccessKeys(&iam.ListAccessKeysInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
found := false |
||||
|
for _, key := range listResp.AccessKeyMetadata { |
||||
|
if *key.AccessKeyId == *createResp.AccessKey.AccessKeyId { |
||||
|
assert.Equal(t, "Inactive", *key.Status) |
||||
|
found = true |
||||
|
break |
||||
|
} |
||||
|
} |
||||
|
assert.True(t, found) |
||||
|
}) |
||||
|
} |
||||
|
|
||||
|
// TestIAMPolicyManagement tests policy operations
|
||||
|
func TestIAMPolicyManagement(t *testing.T) { |
||||
|
framework := NewS3IAMTestFramework(t) |
||||
|
defer framework.Cleanup() |
||||
|
|
||||
|
iamClient, err := framework.CreateIAMClientWithJWT("admin-user", "TestAdminRole") |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
t.Run("create_managed_policy", func(t *testing.T) { |
||||
|
policyName := "test-managed-policy" |
||||
|
policyDoc := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"*"}]}` |
||||
|
|
||||
|
createResp, err := iamClient.CreatePolicy(&iam.CreatePolicyInput{ |
||||
|
PolicyName: aws.String(policyName), |
||||
|
PolicyDocument: aws.String(policyDoc), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, policyName, *createResp.Policy.PolicyName) |
||||
|
assert.NotEmpty(t, *createResp.Policy.Arn) |
||||
|
|
||||
|
t.Cleanup(func() { |
||||
|
_, _ = iamClient.DeletePolicy(&iam.DeletePolicyInput{ |
||||
|
PolicyArn: createResp.Policy.Arn, |
||||
|
}) |
||||
|
}) |
||||
|
}) |
||||
|
|
||||
|
t.Run("user_inline_policy", func(t *testing.T) { |
||||
|
userName := "test-user-policy" |
||||
|
_, err := iamClient.CreateUser(&iam.CreateUserInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
defer iamClient.DeleteUser(&iam.DeleteUserInput{UserName: aws.String(userName)}) |
||||
|
|
||||
|
policyName := "test-inline-policy" |
||||
|
policyDoc := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::*"}]}` |
||||
|
|
||||
|
// Put user policy
|
||||
|
_, err = iamClient.PutUserPolicy(&iam.PutUserPolicyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
PolicyName: aws.String(policyName), |
||||
|
PolicyDocument: aws.String(policyDoc), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
|
||||
|
// Get user policy
|
||||
|
getResp, err := iamClient.GetUserPolicy(&iam.GetUserPolicyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
PolicyName: aws.String(policyName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
assert.Equal(t, userName, *getResp.UserName) |
||||
|
assert.Equal(t, policyName, *getResp.PolicyName) |
||||
|
assert.Contains(t, *getResp.PolicyDocument, "s3:Get") |
||||
|
|
||||
|
// Delete user policy
|
||||
|
_, err = iamClient.DeleteUserPolicy(&iam.DeleteUserPolicyInput{ |
||||
|
UserName: aws.String(userName), |
||||
|
PolicyName: aws.String(policyName), |
||||
|
}) |
||||
|
require.NoError(t, err) |
||||
|
}) |
||||
|
} |
||||
Write
Preview
Loading…
Cancel
Save
Reference in new issue