add MockTrustPolicyValidator

1 month ago · 7eb587f956
3 changed files with 49 additions and 0 deletions
--- a/weed/iam/sts/cross_instance_token_test.go
+++ b/weed/iam/sts/cross_instance_token_test.go
@ -59,6 +59,12 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
 	err = instanceC.Initialize(sharedConfig)
 	require.NoError(t, err, "Instance C should initialize")

+	// Set up mock trust policy validator for all instances (required for STS testing)
+	mockValidator := &MockTrustPolicyValidator{}
+	instanceA.SetTrustPolicyValidator(mockValidator)
+	instanceB.SetTrustPolicyValidator(mockValidator)
+	instanceC.SetTrustPolicyValidator(mockValidator)
+
 	// Test 1: Token generated on Instance A can be validated on Instance B & C
 	t.Run("cross_instance_token_validation", func(t *testing.T) {
 		// Generate session token on Instance A
@ -368,6 +374,12 @@ func TestSTSRealWorldDistributedScenarios(t *testing.T) {
 		err = gateway3.Initialize(productionConfig)
 		require.NoError(t, err)

+		// Set up mock trust policy validator for all gateway instances
+		mockValidator := &MockTrustPolicyValidator{}
+		gateway1.SetTrustPolicyValidator(mockValidator)
+		gateway2.SetTrustPolicyValidator(mockValidator)
+		gateway3.SetTrustPolicyValidator(mockValidator)
+
 		// Step 1: User authenticates and hits Gateway 1 for AssumeRole
 		assumeRequest := &AssumeRoleWithWebIdentityRequest{
 			RoleArn:          "arn:seaweed:iam::role/ProductionS3User",
--- a/weed/iam/sts/sts_service_test.go
+++ b/weed/iam/sts/sts_service_test.go
@ -312,6 +312,10 @@ func setupTestSTSService(t *testing.T) *STSService {
 	err := service.Initialize(config)
 	require.NoError(t, err)

+	// Set up mock trust policy validator (required for STS testing)
+	mockValidator := &MockTrustPolicyValidator{}
+	service.SetTrustPolicyValidator(mockValidator)
+
 	// Register test providers
 	mockOIDCProvider := &MockIdentityProvider{
 		name: "test-oidc",
--- a/weed/iam/sts/test_utils.go
+++ b/weed/iam/sts/test_utils.go
@ -0,0 +1,33 @@
+package sts
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/seaweedfs/seaweedfs/weed/iam/providers"
+)
+
+// MockTrustPolicyValidator is a simple mock for testing STS functionality
+type MockTrustPolicyValidator struct{}
+
+// ValidateTrustPolicyForWebIdentity allows valid test tokens for STS testing
+func (m *MockTrustPolicyValidator) ValidateTrustPolicyForWebIdentity(ctx context.Context, roleArn string, webIdentityToken string) error {
+	// For STS unit tests, allow valid test tokens
+	if webIdentityToken == "valid_test_token" || webIdentityToken == "valid-oidc-token" {
+		return nil
+	}
+	// Reject invalid tokens
+	if webIdentityToken == "invalid_token" || webIdentityToken == "expired_token" || webIdentityToken == "invalid-token" {
+		return fmt.Errorf("trust policy denies token")
+	}
+	return nil
+}
+
+// ValidateTrustPolicyForCredentials allows valid test identities for STS testing
+func (m *MockTrustPolicyValidator) ValidateTrustPolicyForCredentials(ctx context.Context, roleArn string, identity *providers.ExternalIdentity) error {
+	// For STS unit tests, allow test identities
+	if identity != nil && identity.UserID != "" {
+		return nil
+	}
+	return fmt.Errorf("invalid identity for role assumption")
+}