package policy_engine import ( "net/http" "net/url" "testing" "github.com/seaweedfs/seaweedfs/weed/s3api/s3err" ) func TestPolicyEngine(t *testing.T) { engine := NewPolicyEngine() // Test policy JSON policyJSON := `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": ["arn:aws:s3:::test-bucket/*"] }, { "Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": ["arn:aws:s3:::test-bucket/*"], "Condition": { "StringEquals": { "s3:RequestMethod": ["DELETE"] } } } ] }` // Set bucket policy err := engine.SetBucketPolicy("test-bucket", policyJSON) if err != nil { t.Fatalf("Failed to set bucket policy: %v", err) } // Test Allow case args := &PolicyEvaluationArgs{ Action: "s3:GetObject", Resource: "arn:aws:s3:::test-bucket/test-object", Principal: "user1", Conditions: map[string][]string{}, } result := engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultAllow { t.Errorf("Expected Allow, got %v", result) } // Test Deny case args = &PolicyEvaluationArgs{ Action: "s3:DeleteObject", Resource: "arn:aws:s3:::test-bucket/test-object", Principal: "user1", Conditions: map[string][]string{ "s3:RequestMethod": {"DELETE"}, }, } result = engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultDeny { t.Errorf("Expected Deny, got %v", result) } // Test non-matching action args = &PolicyEvaluationArgs{ Action: "s3:ListBucket", Resource: "arn:aws:s3:::test-bucket", Principal: "user1", Conditions: map[string][]string{}, } result = engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultDeny { t.Errorf("Expected Deny for non-matching action, got %v", result) } // Test GetBucketPolicy policy, err := engine.GetBucketPolicy("test-bucket") if err != nil { t.Fatalf("Failed to get bucket policy: %v", err) } if policy.Version != "2012-10-17" { t.Errorf("Expected version 2012-10-17, got %s", policy.Version) } // Test DeleteBucketPolicy err = engine.DeleteBucketPolicy("test-bucket") if err != nil { t.Fatalf("Failed to delete bucket policy: %v", err) } // Test policy is gone result = engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultIndeterminate { t.Errorf("Expected Indeterminate after policy deletion, got %v", result) } } func TestConditionEvaluators(t *testing.T) { tests := []struct { name string operator string conditionValue interface{} contextValues []string expected bool }{ { name: "StringEquals - match", operator: "StringEquals", conditionValue: "test-value", contextValues: []string{"test-value"}, expected: true, }, { name: "StringEquals - no match", operator: "StringEquals", conditionValue: "test-value", contextValues: []string{"other-value"}, expected: false, }, { name: "StringLike - wildcard match", operator: "StringLike", conditionValue: "test-*", contextValues: []string{"test-value"}, expected: true, }, { name: "StringLike - wildcard no match", operator: "StringLike", conditionValue: "test-*", contextValues: []string{"other-value"}, expected: false, }, { name: "NumericEquals - match", operator: "NumericEquals", conditionValue: "42", contextValues: []string{"42"}, expected: true, }, { name: "NumericLessThan - match", operator: "NumericLessThan", conditionValue: "100", contextValues: []string{"50"}, expected: true, }, { name: "NumericLessThan - no match", operator: "NumericLessThan", conditionValue: "100", contextValues: []string{"150"}, expected: false, }, { name: "IpAddress - CIDR match", operator: "IpAddress", conditionValue: "192.168.1.0/24", contextValues: []string{"192.168.1.100"}, expected: true, }, { name: "IpAddress - CIDR no match", operator: "IpAddress", conditionValue: "192.168.1.0/24", contextValues: []string{"10.0.0.1"}, expected: false, }, { name: "Bool - true match", operator: "Bool", conditionValue: "true", contextValues: []string{"true"}, expected: true, }, { name: "Bool - false match", operator: "Bool", conditionValue: "false", contextValues: []string{"false"}, expected: true, }, { name: "Bool - no match", operator: "Bool", conditionValue: "true", contextValues: []string{"false"}, expected: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { evaluator, err := GetConditionEvaluator(tt.operator) if err != nil { t.Fatalf("Failed to get condition evaluator: %v", err) } result := evaluator.Evaluate(tt.conditionValue, tt.contextValues) if result != tt.expected { t.Errorf("Expected %v, got %v", tt.expected, result) } }) } } func TestConvertIdentityToPolicy(t *testing.T) { identityActions := []string{ "Read:bucket1/*", "Write:bucket1/*", "Admin:bucket2", } policy, err := ConvertIdentityToPolicy(identityActions, "bucket1") if err != nil { t.Fatalf("Failed to convert identity to policy: %v", err) } if policy.Version != "2012-10-17" { t.Errorf("Expected version 2012-10-17, got %s", policy.Version) } if len(policy.Statement) != 3 { t.Errorf("Expected 3 statements, got %d", len(policy.Statement)) } // Check first statement (Read) stmt := policy.Statement[0] if stmt.Effect != PolicyEffectAllow { t.Errorf("Expected Allow effect, got %s", stmt.Effect) } actions := normalizeToStringSlice(stmt.Action) if len(actions) != 3 { t.Errorf("Expected 3 read actions, got %d", len(actions)) } resources := normalizeToStringSlice(stmt.Resource) if len(resources) != 2 { t.Errorf("Expected 2 resources, got %d", len(resources)) } } func TestPolicyValidation(t *testing.T) { tests := []struct { name string policyJSON string expectError bool }{ { name: "Valid policy", policyJSON: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket/*" } ] }`, expectError: false, }, { name: "Invalid version", policyJSON: `{ "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket/*" } ] }`, expectError: true, }, { name: "Missing action", policyJSON: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:s3:::test-bucket/*" } ] }`, expectError: true, }, { name: "Invalid JSON", policyJSON: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket/*" } ] }extra`, expectError: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { _, err := ParsePolicy(tt.policyJSON) if (err != nil) != tt.expectError { t.Errorf("Expected error: %v, got error: %v", tt.expectError, err) } }) } } func TestPatternMatching(t *testing.T) { tests := []struct { name string pattern string value string expected bool }{ { name: "Exact match", pattern: "s3:GetObject", value: "s3:GetObject", expected: true, }, { name: "Wildcard match", pattern: "s3:Get*", value: "s3:GetObject", expected: true, }, { name: "Wildcard no match", pattern: "s3:Put*", value: "s3:GetObject", expected: false, }, { name: "Full wildcard", pattern: "*", value: "anything", expected: true, }, { name: "Question mark wildcard", pattern: "s3:GetObjec?", value: "s3:GetObject", expected: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { compiled, err := compilePattern(tt.pattern) if err != nil { t.Fatalf("Failed to compile pattern %s: %v", tt.pattern, err) } result := compiled.MatchString(tt.value) if result != tt.expected { t.Errorf("Pattern %s against %s: expected %v, got %v", tt.pattern, tt.value, tt.expected, result) } }) } } func TestExtractConditionValuesFromRequest(t *testing.T) { // Create a test request req := &http.Request{ Method: "GET", URL: &url.URL{ Path: "/test-bucket/test-object", RawQuery: "prefix=test&delimiter=/", }, Header: map[string][]string{ "User-Agent": {"test-agent"}, "X-Amz-Copy-Source": {"source-bucket/source-object"}, }, RemoteAddr: "192.168.1.100:12345", } values := ExtractConditionValuesFromRequest(req) // Check extracted values if len(values["aws:SourceIp"]) != 1 || values["aws:SourceIp"][0] != "192.168.1.100" { t.Errorf("Expected SourceIp to be 192.168.1.100, got %v", values["aws:SourceIp"]) } if len(values["aws:UserAgent"]) != 1 || values["aws:UserAgent"][0] != "test-agent" { t.Errorf("Expected UserAgent to be test-agent, got %v", values["aws:UserAgent"]) } if len(values["s3:prefix"]) != 1 || values["s3:prefix"][0] != "test" { t.Errorf("Expected prefix to be test, got %v", values["s3:prefix"]) } if len(values["s3:delimiter"]) != 1 || values["s3:delimiter"][0] != "/" { t.Errorf("Expected delimiter to be /, got %v", values["s3:delimiter"]) } if len(values["s3:RequestMethod"]) != 1 || values["s3:RequestMethod"][0] != "GET" { t.Errorf("Expected RequestMethod to be GET, got %v", values["s3:RequestMethod"]) } if len(values["x-amz-copy-source"]) != 1 || values["x-amz-copy-source"][0] != "source-bucket/source-object" { t.Errorf("Expected X-Amz-Copy-Source header to be extracted, got %v", values["x-amz-copy-source"]) } // Check that aws:CurrentTime is properly set if len(values["aws:CurrentTime"]) != 1 { t.Errorf("Expected aws:CurrentTime to be set, got %v", values["aws:CurrentTime"]) } // Check that aws:RequestTime is still available for backward compatibility if len(values["aws:RequestTime"]) != 1 { t.Errorf("Expected aws:RequestTime to be set for backward compatibility, got %v", values["aws:RequestTime"]) } } func TestPolicyEvaluationWithConditions(t *testing.T) { engine := NewPolicyEngine() // Policy with IP condition policyJSON := `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "192.168.1.0/24" } } } ] }` err := engine.SetBucketPolicy("test-bucket", policyJSON) if err != nil { t.Fatalf("Failed to set bucket policy: %v", err) } // Test matching IP args := &PolicyEvaluationArgs{ Action: "s3:GetObject", Resource: "arn:aws:s3:::test-bucket/test-object", Principal: "user1", Conditions: map[string][]string{ "aws:SourceIp": {"192.168.1.100"}, }, } result := engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultAllow { t.Errorf("Expected Allow for matching IP, got %v", result) } // Test non-matching IP args.Conditions["aws:SourceIp"] = []string{"10.0.0.1"} result = engine.EvaluatePolicy("test-bucket", args) if result != PolicyResultDeny { t.Errorf("Expected Deny for non-matching IP, got %v", result) } } func TestResourceArn(t *testing.T) { tests := []struct { name string bucketName string objectName string expected string }{ { name: "Bucket only", bucketName: "test-bucket", objectName: "", expected: "arn:aws:s3:::test-bucket", }, { name: "Bucket and object", bucketName: "test-bucket", objectName: "test-object", expected: "arn:aws:s3:::test-bucket/test-object", }, { name: "Bucket and nested object", bucketName: "test-bucket", objectName: "folder/subfolder/test-object", expected: "arn:aws:s3:::test-bucket/folder/subfolder/test-object", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := BuildResourceArn(tt.bucketName, tt.objectName) if result != tt.expected { t.Errorf("Expected %s, got %s", tt.expected, result) } }) } } func TestActionConversion(t *testing.T) { tests := []struct { name string action string expected string }{ { name: "Already has s3 prefix", action: "s3:GetObject", expected: "s3:GetObject", }, { name: "Add s3 prefix", action: "GetObject", expected: "s3:GetObject", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := BuildActionName(tt.action) if result != tt.expected { t.Errorf("Expected %s, got %s", tt.expected, result) } }) } } func TestPolicyEngineForRequest(t *testing.T) { engine := NewPolicyEngine() // Set up a policy policyJSON := `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-bucket/*", "Condition": { "StringEquals": { "s3:RequestMethod": "GET" } } } ] }` err := engine.SetBucketPolicy("test-bucket", policyJSON) if err != nil { t.Fatalf("Failed to set bucket policy: %v", err) } // Create test request req := &http.Request{ Method: "GET", URL: &url.URL{ Path: "/test-bucket/test-object", }, Header: make(map[string][]string), RemoteAddr: "192.168.1.100:12345", } // Test the request result := engine.EvaluatePolicyForRequest("test-bucket", "test-object", "GetObject", "user1", req) if result != PolicyResultAllow { t.Errorf("Expected Allow for matching request, got %v", result) } } func TestWildcardMatching(t *testing.T) { tests := []struct { name string pattern string str string expected bool }{ { name: "Exact match", pattern: "test", str: "test", expected: true, }, { name: "Single wildcard", pattern: "*", str: "anything", expected: true, }, { name: "Prefix wildcard", pattern: "test*", str: "test123", expected: true, }, { name: "Suffix wildcard", pattern: "*test", str: "123test", expected: true, }, { name: "Middle wildcard", pattern: "test*123", str: "testABC123", expected: true, }, { name: "No match", pattern: "test*", str: "other", expected: false, }, { name: "Multiple wildcards", pattern: "test*abc*123", str: "testXYZabcDEF123", expected: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := MatchesWildcard(tt.pattern, tt.str) if result != tt.expected { t.Errorf("Pattern %s against %s: expected %v, got %v", tt.pattern, tt.str, tt.expected, result) } }) } } func TestCompilePolicy(t *testing.T) { policyJSON := `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::test-bucket/*" } ] }` policy, err := ParsePolicy(policyJSON) if err != nil { t.Fatalf("Failed to parse policy: %v", err) } compiled, err := CompilePolicy(policy) if err != nil { t.Fatalf("Failed to compile policy: %v", err) } if len(compiled.Statements) != 1 { t.Errorf("Expected 1 compiled statement, got %d", len(compiled.Statements)) } stmt := compiled.Statements[0] if len(stmt.ActionPatterns) != 2 { t.Errorf("Expected 2 action patterns, got %d", len(stmt.ActionPatterns)) } if len(stmt.ResourcePatterns) != 1 { t.Errorf("Expected 1 resource pattern, got %d", len(stmt.ResourcePatterns)) } } // TestNewPolicyBackedIAMWithLegacy tests the constructor overload func TestNewPolicyBackedIAMWithLegacy(t *testing.T) { // Mock legacy IAM mockLegacyIAM := &MockLegacyIAM{} // Test the new constructor policyBackedIAM := NewPolicyBackedIAMWithLegacy(mockLegacyIAM) // Verify that the legacy IAM is set if policyBackedIAM.legacyIAM != mockLegacyIAM { t.Errorf("Expected legacy IAM to be set, but it wasn't") } // Verify that the policy engine is initialized if policyBackedIAM.policyEngine == nil { t.Errorf("Expected policy engine to be initialized, but it wasn't") } // Compare with the traditional approach traditionalIAM := NewPolicyBackedIAM() traditionalIAM.SetLegacyIAM(mockLegacyIAM) // Both should behave the same if policyBackedIAM.legacyIAM != traditionalIAM.legacyIAM { t.Errorf("Expected both approaches to result in the same legacy IAM") } } // MockLegacyIAM implements the LegacyIAM interface for testing type MockLegacyIAM struct{} func (m *MockLegacyIAM) authRequest(r *http.Request, action Action) (Identity, s3err.ErrorCode) { return nil, s3err.ErrNone }