From 2f1ee25f504c199876299906375ff2ad7724ebce Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Thu, 28 Oct 2021 09:05:51 -0700
Subject: [PATCH] Add test for AssumeRole with internal IDP (#13527)

---
 cmd/sts-handlers_test.go | 130 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 cmd/sts-handlers_test.go

diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
new file mode 100644
index 000000000..4f36c2407
--- /dev/null
+++ b/cmd/sts-handlers_test.go
@@ -0,0 +1,130 @@
+// Copyright (c) 2015-2021 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package cmd
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/minio/madmin-go"
+ minio "github.com/minio/minio-go/v7"
+ cr "github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+func runAllIAMSTSTests(suite *TestSuiteIAM, c *check) {
+ suite.SetUpSuite(c)
+ suite.TestSTS(c)
+ suite.TearDownSuite(c)
+}
+
+func TestIAMInternalIDPSTSServerSuite(t *testing.T) {
+ testCases := []*TestSuiteIAM{
+ // Init and run test on FS backend with signature v4.
+ newTestSuiteIAM(TestSuiteCommon{serverType: "FS", signer: signerV4}),
+ // Init and run test on FS backend, with tls enabled.
+ newTestSuiteIAM(TestSuiteCommon{serverType: "FS", signer: signerV4, secure: true}),
+ // Init and run test on Erasure backend.
+ newTestSuiteIAM(TestSuiteCommon{serverType: "Erasure", signer: signerV4}),
+ // Init and run test on ErasureSet backend.
+ newTestSuiteIAM(TestSuiteCommon{serverType: "ErasureSet", signer: signerV4}),
+ }
+ for i, testCase := range testCases {
+ t.Run(fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.serverType), func(t *testing.T) {
+ runAllIAMSTSTests(testCase, &check{t, testCase.serverType})
+ })
+ }
+}
+
+func (s *TestSuiteIAM) TestSTS(c *check) {
+ ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
+ defer cancel()
+
+ bucket := getRandomBucketName()
+ err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
+ if err != nil {
+ c.Fatalf("bucket creat error: %v", err)
+ }
+
+ // Create policy, user and associate policy
+ policy := "mypolicy"
+ policyBytes := []byte(fmt.Sprintf(`{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:aws:s3:::%s/*"
+ ]
+ }
+ ]
+}`, bucket))
+ err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)
+ if err != nil {
+ c.Fatalf("policy add error: %v", err)
+ }
+
+ accessKey, secretKey := mustGenerateCredentials(c)
+ err = s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
+ if err != nil {
+ c.Fatalf("Unable to set user: %v", err)
+ }
+
+ err = s.adm.SetPolicy(ctx, policy, accessKey, false)
+ if err != nil {
+ c.Fatalf("Unable to set policy: %v", err)
+ }
+
+ assumeRole := cr.STSAssumeRole{
+ Client: s.TestSuiteCommon.client,
+ STSEndpoint: s.endPoint,
+ Options: cr.STSAssumeRoleOptions{
+ AccessKey: accessKey,
+ SecretKey: secretKey,
+ Location: "",
+ },
+ }
+
+ value, err := assumeRole.Retrieve()
+ if err != nil {
+ c.Fatalf("err calling assumeRole: %v", err)
+ }
+
+ minioClient, err := minio.New(s.endpoint, &minio.Options{
+ Creds: cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+ Secure: s.secure,
+ Transport: s.TestSuiteCommon.client.Transport,
+ })
+ if err != nil {
+ c.Fatalf("Error initializing client: %v", err)
+ }
+
+ // Validate that the client from sts creds can access the bucket.
+ c.mustListObjects(ctx, minioClient, bucket)
+
+ // Validate that the client cannot remove any objects
+ err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{})
+ if err.Error() != "Access Denied." {
+ c.Fatalf("unexpected non-access-denied err: %v", err)
+ }
+}
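Review bot: The final `if err.Error() != "Access Denied."` in TestSTS dereferences err without a nil check, so if RemoveObject unexpectedly succeeds — exactly the regression this negative test exists to catch, a policy or STS change that grants delete to the assumed-role credentials — the test panics on a nil pointer instead of reporting a clear failure; guard it with `if err == nil || err.Error() != "Access Denied." {`. Matching the human-readable message is also brittle across minio-go versions; comparing the structured code, `minio.ToErrorResponse(err).Code != "AccessDenied"`, is more robust. The positive side only verifies listing, so the s3:PutObject and s3:GetObject grants in the canned policy go unexercised; a put followed by a get through minioClient would pin them. Minor: the MakeBucket failure message reads `bucket creat error`.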