Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix tests

pull/7160/head
chrislu 3 months ago
parent
db4b613d44
commit
c34b14de8c
2 changed files with 60 additions and 61 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 109
      weed/iam/integration/iam_integration_test.go
  2. 12
      weed/iam/integration/role_store_test.go

109
weed/iam/integration/iam_integration_test.go
View File

@ -5,8 +5,8 @@ import (
"testing" "testing"
"time" "time"
"github.com/seaweedfs/seaweedfs/weed/iam/oidc"
"github.com/seaweedfs/seaweedfs/weed/iam/ldap" "github.com/seaweedfs/seaweedfs/weed/iam/ldap"
"github.com/seaweedfs/seaweedfs/weed/iam/oidc"
"github.com/seaweedfs/seaweedfs/weed/iam/policy" "github.com/seaweedfs/seaweedfs/weed/iam/policy"
"github.com/seaweedfs/seaweedfs/weed/iam/sts" "github.com/seaweedfs/seaweedfs/weed/iam/sts"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -17,7 +17,7 @@ import (
func TestFullOIDCWorkflow(t *testing.T) { func TestFullOIDCWorkflow(t *testing.T) {
// Set up integrated IAM system // Set up integrated IAM system
iamManager := setupIntegratedIAMSystem(t) iamManager := setupIntegratedIAMSystem(t)
tests := []struct { tests := []struct {
name string name string
roleArn string roleArn string
@ -55,27 +55,27 @@ func TestFullOIDCWorkflow(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := context.Background() ctx := context.Background()
// Step 1: Attempt role assumption // Step 1: Attempt role assumption
assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: tt.roleArn, RoleArn: tt.roleArn,
WebIdentityToken: tt.webToken, WebIdentityToken: tt.webToken,
RoleSessionName: tt.sessionName, RoleSessionName: tt.sessionName,
} }
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest)
if !tt.expectedAllow { if !tt.expectedAllow {
assert.Error(t, err) assert.Error(t, err)
assert.Nil(t, response) assert.Nil(t, response)
return return
} }
// Should succeed if expectedAllow is true // Should succeed if expectedAllow is true
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, response) require.NotNil(t, response)
require.NotNil(t, response.Credentials) require.NotNil(t, response.Credentials)
// Step 2: Test policy enforcement with assumed credentials // Step 2: Test policy enforcement with assumed credentials
if tt.testAction != "" && tt.testResource != "" { if tt.testAction != "" && tt.testResource != "" {
allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{
@ -84,7 +84,7 @@ func TestFullOIDCWorkflow(t *testing.T) {
Resource: tt.testResource, Resource: tt.testResource,
SessionToken: response.Credentials.SessionToken, SessionToken: response.Credentials.SessionToken,
}) })
require.NoError(t, err) require.NoError(t, err)
assert.True(t, allowed, "Action should be allowed by role policy") assert.True(t, allowed, "Action should be allowed by role policy")
} }
@ -95,7 +95,7 @@ func TestFullOIDCWorkflow(t *testing.T) {
// TestFullLDAPWorkflow tests the complete LDAP → STS → Policy workflow // TestFullLDAPWorkflow tests the complete LDAP → STS → Policy workflow
func TestFullLDAPWorkflow(t *testing.T) { func TestFullLDAPWorkflow(t *testing.T) {
iamManager := setupIntegratedIAMSystem(t) iamManager := setupIntegratedIAMSystem(t)
tests := []struct { tests := []struct {
name string name string
roleArn string roleArn string
@ -129,7 +129,7 @@ func TestFullLDAPWorkflow(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := context.Background() ctx := context.Background()
// Step 1: Attempt role assumption with LDAP credentials // Step 1: Attempt role assumption with LDAP credentials
assumeRequest := &sts.AssumeRoleWithCredentialsRequest{ assumeRequest := &sts.AssumeRoleWithCredentialsRequest{
RoleArn: tt.roleArn, RoleArn: tt.roleArn,
@ -138,18 +138,18 @@ func TestFullLDAPWorkflow(t *testing.T) {
RoleSessionName: tt.sessionName, RoleSessionName: tt.sessionName,
ProviderName: "test-ldap", ProviderName: "test-ldap",
} }
response, err := iamManager.AssumeRoleWithCredentials(ctx, assumeRequest) response, err := iamManager.AssumeRoleWithCredentials(ctx, assumeRequest)
if !tt.expectedAllow { if !tt.expectedAllow {
assert.Error(t, err) assert.Error(t, err)
assert.Nil(t, response) assert.Nil(t, response)
return return
} }
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, response) require.NotNil(t, response)
// Step 2: Test policy enforcement // Step 2: Test policy enforcement
if tt.testAction != "" && tt.testResource != "" { if tt.testAction != "" && tt.testResource != "" {
allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{
@ -158,7 +158,7 @@ func TestFullLDAPWorkflow(t *testing.T) {
Resource: tt.testResource, Resource: tt.testResource,
SessionToken: response.Credentials.SessionToken, SessionToken: response.Credentials.SessionToken,
}) })
require.NoError(t, err) require.NoError(t, err)
assert.True(t, allowed) assert.True(t, allowed)
} }
@ -169,7 +169,7 @@ func TestFullLDAPWorkflow(t *testing.T) {
// TestPolicyEnforcement tests policy evaluation for various scenarios // TestPolicyEnforcement tests policy evaluation for various scenarios
func TestPolicyEnforcement(t *testing.T) { func TestPolicyEnforcement(t *testing.T) {
iamManager := setupIntegratedIAMSystem(t) iamManager := setupIntegratedIAMSystem(t)
// Create a session for testing // Create a session for testing
ctx := context.Background() ctx := context.Background()
assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{
@ -177,19 +177,19 @@ func TestPolicyEnforcement(t *testing.T) {
WebIdentityToken: "valid-oidc-token", WebIdentityToken: "valid-oidc-token",
RoleSessionName: "policy-test-session", RoleSessionName: "policy-test-session",
} }
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest)
require.NoError(t, err) require.NoError(t, err)
sessionToken := response.Credentials.SessionToken sessionToken := response.Credentials.SessionToken
principal := response.AssumedRoleUser.Arn principal := response.AssumedRoleUser.Arn
tests := []struct { tests := []struct {
name string
action string
resource string
name string
action string
resource string
shouldAllow bool shouldAllow bool
reason string
reason string
}{ }{
{ {
name: "allow read access", name: "allow read access",
@ -236,7 +236,7 @@ func TestPolicyEnforcement(t *testing.T) {
Resource: tt.resource, Resource: tt.resource,
SessionToken: sessionToken, SessionToken: sessionToken,
}) })
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, tt.shouldAllow, allowed, tt.reason) assert.Equal(t, tt.shouldAllow, allowed, tt.reason)
}) })
@ -247,7 +247,7 @@ func TestPolicyEnforcement(t *testing.T) {
func TestSessionExpiration(t *testing.T) { func TestSessionExpiration(t *testing.T) {
iamManager := setupIntegratedIAMSystem(t) iamManager := setupIntegratedIAMSystem(t)
ctx := context.Background() ctx := context.Background()
// Create a short-lived session // Create a short-lived session
assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{ assumeRequest := &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: "arn:seaweed:iam::role/S3ReadOnlyRole", RoleArn: "arn:seaweed:iam::role/S3ReadOnlyRole",
@ -255,12 +255,12 @@ func TestSessionExpiration(t *testing.T) {
RoleSessionName: "expiration-test", RoleSessionName: "expiration-test",
DurationSeconds: int64Ptr(900), // 15 minutes DurationSeconds: int64Ptr(900), // 15 minutes
} }
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest) response, err := iamManager.AssumeRoleWithWebIdentity(ctx, assumeRequest)
require.NoError(t, err) require.NoError(t, err)
sessionToken := response.Credentials.SessionToken sessionToken := response.Credentials.SessionToken
// Verify session is initially valid // Verify session is initially valid
allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{ allowed, err := iamManager.IsActionAllowed(ctx, &ActionRequest{
Principal: response.AssumedRoleUser.Arn, Principal: response.AssumedRoleUser.Arn,
@ -270,17 +270,17 @@ func TestSessionExpiration(t *testing.T) {
}) })
require.NoError(t, err) require.NoError(t, err)
assert.True(t, allowed) assert.True(t, allowed)
// Verify the expiration time is set correctly // Verify the expiration time is set correctly
assert.True(t, response.Credentials.Expiration.After(time.Now())) assert.True(t, response.Credentials.Expiration.After(time.Now()))
assert.True(t, response.Credentials.Expiration.Before(time.Now().Add(16*time.Minute))) assert.True(t, response.Credentials.Expiration.Before(time.Now().Add(16*time.Minute)))
// Test session expiration behavior in stateless JWT system // Test session expiration behavior in stateless JWT system
// In a stateless system, manual expiration is not supported // In a stateless system, manual expiration is not supported
err = iamManager.ExpireSessionForTesting(ctx, sessionToken) err = iamManager.ExpireSessionForTesting(ctx, sessionToken)
require.Error(t, err, "Manual session expiration should not be supported in stateless system") require.Error(t, err, "Manual session expiration should not be supported in stateless system")
assert.Contains(t, err.Error(), "manual session expiration not supported") assert.Contains(t, err.Error(), "manual session expiration not supported")
// Verify session is still valid (since it hasn't naturally expired) // Verify session is still valid (since it hasn't naturally expired)
allowed, err = iamManager.IsActionAllowed(ctx, &ActionRequest{ allowed, err = iamManager.IsActionAllowed(ctx, &ActionRequest{
Principal: response.AssumedRoleUser.Arn, Principal: response.AssumedRoleUser.Arn,
@ -296,7 +296,7 @@ func TestSessionExpiration(t *testing.T) {
func TestTrustPolicyValidation(t *testing.T) { func TestTrustPolicyValidation(t *testing.T) {
iamManager := setupIntegratedIAMSystem(t) iamManager := setupIntegratedIAMSystem(t)
ctx := context.Background() ctx := context.Background()
tests := []struct { tests := []struct {
name string name string
roleArn string roleArn string
@ -346,15 +346,14 @@ func TestTrustPolicyValidation(t *testing.T) {
func setupIntegratedIAMSystem(t *testing.T) *IAMManager { func setupIntegratedIAMSystem(t *testing.T) *IAMManager {
// Create IAM manager with all components // Create IAM manager with all components
manager := NewIAMManager() manager := NewIAMManager()
// Configure and initialize // Configure and initialize
config := &IAMConfig{ config := &IAMConfig{
STS: &sts.STSConfig{ STS: &sts.STSConfig{
TokenDuration: time.Hour,
MaxSessionLength: time.Hour * 12,
Issuer: "test-sts",
SigningKey: []byte("test-signing-key-32-characters-long"),
TokenDuration: time.Hour,
MaxSessionLength: time.Hour * 12,
Issuer: "test-sts",
SigningKey: []byte("test-signing-key-32-characters-long"),
}, },
Policy: &policy.PolicyEngineConfig{ Policy: &policy.PolicyEngineConfig{
DefaultEffect: "Deny", DefaultEffect: "Deny",
@ -364,16 +363,16 @@ func setupIntegratedIAMSystem(t *testing.T) *IAMManager {
StoreType: "memory", // Use memory for unit tests StoreType: "memory", // Use memory for unit tests
}, },
} }
err := manager.Initialize(config) err := manager.Initialize(config)
require.NoError(t, err) require.NoError(t, err)
// Set up test providers // Set up test providers
setupTestProviders(t, manager) setupTestProviders(t, manager)
// Set up test policies and roles // Set up test policies and roles
setupTestPoliciesAndRoles(t, manager) setupTestPoliciesAndRoles(t, manager)
return manager return manager
} }
@ -387,8 +386,8 @@ func setupTestProviders(t *testing.T, manager *IAMManager) {
err := oidcProvider.Initialize(oidcConfig) err := oidcProvider.Initialize(oidcConfig)
require.NoError(t, err) require.NoError(t, err)
oidcProvider.SetupDefaultTestData() oidcProvider.SetupDefaultTestData()
// Set up LDAP provider
// Set up LDAP provider
ldapProvider := ldap.NewMockLDAPProvider("test-ldap") ldapProvider := ldap.NewMockLDAPProvider("test-ldap")
ldapConfig := &ldap.LDAPConfig{ ldapConfig := &ldap.LDAPConfig{
Server: "ldap://test-server:389", Server: "ldap://test-server:389",
@ -397,7 +396,7 @@ func setupTestProviders(t *testing.T, manager *IAMManager) {
err = ldapProvider.Initialize(ldapConfig) err = ldapProvider.Initialize(ldapConfig)
require.NoError(t, err) require.NoError(t, err)
ldapProvider.SetupDefaultTestData() ldapProvider.SetupDefaultTestData()
// Register providers // Register providers
err = manager.RegisterIdentityProvider(oidcProvider) err = manager.RegisterIdentityProvider(oidcProvider)
require.NoError(t, err) require.NoError(t, err)
@ -407,7 +406,7 @@ func setupTestProviders(t *testing.T, manager *IAMManager) {
func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) { func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) {
ctx := context.Background() ctx := context.Background()
// Create S3 read-only policy // Create S3 read-only policy
s3ReadPolicy := &policy.PolicyDocument{ s3ReadPolicy := &policy.PolicyDocument{
Version: "2012-10-17", Version: "2012-10-17",
@ -423,10 +422,10 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) {
}, },
}, },
} }
err := manager.CreatePolicy(ctx, "S3ReadOnlyPolicy", s3ReadPolicy)
err := manager.CreatePolicy(ctx, "", "S3ReadOnlyPolicy", s3ReadPolicy)
require.NoError(t, err) require.NoError(t, err)
// Create LDAP user policy // Create LDAP user policy
ldapUserPolicy := &policy.PolicyDocument{ ldapUserPolicy := &policy.PolicyDocument{
Version: "2012-10-17", Version: "2012-10-17",
@ -441,12 +440,12 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) {
}, },
}, },
} }
err = manager.CreatePolicy(ctx, "LDAPUserPolicy", ldapUserPolicy)
err = manager.CreatePolicy(ctx, "", "LDAPUserPolicy", ldapUserPolicy)
require.NoError(t, err) require.NoError(t, err)
// Create roles with trust policies // Create roles with trust policies
err = manager.CreateRole(ctx, "S3ReadOnlyRole", &RoleDefinition{
err = manager.CreateRole(ctx, "", "S3ReadOnlyRole", &RoleDefinition{
RoleName: "S3ReadOnlyRole", RoleName: "S3ReadOnlyRole",
TrustPolicy: &policy.PolicyDocument{ TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17", Version: "2012-10-17",
@ -463,8 +462,8 @@ func setupTestPoliciesAndRoles(t *testing.T, manager *IAMManager) {
AttachedPolicies: []string{"S3ReadOnlyPolicy"}, AttachedPolicies: []string{"S3ReadOnlyPolicy"},
}) })
require.NoError(t, err) require.NoError(t, err)
err = manager.CreateRole(ctx, "LDAPUserRole", &RoleDefinition{
err = manager.CreateRole(ctx, "", "LDAPUserRole", &RoleDefinition{
RoleName: "LDAPUserRole", RoleName: "LDAPUserRole",
TrustPolicy: &policy.PolicyDocument{ TrustPolicy: &policy.PolicyDocument{
Version: "2012-10-17", Version: "2012-10-17",

12
weed/iam/integration/role_store_test.go
View File

@ -34,11 +34,11 @@ func TestMemoryRoleStore(t *testing.T) {
}, },
} }
err := store.StoreRole(ctx, "TestRole", roleDef)
err := store.StoreRole(ctx, "", "TestRole", roleDef)
require.NoError(t, err) require.NoError(t, err)
// Test retrieving the role // Test retrieving the role
retrievedRole, err := store.GetRole(ctx, "TestRole")
retrievedRole, err := store.GetRole(ctx, "", "TestRole")
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, "TestRole", retrievedRole.RoleName) assert.Equal(t, "TestRole", retrievedRole.RoleName)
assert.Equal(t, "arn:seaweed:iam::role/TestRole", retrievedRole.RoleArn) assert.Equal(t, "arn:seaweed:iam::role/TestRole", retrievedRole.RoleArn)
@ -46,16 +46,16 @@ func TestMemoryRoleStore(t *testing.T) {
assert.Equal(t, []string{"TestPolicy"}, retrievedRole.AttachedPolicies) assert.Equal(t, []string{"TestPolicy"}, retrievedRole.AttachedPolicies)
// Test listing roles // Test listing roles
roles, err := store.ListRoles(ctx)
roles, err := store.ListRoles(ctx, "")
require.NoError(t, err) require.NoError(t, err)
assert.Contains(t, roles, "TestRole") assert.Contains(t, roles, "TestRole")
// Test deleting the role // Test deleting the role
err = store.DeleteRole(ctx, "TestRole")
err = store.DeleteRole(ctx, "", "TestRole")
require.NoError(t, err) require.NoError(t, err)
// Verify role is deleted // Verify role is deleted
_, err = store.GetRole(ctx, "TestRole")
_, err = store.GetRole(ctx, "", "TestRole")
assert.Error(t, err) assert.Error(t, err)
} }
@ -114,7 +114,7 @@ func TestDistributedIAMManagerWithRoleStore(t *testing.T) {
AttachedPolicies: []string{"S3ReadOnlyPolicy"}, AttachedPolicies: []string{"S3ReadOnlyPolicy"},
} }
err = iamManager.CreateRole(ctx, "DistributedTestRole", roleDef)
err = iamManager.CreateRole(ctx, "", "DistributedTestRole", roleDef)
require.NoError(t, err) require.NoError(t, err)
// Test that role is accessible through the IAM manager // Test that role is accessible through the IAM manager

Write Preview
Loading…
Cancel
Save