aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/s3_multipart_iam_test.go
diff options
context:
space:
mode:
authorChris Lu <chrislusf@users.noreply.github.com>2025-11-12 22:14:50 -0800
committerGitHub <noreply@github.com>2025-11-12 22:14:50 -0800
commit508d06d9a5c763668ba149a8f1182e8552505c2b (patch)
treea34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3_multipart_iam_test.go
parent50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff)
downloadseaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.tar.xz
seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.zip
S3: Enforce bucket policy (#7471)
* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
Diffstat (limited to 'weed/s3api/s3_multipart_iam_test.go')
-rw-r--r--weed/s3api/s3_multipart_iam_test.go14
1 files changed, 7 insertions, 7 deletions
diff --git a/weed/s3api/s3_multipart_iam_test.go b/weed/s3api/s3_multipart_iam_test.go
index 2aa68fda0..608d30042 100644
--- a/weed/s3api/s3_multipart_iam_test.go
+++ b/weed/s3api/s3_multipart_iam_test.go
@@ -58,7 +58,7 @@ func TestMultipartIAMValidation(t *testing.T) {
// Get session token
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/S3WriteRole",
+ RoleArn: "arn:aws:iam::role/S3WriteRole",
WebIdentityToken: validJWTToken,
RoleSessionName: "multipart-test-session",
})
@@ -443,8 +443,8 @@ func TestMultipartUploadSession(t *testing.T) {
UploadID: "test-upload-123",
Bucket: "test-bucket",
ObjectKey: "test-file.txt",
- Initiator: "arn:seaweed:iam::user/testuser",
- Owner: "arn:seaweed:iam::user/testuser",
+ Initiator: "arn:aws:iam::user/testuser",
+ Owner: "arn:aws:iam::user/testuser",
CreatedAt: time.Now(),
Parts: []MultipartUploadPart{
{
@@ -550,8 +550,8 @@ func setupTestRolesForMultipart(ctx context.Context, manager *integration.IAMMan
"s3:ListParts",
},
Resource: []string{
- "arn:seaweed:s3:::*",
- "arn:seaweed:s3:::*/*",
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*",
},
},
},
@@ -603,8 +603,8 @@ func createMultipartRequest(t *testing.T, method, path, sessionToken string) *ht
if sessionToken != "" {
req.Header.Set("Authorization", "Bearer "+sessionToken)
// Set the principal ARN header that matches the assumed role from the test setup
- // This corresponds to the role "arn:seaweed:iam::role/S3WriteRole" with session name "multipart-test-session"
- req.Header.Set("X-SeaweedFS-Principal", "arn:seaweed:sts::assumed-role/S3WriteRole/multipart-test-session")
+ // This corresponds to the role "arn:aws:iam::role/S3WriteRole" with session name "multipart-test-session"
+ req.Header.Set("X-SeaweedFS-Principal", "arn:aws:sts::assumed-role/S3WriteRole/multipart-test-session")
}
// Add common headers
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-24 22:13:47 +0000