refactor

1 month ago · b6e8c5a8ea
10 changed files with 126 additions and 222 deletions
--- a/test/s3/iam/Makefile
+++ b/test/s3/iam/Makefile
@ -6,7 +6,7 @@
 all: test
 # Test configuration
 WEED_BINARY ?= /Users/chrislu/go/bin/weed
 WEED_BINARY ?= $(shell go env GOPATH)/bin/weed
 LOG_LEVEL ?= 2
 S3_PORT ?= 8333
 FILER_PORT ?= 8888
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
@ -5,12 +5,12 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"path/filepath"
 	"strings"
 	"github.com/seaweedfs/seaweedfs/weed/iam/policy"
 	"github.com/seaweedfs/seaweedfs/weed/iam/providers"
 	"github.com/seaweedfs/seaweedfs/weed/iam/sts"
 	"github.com/seaweedfs/seaweedfs/weed/iam/utils"
 )
 // IAMManager orchestrates all IAM components
@ -240,7 +240,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
 	}
 	// Extract role name from principal ARN
 	roleName := extractRoleNameFromPrincipal(request.Principal)
 	roleName := utils.ExtractRoleNameFromPrincipal(request.Principal)
 	if roleName == "" {
 		return false, fmt.Errorf("could not extract role from principal: %s", request.Principal)
 	}
@ -381,37 +381,6 @@ func extractRoleNameFromArn(roleArn string) string {
 	return ""
 }
 // extractRoleNameFromPrincipal extracts role name from principal ARN
 func extractRoleNameFromPrincipal(principal string) string {
 	// Handle STS assumed role format: arn:seaweed:sts::assumed-role/RoleName/SessionName
 	stsPrefix := "arn:seaweed:sts::assumed-role/"
 	if len(principal) > len(stsPrefix) && principal[:len(stsPrefix)] == stsPrefix {
 		remainder := principal[len(stsPrefix):]
 		// Split on first '/' to get role name
 		if slashIndex := indexOf(remainder, "/"); slashIndex != -1 {
 			return remainder[:slashIndex]
 		}
 	}
 	// Handle IAM role format: arn:seaweed:iam::role/RoleName
 	iamPrefix := "arn:seaweed:iam::role/"
 	if len(principal) > len(iamPrefix) && principal[:len(iamPrefix)] == iamPrefix {
 		return principal[len(iamPrefix):]
 	}
 	return ""
 }
 // indexOf finds the index of the first occurrence of substring in string
 func indexOf(s, substr string) int {
 	for i := 0; i <= len(s)-len(substr); i++ {
 		if s[i:i+len(substr)] == substr {
 			return i
 		}
 	}
 	return -1
 }
 // ExpireSessionForTesting manually expires a session for testing purposes
 func (m *IAMManager) ExpireSessionForTesting(ctx context.Context, sessionToken string) error {
 	if !m.initialized {
@ -525,15 +494,15 @@ func (m *IAMManager) evaluateTrustPolicyConditions(conditions map[string]map[str
 	for conditionType, conditionBlock := range conditions {
 		switch conditionType {
 		case "StringEquals":
 			if !m.evaluateStringConditionForTrust(conditionBlock, evalCtx, true, false) {
 			if !m.policyEngine.EvaluateStringCondition(conditionBlock, evalCtx, true, false) {
 				return false
 			}
 		case "StringNotEquals":
 			if !m.evaluateStringConditionForTrust(conditionBlock, evalCtx, false, false) {
 			if !m.policyEngine.EvaluateStringCondition(conditionBlock, evalCtx, false, false) {
 				return false
 			}
 		case "StringLike":
 			if !m.evaluateStringConditionForTrust(conditionBlock, evalCtx, true, true) {
 			if !m.policyEngine.EvaluateStringCondition(conditionBlock, evalCtx, true, true) {
 				return false
 			}
 		// Add other condition types as needed
@ -545,71 +514,7 @@ func (m *IAMManager) evaluateTrustPolicyConditions(conditions map[string]map[str
 	return true
 }
 // evaluateStringConditionForTrust evaluates string conditions for trust policies
 func (m *IAMManager) evaluateStringConditionForTrust(block map[string]interface{}, evalCtx *policy.EvaluationContext, shouldMatch bool, useWildcard bool) bool {
 	for conditionKey, conditionValue := range block {
 		contextValues, exists := evalCtx.RequestContext[conditionKey]
 		if !exists {
 			if shouldMatch {
 				return false
 			}
 			continue
 		}
 		// Convert context value to string slice
 		var contextStrings []string
 		switch v := contextValues.(type) {
 		case string:
 			contextStrings = []string{v}
 		case []string:
 			contextStrings = v
 		default:
 			contextStrings = []string{fmt.Sprintf("%v", v)}
 		}
 		// Convert condition value to string slice
 		var expectedStrings []string
 		switch v := conditionValue.(type) {
 		case string:
 			expectedStrings = []string{v}
 		case []string:
 			expectedStrings = v
 		default:
 			expectedStrings = []string{fmt.Sprintf("%v", v)}
 		}
 		// Evaluate the condition
 		conditionMet := false
 		for _, expected := range expectedStrings {
 			for _, contextValue := range contextStrings {
 				if useWildcard {
 					matched, err := filepath.Match(expected, contextValue)
 					if err == nil && matched {
 						conditionMet = true
 						break
 					}
 				} else {
 					if expected == contextValue {
 						conditionMet = true
 						break
 					}
 				}
 			}
 			if conditionMet {
 				break
 			}
 		}
 		if shouldMatch && !conditionMet {
 			return false
 		}
 		if !shouldMatch && conditionMet {
 			return false
 		}
 	}
 	return true
 }
 // isOIDCToken checks if a token is an OIDC JWT token (vs STS session token)
 func isOIDCToken(token string) bool {
--- a/weed/iam/policy/policy_engine.go
+++ b/weed/iam/policy/policy_engine.go
@ -360,11 +360,11 @@ func (e *PolicyEngine) evaluateConditionBlock(conditionType string, block map[st
 	case "NotIpAddress":
 		return e.evaluateIPCondition(block, evalCtx, false)
 	case "StringEquals":
 		return e.evaluateStringCondition(block, evalCtx, true, false)
 		return e.EvaluateStringCondition(block, evalCtx, true, false)
 	case "StringNotEquals":
 		return e.evaluateStringCondition(block, evalCtx, false, false)
 		return e.EvaluateStringCondition(block, evalCtx, false, false)
 	case "StringLike":
 		return e.evaluateStringCondition(block, evalCtx, true, true)
 		return e.EvaluateStringCondition(block, evalCtx, true, true)
 	default:
 		// Unknown condition types default to false (more secure)
 		return false
@ -418,8 +418,8 @@ func (e *PolicyEngine) evaluateIPCondition(block map[string]interface{}, evalCtx
 	return !shouldMatch
 }
 // evaluateStringCondition evaluates string-based conditions
 func (e *PolicyEngine) evaluateStringCondition(block map[string]interface{}, evalCtx *EvaluationContext, shouldMatch bool, useWildcard bool) bool {
 // EvaluateStringCondition evaluates string-based conditions
 func (e *PolicyEngine) EvaluateStringCondition(block map[string]interface{}, evalCtx *EvaluationContext, shouldMatch bool, useWildcard bool) bool {
 	// Iterate through all condition keys in the block
 	for conditionKey, conditionValue := range block {
 		// Get the context values for this condition key
@ -582,38 +582,37 @@ func validateStatementWithType(statement *Statement, policyType string) error {
 	return nil
 }
 // matchResource checks if a resource pattern matches a requested resource
 // Uses filepath.Match for consistent wildcard behavior across the IAM system
 func matchResource(pattern, resource string) bool {
 	if pattern == resource {
 		return true
 	}
 	if pattern == "*" {
 		return true
 	}
 	if strings.HasSuffix(pattern, "*") {
 		prefix := pattern[:len(pattern)-1]
 		return strings.HasPrefix(resource, prefix)
 	// Use filepath.Match for standard wildcard support (*, ?, [])
 	matched, err := filepath.Match(pattern, resource)
 	if err != nil {
 		// Fallback to exact match if pattern is malformed
 		return pattern == resource
 	}
 	return false
 	return matched
 }
 // matchAction checks if an action pattern matches a requested action
 // Uses filepath.Match for consistent wildcard behavior across the IAM system
 func matchAction(pattern, action string) bool {
 	if pattern == action {
 		return true
 	}
 	if pattern == "*" {
 		return true
 	}
 	if strings.HasSuffix(pattern, "*") {
 		prefix := pattern[:len(pattern)-1]
 		return strings.HasPrefix(action, prefix)
 	// Use filepath.Match for standard wildcard support (*, ?, [])
 	matched, err := filepath.Match(pattern, action)
 	if err != nil {
 		// Fallback to exact match if pattern is malformed
 		return pattern == action
 	}
 	return false
 	return matched
 }
--- a/weed/iam/sts/constants.go
+++ b/weed/iam/sts/constants.go
@ -30,11 +30,11 @@ const (
 // Default Values
 const (
 	DefaultTokenDuration      = 3600          // 1 hour in seconds
 	DefaultMaxSessionLength   = 43200         // 12 hours in seconds
 	DefaultIssuer            = "seaweedfs-sts"
 	DefaultStoreType         = StoreTypeFiler // Default store type for persistence
 	MinSigningKeyLength      = 16             // Minimum signing key length in bytes
 	DefaultTokenDuration    = 3600  // 1 hour in seconds
 	DefaultMaxSessionLength = 43200 // 12 hours in seconds
 	DefaultIssuer           = "seaweedfs-sts"
 	DefaultStoreType        = StoreTypeFiler // Default store type for persistence
 	MinSigningKeyLength     = 16             // Minimum signing key length in bytes
 )
 // Configuration Field Names
@ -52,30 +52,30 @@ const (
 // Error Messages
 const (
 	ErrConfigCannotBeNil           = "config cannot be nil"
 	ErrProviderCannotBeNil         = "provider cannot be nil"
 	ErrProviderNameEmpty           = "provider name cannot be empty"
 	ErrProviderTypeEmpty           = "provider type cannot be empty"
 	ErrTokenCannotBeEmpty          = "token cannot be empty"
 	ErrSessionTokenCannotBeEmpty   = "session token cannot be empty"
 	ErrSessionIDCannotBeEmpty      = "session ID cannot be empty"
 	ErrSTSServiceNotInitialized    = "STS service not initialized"
 	ErrProviderNotInitialized      = "provider not initialized"
 	ErrInvalidTokenDuration        = "token duration must be positive"
 	ErrInvalidMaxSessionLength     = "max session length must be positive"
 	ErrIssuerRequired              = "issuer is required"
 	ErrSigningKeyTooShort          = "signing key must be at least %d bytes"
 	ErrFilerAddressRequired        = "filer address is required"
 	ErrClientIDRequired            = "clientId is required for OIDC provider"
 	ErrUnsupportedStoreType        = "unsupported store type: %s"
 	ErrUnsupportedProviderType     = "unsupported provider type: %s"
 	ErrInvalidTokenFormat          = "invalid session token format: %w"
 	ErrSessionValidationFailed     = "session validation failed: %w"
 	ErrInvalidToken                = "invalid token: %w"
 	ErrTokenNotValid               = "token is not valid"
 	ErrInvalidTokenClaims          = "invalid token claims"
 	ErrInvalidIssuer               = "invalid issuer"
 	ErrMissingSessionID            = "missing session ID"
 	ErrConfigCannotBeNil         = "config cannot be nil"
 	ErrProviderCannotBeNil       = "provider cannot be nil"
 	ErrProviderNameEmpty         = "provider name cannot be empty"
 	ErrProviderTypeEmpty         = "provider type cannot be empty"
 	ErrTokenCannotBeEmpty        = "token cannot be empty"
 	ErrSessionTokenCannotBeEmpty = "session token cannot be empty"
 	ErrSessionIDCannotBeEmpty    = "session ID cannot be empty"
 	ErrSTSServiceNotInitialized  = "STS service not initialized"
 	ErrProviderNotInitialized    = "provider not initialized"
 	ErrInvalidTokenDuration      = "token duration must be positive"
 	ErrInvalidMaxSessionLength   = "max session length must be positive"
 	ErrIssuerRequired            = "issuer is required"
 	ErrSigningKeyTooShort        = "signing key must be at least %d bytes"
 	ErrFilerAddressRequired      = "filer address is required"
 	ErrClientIDRequired          = "clientId is required for OIDC provider"
 	ErrUnsupportedStoreType      = "unsupported store type: %s"
 	ErrUnsupportedProviderType   = "unsupported provider type: %s"
 	ErrInvalidTokenFormat        = "invalid session token format: %w"
 	ErrSessionValidationFailed   = "session validation failed: %w"
 	ErrInvalidToken              = "invalid token: %w"
 	ErrTokenNotValid             = "token is not valid"
 	ErrInvalidTokenClaims        = "invalid token claims"
 	ErrInvalidIssuer             = "invalid issuer"
 	ErrMissingSessionID          = "missing session ID"
 )
 // JWT Claims
@ -97,11 +97,10 @@ const (
 // AWS STS Actions
 const (
 	ActionAssumeRole                    = "sts:AssumeRole"
 	ActionAssumeRoleWithWebIdentity     = "sts:AssumeRoleWithWebIdentity"
 	ActionAssumeRoleWithCredentials     = "sts:AssumeRoleWithCredentials"
 	ActionValidateSession               = "sts:ValidateSession"
 	ActionRevokeSession                 = "sts:RevokeSession"
 	ActionAssumeRole                = "sts:AssumeRole"
 	ActionAssumeRoleWithWebIdentity = "sts:AssumeRoleWithWebIdentity"
 	ActionAssumeRoleWithCredentials = "sts:AssumeRoleWithCredentials"
 	ActionValidateSession           = "sts:ValidateSession"
 )
 // Session File Prefixes
@ -122,17 +121,17 @@ const (
 // Content Types
 const (
 	ContentTypeJSON            = "application/json"
 	ContentTypeFormURLEncoded  = "application/x-www-form-urlencoded"
 	ContentTypeJSON           = "application/json"
 	ContentTypeFormURLEncoded = "application/x-www-form-urlencoded"
 )
 // Default Test Values
 const (
 	TestSigningKey32Chars = "test-signing-key-32-characters-long"
 	TestIssuer           = "test-sts"
 	TestClientID         = "test-client"
 	TestSessionID        = "test-session-123"
 	TestValidToken       = "valid_test_token"
 	TestInvalidToken     = "invalid_token"
 	TestExpiredToken     = "expired_token"
 	TestIssuer            = "test-sts"
 	TestClientID          = "test-client"
 	TestSessionID         = "test-session-123"
 	TestValidToken        = "valid_test_token"
 	TestInvalidToken      = "invalid_token"
 	TestExpiredToken      = "expired_token"
 )
--- a/weed/iam/sts/cross_instance_token_test.go
+++ b/weed/iam/sts/cross_instance_token_test.go
@ -144,12 +144,12 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
 		_, err = instanceB.ValidateSessionToken(ctx, sessionToken)
 		require.NoError(t, err, "Token should be valid on Instance B initially")
 		// Attempt to revoke session on Instance C (in stateless system, this only validates)
 		err = instanceC.RevokeSession(ctx, sessionToken)
 		// Validate session on Instance C to verify cross-instance token compatibility
 		_, err = instanceC.ValidateSessionToken(ctx, sessionToken)
 		require.NoError(t, err, "Instance C should be able to validate session token")
 		// In a stateless JWT system, tokens cannot be truly revoked without a shared blacklist
 		// The token should still be valid on all instances since it's self-contained
 		// In a stateless JWT system, tokens remain valid on all instances since they're self-contained
 		// No revocation is possible without breaking the stateless architecture
 		_, err = instanceA.ValidateSessionToken(ctx, sessionToken)
 		assert.NoError(t, err, "Token should still be valid on Instance A (stateless system)")
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@ -462,31 +462,18 @@ func (s *STSService) ValidateSessionToken(ctx context.Context, sessionToken stri
 	return claims.ToSessionInfo(), nil
 }
 // RevokeSession validates a session token (stateless operation)
 // Note: In a stateless JWT system, sessions cannot be revoked without a blacklist.
 // This method validates the token format but cannot actually revoke it.
 // For production use, consider implementing a token blacklist or use short-lived tokens.
 func (s *STSService) RevokeSession(ctx context.Context, sessionToken string) error {
 	if !s.initialized {
 		return fmt.Errorf("STS service not initialized")
 	}
 	if sessionToken == "" {
 		return fmt.Errorf("session token cannot be empty")
 	}
 	// Validate JWT token format
 	_, err := s.tokenGenerator.ValidateJWTWithClaims(sessionToken)
 	if err != nil {
 		return fmt.Errorf("invalid session token format: %w", err)
 	}
 	// In a stateless system, we cannot revoke JWT tokens without a blacklist
 	// The token will naturally expire based on its embedded expiration time
 	glog.V(1).Infof("Session revocation requested for stateless token - token will expire naturally at its embedded expiration time")
 	return nil
 }
 // NOTE: Session revocation is not supported in the stateless JWT design.
 //
 // In a stateless JWT system, tokens cannot be revoked without implementing a token blacklist,
 // which would break the stateless architecture. Tokens remain valid until their natural
 // expiration time.
 //
 // For applications requiring token revocation, consider:
 // 1. Using shorter token lifespans (e.g., 15-30 minutes)
 // 2. Implementing a distributed token blacklist (breaks stateless design)
 // 3. Including a "jti" (JWT ID) claim for tracking specific tokens
 //
 // Use ValidateSessionToken() to verify if a token is valid and not expired.
 // Helper methods for AssumeRoleWithWebIdentity
--- a/weed/iam/sts/sts_service_test.go
+++ b/weed/iam/sts/sts_service_test.go
@ -265,8 +265,9 @@ func TestSessionTokenValidation(t *testing.T) {
 	}
 }
 // TestSessionRevocation tests session token revocation
 func TestSessionRevocation(t *testing.T) {
 // TestSessionTokenPersistence tests that JWT tokens remain valid throughout their lifetime
 // Note: In the stateless JWT design, tokens cannot be revoked and remain valid until expiration
 func TestSessionTokenPersistence(t *testing.T) {
 	service := setupTestSTSService(t)
 	ctx := context.Background()
@ -282,20 +283,18 @@ func TestSessionRevocation(t *testing.T) {
 	sessionToken := response.Credentials.SessionToken
 	// Verify token is valid before revocation
 	// Verify token is valid initially
 	session, err := service.ValidateSessionToken(ctx, sessionToken)
 	assert.NoError(t, err)
 	assert.NotNil(t, session)
 	// Attempt to revoke the session (in stateless JWT system, this only validates the token)
 	err = service.RevokeSession(ctx, sessionToken)
 	assert.NoError(t, err, "RevokeSession should succeed in stateless system")
 	// In a stateless JWT system, tokens cannot be truly revoked without a blacklist
 	// The token should still be valid since it's self-contained and hasn't expired
 	session, err = service.ValidateSessionToken(ctx, sessionToken)
 	assert.NoError(t, err, "Token should still be valid in stateless system")
 	assert.NotNil(t, session, "Session should be returned from JWT token")
 	assert.Equal(t, "test-session", session.SessionName)
 	// In a stateless JWT system, tokens remain valid throughout their lifetime
 	// Multiple validations should all succeed as long as the token hasn't expired
 	session2, err := service.ValidateSessionToken(ctx, sessionToken)
 	assert.NoError(t, err, "Token should remain valid in stateless system")
 	assert.NotNil(t, session2, "Session should be returned from JWT token")
 	assert.Equal(t, session.SessionId, session2.SessionId, "Session ID should be consistent")
 }
 // Helper functions
--- a/weed/iam/utils/arn_utils.go
+++ b/weed/iam/utils/arn_utils.go
@ -0,0 +1,28 @@
 package utils
 import "strings"
 // ExtractRoleNameFromPrincipal extracts role name from principal ARN
 // Handles both STS assumed role and IAM role formats
 func ExtractRoleNameFromPrincipal(principal string) string {
 	// Handle STS assumed role format: arn:seaweed:sts::assumed-role/RoleName/SessionName
 	stsPrefix := "arn:seaweed:sts::assumed-role/"
 	if strings.HasPrefix(principal, stsPrefix) {
 		remainder := principal[len(stsPrefix):]
 		// Split on first '/' to get role name
 		if slashIndex := strings.Index(remainder, "/"); slashIndex != -1 {
 			return remainder[:slashIndex]
 		}
 		// If no slash found, return the remainder (edge case)
 		return remainder
 	}
 	// Handle IAM role format: arn:seaweed:iam::role/RoleName
 	iamPrefix := "arn:seaweed:iam::role/"
 	if strings.HasPrefix(principal, iamPrefix) {
 		return principal[len(iamPrefix):]
 	}
 	// For backwards compatibility, return original principal if no recognized format
 	return principal
 }
--- a/weed/s3api/s3_iam_middleware.go
+++ b/weed/s3api/s3_iam_middleware.go
@ -325,20 +325,6 @@ func extractSourceIP(r *http.Request) string {
 	return r.RemoteAddr
 }
 // extractRoleNameFromPrincipal extracts role name from assumed role principal ARN
 func extractRoleNameFromPrincipal(principal string) string {
 	// Expected format: arn:seaweed:sts::assumed-role/RoleName/SessionName
 	prefix := "arn:seaweed:sts::assumed-role/"
 	if len(principal) > len(prefix) && principal[:len(prefix)] == prefix {
 		remainder := principal[len(prefix):]
 		// Split on first '/' to get role name
 		if slashIndex := strings.Index(remainder, "/"); slashIndex != -1 {
 			return remainder[:slashIndex]
 		}
 	}
 	return principal // Return original if parsing fails
 }
 // parseJWTToken parses a JWT token and returns its claims without verification
 // Note: This is for extracting claims only. Verification is done by the IAM system.
 func parseJWTToken(tokenString string) (jwt.MapClaims, error) {
--- a/weed/s3api/s3_iam_simple_test.go
+++ b/weed/s3api/s3_iam_simple_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/iam/integration"
 	"github.com/seaweedfs/seaweedfs/weed/iam/policy"
 	"github.com/seaweedfs/seaweedfs/weed/iam/sts"
 	"github.com/seaweedfs/seaweedfs/weed/iam/utils"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@ -212,7 +213,7 @@ func TestExtractRoleNameFromPrincipal(t *testing.T) {
 		{
 			name:      "missing session name",
 			principal: "arn:seaweed:sts::assumed-role/TestRole",
 			expected:  "arn:seaweed:sts::assumed-role/TestRole", // Returns original on failure
 			expected:  "TestRole", // Extracts role name even without session name
 		},
 		{
 			name:      "empty principal",
@ -223,7 +224,7 @@ func TestExtractRoleNameFromPrincipal(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := extractRoleNameFromPrincipal(tt.principal)
 			result := utils.ExtractRoleNameFromPrincipal(tt.principal)
 			assert.Equal(t, tt.expected, result)
 		})
 	}