seaweedfs/weed/iam/sts/test_utils_test.go

package sts

import (
	"context"
	"fmt"
	"strings"

	"github.com/seaweedfs/seaweedfs/weed/iam/providers"
)

// MockTrustPolicyValidator is a simple mock for testing STS functionality
type MockTrustPolicyValidator struct{}

// ValidateTrustPolicyForWebIdentity allows valid JWT test tokens for STS testing
func (m *MockTrustPolicyValidator) ValidateTrustPolicyForWebIdentity(ctx context.Context, roleArn string, webIdentityToken string) error {
	// Reject non-existent roles for testing
	if strings.Contains(roleArn, "NonExistentRole") {
		return fmt.Errorf("trust policy validation failed: role does not exist")
	}

	// For STS unit tests, allow JWT tokens that look valid (contain dots for JWT structure)
	// In real implementation, this would validate against actual trust policies
	if len(webIdentityToken) > 20 && strings.Count(webIdentityToken, ".") >= 2 {
		// This appears to be a JWT token - allow it for testing
		return nil
	}

	// Legacy support for specific test tokens during migration
	if webIdentityToken == "valid_test_token" || webIdentityToken == "valid-oidc-token" {
		return nil
	}

	// Reject invalid tokens
	if webIdentityToken == "invalid_token" || webIdentityToken == "expired_token" || webIdentityToken == "invalid-token" {
		return fmt.Errorf("trust policy denies token")
	}

	return nil
}

// ValidateTrustPolicyForCredentials allows valid test identities for STS testing
func (m *MockTrustPolicyValidator) ValidateTrustPolicyForCredentials(ctx context.Context, roleArn string, identity *providers.ExternalIdentity) error {
	// Reject non-existent roles for testing
	if strings.Contains(roleArn, "NonExistentRole") {
		return fmt.Errorf("trust policy validation failed: role does not exist")
	}

	// For STS unit tests, allow test identities
	if identity != nil && identity.UserID != "" {
		return nil
	}
	return fmt.Errorf("invalid identity for role assumption")
}