From ac824d40948701b5c03b028562806baa3aceb612 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 2 Jan 2026 20:30:39 -0800
Subject: [PATCH] test(sts): Assert credentials expiration relative to now in credential expiration tests

Replace wallclock assertions comparing tc.expiresAt to time.Now() (which only verified test setup) with assertions that check sessionInfo.Credentials.Expiration relative to time.Now(), thus exercising the code under test. Include clarifying comment for intent.
---
 weed/iam/sts/session_claims_test.go | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/weed/iam/sts/session_claims_test.go b/weed/iam/sts/session_claims_test.go
index 5236819a8..fffe54a64 100644
--- a/weed/iam/sts/session_claims_test.go
+++ b/weed/iam/sts/session_claims_test.go
@@ -61,20 +61,20 @@ func TestSTSSessionClaimsToSessionInfoCredentialGeneration(t *testing.T) { // Verify that both have valid credentials assert.NotNil(t, sessionInfo1.Credentials, "credentials should be populated") assert.NotNil(t, sessionInfo2.Credentials, "credentials should be populated") - + // Verify deterministic generation: same SessionId should produce identical access key ID // (based on hash of session ID, not random) assert.Equal(t, sessionInfo1.Credentials.AccessKeyId, sessionInfo2.Credentials.AccessKeyId, "same session ID should produce identical access key ID (deterministic hash-based generation)") - + // Session token is also deterministic (hash-based on session ID) assert.Equal(t, sessionInfo1.Credentials.SessionToken, sessionInfo2.Credentials.SessionToken, "same session ID should produce identical session token (deterministic hash-based generation)") - + // Expiration should match assert.WithinDuration(t, sessionInfo1.Credentials.Expiration, sessionInfo2.Credentials.Expiration, 1*time.Second, "credentials expiration should match") - + // Secret access key is NOT deterministic (uses random.Read), so we just verify it exists assert.NotEmpty(t, sessionInfo1.Credentials.SecretAccessKey, "secret access key should be generated") assert.NotEmpty(t, sessionInfo2.Credentials.SecretAccessKey, "secret access key should be generated") @@ -88,7 +88,7 @@ func TestSTSSessionClaimsToSessionInfoPreservesAllFields(t *testing.T) { policies := []string{"policy1", "policy2"} requestContext := map[string]interface{}{ - "sourceIp": "192.168.1.1", + "sourceIp": "192.168.1.1", "userAgent": "test-agent", } 
@@ -142,12 +142,12 @@ func TestSTSSessionClaimsToSessionInfoEmptyFields(t *testing.T) {
 func TestSTSSessionClaimsToSessionInfoCredentialExpiration(t *testing.T) {
 sessionId := "test-session"
 issuer := "issuer"
-
+
 tests := []struct {
- name string
- expiresAt time.Time
- expectNotExpired bool
- description string
+ name string
+ expiresAt time.Time
+ expectNotExpired bool
+ description string
 }{
 {
 name: "future_expiration",
@@ -177,11 +177,13 @@ func TestSTSSessionClaimsToSessionInfoCredentialExpiration(t *testing.T) {
 assert.NotNil(t, sessionInfo.Credentials)
 // Check expiration within 1 second due to timing precision
 assert.True(t, sessionInfo.Credentials.Expiration.Sub(tc.expiresAt) < time.Second)
-
+
+ // We set tc.expiresAt to past/future values to exercise expiration handling.
+ // Assert the credentials' expiration relative to now to exercise code behavior
 if tc.expectNotExpired {
- assert.False(t, time.Now().After(tc.expiresAt), tc.description)
+ assert.True(t, time.Now().Before(sessionInfo.Credentials.Expiration), tc.description)
 } else {
- assert.True(t, time.Now().After(tc.expiresAt), tc.description)
+ assert.True(t, time.Now().After(sessionInfo.Credentials.Expiration), tc.description)
 }
 })
 }
@@ -210,12 +212,12 @@ func TestSessionInfoIntegration(t *testing.T) {
 assert.NotNil(t, sessionInfo.Credentials)
 assert.NotEmpty(t, sessionInfo.Credentials.AccessKeyId)
 assert.NotEmpty(t, sessionInfo.Credentials.SecretAccessKey)
-
+
 // Verify basic session properties
 assert.Equal(t, sessionId, sessionInfo.SessionId)
 assert.Equal(t, "integration-test", sessionInfo.SessionName)
 assert.False(t, sessionInfo.ExpiresAt.IsZero())
-
+
 // Verify that the session is valid
 assert.True(t, sessionInfo.ExpiresAt.After(time.Now()), "session should not be expired")
 assert.False(t, sessionInfo.Credentials.Expiration.Before(time.Now()), "credentials should not be expired")
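Review bot: In the `@@ -177,11 +177,13 @@` hunk, the unchanged guard just above the new assertions, `assert.True(t, sessionInfo.Credentials.Expiration.Sub(tc.expiresAt) < time.Second)`, is one-sided, so in the expired case a zero-value or far-too-early `Expiration` satisfies both it and the new `time.Now().After(sessionInfo.Credentials.Expiration)` check. The new assertions rely on that guard to tie the credential lifetime to the claim, so it should be two-sided, using the helper this file already calls elsewhere: `assert.WithinDuration(t, tc.expiresAt, sessionInfo.Credentials.Expiration, time.Second)`. As written, the expired case only confirms that a past timestamp is carried through; whether the conversion should return credentials at all for an already-expired claim is not visible from this hunk and deserves an explicit case. The test function begins and ends outside the hunk.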