seaweedfs/weed/iamapi/iamapi_server_test.go

package iamapi

import (
	"context"
	"testing"

	"github.com/seaweedfs/seaweedfs/weed/credential"
	"github.com/seaweedfs/seaweedfs/weed/credential/memory"
	"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// newIamS3ApiConfigureForTest builds an IamS3ApiConfigure backed by a memory
// credential store and no filer. The filer-less option is fine because the
// new code only touches the filer for inline/group policies, which these
// tests don't exercise.
func newIamS3ApiConfigureForTest(t *testing.T) (*IamS3ApiConfigure, *credential.CredentialManager) {
	t.Helper()
	store := &memory.MemoryStore{}
	require.NoError(t, store.Initialize(nil, ""))
	cm := &credential.CredentialManager{Store: store}
	cfg := &IamS3ApiConfigure{
		option:            &IamServerOption{},
		credentialManager: cm,
	}
	return cfg, cm
}

func samplePolicyDocument(resource string) policy_engine.PolicyDocument {
	return policy_engine.PolicyDocument{
		Version: "2012-10-17",
		Statement: []policy_engine.PolicyStatement{
			{
				Effect:   policy_engine.PolicyEffectAllow,
				Action:   policy_engine.NewStringOrStringSlice("s3:Get*"),
				Resource: policy_engine.NewStringOrStringSlicePtr(resource),
			},
		},
	}
}

// TestPutPoliciesCreatesInCredentialStore is the regression test for
// https://github.com/seaweedfs/seaweedfs/issues/9518: the IAM API used to
// write managed policies straight to the filer, bypassing any non-filer
// credential store (e.g. postgres). After the fix, a new policy passed to
// PutPolicies must show up in the credential store.
func TestPutPoliciesCreatesInCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	doc := samplePolicyDocument("arn:aws:s3:::bucket-a")
	require.NoError(t, cfg.PutPolicies(&Policies{
		Policies: map[string]policy_engine.PolicyDocument{"policy-a": doc},
	}))

	stored, err := cm.GetPolicies(ctx)
	require.NoError(t, err)
	require.Contains(t, stored, "policy-a")
	assert.Equal(t, doc, stored["policy-a"])
}

// TestGetPoliciesReadsFromCredentialStore mirrors the read side of the bug:
// ListPolicies / GetPolicy via the IAM API used to read only the filer file
// and therefore missed policies that the Admin UI had written to the store.
func TestGetPoliciesReadsFromCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	doc := samplePolicyDocument("arn:aws:s3:::bucket-b")
	require.NoError(t, cm.CreatePolicy(ctx, "policy-b", doc))

	loaded := Policies{}
	require.NoError(t, cfg.GetPolicies(&loaded))
	require.Contains(t, loaded.Policies, "policy-b")
	assert.Equal(t, doc, loaded.Policies["policy-b"])
}

// TestPutPoliciesDeletesRemovedFromCredentialStore makes sure the delta path
// translates an in-memory deletion (the pattern the DeletePolicy handler
// uses) into a credential-store DeletePolicy call.
func TestPutPoliciesDeletesRemovedFromCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	keep := samplePolicyDocument("arn:aws:s3:::keep")
	drop := samplePolicyDocument("arn:aws:s3:::drop")
	require.NoError(t, cm.CreatePolicy(ctx, "keep", keep))
	require.NoError(t, cm.CreatePolicy(ctx, "drop", drop))

	// Caller fetched policies, removed "drop", and asked us to persist.
	require.NoError(t, cfg.PutPolicies(&Policies{
		Policies: map[string]policy_engine.PolicyDocument{"keep": keep},
	}))

	remaining, err := cm.GetPolicies(ctx)
	require.NoError(t, err)
	assert.Contains(t, remaining, "keep")
	assert.NotContains(t, remaining, "drop")
}

// TestPutPoliciesUpdatesChangedInCredentialStore confirms the delta also
// detects document changes for the same policy name.
func TestPutPoliciesUpdatesChangedInCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	original := samplePolicyDocument("arn:aws:s3:::v1")
	require.NoError(t, cm.CreatePolicy(ctx, "p", original))

	updated := samplePolicyDocument("arn:aws:s3:::v2")
	require.NoError(t, cfg.PutPolicies(&Policies{
		Policies: map[string]policy_engine.PolicyDocument{"p": updated},
	}))

	stored, err := cm.GetPolicy(ctx, "p")
	require.NoError(t, err)
	require.NotNil(t, stored)
	assert.Equal(t, updated, *stored)
}

// TestPutPoliciesRoutesUserInlineThroughCredentialStore is the second half of
// the #9518 fix: per-user inline policies created via the IAM API must land
// in the credential store (so postgres users have a single source of truth)
// rather than in the filer bundle.
func TestPutPoliciesRoutesUserInlineThroughCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	doc := samplePolicyDocument("arn:aws:s3:::user-bucket")
	require.NoError(t, cfg.PutPolicies(&Policies{
		InlinePolicies: map[string]map[string]policy_engine.PolicyDocument{
			"alice": {"inline-1": doc},
		},
	}))

	stored, err := cm.GetUserInlinePolicy(ctx, "alice", "inline-1")
	require.NoError(t, err)
	require.NotNil(t, stored)
	assert.Equal(t, doc, *stored)
}

// TestPutPoliciesDeletesRemovedUserInline mirrors the deletion side. The
// DeleteUserPolicy handler removes the entry from the in-memory map and calls
// PutPolicies; the delta must call DeleteUserInlinePolicy.
func TestPutPoliciesDeletesRemovedUserInline(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	keep := samplePolicyDocument("arn:aws:s3:::keep")
	drop := samplePolicyDocument("arn:aws:s3:::drop")
	require.NoError(t, cm.PutUserInlinePolicy(ctx, "bob", "keep", keep))
	require.NoError(t, cm.PutUserInlinePolicy(ctx, "bob", "drop", drop))

	require.NoError(t, cfg.PutPolicies(&Policies{
		InlinePolicies: map[string]map[string]policy_engine.PolicyDocument{
			"bob": {"keep": keep},
		},
	}))

	remaining, err := cm.ListUserInlinePolicies(ctx, "bob")
	require.NoError(t, err)
	assert.ElementsMatch(t, []string{"keep"}, remaining)
}

// TestPutPoliciesRoutesGroupInlineThroughCredentialStore confirms group-attached
// inline policies also persist via the credential manager rather than the
// shared filer bundle.
func TestPutPoliciesRoutesGroupInlineThroughCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	doc := samplePolicyDocument("arn:aws:s3:::group-bucket")
	require.NoError(t, cfg.PutPolicies(&Policies{
		GroupInlinePolicies: map[string]map[string]policy_engine.PolicyDocument{
			"devs": {"inline-g": doc},
		},
	}))

	stored, err := cm.GetGroupInlinePolicy(ctx, "devs", "inline-g")
	require.NoError(t, err)
	require.NotNil(t, stored)
	assert.Equal(t, doc, *stored)
}

// TestPutPoliciesDeletesRemovedGroupInline covers the deletion delta for
// group-attached inline policies.
func TestPutPoliciesDeletesRemovedGroupInline(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	keep := samplePolicyDocument("arn:aws:s3:::keep")
	drop := samplePolicyDocument("arn:aws:s3:::drop")
	require.NoError(t, cm.PutGroupInlinePolicy(ctx, "devs", "keep", keep))
	require.NoError(t, cm.PutGroupInlinePolicy(ctx, "devs", "drop", drop))

	require.NoError(t, cfg.PutPolicies(&Policies{
		GroupInlinePolicies: map[string]map[string]policy_engine.PolicyDocument{
			"devs": {"keep": keep},
		},
	}))

	remaining, err := cm.ListGroupInlinePolicies(ctx, "devs")
	require.NoError(t, err)
	assert.ElementsMatch(t, []string{"keep"}, remaining)
}

// TestPutPoliciesIsAuthoritativeWhenStoreIsNotFilerEtc is the regression test
// for the legacy-file resurrection bug: once the credential store is
// authoritative, a delete must stick across the GetPolicies fallback. We
// can't verify the legacy-file rewrite directly without a fake filer in
// the test harness, but we can verify the cm-side delta behavior: a policy
// that was deleted does not come back via cm on a subsequent fetch.
func TestPutPoliciesIsAuthoritativeWhenStoreIsNotFilerEtc(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	require.Equal(t, "memory", cm.GetStoreName(), "test depends on memory store name carveout")

	doc := samplePolicyDocument("arn:aws:s3:::vanishing")
	require.NoError(t, cfg.PutPolicies(&Policies{
		Policies: map[string]policy_engine.PolicyDocument{"will-vanish": doc},
	}))

	require.NoError(t, cfg.PutPolicies(&Policies{
		Policies: map[string]policy_engine.PolicyDocument{},
	}))

	remaining, err := cm.GetPolicies(ctx)
	require.NoError(t, err)
	assert.NotContains(t, remaining, "will-vanish")
}

// TestGetPoliciesReadsInlineAndGroupInlineFromCredentialStore confirms reads
// pull user-inline and group-inline policies from the store too, so handlers
// like ListUserPolicies / GetUserPolicy see Admin-UI writes.
func TestGetPoliciesReadsInlineAndGroupInlineFromCredentialStore(t *testing.T) {
	cfg, cm := newIamS3ApiConfigureForTest(t)
	ctx := context.Background()

	userDoc := samplePolicyDocument("arn:aws:s3:::user-data")
	groupDoc := samplePolicyDocument("arn:aws:s3:::group-data")
	require.NoError(t, cm.PutUserInlinePolicy(ctx, "carol", "u-policy", userDoc))
	require.NoError(t, cm.PutGroupInlinePolicy(ctx, "admins", "g-policy", groupDoc))

	loaded := Policies{}
	require.NoError(t, cfg.GetPolicies(&loaded))

	require.Contains(t, loaded.InlinePolicies, "carol")
	assert.Equal(t, userDoc, loaded.InlinePolicies["carol"]["u-policy"])
	require.Contains(t, loaded.GroupInlinePolicies, "admins")
	assert.Equal(t, groupDoc, loaded.GroupInlinePolicies["admins"]["g-policy"])
}