You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
195 lines
6.6 KiB
195 lines
6.6 KiB
package s3api
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
|
"github.com/seaweedfs/seaweedfs/weed/util"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// setupRoutingTestServer creates a minimal S3ApiServer for routing tests
|
|
func setupRoutingTestServer(t *testing.T) *S3ApiServer {
|
|
opt := &S3ApiServerOption{EnableIam: true}
|
|
iam := NewIdentityAccessManagementWithStore(opt, "memory")
|
|
iam.isAuthEnabled = true
|
|
|
|
if iam.credentialManager == nil {
|
|
cm, err := credential.NewCredentialManager("memory", util.GetViper(), "")
|
|
if err != nil {
|
|
t.Fatalf("Failed to create credential manager: %v", err)
|
|
}
|
|
iam.credentialManager = cm
|
|
}
|
|
|
|
server := &S3ApiServer{
|
|
option: opt,
|
|
iam: iam,
|
|
credentialManager: iam.credentialManager,
|
|
embeddedIam: NewEmbeddedIamApi(iam.credentialManager, iam),
|
|
stsHandlers: &STSHandlers{},
|
|
}
|
|
|
|
return server
|
|
}
|
|
|
|
// TestRouting_STSWithQueryParams verifies that AssumeRoleWithWebIdentity with query params routes to STS
|
|
func TestRouting_STSWithQueryParams(t *testing.T) {
|
|
router := mux.NewRouter()
|
|
s3a := setupRoutingTestServer(t)
|
|
s3a.registerRouter(router)
|
|
|
|
// Create request with Action in query params (no auth header)
|
|
req, _ := http.NewRequest("POST", "/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=test-token&RoleArn=arn:aws:iam::123:role/test&RoleSessionName=test-session", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
rr := httptest.NewRecorder()
|
|
router.ServeHTTP(rr, req)
|
|
|
|
// Should route to STS handler -> 503 (service not initialized) or 400 (validation error)
|
|
assert.Contains(t, []int{http.StatusBadRequest, http.StatusServiceUnavailable}, rr.Code, "Should route to STS handler")
|
|
}
|
|
|
|
// TestRouting_STSWithBodyParams verifies that AssumeRoleWithWebIdentity with body params routes to STS fallback
|
|
func TestRouting_STSWithBodyParams(t *testing.T) {
|
|
router := mux.NewRouter()
|
|
s3a := setupRoutingTestServer(t)
|
|
s3a.registerRouter(router)
|
|
|
|
// Create request with Action in POST body (no auth header)
|
|
data := url.Values{}
|
|
data.Set("Action", "AssumeRoleWithWebIdentity")
|
|
data.Set("WebIdentityToken", "test-token")
|
|
data.Set("RoleArn", "arn:aws:iam::123:role/test")
|
|
data.Set("RoleSessionName", "test-session")
|
|
|
|
req, _ := http.NewRequest("POST", "/", strings.NewReader(data.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
rr := httptest.NewRecorder()
|
|
router.ServeHTTP(rr, req)
|
|
|
|
// Should route to STS fallback handler -> 503 (service not initialized in test)
|
|
assert.Equal(t, http.StatusServiceUnavailable, rr.Code, "Should route to STS fallback handler (503 because STS not initialized)")
|
|
}
|
|
|
|
// TestRouting_AuthenticatedIAM verifies that authenticated IAM requests route to IAM handler
|
|
func TestRouting_AuthenticatedIAM(t *testing.T) {
|
|
router := mux.NewRouter()
|
|
s3a := setupRoutingTestServer(t)
|
|
s3a.registerRouter(router)
|
|
|
|
// Create IAM request with Authorization header
|
|
data := url.Values{}
|
|
data.Set("Action", "CreateUser")
|
|
data.Set("UserName", "testuser")
|
|
|
|
req, _ := http.NewRequest("POST", "/", strings.NewReader(data.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIA.../...")
|
|
|
|
rr := httptest.NewRecorder()
|
|
router.ServeHTTP(rr, req)
|
|
|
|
// Should route to IAM handler -> 400/403 (invalid signature)
|
|
// NOT 503 (which would indicate STS handler)
|
|
assert.NotEqual(t, http.StatusServiceUnavailable, rr.Code, "Should NOT route to STS handler")
|
|
assert.Contains(t, []int{http.StatusBadRequest, http.StatusForbidden}, rr.Code, "Should route to IAM handler (400/403 due to invalid signature)")
|
|
}
|
|
|
|
// TestRouting_IAMMatcherLogic verifies the iamMatcher correctly distinguishes auth types
|
|
func TestRouting_IAMMatcherLogic(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
authHeader string
|
|
queryParams string
|
|
expectsIAM bool
|
|
description string
|
|
}{
|
|
{
|
|
name: "No auth - anonymous",
|
|
authHeader: "",
|
|
queryParams: "",
|
|
expectsIAM: false,
|
|
description: "Request with no auth should NOT match IAM",
|
|
},
|
|
{
|
|
name: "AWS4 signature",
|
|
authHeader: "AWS4-HMAC-SHA256 Credential=AKIA.../...",
|
|
queryParams: "",
|
|
expectsIAM: true,
|
|
description: "Request with AWS4 signature should match IAM",
|
|
},
|
|
{
|
|
name: "AWS2 signature",
|
|
authHeader: "AWS AKIA...:signature",
|
|
queryParams: "",
|
|
expectsIAM: true,
|
|
description: "Request with AWS2 signature should match IAM",
|
|
},
|
|
{
|
|
name: "Presigned V4",
|
|
authHeader: "",
|
|
queryParams: "?X-Amz-Credential=AKIA...",
|
|
expectsIAM: true,
|
|
description: "Request with presigned V4 params should match IAM",
|
|
},
|
|
{
|
|
name: "Presigned V2",
|
|
authHeader: "",
|
|
queryParams: "?AWSAccessKeyId=AKIA...",
|
|
expectsIAM: true,
|
|
description: "Request with presigned V2 params should match IAM",
|
|
},
|
|
{
|
|
name: "AWS4 signature with STS action in body",
|
|
authHeader: "AWS4-HMAC-SHA256 Credential=AKIA.../...",
|
|
queryParams: "",
|
|
expectsIAM: true,
|
|
description: "Authenticated STS action should still route to IAM (auth takes precedence)",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
router := mux.NewRouter()
|
|
s3a := setupRoutingTestServer(t)
|
|
s3a.registerRouter(router)
|
|
|
|
data := url.Values{}
|
|
// For the authenticated STS action test, set the STS action
|
|
// For other tests, don't set Action to avoid STS validation errors
|
|
if tt.name == "AWS4 signature with STS action in body" {
|
|
data.Set("Action", "AssumeRoleWithWebIdentity")
|
|
data.Set("WebIdentityToken", "test-token")
|
|
data.Set("RoleArn", "arn:aws:iam::123:role/test")
|
|
data.Set("RoleSessionName", "test-session")
|
|
}
|
|
|
|
req, _ := http.NewRequest("POST", "/"+tt.queryParams, strings.NewReader(data.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
if tt.authHeader != "" {
|
|
req.Header.Set("Authorization", tt.authHeader)
|
|
}
|
|
|
|
rr := httptest.NewRecorder()
|
|
router.ServeHTTP(rr, req)
|
|
|
|
if tt.expectsIAM {
|
|
// Should route to IAM (400/403 for invalid sig)
|
|
// NOT 400 from STS (which would be missing Action parameter)
|
|
// We distinguish by checking it's NOT a generic 400 with empty body
|
|
assert.NotEqual(t, http.StatusServiceUnavailable, rr.Code, tt.description)
|
|
} else {
|
|
// Should route to STS fallback
|
|
// Can be 503 (service not initialized) or 400 (missing/invalid Action parameter)
|
|
assert.Contains(t, []int{http.StatusBadRequest, http.StatusServiceUnavailable}, rr.Code, tt.description)
|
|
}
|
|
})
|
|
}
|
|
}
|