diff --git a/weed/iam/integration/iam_integration_test.go b/weed/iam/integration/iam_integration_test.go
index 803ec87b5..e06f36822 100644
--- a/weed/iam/integration/iam_integration_test.go
+++ b/weed/iam/integration/iam_integration_test.go
@@ -364,7 +364,9 @@ func setupIntegratedIAMSystem(t *testing.T) *IAMManager {
 },
 }
- err := manager.Initialize(config)
+ err := manager.Initialize(config, func() string {
+ return "localhost:8888" // Mock filer address for testing
+ })
 require.NoError(t, err)
 // Set up test providers
diff --git a/weed/iam/integration/iam_manager.go b/weed/iam/integration/iam_manager.go
index 4d69b89ba..5fc3ffb88 100644
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
@@ -15,10 +15,11 @@ import (
 // IAMManager orchestrates all IAM components
 type IAMManager struct {
- stsService *sts.STSService
- policyEngine *policy.PolicyEngine
- roleStore RoleStore
- initialized bool
+ stsService *sts.STSService
+ policyEngine *policy.PolicyEngine
+ roleStore RoleStore
+ filerAddressProvider func() string // Function to get current filer address
+ initialized bool
 }
 // IAMConfig holds configuration for all IAM components
@@ -84,11 +85,14 @@ func NewIAMManager() *IAMManager {
 }
 // Initialize initializes the IAM manager with all components
-func (m *IAMManager) Initialize(config *IAMConfig) error {
+func (m *IAMManager) Initialize(config *IAMConfig, filerAddressProvider func() string) error {
 if config == nil {
 return fmt.Errorf("config cannot be nil")
 }
+ // Store the filer address provider function
+ m.filerAddressProvider = filerAddressProvider
+
 // Initialize STS service
 m.stsService = sts.NewSTSService()
 if err := m.stsService.Initialize(config.STS); err != nil {
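Review bot: `Initialize` stores `filerAddressProvider` without checking it for nil, although the `config == nil` guard two lines above rejects the other argument; a nil provider is accepted here and, via the new `getFilerAddress` fallback, every later role lookup silently goes back to the empty filer address this commit is removing from the `GetRole` calls. Add a matching guard right after the config check, `if filerAddressProvider == nil { return fmt.Errorf("filerAddressProvider cannot be nil") }`, so a miswired caller fails at startup instead of at request time with a misleading "role not found". If a memory-backed role store is meant to work with no filer at all, say so on the parameter instead of relying on the fallback. Initialize's body continues past the end of this hunk.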
@@ -115,6 +119,14 @@ func (m *IAMManager) Initialize(config *IAMConfig) error {
 return nil
 }
+// getFilerAddress returns the current filer address using the provider function
+func (m *IAMManager) getFilerAddress() string {
+ if m.filerAddressProvider != nil {
+ return m.filerAddressProvider()
+ }
+ return "" // Fallback to empty string if no provider is set
+}
+
 // createRoleStore creates a role store based on configuration
 func (m *IAMManager) createRoleStore(config *RoleStoreConfig) (RoleStore, error) {
 if config == nil {
@@ -190,7 +202,7 @@ func (m *IAMManager) AssumeRoleWithWebIdentity(ctx context.Context, request *sts
 roleName := extractRoleNameFromArn(request.RoleArn)
 // Get role definition
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return nil, fmt.Errorf("role not found: %s", roleName)
 }
@@ -214,7 +226,7 @@ func (m *IAMManager) AssumeRoleWithCredentials(ctx context.Context, request *sts
 roleName := extractRoleNameFromArn(request.RoleArn)
 // Get role definition
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return nil, fmt.Errorf("role not found: %s", roleName)
 }
@@ -249,7 +261,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
 }
 // Get role definition
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return false, fmt.Errorf("role not found: %s", roleName)
 }
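Review bot: The doc comment on `getFilerAddress` does not state the contract the rest of the diff imposes on the provider: it is invoked on every role lookup (`AssumeRoleWithWebIdentity`, `AssumeRoleWithCredentials`, `IsActionAllowed`, the trust-policy validators), presumably from concurrent request goroutines, so whatever the caller supplies must be cheap and safe to call concurrently, and the `""` fallback deserves a word on what it means. I would replace the two comments with a header along the lines of `// getFilerAddress returns the filer address from the provider set in Initialize. The provider runs on every role lookup, possibly from concurrent goroutines, so it must be cheap and concurrency-safe; with no provider the empty string (the value callers passed before the provider existed) is returned.` That keeps the production closure returning a captured address honest and warns anyone who later makes the provider dynamic.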
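Review bot: With the role lookup now keyed on a filer address, `GetRole` can fail because the filer is unreachable or the address is wrong, yet the `if err != nil` branch still drops `err` and reports `role not found: %s`, so an outage or misconfiguration on the authentication path is indistinguishable from a genuinely absent role. The request still fails closed, which is right, but operators get no signal; log the underlying error at this point, or wrap it with `fmt.Errorf("role not found: %s: %w", roleName, err)` only if this error is not returned verbatim to S3/STS clients, since a wrapped transport error may carry the filer address. The same pattern appears in `AssumeRoleWithCredentials` and `IsActionAllowed` below; all three functions start outside their hunks.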
@@ -274,7 +286,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
 // ValidateTrustPolicy validates if a principal can assume a role (for testing)
 func (m *IAMManager) ValidateTrustPolicy(ctx context.Context, roleArn, provider, userID string) bool {
 roleName := extractRoleNameFromArn(roleArn)
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return false
 }
@@ -542,7 +554,7 @@ func (m *IAMManager) ValidateTrustPolicyForWebIdentity(ctx context.Context, role
 roleName := extractRoleNameFromArn(roleArn)
 // Get role definition
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return fmt.Errorf("role not found: %s", roleName)
 }
@@ -561,7 +573,7 @@ func (m *IAMManager) ValidateTrustPolicyForCredentials(ctx context.Context, role
 roleName := extractRoleNameFromArn(roleArn)
 // Get role definition
- roleDef, err := m.roleStore.GetRole(ctx, "", roleName)
+ roleDef, err := m.roleStore.GetRole(ctx, m.getFilerAddress(), roleName)
 if err != nil {
 return fmt.Errorf("role not found: %s", roleName)
 }
diff --git a/weed/iam/integration/role_store_test.go b/weed/iam/integration/role_store_test.go
index 6f7c02d20..0802d5cc7 100644
--- a/weed/iam/integration/role_store_test.go
+++ b/weed/iam/integration/role_store_test.go
@@ -103,7 +103,9 @@ func TestDistributedIAMManagerWithRoleStore(t *testing.T) {
 }
 iamManager := NewIAMManager()
- err := iamManager.Initialize(config)
+ err := iamManager.Initialize(config, func() string {
+ return "localhost:8888" // Mock filer address for testing
+ })
 require.NoError(t, err)
 // Test creating a role
diff --git a/weed/s3api/s3_end_to_end_test.go b/weed/s3api/s3_end_to_end_test.go
index 217612ac4..32290b500 100644
--- a/weed/s3api/s3_end_to_end_test.go
+++ b/weed/s3api/s3_end_to_end_test.go
@@ -296,7 +296,9 @@ func setupCompleteS3IAMSystem(t *testing.T) (http.Handler, *integration.IAMManag
 },
 }
- err := iamManager.Initialize(config)
+ err := iamManager.Initialize(config, func() string {
+ return "localhost:8888" // Mock filer address for testing
+ })
 require.NoError(t, err)
 // Set up test identity providers
diff --git a/weed/s3api/s3_iam_simple_test.go b/weed/s3api/s3_iam_simple_test.go
index 1673b0819..8283edb69 100644
--- a/weed/s3api/s3_iam_simple_test.go
+++ b/weed/s3api/s3_iam_simple_test.go
@@ -39,7 +39,9 @@ func TestS3IAMMiddleware(t *testing.T) {
 },
 }
- err := iamManager.Initialize(config)
+ err := iamManager.Initialize(config, func() string {
+ return "localhost:8888" // Mock filer address for testing
+ })
 require.NoError(t, err)
 // Create S3 IAM integration
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 07e5993db..7f5b88566 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -102,7 +102,9 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 if option.IamConfig != "" {
 glog.V(0).Infof("Loading advanced IAM configuration from: %s", option.IamConfig)
- iamManager, err := loadIAMManagerFromConfig(option.IamConfig)
+ iamManager, err := loadIAMManagerFromConfig(option.IamConfig, func() string {
+ return string(option.Filer)
+ })
 if err != nil {
 glog.Errorf("Failed to load IAM configuration: %v", err)
 } else {
@@ -412,7 +414,7 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 }
 // loadIAMManagerFromConfig loads the advanced IAM manager from configuration file
-func loadIAMManagerFromConfig(configPath string) (*integration.IAMManager, error) {
+func loadIAMManagerFromConfig(configPath string, filerAddressProvider func() string) (*integration.IAMManager, error) {
 // Read configuration file
 configData, err := os.ReadFile(configPath)
 if err != nil {
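Review bot: The provider handed to `loadIAMManagerFromConfig` returns `string(option.Filer)`, and nothing checks that this is non-empty before the IAM configuration is loaded; if `option.Filer` is unset the manager initializes cleanly and every later role lookup is sent to the empty address — the very value the commit removes from the `GetRole` calls — so the misconfiguration only shows up on the request path as "role not found". Report it where the config is loaded, e.g. `if option.Filer == "" { glog.Errorf("advanced IAM configuration requires a filer address") }` ahead of the load (assuming `option.Filer` is a string-typed address, as the `string(...)` conversion suggests), so it is visible at startup like the existing "Failed to load IAM configuration" error. The closure re-reads `option.Filer` on each call, which only matches the struct field's "current filer address" wording if something updates `option.Filer` after startup; if it never changes, a short comment that the address is fixed at startup would avoid that expectation. `NewS3ApiServerWithStore` starts and ends outside this hunk.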
@@ -446,7 +448,7 @@ func loadIAMManagerFromConfig(configPath string) (*integration.IAMManager, error
 // Initialize IAM manager
 iamManager := integration.NewIAMManager()
- if err := iamManager.Initialize(iamConfig); err != nil {
+ if err := iamManager.Initialize(iamConfig, filerAddressProvider); err != nil {
 return nil, fmt.Errorf("failed to initialize IAM manager: %w", err)
 }