You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
3.4 KiB
125 lines
3.4 KiB
package integration
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/sts"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestMemoryRoleStore(t *testing.T) {
|
|
ctx := context.Background()
|
|
store := NewMemoryRoleStore()
|
|
|
|
// Test storing a role
|
|
roleDef := &RoleDefinition{
|
|
RoleName: "TestRole",
|
|
RoleArn: "arn:seaweed:iam::role/TestRole",
|
|
Description: "Test role for unit testing",
|
|
AttachedPolicies: []string{"TestPolicy"},
|
|
TrustPolicy: &policy.PolicyDocument{
|
|
Version: "2012-10-17",
|
|
Statement: []policy.Statement{
|
|
{
|
|
Effect: "Allow",
|
|
Action: []string{"sts:AssumeRoleWithWebIdentity"},
|
|
Principal: map[string]interface{}{
|
|
"Federated": "test-provider",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
err := store.StoreRole(ctx, "TestRole", roleDef)
|
|
require.NoError(t, err)
|
|
|
|
// Test retrieving the role
|
|
retrievedRole, err := store.GetRole(ctx, "TestRole")
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "TestRole", retrievedRole.RoleName)
|
|
assert.Equal(t, "arn:seaweed:iam::role/TestRole", retrievedRole.RoleArn)
|
|
assert.Equal(t, "Test role for unit testing", retrievedRole.Description)
|
|
assert.Equal(t, []string{"TestPolicy"}, retrievedRole.AttachedPolicies)
|
|
|
|
// Test listing roles
|
|
roles, err := store.ListRoles(ctx)
|
|
require.NoError(t, err)
|
|
assert.Contains(t, roles, "TestRole")
|
|
|
|
// Test deleting the role
|
|
err = store.DeleteRole(ctx, "TestRole")
|
|
require.NoError(t, err)
|
|
|
|
// Verify role is deleted
|
|
_, err = store.GetRole(ctx, "TestRole")
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestRoleStoreConfiguration(t *testing.T) {
|
|
// Test memory role store creation
|
|
memoryStore, err := NewMemoryRoleStore(), error(nil)
|
|
require.NoError(t, err)
|
|
assert.NotNil(t, memoryStore)
|
|
|
|
// Test filer role store creation with invalid config
|
|
_, err = NewFilerRoleStore(map[string]interface{}{
|
|
// Missing filerAddress
|
|
"basePath": "/test/roles",
|
|
})
|
|
assert.Error(t, err)
|
|
assert.Contains(t, err.Error(), "filer address is required")
|
|
|
|
// Test filer role store creation with valid config
|
|
filerStore, err := NewFilerRoleStore(map[string]interface{}{
|
|
"filerAddress": "localhost:8888",
|
|
"basePath": "/test/roles",
|
|
})
|
|
require.NoError(t, err)
|
|
assert.NotNil(t, filerStore)
|
|
}
|
|
|
|
func TestDistributedIAMManagerWithRoleStore(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
// Create IAM manager with role store configuration
|
|
config := &IAMConfig{
|
|
STS: &sts.STSConfig{
|
|
TokenDuration: 3600,
|
|
MaxSessionLength: 43200,
|
|
Issuer: "test-issuer",
|
|
SigningKey: []byte("test-signing-key-32-characters-long"),
|
|
|
|
},
|
|
Policy: &policy.PolicyEngineConfig{
|
|
DefaultEffect: "Deny",
|
|
StoreType: "memory",
|
|
},
|
|
Roles: &RoleStoreConfig{
|
|
StoreType: "memory",
|
|
},
|
|
}
|
|
|
|
iamManager := NewIAMManager()
|
|
err := iamManager.Initialize(config)
|
|
require.NoError(t, err)
|
|
|
|
// Test creating a role
|
|
roleDef := &RoleDefinition{
|
|
RoleName: "DistributedTestRole",
|
|
RoleArn: "arn:seaweed:iam::role/DistributedTestRole",
|
|
Description: "Test role for distributed IAM",
|
|
AttachedPolicies: []string{"S3ReadOnlyPolicy"},
|
|
}
|
|
|
|
err = iamManager.CreateRole(ctx, "DistributedTestRole", roleDef)
|
|
require.NoError(t, err)
|
|
|
|
// Test that role is accessible through the IAM manager
|
|
// Note: We can't directly test GetRole as it's not exposed,
|
|
// but we can test through IsActionAllowed which internally uses the role store
|
|
assert.True(t, iamManager.initialized)
|
|
}
|