From b48cbfc708437565a9474f57cf47fdf8b6b47c39 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 12 Jan 2026 00:40:20 -0800 Subject: [PATCH] update tests --- weed/iam/integration/advanced_policy_test.go | 4 ++-- weed/iam/integration/iam_integration_test.go | 6 +++--- weed/iam/integration/iam_manager.go | 16 +++++++++++++++- weed/s3api/s3_end_to_end_test.go | 8 ++++---- weed/s3api/s3_jwt_auth_test.go | 10 +++++----- weed/s3api/s3_multipart_iam_test.go | 4 ++-- weed/s3api/s3_presigned_url_iam_test.go | 6 +++--- 7 files changed, 34 insertions(+), 20 deletions(-) diff --git a/weed/iam/integration/advanced_policy_test.go b/weed/iam/integration/advanced_policy_test.go index 0af233a37..393505d6c 100644 --- a/weed/iam/integration/advanced_policy_test.go +++ b/weed/iam/integration/advanced_policy_test.go @@ -25,7 +25,7 @@ func TestPolicyVariableSubstitution(t *testing.T) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -102,7 +102,7 @@ func TestConditionWithNumericComparison(t *testing.T) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, Condition: map[string]map[string]interface{}{ diff --git a/weed/iam/integration/iam_integration_test.go b/weed/iam/integration/iam_integration_test.go index 8aeedda5c..4740152a8 100644 --- a/weed/iam/integration/iam_integration_test.go +++ b/weed/iam/integration/iam_integration_test.go @@ -421,7 +421,7 @@ func TestTrustPolicyWildcardPrincipal(t *testing.T) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, 
@@ -440,7 +440,7 @@ func TestTrustPolicyWildcardPrincipal(t *testing.T) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": []interface{}{"specific-provider", "https://test-issuer.com"}, + "Federated": []interface{}{"specific-provider", "test-oidc"}, }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -646,7 +646,7 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, diff --git a/weed/iam/integration/iam_manager.go b/weed/iam/integration/iam_manager.go index caaa7f31d..93ae2090d 100644 --- a/weed/iam/integration/iam_manager.go +++ b/weed/iam/integration/iam_manager.go @@ -346,7 +346,7 @@ func (m *IAMManager) ValidateTrustPolicy(ctx context.Context, roleArn, provider, if principal, ok := statement.Principal.(map[string]interface{}); ok { if federated, ok := principal["Federated"].(string); ok { // For OIDC, check against issuer URL - if provider == "oidc" && federated == "https://test-issuer.com" { + if provider == "oidc" && federated == "test-oidc" { return true } // For LDAP, check against test-ldap 
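Review bot: In the ValidateTrustPolicy hunk, `if provider == "oidc" && federated == "test-oidc" {` keeps a hard-coded literal in non-test code, so a trust policy whose Federated principal is exactly `test-oidc` is accepted for whatever OIDC provider a deployment actually registers, and the comment above it, `// For OIDC, check against issuer URL`, no longer describes the comparison. The next hunk in this file ranges over `m.stsService.GetProviders()` as `name, provider`, so if that is a map keyed by provider name the check can be data-driven instead of literal, e.g. `if provider == "oidc" && m.stsService != nil { if _, known := m.stsService.GetProviders()[federated]; known { return true } }`, with the comment changed to `// For OIDC, accept a registered provider name`. The LDAP branch announced by the following comment appears to use the same literal pattern and would deserve the same treatment. ValidateTrustPolicy starts and ends outside this hunk.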
@@ -391,8 +391,22 @@ func (m *IAMManager) validateTrustPolicyForWebIdentity(ctx context.Context, role // The issuer is the federated provider for OIDC if iss, ok := tokenClaims["iss"].(string); ok { + // Default to issuer URL requestContext["aws:FederatedProvider"] = iss requestContext["oidc:iss"] = iss + + // Try to resolve provider name from issuer for better policy matching + // This allows policies to reference the provider name (e.g. "keycloak") instead of the full issuer URL + if m.stsService != nil { + for name, provider := range m.stsService.GetProviders() { + if oidcProvider, ok := provider.(interface{ GetIssuer() string }); ok { + if oidcProvider.GetIssuer() == iss { + requestContext["aws:FederatedProvider"] = name + break + } + } + } + } } if sub, ok := tokenClaims["sub"].(string); ok { diff --git a/weed/s3api/s3_end_to_end_test.go b/weed/s3api/s3_end_to_end_test.go index 83943b1cc..3fa20194d 100644 --- a/weed/s3api/s3_end_to_end_test.go +++ b/weed/s3api/s3_end_to_end_test.go @@ -477,7 +477,7 @@ func setupS3ReadOnlyRole(ctx context.Context, manager *integration.IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -521,7 +521,7 @@ func setupS3AdminRole(ctx context.Context, manager *integration.IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -565,7 +565,7 @@ func setupS3WriteRole(ctx context.Context, manager *integration.IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, 
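Review bot: The new resolution loop in validateTrustPolicyForWebIdentity ranges over `m.stsService.GetProviders()` and stops at the first provider whose `GetIssuer()` equals `iss`, so when two registered providers share an issuer the name written to `aws:FederatedProvider` depends on Go's randomized map iteration order and the same token can pass or fail trust-policy evaluation from one run to the next. The loop also overwrites the issuer URL rather than supplementing it, so an existing trust policy that names the full issuer URL stops matching as soon as a provider with that issuer is registered — presumably why every test fixture in this commit switches to `test-oidc`; keeping the URL form acceptable to the evaluator, or documenting the migration, would avoid silently invalidating deployed policies. Note too that `GetIssuer() == iss` is an exact byte comparison, so an issuer configured with a trailing slash will not resolve against a token whose `iss` lacks one. The rewrite below collects all matches and only substitutes the name when the issuer identifies exactly one provider, leaving the issuer-URL default in place otherwise; validateTrustPolicyForWebIdentity begins and ends outside this hunk.
```go
			requestContext["oidc:iss"] = iss

			// Resolve the provider name from the issuer so policies can reference
			// the name instead of the full issuer URL.
			if m.stsService != nil {
				var matched []string
				for name, provider := range m.stsService.GetProviders() {
					if oidcProvider, ok := provider.(interface{ GetIssuer() string }); ok && oidcProvider.GetIssuer() == iss {
						matched = append(matched, name)
					}
				}
				// Substitute only when the issuer is unambiguous; otherwise the choice
				// would be decided by map iteration order.
				if len(matched) == 1 {
					requestContext["aws:FederatedProvider"] = matched[0]
				}
			}
			// … unchanged: sub claim handling below …
```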
@@ -614,7 +614,7 @@ func setupS3IPRestrictedRole(ctx context.Context, manager *integration.IAMManage { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, diff --git a/weed/s3api/s3_jwt_auth_test.go b/weed/s3api/s3_jwt_auth_test.go index afed20671..ccae1827f 100644 --- a/weed/s3api/s3_jwt_auth_test.go +++ b/weed/s3api/s3_jwt_auth_test.go @@ -387,7 +387,7 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager) { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -405,7 +405,7 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager) { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -449,7 +449,7 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -467,7 +467,7 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) { { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -510,7 +510,7 @@ func setupTestIPRestrictedRole(ctx context.Context, manager *integration.IAMMana { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, diff --git a/weed/s3api/s3_multipart_iam_test.go b/weed/s3api/s3_multipart_iam_test.go index 5717393b1..7169891c0 100644 
--- a/weed/s3api/s3_multipart_iam_test.go +++ b/weed/s3api/s3_multipart_iam_test.go @@ -568,7 +568,7 @@ func setupTestRolesForMultipart(ctx context.Context, manager *integration.IAMMan { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -586,7 +586,7 @@ func setupTestRolesForMultipart(ctx context.Context, manager *integration.IAMMan { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, diff --git a/weed/s3api/s3_presigned_url_iam_test.go b/weed/s3api/s3_presigned_url_iam_test.go index 8690dc904..2a2686f7b 100644 --- a/weed/s3api/s3_presigned_url_iam_test.go +++ b/weed/s3api/s3_presigned_url_iam_test.go @@ -521,7 +521,7 @@ func setupTestRolesForPresigned(ctx context.Context, manager *integration.IAMMan { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -557,7 +557,7 @@ func setupTestRolesForPresigned(ctx context.Context, manager *integration.IAMMan { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, }, @@ -575,7 +575,7 @@ func setupTestRolesForPresigned(ctx context.Context, manager *integration.IAMMan { Effect: "Allow", Principal: map[string]interface{}{ - "Federated": "https://test-issuer.com", + "Federated": "test-oidc", }, Action: []string{"sts:AssumeRoleWithWebIdentity"}, },