chrislu
1 month ago
1 changed files with 255 additions and 0 deletions
@ -0,0 +1,255 @@ |
|||
package sts |
|||
|
|||
import ( |
|||
"context" |
|||
"testing" |
|||
|
|||
"github.com/stretchr/testify/assert" |
|||
"github.com/stretchr/testify/require" |
|||
) |
|||
|
|||
// TestAssumeRoleWithWebIdentity_SessionPolicy tests the handling of the Policy field
|
|||
// in AssumeRoleWithWebIdentityRequest to ensure users are properly informed that
|
|||
// session policies are not currently supported
|
|||
func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) { |
|||
service := setupTestSTSService(t) |
|||
|
|||
t.Run("should_reject_request_with_session_policy", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
|
|||
// Create a request with a session policy
|
|||
sessionPolicy := `{ |
|||
"Version": "2012-10-17", |
|||
"Statement": [{ |
|||
"Effect": "Allow", |
|||
"Action": "s3:GetObject", |
|||
"Resource": "arn:aws:s3:::example-bucket/*" |
|||
}] |
|||
}` |
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
DurationSeconds: nil, // Use default
|
|||
Policy: &sessionPolicy, // ← Session policy provided
|
|||
} |
|||
|
|||
// Should return an error indicating session policies are not supported
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
// Verify the error
|
|||
assert.Error(t, err) |
|||
assert.Nil(t, response) |
|||
assert.Contains(t, err.Error(), "session policies are not currently supported") |
|||
assert.Contains(t, err.Error(), "Policy parameter must be omitted") |
|||
}) |
|||
|
|||
t.Run("should_succeed_without_session_policy", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
DurationSeconds: nil, // Use default
|
|||
Policy: nil, // ← No session policy
|
|||
} |
|||
|
|||
// Should succeed without session policy
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
// Verify success
|
|||
require.NoError(t, err) |
|||
require.NotNil(t, response) |
|||
assert.NotNil(t, response.Credentials) |
|||
assert.NotEmpty(t, response.Credentials.AccessKeyId) |
|||
assert.NotEmpty(t, response.Credentials.SecretAccessKey) |
|||
assert.NotEmpty(t, response.Credentials.SessionToken) |
|||
}) |
|||
|
|||
t.Run("should_succeed_with_empty_policy_pointer", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
Policy: nil, // ← Explicitly nil
|
|||
} |
|||
|
|||
// Should succeed with nil policy pointer
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
require.NoError(t, err) |
|||
require.NotNil(t, response) |
|||
assert.NotNil(t, response.Credentials) |
|||
}) |
|||
|
|||
t.Run("should_reject_empty_string_policy", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
|
|||
emptyPolicy := "" // Empty string, but still a non-nil pointer
|
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
Policy: &emptyPolicy, // ← Non-nil pointer to empty string
|
|||
} |
|||
|
|||
// Should still reject because pointer is not nil
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
assert.Error(t, err) |
|||
assert.Nil(t, response) |
|||
assert.Contains(t, err.Error(), "session policies are not currently supported") |
|||
}) |
|||
} |
|||
|
|||
// TestAssumeRoleWithWebIdentity_SessionPolicy_ErrorMessage tests that the error message
|
|||
// is clear and helps users understand what they need to do
|
|||
func TestAssumeRoleWithWebIdentity_SessionPolicy_ErrorMessage(t *testing.T) { |
|||
service := setupTestSTSService(t) |
|||
|
|||
ctx := context.Background() |
|||
complexPolicy := `{ |
|||
"Version": "2012-10-17", |
|||
"Statement": [ |
|||
{ |
|||
"Sid": "AllowS3Access", |
|||
"Effect": "Allow", |
|||
"Action": [ |
|||
"s3:GetObject", |
|||
"s3:PutObject" |
|||
], |
|||
"Resource": [ |
|||
"arn:aws:s3:::my-bucket/*", |
|||
"arn:aws:s3:::my-bucket" |
|||
], |
|||
"Condition": { |
|||
"StringEquals": { |
|||
"s3:prefix": ["documents/", "images/"] |
|||
} |
|||
} |
|||
} |
|||
] |
|||
}` |
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session-with-complex-policy", |
|||
Policy: &complexPolicy, |
|||
} |
|||
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
// Verify error details
|
|||
require.Error(t, err) |
|||
assert.Nil(t, response) |
|||
|
|||
errorMsg := err.Error() |
|||
|
|||
// The error should be clear and actionable
|
|||
assert.Contains(t, errorMsg, "session policies are not currently supported", |
|||
"Error should explain that session policies aren't supported") |
|||
assert.Contains(t, errorMsg, "Policy parameter must be omitted", |
|||
"Error should specify what action the user needs to take") |
|||
|
|||
// Should NOT contain internal implementation details
|
|||
assert.NotContains(t, errorMsg, "nil pointer", |
|||
"Error should not expose internal implementation details") |
|||
assert.NotContains(t, errorMsg, "struct field", |
|||
"Error should not expose internal struct details") |
|||
} |
|||
|
|||
// Test edge case scenarios for the Policy field handling
|
|||
func TestAssumeRoleWithWebIdentity_SessionPolicy_EdgeCases(t *testing.T) { |
|||
service := setupTestSTSService(t) |
|||
|
|||
t.Run("malformed_json_policy_still_rejected", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
malformedPolicy := `{"Version": "2012-10-17", "Statement": [` // Incomplete JSON
|
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
Policy: &malformedPolicy, |
|||
} |
|||
|
|||
// Should reject before even parsing the policy JSON
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
assert.Error(t, err) |
|||
assert.Nil(t, response) |
|||
assert.Contains(t, err.Error(), "session policies are not currently supported") |
|||
}) |
|||
|
|||
t.Run("policy_with_whitespace_still_rejected", func(t *testing.T) { |
|||
ctx := context.Background() |
|||
whitespacePolicy := " \t\n " // Only whitespace
|
|||
|
|||
request := &AssumeRoleWithWebIdentityRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
WebIdentityToken: "valid-oidc-token", |
|||
RoleSessionName: "test-session", |
|||
Policy: &whitespacePolicy, |
|||
} |
|||
|
|||
// Should reject any non-nil policy, even whitespace
|
|||
response, err := service.AssumeRoleWithWebIdentity(ctx, request) |
|||
|
|||
assert.Error(t, err) |
|||
assert.Nil(t, response) |
|||
assert.Contains(t, err.Error(), "session policies are not currently supported") |
|||
}) |
|||
} |
|||
|
|||
// TestAssumeRoleWithWebIdentity_PolicyFieldDocumentation verifies that the struct
|
|||
// field is properly documented to help developers understand the limitation
|
|||
func TestAssumeRoleWithWebIdentity_PolicyFieldDocumentation(t *testing.T) { |
|||
// This test documents the current behavior and ensures the struct field
|
|||
// exists with proper typing
|
|||
request := &AssumeRoleWithWebIdentityRequest{} |
|||
|
|||
// Verify the Policy field exists and has the correct type
|
|||
assert.IsType(t, (*string)(nil), request.Policy, |
|||
"Policy field should be *string type for optional JSON policy") |
|||
|
|||
// Verify initial value is nil (no policy by default)
|
|||
assert.Nil(t, request.Policy, |
|||
"Policy field should default to nil (no session policy)") |
|||
|
|||
// Test that we can set it to a string pointer (even though it will be rejected)
|
|||
policyValue := `{"Version": "2012-10-17"}` |
|||
request.Policy = &policyValue |
|||
assert.NotNil(t, request.Policy, "Should be able to assign policy value") |
|||
assert.Equal(t, policyValue, *request.Policy, "Policy value should be preserved") |
|||
} |
|||
|
|||
// TestAssumeRoleWithCredentials_NoSessionPolicySupport verifies that
|
|||
// AssumeRoleWithCredentialsRequest doesn't have a Policy field, which is correct
|
|||
// since credential-based role assumption typically doesn't support session policies
|
|||
func TestAssumeRoleWithCredentials_NoSessionPolicySupport(t *testing.T) { |
|||
// Verify that AssumeRoleWithCredentialsRequest doesn't have a Policy field
|
|||
// This is the expected behavior since session policies are typically only
|
|||
// supported with web identity (OIDC/SAML) flows in AWS STS
|
|||
request := &AssumeRoleWithCredentialsRequest{ |
|||
RoleArn: "arn:seaweed:iam::role/TestRole", |
|||
Username: "testuser", |
|||
Password: "testpass", |
|||
RoleSessionName: "test-session", |
|||
ProviderName: "ldap", |
|||
} |
|||
|
|||
// The struct should compile and work without a Policy field
|
|||
assert.NotNil(t, request) |
|||
assert.Equal(t, "arn:seaweed:iam::role/TestRole", request.RoleArn) |
|||
assert.Equal(t, "testuser", request.Username) |
|||
|
|||
// This documents that credential-based assume role does NOT support session policies
|
|||
// which matches AWS STS behavior where session policies are primarily for
|
|||
// web identity (OIDC/SAML) and federation scenarios
|
|||
} |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue