From 34b236acfa35de2c907f5176fe2ff18bab494e4f Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Thu, 23 Apr 2026 11:09:17 -0700 Subject: [PATCH] test(s3api): look up NewUser by name in CreateAccessKey collision test The memory credential store backs LoadConfiguration with a map, so the identity order is not stable across a save/load round trip. Indexing Identities[1] intermittently pointed at the owner identity and produced a spurious credential leak. --- weed/s3api/s3api_embedded_iam_test.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/weed/s3api/s3api_embedded_iam_test.go b/weed/s3api/s3api_embedded_iam_test.go index 5635dc464..124831eb9 100644 --- a/weed/s3api/s3api_embedded_iam_test.go +++ b/weed/s3api/s3api_embedded_iam_test.go @@ -1081,8 +1081,18 @@ func TestEmbeddedIamCreateAccessKeyRejectsCollision(t *testing.T) { assert.Contains(t, rr.Body.String(), "already in use") assert.NotContains(t, rr.Body.String(), ownerName, "should not leak owner name") - // Verify no credentials were added to NewUser - assert.Len(t, api.mockConfig.Identities[1].Credentials, 0) + // Verify no credentials were added to NewUser. Look up by name because the + // memory store backs LoadConfiguration with a map, so Identities order is + // not stable across a save/load round trip. + var newUser *iam_pb.Identity + for _, ident := range api.mockConfig.Identities { + if ident.Name == "NewUser" { + newUser = ident + break + } + } + require.NotNil(t, newUser, "NewUser identity should still exist") + assert.Len(t, newUser.Credentials, 0) } // TestEmbeddedIamCreateAccessKeyRejectsPartialSupply tests that supplying only