You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
156 lines
4.5 KiB
156 lines
4.5 KiB
package s3api
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestLoadIAMManagerFromConfig_Defaults(t *testing.T) {
|
|
// Create a temporary config file with minimal content (just policy)
|
|
tmpDir := t.TempDir()
|
|
configPath := filepath.Join(tmpDir, "iam_config.json")
|
|
|
|
configContent := `{
|
|
"sts": {
|
|
"providers": []
|
|
},
|
|
"policy": {
|
|
"storeType": "memory",
|
|
"defaultEffect": "Allow"
|
|
}
|
|
}`
|
|
|
|
err := os.WriteFile(configPath, []byte(configContent), 0644)
|
|
assert.NoError(t, err)
|
|
|
|
// dummy filer address provider
|
|
filerProvider := func() string { return "localhost:8888" }
|
|
defaultSigningKeyProvider := func() string { return "default-secure-signing-key" }
|
|
|
|
// Load the manager
|
|
manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, manager)
|
|
}
|
|
|
|
func TestLoadIAMManagerFromConfig_Overrides(t *testing.T) {
|
|
// Create a temporary config file with EXPLICIT values
|
|
tmpDir := t.TempDir()
|
|
configPath := filepath.Join(tmpDir, "iam_config_explicit.json")
|
|
|
|
configContent := `{
|
|
"sts": {
|
|
"tokenDuration": "2h",
|
|
"maxSessionLength": "24h",
|
|
"issuer": "custom-issuer",
|
|
"signingKey": "ZXhwbGljaXQtc2lnbmluZy1rZXktMTIzNDU="
|
|
},
|
|
"policy": {
|
|
"storeType": "memory",
|
|
"defaultEffect": "Allow"
|
|
}
|
|
}`
|
|
// Base64 encoded "explicit-signing-key-12345" is "ZXhwbGljaXQtc2lnbmluZy1rZXktMTIzNDU="
|
|
|
|
err := os.WriteFile(configPath, []byte(configContent), 0644)
|
|
assert.NoError(t, err)
|
|
|
|
filerProvider := func() string { return "localhost:8888" }
|
|
defaultSigningKeyProvider := func() string { return "default-secure-signing-key" }
|
|
|
|
// Load
|
|
manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, manager)
|
|
}
|
|
|
|
func TestLoadIAMManagerFromConfig_PartialDefaults(t *testing.T) {
|
|
// Test that partial configs (e.g. providing SigningKey but not Duration) work
|
|
tmpDir := t.TempDir()
|
|
configPath := filepath.Join(tmpDir, "iam_config_partial.json")
|
|
|
|
// Signing key provided in JSON, others missing
|
|
configContent := `{
|
|
"sts": {
|
|
"signingKey": "anNvbi1wcm92aWRlZC1rZXktMTIzNDU="
|
|
},
|
|
"policy": {
|
|
"storeType": "memory",
|
|
"defaultEffect": "Allow"
|
|
}
|
|
}`
|
|
|
|
err := os.WriteFile(configPath, []byte(configContent), 0644)
|
|
assert.NoError(t, err)
|
|
|
|
filerProvider := func() string { return "localhost:8888" }
|
|
// Default signing key provided but should be IGNORED because JSON has one
|
|
defaultSigningKeyProvider := func() string { return "server-default-key-should-be-ignored" }
|
|
|
|
manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, manager)
|
|
}
|
|
|
|
func TestLoadIAMManagerFromConfig_ExplicitEmptyKey(t *testing.T) {
|
|
// Test that if JSON has empty signing key string, it still falls back
|
|
tmpDir := t.TempDir()
|
|
configPath := filepath.Join(tmpDir, "iam_config_empty_key.json")
|
|
|
|
// Signing key explicitly empty
|
|
configContent := `{
|
|
"sts": {
|
|
"signingKey": ""
|
|
},
|
|
"policy": {
|
|
"storeType": "memory",
|
|
"defaultEffect": "Allow"
|
|
}
|
|
}`
|
|
|
|
err := os.WriteFile(configPath, []byte(configContent), 0644)
|
|
assert.NoError(t, err)
|
|
|
|
filerProvider := func() string { return "localhost:8888" }
|
|
defaultSigningKeyProvider := func() string { return "fallback-key-should-be-used" }
|
|
|
|
manager, err := loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, manager)
|
|
}
|
|
|
|
func TestLoadIAMManagerFromConfig_MissingKeyError(t *testing.T) {
|
|
// Test that if BOTH keys are empty, it fails with a clear error
|
|
tmpDir := t.TempDir()
|
|
configPath := filepath.Join(tmpDir, "iam_config_all_empty.json")
|
|
|
|
// Signing key explicitly empty in JSON
|
|
configContent := `{
|
|
"sts": {
|
|
"signingKey": ""
|
|
},
|
|
"policy": {
|
|
"storeType": "memory",
|
|
"defaultEffect": "Allow"
|
|
}
|
|
}`
|
|
|
|
err := os.WriteFile(configPath, []byte(configContent), 0644)
|
|
assert.NoError(t, err)
|
|
|
|
filerProvider := func() string { return "localhost:8888" }
|
|
defaultSigningKeyProvider := func() string { return "" } // Empty default too
|
|
|
|
// Ensure no SSE-S3 key interferes (global state in tests is tricky, but let's assume clean state or no mock)
|
|
// Ideally we would mock GetSSES3KeyManager().GetMasterKey() but it's a global singleton.
|
|
// For this unit test, if the global key manager has no key, it should fail.
|
|
|
|
_, err = loadIAMManagerFromConfig(configPath, filerProvider, defaultSigningKeyProvider)
|
|
|
|
// Should return a clear error
|
|
assert.Error(t, err)
|
|
assert.Contains(t, err.Error(), "no signing key found for STS service")
|
|
}
|