Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

test: add integration tests for AssumeRole and AssumeRoleWithLDAPIdentity STS actions 

- Add s3_sts_assume_role_test.go with comprehensive tests for AssumeRole:
  * Parameter validation (missing RoleArn, RoleSessionName, invalid duration)
  * AWS SigV4 authentication with valid/invalid credentials
  * Temporary credential generation and usage

- Add s3_sts_ldap_test.go with tests for AssumeRoleWithLDAPIdentity:
  * Parameter validation (missing LDAP credentials, RoleArn)
  * LDAP authentication scenarios (valid/invalid credentials)
  * Integration with LDAP server (when configured)

- Update Makefile with new test targets:
  * test-sts: run all STS tests
  * test-sts-assume-role: run AssumeRole tests only
  * test-sts-ldap: run LDAP STS tests only
  * test-sts-suite: run tests with full service lifecycle

- Enhance setup_all_tests.sh:
  * Add OpenLDAP container setup for LDAP testing
  * Create test LDAP users (testuser, ldapadmin)
  * Set LDAP environment variables for tests
  * Update cleanup to remove LDAP container

- Fix setup_keycloak.sh:
  * Enable verbose error logging for realm creation
  * Improve error diagnostics

Tests use fail-fast approach (t.Fatal) when server not configured,
ensuring clear feedback when infrastructure is missing.
pull/8003/head
Chris Lu 2 months ago
parent
d7c30fdb2b
commit
a487284d60
5 changed files with 809 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 23
      test/s3/iam/Makefile
  2. 421
      test/s3/iam/s3_sts_assume_role_test.go
  3. 291
      test/s3/iam/s3_sts_ldap_test.go
  4. 74
      test/s3/iam/setup_all_tests.sh
  5. 2
      test/s3/iam/setup_keycloak.sh

23
test/s3/iam/Makefile
View File

@ -125,6 +125,10 @@ clean: stop-services ## Clean up test environment
@rm -rf test-volume-data @rm -rf test-volume-data
@rm -f weed-*.log @rm -f weed-*.log
@rm -f *.test @rm -f *.test
@rm -f iam_config.json
@rm -f .test_env
@docker rm -f keycloak-iam-test >/dev/null 2>&1 || true
@docker rm -f openldap-iam-test >/dev/null 2>&1 || true
@echo "Cleanup complete" @echo "Cleanup complete"
logs: ## Show service logs logs: ## Show service logs
@ -176,6 +180,20 @@ test-context: ## Test only contextual policy enforcement
test-presigned: ## Test only presigned URL integration test-presigned: ## Test only presigned URL integration
go test -v -run TestS3IAMPresignedURLIntegration ./... go test -v -run TestS3IAMPresignedURLIntegration ./...
test-sts: ## Run all STS tests
go test -v -run "TestSTS" ./...
test-sts-assume-role: ## Run AssumeRole STS tests
go test -v -run "TestSTSAssumeRole" ./...
test-sts-ldap: ## Run LDAP STS tests
go test -v -run "TestSTSLDAP" ./...
test-sts-suite: start-services ## Run all STS tests with full environment setup/teardown
@echo "Running STS test suite..."
-go test -v -run "TestSTS" ./...
@$(MAKE) stop-services
# Performance testing # Performance testing
benchmark: setup start-services wait-for-services ## Run performance benchmarks benchmark: setup start-services wait-for-services ## Run performance benchmarks
@echo "🏁 Running IAM performance benchmarks..." @echo "🏁 Running IAM performance benchmarks..."
@ -240,7 +258,7 @@ docker-build: ## Build custom SeaweedFS image for Docker tests
# All PHONY targets # All PHONY targets
.PHONY: test test-quick run-tests setup start-services stop-services wait-for-services clean logs status debug .PHONY: test test-quick run-tests setup start-services stop-services wait-for-services clean logs status debug
.PHONY: test-auth test-policy test-expiration test-multipart test-bucket-policy test-context test-presigned
.PHONY: test-auth test-policy test-expiration test-multipart test-bucket-policy test-context test-presigned test-sts test-sts-assume-role test-sts-ldap
.PHONY: benchmark ci watch install-deps docker-test docker-up docker-down docker-logs docker-build .PHONY: benchmark ci watch install-deps docker-test docker-up docker-down docker-logs docker-build
.PHONY: test-distributed test-performance test-stress test-versioning-stress test-keycloak-full test-all-previously-skipped setup-all-tests help-advanced .PHONY: test-distributed test-performance test-stress test-versioning-stress test-keycloak-full test-all-previously-skipped setup-all-tests help-advanced
@ -275,6 +293,9 @@ test-all-previously-skipped: ## Run all previously skipped tests
@echo "🎯 Running all previously skipped tests..." @echo "🎯 Running all previously skipped tests..."
@./run_all_tests.sh @./run_all_tests.sh
.PHONY: cleanup
cleanup: clean
setup-all-tests: ## Setup environment for all tests (including Keycloak) setup-all-tests: ## Setup environment for all tests (including Keycloak)
@echo "🚀 Setting up complete test environment..." @echo "🚀 Setting up complete test environment..."
@./setup_all_tests.sh @./setup_all_tests.sh

421
test/s3/iam/s3_sts_assume_role_test.go
View File

@ -0,0 +1,421 @@
package iam
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"encoding/xml"
"fmt"
"io"
"net/http"
"net/url"
"sort"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// AssumeRoleResponse represents the STS AssumeRole response
type AssumeRoleTestResponse struct {
XMLName xml.Name `xml:"AssumeRoleResponse"`
Result struct {
Credentials struct {
AccessKeyId string `xml:"AccessKeyId"`
SecretAccessKey string `xml:"SecretAccessKey"`
SessionToken string `xml:"SessionToken"`
Expiration string `xml:"Expiration"`
} `xml:"Credentials"`
AssumedRoleUser struct {
AssumedRoleId string `xml:"AssumedRoleId"`
Arn string `xml:"Arn"`
} `xml:"AssumedRoleUser"`
} `xml:"AssumeRoleResult"`
}
// TestSTSAssumeRoleValidation tests input validation for AssumeRole endpoint
func TestSTSAssumeRoleValidation(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Fatal("SeaweedFS STS endpoint is not running at", TestSTSEndpoint, "- please run 'make setup-all-tests' first")
}
// Check if AssumeRole is implemented by making a test call
if !isAssumeRoleImplemented(t) {
t.Fatal("AssumeRole action is not implemented in the running server - please rebuild weed binary with new code and restart the server")
}
t.Run("missing_role_arn", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleSessionName": {"test-session"},
// RoleArn is missing
}, "test-access-key", "test-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail without RoleArn")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Equal(t, "MissingParameter", errResp.Error.Code)
})
t.Run("missing_role_session_name", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
// RoleSessionName is missing
}, "test-access-key", "test-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail without RoleSessionName")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Equal(t, "MissingParameter", errResp.Error.Code)
})
t.Run("unsupported_action_for_anonymous", func(t *testing.T) {
// AssumeRole requires SigV4 authentication, anonymous requests should fail
resp, err := callSTSAPI(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
})
require.NoError(t, err)
defer resp.Body.Close()
// Should fail because AssumeRole requires AWS SigV4 authentication
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"AssumeRole should require authentication")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for anonymous AssumeRole: status=%d, body=%s", resp.StatusCode, string(body))
})
t.Run("invalid_duration_too_short", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
"DurationSeconds": {"100"}, // Less than 900 seconds minimum
}, "test-access-key", "test-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with DurationSeconds < 900")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Equal(t, "InvalidParameterValue", errResp.Error.Code)
})
t.Run("invalid_duration_too_long", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
"DurationSeconds": {"100000"}, // More than 43200 seconds maximum
}, "test-access-key", "test-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with DurationSeconds > 43200")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Equal(t, "InvalidParameterValue", errResp.Error.Code)
})
}
// isAssumeRoleImplemented checks if the running server supports AssumeRole
func isAssumeRoleImplemented(t *testing.T) bool {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test"},
"RoleSessionName": {"test"},
}, "test", "test")
if err != nil {
return false
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return false
}
// If we get "NotImplemented", the action isn't supported
var errResp STSErrorTestResponse
if xml.Unmarshal(body, &errResp) == nil && errResp.Error.Code == "NotImplemented" {
return false
}
// If we get InvalidAction, the action isn't routed
if errResp.Error.Code == "InvalidAction" {
return false
}
return true
}
// TestSTSAssumeRoleWithValidCredentials tests AssumeRole with valid IAM credentials
// This test requires a configured IAM user in SeaweedFS
func TestSTSAssumeRoleWithValidCredentials(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Skip("SeaweedFS STS endpoint is not running at", TestSTSEndpoint)
}
// Use test credentials from config - these should be configured in iam_config.json
accessKey := "admin"
secretKey := "admin"
t.Run("successful_assume_role", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/admin"},
"RoleSessionName": {"integration-test-session"},
}, accessKey, secretKey)
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response status: %d, body: %s", resp.StatusCode, string(body))
// If AssumeRole is not yet implemented, expect an error about unsupported action
if resp.StatusCode != http.StatusOK {
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
t.Logf("Error response: code=%s, message=%s", errResp.Error.Code, errResp.Error.Message)
// This test will initially fail until AssumeRole is implemented
// Once implemented, uncomment the assertions below
// assert.Fail(t, "AssumeRole not yet implemented")
} else {
var stsResp AssumeRoleTestResponse
err = xml.Unmarshal(body, &stsResp)
require.NoError(t, err, "Failed to parse response: %s", string(body))
creds := stsResp.Result.Credentials
assert.NotEmpty(t, creds.AccessKeyId, "AccessKeyId should not be empty")
assert.NotEmpty(t, creds.SecretAccessKey, "SecretAccessKey should not be empty")
assert.NotEmpty(t, creds.SessionToken, "SessionToken should not be empty")
assert.NotEmpty(t, creds.Expiration, "Expiration should not be empty")
t.Logf("Successfully obtained temporary credentials: AccessKeyId=%s", creds.AccessKeyId)
}
})
t.Run("with_custom_duration", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/admin"},
"RoleSessionName": {"duration-test-session"},
"DurationSeconds": {"3600"}, // 1 hour
}, accessKey, secretKey)
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response status: %d, body: %s", resp.StatusCode, string(body))
// Verify DurationSeconds is accepted
if resp.StatusCode != http.StatusOK {
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
// Should not fail due to DurationSeconds parameter
assert.NotContains(t, errResp.Error.Message, "DurationSeconds",
"DurationSeconds parameter should be accepted")
}
})
}
// TestSTSAssumeRoleWithInvalidCredentials tests AssumeRole rejection with bad credentials
func TestSTSAssumeRoleWithInvalidCredentials(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Skip("SeaweedFS STS endpoint is not running at", TestSTSEndpoint)
}
t.Run("invalid_access_key", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/admin"},
"RoleSessionName": {"test-session"},
}, "invalid-access-key", "some-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
// Should fail with access denied or signature mismatch
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with invalid access key")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for invalid credentials: status=%d, body=%s", resp.StatusCode, string(body))
})
t.Run("invalid_secret_key", func(t *testing.T) {
resp, err := callSTSAPIWithSigV4(t, url.Values{
"Action": {"AssumeRole"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/admin"},
"RoleSessionName": {"test-session"},
}, "admin", "wrong-secret-key")
require.NoError(t, err)
defer resp.Body.Close()
// Should fail with signature mismatch
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with invalid secret key")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for wrong secret: status=%d, body=%s", resp.StatusCode, string(body))
})
}
// callSTSAPIWithSigV4 makes an STS API call with AWS Signature V4 authentication
func callSTSAPIWithSigV4(t *testing.T, params url.Values, accessKey, secretKey string) (*http.Response, error) {
// Prepare request body
body := params.Encode()
// Create request
req, err := http.NewRequest(http.MethodPost, TestSTSEndpoint+"/",
strings.NewReader(body))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Host", req.URL.Host)
// Sign request with AWS Signature V4
signRequestV4(req, body, accessKey, secretKey, "us-east-1", "sts")
client := &http.Client{Timeout: 30 * time.Second}
return client.Do(req)
}
// signRequestV4 signs an HTTP request using AWS Signature Version 4
func signRequestV4(req *http.Request, payload, accessKey, secretKey, region, service string) {
// AWS SigV4 signing implementation
now := time.Now().UTC()
amzDate := now.Format("20060102T150405Z")
dateStamp := now.Format("20060102")
// Set required headers
req.Header.Set("X-Amz-Date", amzDate)
// Create canonical request
canonicalURI := "/"
canonicalQueryString := ""
// Sort and format headers
signedHeaders := []string{"content-type", "host", "x-amz-date"}
sort.Strings(signedHeaders)
canonicalHeaders := fmt.Sprintf("content-type:%s\nhost:%s\nx-amz-date:%s\n",
req.Header.Get("Content-Type"),
req.Host,
amzDate)
signedHeadersStr := strings.Join(signedHeaders, ";")
// Hash payload
payloadHash := sha256Hex(payload)
canonicalRequest := fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s",
req.Method,
canonicalURI,
canonicalQueryString,
canonicalHeaders,
signedHeadersStr,
payloadHash)
// Create string to sign
algorithm := "AWS4-HMAC-SHA256"
credentialScope := fmt.Sprintf("%s/%s/%s/aws4_request", dateStamp, region, service)
stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s",
algorithm,
amzDate,
credentialScope,
sha256Hex(canonicalRequest))
// Calculate signature
signingKey := getSignatureKey(secretKey, dateStamp, region, service)
signature := hex.EncodeToString(hmacSHA256(signingKey, stringToSign))
// Create authorization header
authHeader := fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
algorithm,
accessKey,
credentialScope,
signedHeadersStr,
signature)
req.Header.Set("Authorization", authHeader)
}
func sha256Hex(data string) string {
hash := sha256.Sum256([]byte(data))
return hex.EncodeToString(hash[:])
}
func hmacSHA256(key []byte, data string) []byte {
h := hmac.New(sha256.New, key)
h.Write([]byte(data))
return h.Sum(nil)
}
func getSignatureKey(secretKey, dateStamp, region, service string) []byte {
kDate := hmacSHA256([]byte("AWS4"+secretKey), dateStamp)
kRegion := hmacSHA256(kDate, region)
kService := hmacSHA256(kRegion, service)
kSigning := hmacSHA256(kService, "aws4_request")
return kSigning
}

291
test/s3/iam/s3_sts_ldap_test.go
View File

@ -0,0 +1,291 @@
package iam
import (
"encoding/xml"
"io"
"net/http"
"net/url"
"os"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// AssumeRoleWithLDAPIdentityResponse represents the STS response for LDAP identity
type AssumeRoleWithLDAPIdentityTestResponse struct {
XMLName xml.Name `xml:"AssumeRoleWithLDAPIdentityResponse"`
Result struct {
Credentials struct {
AccessKeyId string `xml:"AccessKeyId"`
SecretAccessKey string `xml:"SecretAccessKey"`
SessionToken string `xml:"SessionToken"`
Expiration string `xml:"Expiration"`
} `xml:"Credentials"`
} `xml:"AssumeRoleWithLDAPIdentityResult"`
}
// TestSTSLDAPValidation tests input validation for AssumeRoleWithLDAPIdentity
func TestSTSLDAPValidation(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Fatal("SeaweedFS STS endpoint is not running at", TestSTSEndpoint, "- please run 'make setup-all-tests' first")
}
// Check if AssumeRoleWithLDAPIdentity is implemented
if !isLDAPIdentityActionImplemented(t) {
t.Fatal("AssumeRoleWithLDAPIdentity action is not implemented in the running server - please rebuild weed binary with new code and restart the server")
}
t.Run("missing_ldap_username", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
"LDAPPassword": {"testpass"},
// LDAPUsername is missing
})
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail without LDAPUsername")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
// Expect either MissingParameter or InvalidAction (if not implemented)
assert.Contains(t, []string{"MissingParameter", "InvalidAction"}, errResp.Error.Code)
})
t.Run("missing_ldap_password", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
"LDAPUsername": {"testuser"},
// LDAPPassword is missing
})
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail without LDAPPassword")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Contains(t, []string{"MissingParameter", "InvalidAction"}, errResp.Error.Code)
})
t.Run("missing_role_arn", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleSessionName": {"test-session"},
"LDAPUsername": {"testuser"},
"LDAPPassword": {"testpass"},
// RoleArn is missing
})
require.NoError(t, err)
defer resp.Body.Close()
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail without RoleArn")
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
var errResp STSErrorTestResponse
err = xml.Unmarshal(body, &errResp)
require.NoError(t, err, "Failed to parse error response: %s", string(body))
assert.Contains(t, []string{"MissingParameter", "InvalidAction"}, errResp.Error.Code)
})
t.Run("invalid_duration_too_short", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test-role"},
"RoleSessionName": {"test-session"},
"LDAPUsername": {"testuser"},
"LDAPPassword": {"testpass"},
"DurationSeconds": {"100"}, // Less than 900 seconds minimum
})
require.NoError(t, err)
defer resp.Body.Close()
// If the action is implemented, it should reject invalid duration
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for invalid duration: status=%d, body=%s", resp.StatusCode, string(body))
})
}
// TestSTSLDAPWithValidCredentials tests LDAP authentication
// This test requires an LDAP server to be configured
func TestSTSLDAPWithValidCredentials(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Skip("SeaweedFS STS endpoint is not running at", TestSTSEndpoint)
}
// Check if LDAP is configured (skip if not)
if !isLDAPConfigured() {
t.Skip("LDAP is not configured - skipping LDAP integration tests")
}
t.Run("successful_ldap_auth", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/ldap-user"},
"RoleSessionName": {"ldap-test-session"},
"LDAPUsername": {"testuser"},
"LDAPPassword": {"testpass"},
})
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response status: %d, body: %s", resp.StatusCode, string(body))
if resp.StatusCode == http.StatusOK {
var stsResp AssumeRoleWithLDAPIdentityTestResponse
err = xml.Unmarshal(body, &stsResp)
require.NoError(t, err, "Failed to parse response: %s", string(body))
creds := stsResp.Result.Credentials
assert.NotEmpty(t, creds.AccessKeyId, "AccessKeyId should not be empty")
assert.NotEmpty(t, creds.SecretAccessKey, "SecretAccessKey should not be empty")
assert.NotEmpty(t, creds.SessionToken, "SessionToken should not be empty")
assert.NotEmpty(t, creds.Expiration, "Expiration should not be empty")
}
})
}
// TestSTSLDAPWithInvalidCredentials tests LDAP rejection with bad credentials
func TestSTSLDAPWithInvalidCredentials(t *testing.T) {
if testing.Short() {
t.Skip("Skipping integration test in short mode")
}
if !isSTSEndpointRunning(t) {
t.Skip("SeaweedFS STS endpoint is not running at", TestSTSEndpoint)
}
t.Run("invalid_ldap_password", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/ldap-user"},
"RoleSessionName": {"ldap-test-session"},
"LDAPUsername": {"testuser"},
"LDAPPassword": {"wrong-password"},
})
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for invalid LDAP credentials: status=%d, body=%s", resp.StatusCode, string(body))
// Should fail (either AccessDenied or InvalidAction if not implemented)
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with invalid LDAP password")
})
t.Run("nonexistent_ldap_user", func(t *testing.T) {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/ldap-user"},
"RoleSessionName": {"ldap-test-session"},
"LDAPUsername": {"nonexistent-user-12345"},
"LDAPPassword": {"somepassword"},
})
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
t.Logf("Response for nonexistent user: status=%d, body=%s", resp.StatusCode, string(body))
// Should fail
assert.NotEqual(t, http.StatusOK, resp.StatusCode,
"Should fail with nonexistent LDAP user")
})
}
// callSTSAPIForLDAP makes an STS API call for LDAP operation
func callSTSAPIForLDAP(t *testing.T, params url.Values) (*http.Response, error) {
req, err := http.NewRequest(http.MethodPost, TestSTSEndpoint+"/",
strings.NewReader(params.Encode()))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
client := &http.Client{Timeout: 30 * time.Second}
return client.Do(req)
}
// isLDAPConfigured checks if LDAP server is configured and available
func isLDAPConfigured() bool {
// Check environment variable for LDAP URL
ldapURL := os.Getenv("LDAP_URL")
return ldapURL != ""
}
// isLDAPIdentityActionImplemented checks if the running server supports AssumeRoleWithLDAPIdentity
func isLDAPIdentityActionImplemented(t *testing.T) bool {
resp, err := callSTSAPIForLDAP(t, url.Values{
"Action": {"AssumeRoleWithLDAPIdentity"},
"Version": {"2011-06-15"},
"RoleArn": {"arn:aws:iam::role/test"},
"RoleSessionName": {"test"},
"LDAPUsername": {"test"},
"LDAPPassword": {"test"},
})
if err != nil {
return false
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return false
}
// If we get "NotImplemented" or empty response, the action isn't supported
if len(body) == 0 {
return false
}
var errResp STSErrorTestResponse
if xml.Unmarshal(body, &errResp) == nil && errResp.Error.Code == "NotImplemented" {
return false
}
// If we get InvalidAction, the action isn't routed
if errResp.Error.Code == "InvalidAction" {
return false
}
return true
}

74
test/s3/iam/setup_all_tests.sh
View File

@ -50,6 +50,74 @@ setup_keycloak() {
echo -e "${GREEN}[OK] Keycloak setup completed${NC}" echo -e "${GREEN}[OK] Keycloak setup completed${NC}"
} }
# Set up OpenLDAP for LDAP-based STS testing
setup_ldap() {
echo -e "\n${BLUE}1a. Setting up OpenLDAP for STS LDAP testing...${NC}"
# Check if LDAP container is already running
if docker ps --format '{{.Names}}' | grep -q '^openldap-iam-test$'; then
echo -e "${YELLOW}OpenLDAP container already running${NC}"
echo -e "${GREEN}[OK] LDAP setup completed (using existing container)${NC}"
return 0
fi
# Remove any stopped container with the same name
docker rm -f openldap-iam-test 2>/dev/null || true
# Start OpenLDAP container
echo -e "${YELLOW}🔧 Starting OpenLDAP container...${NC}"
docker run -d \
--name openldap-iam-test \
-p 389:389 \
-p 636:636 \
-e LDAP_ADMIN_PASSWORD=adminpassword \
-e LDAP_ORGANISATION="SeaweedFS" \
-e LDAP_DOMAIN="seaweedfs.test" \
osixia/openldap:latest || {
echo -e "${YELLOW}⚠️ OpenLDAP setup failed (optional for basic STS tests)${NC}"
return 0 # Don't fail - LDAP is optional
}
# Wait for LDAP to be ready
echo -e "${YELLOW}⏳ Waiting for OpenLDAP to be ready...${NC}"
for i in $(seq 1 30); do
if docker exec openldap-iam-test ldapsearch -x -H ldap://localhost -b "dc=seaweedfs,dc=test" -D "cn=admin,dc=seaweedfs,dc=test" -w adminpassword "(objectClass=*)" >/dev/null 2>&1; then
break
fi
sleep 1
done
# Add test users for LDAP STS testing
echo -e "${YELLOW}📝 Adding test users for LDAP STS...${NC}"
docker exec -i openldap-iam-test ldapadd -x -D "cn=admin,dc=seaweedfs,dc=test" -w adminpassword <<EOF 2>/dev/null || true
dn: ou=users,dc=seaweedfs,dc=test
objectClass: organizationalUnit
ou: users
dn: cn=testuser,ou=users,dc=seaweedfs,dc=test
objectClass: inetOrgPerson
cn: testuser
sn: Test User
uid: testuser
userPassword: testpass
dn: cn=ldapadmin,ou=users,dc=seaweedfs,dc=test
objectClass: inetOrgPerson
cn: ldapadmin
sn: LDAP Admin
uid: ldapadmin
userPassword: ldapadminpass
EOF
# Set environment for LDAP tests
export LDAP_URL="ldap://localhost:389"
export LDAP_BASE_DN="dc=seaweedfs,dc=test"
export LDAP_BIND_DN="cn=admin,dc=seaweedfs,dc=test"
export LDAP_BIND_PASSWORD="adminpassword"
echo -e "${GREEN}[OK] LDAP setup completed${NC}"
}
# Set up SeaweedFS test cluster # Set up SeaweedFS test cluster
setup_seaweedfs_cluster() { setup_seaweedfs_cluster() {
echo -e "\n${BLUE}2. Setting up SeaweedFS test cluster...${NC}" echo -e "\n${BLUE}2. Setting up SeaweedFS test cluster...${NC}"
@ -153,6 +221,7 @@ display_summary() {
echo -e "\n${BLUE}📊 Setup Summary${NC}" echo -e "\n${BLUE}📊 Setup Summary${NC}"
echo -e "${BLUE}=================${NC}" echo -e "${BLUE}=================${NC}"
echo -e "Keycloak URL: ${KEYCLOAK_URL:-http://localhost:8080}" echo -e "Keycloak URL: ${KEYCLOAK_URL:-http://localhost:8080}"
echo -e "LDAP URL: ${LDAP_URL:-ldap://localhost:389}"
echo -e "S3 Endpoint: ${S3_ENDPOINT:-http://localhost:8333}" echo -e "S3 Endpoint: ${S3_ENDPOINT:-http://localhost:8333}"
echo -e "Test Timeout: ${TEST_TIMEOUT:-60m}" echo -e "Test Timeout: ${TEST_TIMEOUT:-60m}"
echo -e "IAM Config: ${SCRIPT_DIR}/iam_config.json" echo -e "IAM Config: ${SCRIPT_DIR}/iam_config.json"
@ -161,6 +230,7 @@ display_summary() {
echo -e "${YELLOW}💡 You can now run tests with: make run-all-tests${NC}" echo -e "${YELLOW}💡 You can now run tests with: make run-all-tests${NC}"
echo -e "${YELLOW}💡 Or run specific tests with: go test -v -timeout=60m -run TestName${NC}" echo -e "${YELLOW}💡 Or run specific tests with: go test -v -timeout=60m -run TestName${NC}"
echo -e "${YELLOW}💡 To stop Keycloak: docker stop keycloak-iam-test${NC}" echo -e "${YELLOW}💡 To stop Keycloak: docker stop keycloak-iam-test${NC}"
echo -e "${YELLOW}💡 To stop LDAP: docker stop openldap-iam-test${NC}"
} }
# Main execution # Main execution
@ -177,6 +247,10 @@ main() {
exit 1 exit 1
fi fi
# LDAP is optional but we try to set it up
setup_ldap
setup_steps+=("ldap")
if setup_seaweedfs_cluster; then if setup_seaweedfs_cluster; then
setup_steps+=("seaweedfs") setup_steps+=("seaweedfs")
else else

2
test/s3/iam/setup_keycloak.sh
View File

@ -139,7 +139,7 @@ ensure_realm() {
echo -e "${GREEN}[OK] Realm '${REALM_NAME}' already exists${NC}" echo -e "${GREEN}[OK] Realm '${REALM_NAME}' already exists${NC}"
else else
echo -e "${YELLOW}📝 Creating realm '${REALM_NAME}'...${NC}" echo -e "${YELLOW}📝 Creating realm '${REALM_NAME}'...${NC}"
if kcadm create realms -s realm="${REALM_NAME}" -s enabled=true 2>/dev/null; then
if kcadm create realms -s realm="${REALM_NAME}" -s enabled=true; then
echo -e "${GREEN}[OK] Realm created${NC}" echo -e "${GREEN}[OK] Realm created${NC}"
else else
# Check if it exists now (might have been created by another process) # Check if it exists now (might have been created by another process)

Write Preview
Loading…
Cancel
Save