diff options
| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-11-12 22:14:50 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-11-12 22:14:50 -0800 |
| commit | 508d06d9a5c763668ba149a8f1182e8552505c2b (patch) | |
| tree | a34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3_jwt_auth_test.go | |
| parent | 50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff) | |
| download | seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.tar.xz seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.zip | |
S3: Enforce bucket policy (#7471)
* evaluate policies during authorization
* cache bucket policy
* refactor
* matching with regex special characters
* Case Sensitivity, pattern cache, Dead Code Removal
* Fixed Typo, Restored []string Case, Added Cache Size Limit
* hook up with policy engine
* remove old implementation
* action mapping
* validate
* if not specified, fall through to IAM checks
* fmt
* Fail-close on policy evaluation errors
* Explicit `Allow` bypasses IAM checks
* fix error message
* arn:seaweed => arn:aws
* remove legacy support
* fix tests
* Clean up bucket policy after this test
* fix for tests
* address comments
* security fixes
* fix tests
* temp comment out
Diffstat (limited to 'weed/s3api/s3_jwt_auth_test.go')
| -rw-r--r-- | weed/s3api/s3_jwt_auth_test.go | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/weed/s3api/s3_jwt_auth_test.go b/weed/s3api/s3_jwt_auth_test.go index f6b2774d7..0e74aea01 100644 --- a/weed/s3api/s3_jwt_auth_test.go +++ b/weed/s3api/s3_jwt_auth_test.go @@ -56,7 +56,7 @@ func TestJWTAuthenticationFlow(t *testing.T) { }{ { name: "Read-Only JWT Authentication", - roleArn: "arn:seaweed:iam::role/S3ReadOnlyRole", + roleArn: "arn:aws:iam::role/S3ReadOnlyRole", setupRole: setupTestReadOnlyRole, testOperations: []JWTTestOperation{ {Action: s3_constants.ACTION_READ, Bucket: "test-bucket", Object: "test-file.txt", ExpectedAllow: true}, @@ -66,7 +66,7 @@ func TestJWTAuthenticationFlow(t *testing.T) { }, { name: "Admin JWT Authentication", - roleArn: "arn:seaweed:iam::role/S3AdminRole", + roleArn: "arn:aws:iam::role/S3AdminRole", setupRole: setupTestAdminRole, testOperations: []JWTTestOperation{ {Action: s3_constants.ACTION_READ, Bucket: "admin-bucket", Object: "admin-file.txt", ExpectedAllow: true}, @@ -221,7 +221,7 @@ func TestIPBasedPolicyEnforcement(t *testing.T) { // Assume role response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{ - RoleArn: "arn:seaweed:iam::role/S3IPRestrictedRole", + RoleArn: "arn:aws:iam::role/S3IPRestrictedRole", WebIdentityToken: validJWTToken, RoleSessionName: "ip-test-session", }) @@ -363,8 +363,8 @@ func setupTestReadOnlyRole(ctx context.Context, manager *integration.IAMManager) Effect: "Allow", Action: []string{"s3:GetObject", "s3:ListBucket"}, Resource: []string{ - "arn:seaweed:s3:::*", - "arn:seaweed:s3:::*/*", + "arn:aws:s3:::*", + "arn:aws:s3:::*/*", }, }, { @@ -425,8 +425,8 @@ func setupTestAdminRole(ctx context.Context, manager *integration.IAMManager) { Effect: "Allow", Action: []string{"s3:*"}, Resource: []string{ - "arn:seaweed:s3:::*", - "arn:seaweed:s3:::*/*", + "arn:aws:s3:::*", + "arn:aws:s3:::*/*", }, }, { @@ -487,8 +487,8 @@ func setupTestIPRestrictedRole(ctx context.Context, manager *integration.IAMMana Effect: "Allow", Action: []string{"s3:GetObject", "s3:ListBucket"}, Resource: []string{ - "arn:seaweed:s3:::*", - "arn:seaweed:s3:::*/*", + "arn:aws:s3:::*", + "arn:aws:s3:::*/*", }, Condition: map[string]map[string]interface{}{ "IpAddress": { @@ -544,7 +544,7 @@ func testJWTAuthorizationWithRole(t *testing.T, iam *IdentityAccessManagement, i req.Header.Set("X-SeaweedFS-Session-Token", token) // Use a proper principal ARN format that matches what STS would generate - principalArn := "arn:seaweed:sts::assumed-role/" + roleName + "/test-session" + principalArn := "arn:aws:sts::assumed-role/" + roleName + "/test-session" req.Header.Set("X-SeaweedFS-Principal", principalArn) // Test authorization |