From c34b14de8c7b263ad2cf3952ef68c5e73a9356e6 Mon Sep 17 00:00:00 2001 From: chrislu Date: Tue, 26 Aug 2025 08:10:29 -0700 Subject: [PATCH] fix tests --- weed/iam/integration/iam_integration_test.go | 109 +++++++++---------- weed/iam/integration/role_store_test.go | 12 +- 2 files changed, 60 insertions(+), 61 deletions(-) diff --git a/weed/iam/integration/iam_integration_test.go b/weed/iam/integration/iam_integration_test.go index 9e51f4313..d9f5281c2 100644 --- a/weed/iam/integration/iam_integration_test.go +++ b/weed/iam/integration/iam_integration_test.go @@ -5,8 +5,8 @@ import ( "testing" "time" - "github.com/seaweedfs/seaweedfs/weed/iam/oidc" "github.com/seaweedfs/seaweedfs/weed/iam/ldap" + "github.com/seaweedfs/seaweedfs/weed/iam/oidc" "github.com/seaweedfs/seaweedfs/weed/iam/policy" "github.com/seaweedfs/seaweedfs/weed/iam/sts" "github.com/stretchr/testify/assert" @@ -17,7 +17,7 @@ import ( func TestFullOIDCWorkflow(t *testing.T) { // Set up integrated IAM system iamManager := setupIntegratedIAMSystem(t) - + tests := []struct { name string roleArn string @@ -55,27 +55,27 @@ func TestFullOIDCWorkflow(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { ctx := context.Background() - + // Step 1: Attempt role assumption assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ RoleArn: tt.roleArn, WebIdentityToken: tt.webToken, RoleSessionName: tt.sessionName, } - + response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) - + if !tt.expectedAllow { assert.Error(t, err) assert.Nil(t, response) return } - + // Should succeed if expectedAllow is true require.NoError(t, err) require.NotNil(t, response) require.NotNil(t, response.Credentials) - + // Step 2: Test policy enforcement with assumed credentials if tt.testAction != "" && tt.testResource != "" { allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ @@ -84,7 +84,7 @@ func TestFullOIDCWorkflow(t *testing.T) { Resource: tt.testResource, SessionToken: response.Credentials.SessionToken, }) - + require.NoError(t, err) assert.True(t, allowed, "Action should be allowed by role policy") } @@ -95,7 +95,7 @@ func TestFullOIDCWorkflow(t *testing.T) { // TestFullLDAPWorkflow tests the complete LDAP → STS → Policy workflow func TestFullLDAPWorkflow(t *testing.T) { iamManager := setupIntegratedIAMSystem(t) - + tests := []struct { name string roleArn string @@ -129,7 +129,7 @@ func TestFullLDAPWorkflow(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { ctx := context.Background() - + // Step 1: Attempt role assumption with LDAP credentials assumeRequest := &sts.AssumeRoleWithCredentialsRequest{ RoleArn: tt.roleArn, @@ -138,18 +138,18 @@ func TestFullLDAPWorkflow(t *testing.T) { RoleSessionName: tt.sessionName, ProviderName: "test-ldap", } - + response, err := iamManager.AssumeRoleWithCredentials(ctx, assumeRequest) - + if !tt.expectedAllow { assert.Error(t, err) assert.Nil(t, response) return } - + require.NoError(t, err) require.NotNil(t, response) - + // Step 2: Test policy enforcement if tt.testAction != "" && tt.testResource != "" { allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ @@ -158,7 +158,7 @@ func TestFullLDAPWorkflow(t *testing.T) { Resource: tt.testResource, SessionToken: response.Credentials.SessionToken, }) - + require.NoError(t, err) assert.True(t, allowed) } @@ -169,7 +169,7 @@ func TestFullLDAPWorkflow(t *testing.T) { // TestPolicyEnforcement tests policy evaluation for various scenarios func TestPolicyEnforcement(t *testing.T) { iamManager := setupIntegratedIAMSystem(t) - + // Create a session for testing ctx := context.Background() assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ @@ -177,19 +177,19 @@ func TestPolicyEnforcement(t *testing.T) { WebIdentityToken: "valid-oidc-token", RoleSessionName: "policy-test-session", } - + response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) require.NoError(t, err) - + sessionToken := response.Credentials.SessionToken principal := response.AssumedRoleUser.Arn - + tests := []struct { - name string - action string - resource string + name string + action string + resource string shouldAllow bool - reason string + reason string }{ { name: "allow read access", @@ -236,7 +236,7 @@ func TestPolicyEnforcement(t *testing.T) { Resource: tt.resource, SessionToken: sessionToken, }) - + require.NoError(t, err) assert.Equal(t, tt.shouldAllow, allowed, tt.reason) }) @@ -247,7 +247,7 @@ func TestPolicyEnforcement(t *testing.T) { func TestSessionExpiration(t *testing.T) { iamManager := setupIntegratedIAMSystem(t) ctx := context.Background() - + // Create a short-lived session assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ RoleArn: "arn:seaweed:iam::role/S3ReadOnlyRole", @@ -255,12 +255,12 @@ func TestSessionExpiration(t *testing.T) { RoleSessionName: "expiration-test", DurationSeconds: int64Ptr(900), // 15 minutes } - + response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) require.NoError(t, err) - + sessionToken := response.Credentials.SessionToken - + // Verify session is initially valid allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ Principal: response.AssumedRoleUser.Arn, @@ -270,17 +270,17 @@ func TestSessionExpiration(t *testing.T) { }) require.NoError(t, err) assert.True(t, allowed) - + // Verify the expiration time is set correctly assert.True(t, response.Credentials.Expiration.After(time.Now())) assert.True(t, response.Credentials.Expiration.Before(time.Now().Add(16*time.Minute))) - + // Test session expiration behavior in stateless JWT system // In a stateless system, manual expiration is not supported err = iamManager.ExpireSessionForTesting(ctx, sessionToken) require.Error(t, err, "Manual session expiration should not be supported in stateless system") assert.Contains(t, err.Error(), "manual session expiration not supported") - + // Verify session is still valid (since it hasn't naturally expired) allowed, err = iamManager.IsActionAllowed(ctx, &ActionRequest{ Principal: response.AssumedRoleUser.Arn, @@ -296,7 +296,7 @@ func TestSessionExpiration(t *testing.T) { func TestTrustPolicyValidation(t *testing.T) { iamManager := setupIntegratedIAMSystem(t) ctx := context.Background() - + tests := []struct { name string roleArn string @@ -346,15 +346,14 @@ func TestTrustPolicyValidation(t *testing.T) { func setupIntegratedIAMSystem(t *testing.T) *IAMManager { // Create IAM manager with all components manager := NewIAMManager() - + // Configure and initialize config := &IAMConfig{ STS: &sts.STSConfig{ - TokenDuration: time.Hour, - MaxSessionLength: time.Hour * 12, - Issuer: "test-sts", - SigningKey: []byte("test-signing-key-32-characters-long"), - + TokenDuration: time.Hour, + MaxSessionLength: time.Hour * 12, + Issuer: "test-sts", + SigningKey: []byte("test-signing-key-32-characters-long"), }, Policy: &policy.PolicyEngineConfig{ DefaultEffect: "Deny", @@ -364,16 +363,16 @@ func setupIntegratedIAMSystem(t *testing.T) *IAMManager { StoreType: "memory", // Use memory for unit tests }, } - + err := manager.Initialize(config) require.NoError(t, err) - + // Set up test providers setupTestProviders(t, manager) - + // Set up test policies and roles setupTestPoliciesAndRoles(t, manager) - + return manager } @@ -387,8 +386,8 @@ func setupTestProviders(t *testing.T, manager *IAMManager) { err := oidcProvider.Initialize(oidcConfig) require.NoError(t, err) oidcProvider.SetupDefaultTestData() - - // Set up LDAP provider + + // Set up LDAP provider ldapProvider := ldap.NewMockLDAPProvider("test-ldap") ldapConfig := &ldap.LDAPConfig{ Server: "ldap://test-server:389", @@ -397,7 +396,7 @@ func setupTestProviders(t *testing.T, manager *IAMManager) { err = ldapProvider.Initialize(ldapConfig) require.NoError(t, err) ldapProvider.SetupDefaultTestData() - + // Register providers err = manager.RegisterIdentityProvider(oidcProvider) require.NoError(t, err) @@ -407,7 +406,7 @@ func setupTestProviders(t *testing.T, manager *IAMManager) { func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { ctx := context.Background() - + // Create S3 read-only policy s3ReadPolicy := &policy.PolicyDocument{ Version: "2012-10-17", @@ -423,10 +422,10 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { }, }, } - - err := manager.CreatePolicy(ctx, "S3ReadOnlyPolicy", s3ReadPolicy) + + err := manager.CreatePolicy(ctx, "", "S3ReadOnlyPolicy", s3ReadPolicy) require.NoError(t, err) - + // Create LDAP user policy ldapUserPolicy := &policy.PolicyDocument{ Version: "2012-10-17", @@ -441,12 +440,12 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { }, }, } - - err = manager.CreatePolicy(ctx, "LDAPUserPolicy", ldapUserPolicy) + + err = manager.CreatePolicy(ctx, "", "LDAPUserPolicy", ldapUserPolicy) require.NoError(t, err) - + // Create roles with trust policies - err = manager.CreateRole(ctx, "S3ReadOnlyRole", &RoleDefinition{ + err = manager.CreateRole(ctx, "", "S3ReadOnlyRole", &RoleDefinition{ RoleName: "S3ReadOnlyRole", TrustPolicy: &policy.PolicyDocument{ Version: "2012-10-17", @@ -463,8 +462,8 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { AttachedPolicies: []string{"S3ReadOnlyPolicy"}, }) require.NoError(t, err) - - err = manager.CreateRole(ctx, "LDAPUserRole", &RoleDefinition{ + + err = manager.CreateRole(ctx, "", "LDAPUserRole", &RoleDefinition{ RoleName: "LDAPUserRole", TrustPolicy: &policy.PolicyDocument{ Version: "2012-10-17", diff --git a/weed/iam/integration/role_store_test.go b/weed/iam/integration/role_store_test.go index 2aad9ea8e..6f7c02d20 100644 --- a/weed/iam/integration/role_store_test.go +++ b/weed/iam/integration/role_store_test.go @@ -34,11 +34,11 @@ func TestMemoryRoleStore(t *testing.T) { }, } - err := store.StoreRole(ctx, "TestRole", roleDef) + err := store.StoreRole(ctx, "", "TestRole", roleDef) require.NoError(t, err) // Test retrieving the role - retrievedRole, err := store.GetRole(ctx, "TestRole") + retrievedRole, err := store.GetRole(ctx, "", "TestRole") require.NoError(t, err) assert.Equal(t, "TestRole", retrievedRole.RoleName) assert.Equal(t, "arn:seaweed:iam::role/TestRole", retrievedRole.RoleArn) @@ -46,16 +46,16 @@ func TestMemoryRoleStore(t *testing.T) { assert.Equal(t, []string{"TestPolicy"}, retrievedRole.AttachedPolicies) // Test listing roles - roles, err := store.ListRoles(ctx) + roles, err := store.ListRoles(ctx, "") require.NoError(t, err) assert.Contains(t, roles, "TestRole") // Test deleting the role - err = store.DeleteRole(ctx, "TestRole") + err = store.DeleteRole(ctx, "", "TestRole") require.NoError(t, err) // Verify role is deleted - _, err = store.GetRole(ctx, "TestRole") + _, err = store.GetRole(ctx, "", "TestRole") assert.Error(t, err) } @@ -114,7 +114,7 @@ func TestDistributedIAMManagerWithRoleStore(t *testing.T) { AttachedPolicies: []string{"S3ReadOnlyPolicy"}, } - err = iamManager.CreateRole(ctx, "DistributedTestRole", roleDef) + err = iamManager.CreateRole(ctx, "", "DistributedTestRole", roleDef) require.NoError(t, err) // Test that role is accessible through the IAM manager