diff options
| -rw-r--r-- | weed/iam/sts/test_utils_test.go | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/weed/iam/sts/test_utils_test.go b/weed/iam/sts/test_utils_test.go new file mode 100644 index 000000000..58de592dc --- /dev/null +++ b/weed/iam/sts/test_utils_test.go @@ -0,0 +1,53 @@ +package sts + +import ( + "context" + "fmt" + "strings" + + "github.com/seaweedfs/seaweedfs/weed/iam/providers" +) + +// MockTrustPolicyValidator is a simple mock for testing STS functionality +type MockTrustPolicyValidator struct{} + +// ValidateTrustPolicyForWebIdentity allows valid JWT test tokens for STS testing +func (m *MockTrustPolicyValidator) ValidateTrustPolicyForWebIdentity(ctx context.Context, roleArn string, webIdentityToken string) error { + // Reject non-existent roles for testing + if strings.Contains(roleArn, "NonExistentRole") { + return fmt.Errorf("trust policy validation failed: role does not exist") + } + + // For STS unit tests, allow JWT tokens that look valid (contain dots for JWT structure) + // In real implementation, this would validate against actual trust policies + if len(webIdentityToken) > 20 && strings.Count(webIdentityToken, ".") >= 2 { + // This appears to be a JWT token - allow it for testing + return nil + } + + // Legacy support for specific test tokens during migration + if webIdentityToken == "valid_test_token" || webIdentityToken == "valid-oidc-token" { + return nil + } + + // Reject invalid tokens + if webIdentityToken == "invalid_token" || webIdentityToken == "expired_token" || webIdentityToken == "invalid-token" { + return fmt.Errorf("trust policy denies token") + } + + return nil +} + +// ValidateTrustPolicyForCredentials allows valid test identities for STS testing +func (m *MockTrustPolicyValidator) ValidateTrustPolicyForCredentials(ctx context.Context, roleArn string, identity *providers.ExternalIdentity) error { + // Reject non-existent roles for testing + if strings.Contains(roleArn, "NonExistentRole") { + return fmt.Errorf("trust policy validation failed: role does not exist") + } + + // For STS unit tests, allow test identities + if identity != nil && identity.UserID != "" { + return nil + } + return fmt.Errorf("invalid identity for role assumption") +} |