From b963b31a199a6e0bf18910e69aedd0a23360e696 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 12 Jan 2026 01:34:53 -0800
Subject: [PATCH] chore(iam): cleanup debug prints and fix test config port
---
 test/s3/iam/iam_config.json | 114 ++++++++++++++++++++--------
 test/s3/iam/iam_config.local.json | 2 +-
 weed/iam/integration/iam_manager.go | 6 --
 3 files changed, 84 insertions(+), 38 deletions(-)
diff --git a/test/s3/iam/iam_config.json b/test/s3/iam/iam_config.json
index 7a903b047..ed1f0df47 100644
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@@ -1,7 +1,7 @@
 { "sts": { "tokenDuration": "1h", - "maxSessionLength": "12h", + "maxSessionLength": "12h", "issuer": "seaweedfs-sts", "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc=" },
@@ -24,7 +24,11 @@
 "clientSecret": "seaweedfs-s3-secret", "jwksUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/certs", "userInfoUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/userinfo", - "scopes": ["openid", "profile", "email"], + "scopes": [ + "openid", + "profile", + "email" + ], "claimsMapping": { "username": "preferred_username", "email": "email",
@@ -38,13 +42,13 @@
 "role": "arn:aws:iam::role/KeycloakAdminRole" }, { - "claim": "roles", + "claim": "roles", "value": "s3-read-only", "role": "arn:aws:iam::role/KeycloakReadOnlyRole" }, { "claim": "roles", - "value": "s3-write-only", + "value": "s3-write-only", "role": "arn:aws:iam::role/KeycloakWriteOnlyRole" }, {
@@ -73,15 +77,19 @@
 "Principal": { "Federated": "test-oidc" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3AdminPolicy"], + "attachedPolicies": [ + "S3AdminPolicy" + ], "description": "Admin role for testing" }, { - "roleName": "TestReadOnlyRole", + "roleName": "TestReadOnlyRole", "roleArn": "arn:aws:iam::role/TestReadOnlyRole", "trustPolicy": { "Version": "2012-10-17",
@@ -91,15 +99,19 @@
 "Principal": { "Federated": "test-oidc" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3ReadOnlyPolicy"], + "attachedPolicies": [ + "S3ReadOnlyPolicy" + ], "description": "Read-only role for testing" }, { - "roleName": "TestWriteOnlyRole", + "roleName": "TestWriteOnlyRole", "roleArn": "arn:aws:iam::role/TestWriteOnlyRole", "trustPolicy": { "Version": "2012-10-17",
@@ -109,11 +121,15 @@
 "Principal": { "Federated": "test-oidc" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3WriteOnlyPolicy"], + "attachedPolicies": [ + "S3WriteOnlyPolicy" + ], "description": "Write-only role for testing" }, {
@@ -127,11 +143,15 @@
 "Principal": { "Federated": "keycloak" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3AdminPolicy"], + "attachedPolicies": [ + "S3AdminPolicy" + ], "description": "Admin role for Keycloak users" }, {
@@ -145,11 +165,15 @@
 "Principal": { "Federated": "keycloak" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3ReadOnlyPolicy"], + "attachedPolicies": [ + "S3ReadOnlyPolicy" + ], "description": "Read-only role for Keycloak users" }, {
@@ -163,11 +187,15 @@
 "Principal": { "Federated": "keycloak" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3WriteOnlyPolicy"], + "attachedPolicies": [ + "S3WriteOnlyPolicy" + ], "description": "Write-only role for Keycloak users" }, {
@@ -181,11 +209,15 @@
 "Principal": { "Federated": "keycloak" }, - "Action": ["sts:AssumeRoleWithWebIdentity"] + "Action": [ + "sts:AssumeRoleWithWebIdentity" + ] } ] }, - "attachedPolicies": ["S3ReadWritePolicy"], + "attachedPolicies": [ + "S3ReadWritePolicy" + ], "description": "Read-write role for Keycloak users" } ],
@@ -197,13 +229,21 @@
 "Statement": [ { "Effect": "Allow", - "Action": ["s3:*"], - "Resource": ["*"] + "Action": [ + "s3:*" + ], + "Resource": [ + "*" + ] }, { "Effect": "Allow", - "Action": ["sts:ValidateSession"], - "Resource": ["*"] + "Action": [ + "sts:ValidateSession" + ], + "Resource": [ + "*" + ] } ] }
@@ -211,7 +251,7 @@
 { "name": "S3ReadOnlyPolicy", "document": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
@@ -226,8 +266,12 @@
 }, { "Effect": "Allow", - "Action": ["sts:ValidateSession"], - "Resource": ["*"] + "Action": [ + "sts:ValidateSession" + ], + "Resource": [ + "*" + ] } ] }
@@ -260,8 +304,12 @@
 }, { "Effect": "Allow", - "Action": ["sts:ValidateSession"], - "Resource": ["*"] + "Action": [ + "sts:ValidateSession" + ], + "Resource": [ + "*" + ] } ] }
@@ -283,8 +331,12 @@
 }, { "Effect": "Allow", - "Action": ["sts:ValidateSession"], - "Resource": ["*"] + "Action": [ + "sts:ValidateSession" + ], + "Resource": [ + "*" + ] } ] }
diff --git a/test/s3/iam/iam_config.local.json b/test/s3/iam/iam_config.local.json
index 4817988c7..ed1f0df47 100644
--- a/test/s3/iam/iam_config.local.json
+++ b/test/s3/iam/iam_config.local.json
@@ -342,4 +342,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/weed/iam/integration/iam_manager.go b/weed/iam/integration/iam_manager.go
index 2afd08791..894a7f37c 100644
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
@@ -395,26 +395,20 @@ func (m *IAMManager) validateTrustPolicyForWebIdentity(ctx context.Context, role
 requestContext["aws:FederatedProvider"] = iss
 requestContext["oidc:iss"] = iss
 
- fmt.Printf("DEBUG: validateTrustPolicyForWebIdentity - Issuer: %s\n", iss)
-
 // Try to resolve provider name from issuer for better policy matching
 // This allows policies to reference the provider name (e.g. "keycloak") instead of the full issuer URL
 if m.stsService != nil {
 for name, provider := range m.stsService.GetProviders() {
 if oidcProvider, ok := provider.(interface{ GetIssuer() string }); ok {
 confIssuer := oidcProvider.GetIssuer()
- fmt.Printf("DEBUG: Checking provider %s: config_issuer='%s' vs token_issuer='%s'\n", name, confIssuer, iss)
 if confIssuer == iss {
 requestContext["aws:FederatedProvider"] = name
- fmt.Printf("DEBUG: MATCH FOUND! aws:FederatedProvider set to: %s\n", name)
 break
 }
 }
 }
 }
-
- fmt.Printf("DEBUG: Final aws:FederatedProvider: %v\n", requestContext["aws:FederatedProvider"])
 
 }
 
 if sub, ok := tokenClaims["sub"].(string); ok {
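Review bot: With the debug output gone, the fallback in the remaining code — `aws:FederatedProvider` keeps the raw token `iss` whenever no configured provider reports an equal issuer — now happens silently, which is the very mismatch (configured issuer vs. token issuer, typically a trailing-slash or scheme difference) the removed prints were evidently added to diagnose. Keep one debug-level line after the provider loop instead of dropping all diagnostics, e.g. `glog.V(3).Infof("no configured provider matches token issuer %q; aws:FederatedProvider stays the raw issuer", iss)` if glog is the logger this file uses, and state the fallback in the comment above the loop: `// If no provider matches, aws:FederatedProvider keeps the raw issuer URL and trust policies must match on that.` If `GetProviders()` returns a map, ranging over it and breaking on the first equal issuer makes the chosen `name` nondeterministic when two providers are configured with the same issuer, so a trust-policy condition on the provider name could pass on one evaluation and fail on the next; either reject duplicate issuers at config load or document that they must be unique. If these were the last `fmt` calls in the file, its import has to go as well, which the hunk does not show. validateTrustPolicyForWebIdentity starts and ends outside the hunk.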