name: "S3 IAM Integration Tests" on: pull_request: paths: - 'weed/iam/**' - 'weed/s3api/**' - 'test/s3/iam/**' - '.github/workflows/s3-iam-tests.yml' push: branches: [ master ] paths: - 'weed/iam/**' - 'weed/s3api/**' - 'test/s3/iam/**' - '.github/workflows/s3-iam-tests.yml' concurrency: group: ${{ github.head_ref }}/s3-iam-tests cancel-in-progress: true permissions: contents: read defaults: run: working-directory: weed jobs: # Unit tests for IAM components iam-unit-tests: name: IAM Unit Tests runs-on: ubuntu-22.04 timeout-minutes: 15 steps: - name: Check out code uses: actions/checkout@v5 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' id: go - name: Get dependencies run: | go mod download - name: Run IAM Unit Tests timeout-minutes: 10 run: | set -x echo "=== Running IAM STS Tests ===" go test -v -timeout 5m ./iam/sts/... echo "=== Running IAM Policy Tests ===" go test -v -timeout 5m ./iam/policy/... echo "=== Running IAM Integration Tests ===" go test -v -timeout 5m ./iam/integration/... echo "=== Running S3 API IAM Tests ===" go test -v -timeout 5m ./s3api/... -run ".*IAM.*|.*JWT.*|.*Auth.*" - name: Upload test results on failure if: failure() uses: actions/upload-artifact@v4 with: name: iam-unit-test-results path: | weed/testdata/ weed/**/testdata/ retention-days: 3 # S3 IAM integration tests with SeaweedFS services s3-iam-integration-tests: name: S3 IAM Integration Tests runs-on: ubuntu-22.04 timeout-minutes: 25 strategy: matrix: test-type: ["basic", "advanced", "policy-enforcement", "keycloak-integration"] steps: - name: Check out code uses: actions/checkout@v5 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' id: go - name: Install SeaweedFS working-directory: weed run: | go install -buildvcs=false - name: Run S3 IAM Integration Tests - ${{ matrix.test-type }} timeout-minutes: 20 working-directory: test/s3/iam run: | set -x echo "=== System Information ===" uname -a free -h df -h echo "=== Starting S3 IAM Integration Tests (${{ matrix.test-type }}) ===" # Set WEED_BINARY to use the installed version export WEED_BINARY=$(which weed) export TEST_TIMEOUT=15m # Run tests based on type case "${{ matrix.test-type }}" in "basic") echo "Running basic IAM functionality tests..." make clean setup start-services wait-for-services go test -v -timeout 15m -run "TestS3IAMAuthentication|TestS3IAMBasicWorkflow|TestS3IAMTokenValidation" ./... ;; "advanced") echo "Running advanced IAM feature tests..." make clean setup start-services wait-for-services go test -v -timeout 15m -run "TestS3IAMSessionExpiration|TestS3IAMMultipart|TestS3IAMPresigned" ./... ;; "policy-enforcement") echo "Running policy enforcement tests..." make clean setup start-services wait-for-services go test -v -timeout 15m -run "TestS3IAMPolicyEnforcement|TestS3IAMBucketPolicy|TestS3IAMContextual" ./... ;; "keycloak-integration") echo "Running Keycloak integration tests..." # Start Keycloak container docker run -d \ --name keycloak \ -p 8080:8080 \ -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \ -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \ -e KC_HTTP_ENABLED=true \ -e KC_HOSTNAME_STRICT=false \ -e KC_HOSTNAME_STRICT_HTTPS=false \ quay.io/keycloak/keycloak:26.0 \ start-dev # Wait for Keycloak with better health checking timeout 300 bash -c ' while true; do if curl -s http://localhost:8080/health/ready > /dev/null 2>&1; then echo "✅ Keycloak health check passed" break fi if curl -s http://localhost:8080/realms/master > /dev/null 2>&1; then echo "✅ Keycloak master realm accessible" break fi echo "Waiting for Keycloak..." sleep 5 done ' # Setup Keycloak realm and users chmod +x setup_keycloak.sh ./setup_keycloak.sh # Start SeaweedFS services make clean setup start-services wait-for-services # Run Keycloak tests export KEYCLOAK_URL="http://localhost:8080" go test -v -timeout 15m -run "TestKeycloak" ./... # Cleanup Keycloak docker stop keycloak || true docker rm keycloak || true ;; esac # Always cleanup make stop-services - name: Show service logs on failure if: failure() working-directory: test/s3/iam run: | echo "=== Service Logs ===" echo "--- Master Log ---" tail -50 weed-master.log 2>/dev/null || echo "No master log found" echo "" echo "--- Filer Log ---" tail -50 weed-filer.log 2>/dev/null || echo "No filer log found" echo "" echo "--- Volume Log ---" tail -50 weed-volume.log 2>/dev/null || echo "No volume log found" echo "" echo "--- S3 API Log ---" tail -50 weed-s3.log 2>/dev/null || echo "No S3 log found" echo "" echo "=== Process Information ===" ps aux | grep -E "(weed|test)" || true netstat -tlnp | grep -E "(8333|8888|9333|8080)" || true - name: Upload test logs on failure if: failure() uses: actions/upload-artifact@v4 with: name: s3-iam-integration-logs-${{ matrix.test-type }} path: test/s3/iam/weed-*.log retention-days: 5 # Keycloak integration tests with Docker Compose s3-iam-keycloak-tests: name: S3 IAM Keycloak Integration runs-on: ubuntu-22.04 timeout-minutes: 30 # Always run Keycloak integration tests steps: - name: Check out code uses: actions/checkout@v5 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' id: go - name: Install SeaweedFS working-directory: weed run: | go install -buildvcs=false - name: Start Keycloak with Docker run: | echo "Starting Keycloak container..." docker run -d \ --name keycloak \ -p 8080:8080 \ -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \ -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \ -e KC_HTTP_ENABLED=true \ -e KC_HOSTNAME_STRICT=false \ -e KC_HOSTNAME_STRICT_HTTPS=false \ quay.io/keycloak/keycloak:26.0 \ start-dev echo "Waiting for Keycloak to be ready..." timeout 300 bash -c ' while true; do if curl -s http://localhost:8080/health/ready > /dev/null 2>&1; then echo "✅ Keycloak health check passed" break fi if curl -s http://localhost:8080/realms/master > /dev/null 2>&1; then echo "✅ Keycloak master realm accessible" break fi echo "Waiting for Keycloak..." sleep 5 done ' || { echo "Keycloak failed to start" docker logs keycloak exit 1 } echo "Keycloak is ready" - name: Setup Keycloak Realm and Users working-directory: test/s3/iam run: | echo "Setting up Keycloak realm and test users..." chmod +x setup_keycloak.sh ./setup_keycloak.sh - name: Start SeaweedFS Services working-directory: test/s3/iam run: | echo "Starting SeaweedFS services..." export WEED_BINARY=$(which weed) make clean setup start-services wait-for-services echo "SeaweedFS services are ready" - name: Run Keycloak Integration Tests timeout-minutes: 20 working-directory: test/s3/iam run: | set -x echo "=== Running Keycloak Integration Tests ===" export KEYCLOAK_URL="http://localhost:8080" export S3_ENDPOINT="http://localhost:8333" # Give services extra time to fully initialize sleep 10 # Verify services are accessible echo "=== Verifying Service Accessibility ===" curl -f http://localhost:8080/realms/master || { echo "❌ Keycloak not accessible" docker logs keycloak --tail=50 exit 1 } curl -f http://localhost:8333 || { echo "❌ SeaweedFS S3 API not accessible" cat weed-s3.log || true exit 1 } # Run Keycloak-specific tests echo "=== Running Keycloak Tests ===" go test -v -timeout 15m -run "TestKeycloak" ./... || { echo "❌ Keycloak integration tests failed" echo "=== Service Logs ===" echo "--- Keycloak logs ---" docker logs keycloak --tail=100 echo "--- SeaweedFS logs ---" cat weed-s3.log 2>/dev/null || echo "No S3 log found" cat weed-master.log 2>/dev/null || echo "No master log found" cat weed-filer.log 2>/dev/null || echo "No filer log found" exit 1 } - name: Show service logs on failure if: failure() working-directory: test/s3/iam run: | echo "=== Keycloak Container Logs ===" docker logs keycloak --tail=200 || true echo "=== SeaweedFS Service Logs ===" echo "--- S3 API Log ---" tail -100 weed-s3.log 2>/dev/null || echo "No S3 log found" echo "--- Master Log ---" tail -100 weed-master.log 2>/dev/null || echo "No master log found" echo "--- Filer Log ---" tail -100 weed-filer.log 2>/dev/null || echo "No filer log found" echo "--- Volume Log ---" tail -100 weed-volume.log 2>/dev/null || echo "No volume log found" echo "=== Container Status ===" docker ps -a echo "=== Network Information ===" netstat -tlnp | grep -E "(8080|8333|8888|9333)" || true curl -v http://localhost:8080/realms/master || true curl -v http://localhost:8333 || true - name: Cleanup Services if: always() working-directory: test/s3/iam run: | echo "Stopping SeaweedFS services..." make stop-services || true echo "Stopping Keycloak container..." docker stop keycloak || true docker rm keycloak || true - name: Upload service logs on failure if: failure() uses: actions/upload-artifact@v4 with: name: s3-iam-keycloak-logs path: | test/s3/iam/weed-*.log test/s3/iam/*.log retention-days: 5 # Distributed IAM tests s3-iam-distributed-tests: name: S3 IAM Distributed Tests runs-on: ubuntu-22.04 timeout-minutes: 25 steps: - name: Check out code uses: actions/checkout@v5 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' id: go - name: Install SeaweedFS working-directory: weed run: | go install -buildvcs=false - name: Run Distributed IAM Tests timeout-minutes: 20 working-directory: test/s3/iam run: | set -x echo "=== System Information ===" uname -a free -h export WEED_BINARY=$(which weed) export TEST_TIMEOUT=15m # Test distributed configuration echo "Testing distributed IAM configuration..." make clean setup # Start services with distributed IAM config echo "Starting services with distributed configuration..." make start-services make wait-for-services # Run distributed-specific tests export ENABLE_DISTRIBUTED_TESTS=true go test -v -timeout 15m -run "TestS3IAMDistributedTests" ./... || { echo "❌ Distributed tests failed, checking logs..." make logs exit 1 } make stop-services - name: Upload distributed test logs if: always() uses: actions/upload-artifact@v4 with: name: s3-iam-distributed-logs path: test/s3/iam/weed-*.log retention-days: 7 # Performance and stress tests s3-iam-performance-tests: name: S3 IAM Performance Tests runs-on: ubuntu-22.04 timeout-minutes: 30 steps: - name: Check out code uses: actions/checkout@v5 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: 'go.mod' id: go - name: Install SeaweedFS working-directory: weed run: | go install -buildvcs=false - name: Run IAM Performance Benchmarks timeout-minutes: 25 working-directory: test/s3/iam run: | set -x echo "=== Running IAM Performance Tests ===" export WEED_BINARY=$(which weed) export TEST_TIMEOUT=20m make clean setup start-services wait-for-services # Run performance tests (benchmarks disabled for CI) echo "Running performance tests..." export ENABLE_PERFORMANCE_TESTS=true go test -v -timeout 15m -run "TestS3IAMPerformanceTests" ./... || { echo "❌ Performance tests failed" make logs exit 1 } make stop-services - name: Upload performance test results if: always() uses: actions/upload-artifact@v4 with: name: s3-iam-performance-results path: | test/s3/iam/weed-*.log test/s3/iam/*.test retention-days: 7