Diffstat (limited to 'weed/iam/sts')
-rw-r--r--weed/iam/sts/cross_instance_token_test.go10
-rw-r--r--weed/iam/sts/session_policy_test.go18
-rw-r--r--weed/iam/sts/sts_service.go4
-rw-r--r--weed/iam/sts/sts_service_test.go18
-rw-r--r--weed/iam/sts/token_utils.go6
5 files changed, 28 insertions, 28 deletions
diff --git a/weed/iam/sts/cross_instance_token_test.go b/weed/iam/sts/cross_instance_token_test.go
index 243951d82..c628d5e0d 100644
--- a/weed/iam/sts/cross_instance_token_test.go
+++ b/weed/iam/sts/cross_instance_token_test.go
@@ -153,7 +153,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
mockToken := createMockJWT(t, "http://test-mock:9999", "test-user")
assumeRequest := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/CrossInstanceTestRole",
+ RoleArn: "arn:aws:iam::role/CrossInstanceTestRole",
WebIdentityToken: mockToken, // JWT token for mock provider
RoleSessionName: "cross-instance-test-session",
DurationSeconds: int64ToPtr(3600),
@@ -198,7 +198,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
mockToken := createMockJWT(t, "http://test-mock:9999", "test-user")
assumeRequest := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/RevocationTestRole",
+ RoleArn: "arn:aws:iam::role/RevocationTestRole",
WebIdentityToken: mockToken,
RoleSessionName: "revocation-test-session",
}
@@ -240,7 +240,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
// Try to assume role with same token on different instances
assumeRequest := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/ProviderTestRole",
+ RoleArn: "arn:aws:iam::role/ProviderTestRole",
WebIdentityToken: testToken,
RoleSessionName: "provider-consistency-test",
}
@@ -452,7 +452,7 @@ func TestSTSRealWorldDistributedScenarios(t *testing.T) {
mockToken := createMockJWT(t, "http://test-mock:9999", "production-user")
assumeRequest := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/ProductionS3User",
+ RoleArn: "arn:aws:iam::role/ProductionS3User",
WebIdentityToken: mockToken, // JWT token from mock provider
RoleSessionName: "user-production-session",
DurationSeconds: int64ToPtr(7200), // 2 hours
@@ -470,7 +470,7 @@ func TestSTSRealWorldDistributedScenarios(t *testing.T) {
sessionInfo2, err := gateway2.ValidateSessionToken(ctx, sessionToken)
require.NoError(t, err, "Gateway 2 should validate session from Gateway 1")
assert.Equal(t, "user-production-session", sessionInfo2.SessionName)
- assert.Equal(t, "arn:seaweed:iam::role/ProductionS3User", sessionInfo2.RoleArn)
+ assert.Equal(t, "arn:aws:iam::role/ProductionS3User", sessionInfo2.RoleArn)
// Simulate S3 request validation on Gateway 3
sessionInfo3, err := gateway3.ValidateSessionToken(ctx, sessionToken)
diff --git a/weed/iam/sts/session_policy_test.go b/weed/iam/sts/session_policy_test.go
index 6f94169ec..83267fd83 100644
--- a/weed/iam/sts/session_policy_test.go
+++ b/weed/iam/sts/session_policy_test.go
@@ -47,7 +47,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: testToken,
RoleSessionName: "test-session",
DurationSeconds: nil, // Use default
@@ -69,7 +69,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: testToken,
RoleSessionName: "test-session",
DurationSeconds: nil, // Use default
@@ -93,7 +93,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: testToken,
RoleSessionName: "test-session",
Policy: nil, // ← Explicitly nil
@@ -113,7 +113,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
emptyPolicy := "" // Empty string, but still a non-nil pointer
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
RoleSessionName: "test-session",
Policy: &emptyPolicy, // ← Non-nil pointer to empty string
@@ -160,7 +160,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_ErrorMessage(t *testing.T) {
testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: testToken,
RoleSessionName: "test-session-with-complex-policy",
Policy: &complexPolicy,
@@ -196,7 +196,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_EdgeCases(t *testing.T) {
malformedPolicy := `{"Version": "2012-10-17", "Statement": [` // Incomplete JSON
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
RoleSessionName: "test-session",
Policy: &malformedPolicy,
@@ -215,7 +215,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_EdgeCases(t *testing.T) {
whitespacePolicy := " \t\n " // Only whitespace
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
RoleSessionName: "test-session",
Policy: &whitespacePolicy,
@@ -260,7 +260,7 @@ func TestAssumeRoleWithCredentials_NoSessionPolicySupport(t *testing.T) {
// This is the expected behavior since session policies are typically only
// supported with web identity (OIDC/SAML) flows in AWS STS
request := &AssumeRoleWithCredentialsRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
Username: "testuser",
Password: "testpass",
RoleSessionName: "test-session",
@@ -269,7 +269,7 @@ func TestAssumeRoleWithCredentials_NoSessionPolicySupport(t *testing.T) {
// The struct should compile and work without a Policy field
assert.NotNil(t, request)
- assert.Equal(t, "arn:seaweed:iam::role/TestRole", request.RoleArn)
+ assert.Equal(t, "arn:aws:iam::role/TestRole", request.RoleArn)
assert.Equal(t, "testuser", request.Username)
// This documents that credential-based assume role does NOT support session policies
diff --git a/weed/iam/sts/sts_service.go b/weed/iam/sts/sts_service.go
index 7305adb4b..3d9f9af35 100644
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@@ -683,7 +683,7 @@ func (s *STSService) validateRoleAssumptionForWebIdentity(ctx context.Context, r
}
// Basic role ARN format validation
- expectedPrefix := "arn:seaweed:iam::role/"
+ expectedPrefix := "arn:aws:iam::role/"
if len(roleArn) < len(expectedPrefix) || roleArn[:len(expectedPrefix)] != expectedPrefix {
return fmt.Errorf("invalid role ARN format: got %s, expected format: %s*", roleArn, expectedPrefix)
}
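Review bot: The new prefix `arn:aws:iam::role/` adopts the `aws` partition but still omits the account-id segment that the AWS ARN grammar places between the region and the resource (`arn:partition:service:region:account:resource`), so a role ARN accepted here would still be rejected by anything that parses ARNs into six colon-separated fields; if the motivation for the partition change is interoperability with AWS-style clients or policies, the check should expect `arn:aws:iam::<account>:role/` rather than a bare prefix. The same literal is repeated in validateRoleAssumptionForCredentials (the second hunk of this file) and again in GenerateAssumedRoleArn in token_utils.go; hoisting it into one package-level constant would keep the three in agreement the next time the format changes. The manual length-and-slice comparison can also be `if !strings.HasPrefix(roleArn, expectedPrefix) {`, and the error should quote the caller-supplied value, `return fmt.Errorf("invalid role ARN format: got %q, expected format: %s*", roleArn, expectedPrefix)`, so empty or whitespace ARNs are visible in logs. validateRoleAssumptionForWebIdentity begins and ends outside this hunk.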
@@ -720,7 +720,7 @@ func (s *STSService) validateRoleAssumptionForCredentials(ctx context.Context, r
}
// Basic role ARN format validation
- expectedPrefix := "arn:seaweed:iam::role/"
+ expectedPrefix := "arn:aws:iam::role/"
if len(roleArn) < len(expectedPrefix) || roleArn[:len(expectedPrefix)] != expectedPrefix {
return fmt.Errorf("invalid role ARN format: got %s, expected format: %s*", roleArn, expectedPrefix)
}
diff --git a/weed/iam/sts/sts_service_test.go b/weed/iam/sts/sts_service_test.go
index 60d78118f..72d69c8c8 100644
--- a/weed/iam/sts/sts_service_test.go
+++ b/weed/iam/sts/sts_service_test.go
@@ -95,7 +95,7 @@ func TestAssumeRoleWithWebIdentity(t *testing.T) {
}{
{
name: "successful role assumption",
- roleArn: "arn:seaweed:iam::role/TestRole",
+ roleArn: "arn:aws:iam::role/TestRole",
webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user-id"),
sessionName: "test-session",
durationSeconds: nil, // Use default
@@ -104,21 +104,21 @@ func TestAssumeRoleWithWebIdentity(t *testing.T) {
},
{
name: "invalid web identity token",
- roleArn: "arn:seaweed:iam::role/TestRole",
+ roleArn: "arn:aws:iam::role/TestRole",
webIdentityToken: "invalid-token",
sessionName: "test-session",
wantErr: true,
},
{
name: "non-existent role",
- roleArn: "arn:seaweed:iam::role/NonExistentRole",
+ roleArn: "arn:aws:iam::role/NonExistentRole",
webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
sessionName: "test-session",
wantErr: true,
},
{
name: "custom session duration",
- roleArn: "arn:seaweed:iam::role/TestRole",
+ roleArn: "arn:aws:iam::role/TestRole",
webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
sessionName: "test-session",
durationSeconds: int64Ptr(7200), // 2 hours
@@ -182,7 +182,7 @@ func TestAssumeRoleWithLDAP(t *testing.T) {
}{
{
name: "successful LDAP role assumption",
- roleArn: "arn:seaweed:iam::role/LDAPRole",
+ roleArn: "arn:aws:iam::role/LDAPRole",
username: "testuser",
password: "testpass",
sessionName: "ldap-session",
@@ -190,7 +190,7 @@ func TestAssumeRoleWithLDAP(t *testing.T) {
},
{
name: "invalid LDAP credentials",
- roleArn: "arn:seaweed:iam::role/LDAPRole",
+ roleArn: "arn:aws:iam::role/LDAPRole",
username: "testuser",
password: "wrongpass",
sessionName: "ldap-session",
@@ -231,7 +231,7 @@ func TestSessionTokenValidation(t *testing.T) {
// First, create a session
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
RoleSessionName: "test-session",
}
@@ -275,7 +275,7 @@ func TestSessionTokenValidation(t *testing.T) {
assert.NoError(t, err)
assert.NotNil(t, session)
assert.Equal(t, "test-session", session.SessionName)
- assert.Equal(t, "arn:seaweed:iam::role/TestRole", session.RoleArn)
+ assert.Equal(t, "arn:aws:iam::role/TestRole", session.RoleArn)
}
})
}
@@ -289,7 +289,7 @@ func TestSessionTokenPersistence(t *testing.T) {
// Create a session first
request := &AssumeRoleWithWebIdentityRequest{
- RoleArn: "arn:seaweed:iam::role/TestRole",
+ RoleArn: "arn:aws:iam::role/TestRole",
WebIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
RoleSessionName: "test-session",
}
diff --git a/weed/iam/sts/token_utils.go b/weed/iam/sts/token_utils.go
index 07c195326..3091ac519 100644
--- a/weed/iam/sts/token_utils.go
+++ b/weed/iam/sts/token_utils.go
@@ -207,11 +207,11 @@ func GenerateSessionId() (string, error) {
// generateAssumedRoleArn generates the ARN for an assumed role user
func GenerateAssumedRoleArn(roleArn, sessionName string) string {
// Convert role ARN to assumed role user ARN
- // arn:seaweed:iam::role/RoleName -> arn:seaweed:sts::assumed-role/RoleName/SessionName
+ // arn:aws:iam::role/RoleName -> arn:aws:sts::assumed-role/RoleName/SessionName
roleName := utils.ExtractRoleNameFromArn(roleArn)
if roleName == "" {
// This should not happen if validation is done properly upstream
- return fmt.Sprintf("arn:seaweed:sts::assumed-role/INVALID-ARN/%s", sessionName)
+ return fmt.Sprintf("arn:aws:sts::assumed-role/INVALID-ARN/%s", sessionName)
}
- return fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleName, sessionName)
+ return fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, sessionName)
}
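Review bot: The doc comment still names `generateAssumedRoleArn` while the function is exported as `GenerateAssumedRoleArn`, so godoc will not attach it; it should read `// GenerateAssumedRoleArn builds the assumed-role user ARN for roleArn and sessionName.` Beyond the name, the fallback branch manufactures a syntactically plausible ARN containing `INVALID-ARN` instead of surfacing the failure, and because the function returns only a string that value can propagate into whatever session record or policy evaluation consumes it; the comment already concedes this "should not happen", so it is worth at least documenting that callers must validate roleArn first, or logging when the branch is hit, since changing the signature to return an error would affect callers outside this hunk. As in sts_service.go, the emitted `arn:aws:sts::assumed-role/...` form carries no account segment, which is presumably intentional for this deployment but diverges from the AWS layout the new partition name suggests.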