MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/pkg/iam/policy/statement_test.go

468 lines
12 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
package iampolicy
import (
"encoding/json"
"net"
"reflect"
"testing"
Rename pkg/{tagging,lifecycle} to pkg/bucket sub-directory (#8892) Rename to allow for more such features to come in a more proper hierarchical manner.
2020-01-27 17:12:34 -05:00
"github.com/minio/minio/pkg/bucket/policy"
"github.com/minio/minio/pkg/bucket/policy/condition"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
)
func TestStatementIsAllowed(t *testing.T) {
case1Statement := NewStatement(
policy.Allow,
NewActionSet(GetBucketLocationAction, PutObjectAction),
NewResourceSet(NewResource("*", "")),
condition.NewFunctions(),
)
case2Statement := NewStatement(
policy.Allow,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(),
)
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
func1, err := condition.NewIPAddressFunc(
condition.AWSSourceIP,
IPNet1,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case3Statement := NewStatement(
policy.Allow,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(func1),
)
case4Statement := NewStatement(
policy.Deny,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(func1),
)
anonGetBucketLocationArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: GetBucketLocationAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{},
}
anonPutObjectActionArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: PutObjectAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{
"x-amz-copy-source": {"mybucket/myobject"},
"SourceIp": {"192.168.1.10"},
},
ObjectName: "myobject",
}
anonGetObjectActionArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: GetObjectAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{},
ObjectName: "myobject",
}
getBucketLocationArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: GetBucketLocationAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{},
}
putObjectActionArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: PutObjectAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{
"x-amz-copy-source": {"mybucket/myobject"},
"SourceIp": {"192.168.1.10"},
},
ObjectName: "myobject",
}
getObjectActionArgs := Args{
AccountName: "Q3AM3UQ867SPQQA43P2F",
Action: GetObjectAction,
BucketName: "mybucket",
ConditionValues: map[string][]string{},
ObjectName: "myobject",
}
testCases := []struct {
statement Statement
args Args
expectedResult bool
}{
{case1Statement, anonGetBucketLocationArgs, true},
{case1Statement, anonPutObjectActionArgs, true},
{case1Statement, anonGetObjectActionArgs, false},
{case1Statement, getBucketLocationArgs, true},
{case1Statement, putObjectActionArgs, true},
{case1Statement, getObjectActionArgs, false},
{case2Statement, anonGetBucketLocationArgs, false},
{case2Statement, anonPutObjectActionArgs, true},
{case2Statement, anonGetObjectActionArgs, true},
{case2Statement, getBucketLocationArgs, false},
{case2Statement, putObjectActionArgs, true},
{case2Statement, getObjectActionArgs, true},
{case3Statement, anonGetBucketLocationArgs, false},
{case3Statement, anonPutObjectActionArgs, true},
{case3Statement, anonGetObjectActionArgs, false},
{case3Statement, getBucketLocationArgs, false},
{case3Statement, putObjectActionArgs, true},
{case3Statement, getObjectActionArgs, false},
{case4Statement, anonGetBucketLocationArgs, true},
{case4Statement, anonPutObjectActionArgs, false},
{case4Statement, anonGetObjectActionArgs, true},
{case4Statement, getBucketLocationArgs, true},
{case4Statement, putObjectActionArgs, false},
{case4Statement, getObjectActionArgs, true},
}
for i, testCase := range testCases {
result := testCase.statement.IsAllowed(testCase.args)
if result != testCase.expectedResult {
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
}
}
}
func TestStatementIsValid(t *testing.T) {
_, IPNet1, err := net.ParseCIDR("192.168.1.0/24")
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
func1, err := condition.NewIPAddressFunc(
condition.AWSSourceIP,
IPNet1,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
func2, err := condition.NewStringEqualsFunc(
condition.S3XAmzCopySource,
"mybucket/myobject",
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 05:03:18 -05:00
func3, err := condition.NewStringEqualsFunc(
condition.AWSUserAgent,
"NSPlayer",
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
testCases := []struct {
statement Statement
expectErr bool
}{
// Invalid effect error.
{NewStatement(
policy.Effect("foo"),
NewActionSet(GetBucketLocationAction, PutObjectAction),
NewResourceSet(NewResource("*", "")),
condition.NewFunctions(),
), true},
// Empty actions error.
{NewStatement(
policy.Allow,
NewActionSet(),
NewResourceSet(NewResource("*", "")),
condition.NewFunctions(),
), true},
// Empty resources error.
{NewStatement(
policy.Allow,
NewActionSet(GetBucketLocationAction, PutObjectAction),
NewResourceSet(),
condition.NewFunctions(),
), true},
// Unsupported conditions for GetObject
{NewStatement(
policy.Allow,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "myobject*")),
condition.NewFunctions(func1, func2),
), true},
{NewStatement(
policy.Allow,
NewActionSet(GetBucketLocationAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "myobject*")),
condition.NewFunctions(),
), false},
{NewStatement(
policy.Allow,
NewActionSet(GetBucketLocationAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "")),
condition.NewFunctions(),
), false},
{NewStatement(
policy.Deny,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "myobject*")),
condition.NewFunctions(func1),
), false},
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 05:03:18 -05:00
{NewStatement(
policy.Allow,
NewActionSet(CreateUserAdminAction, DeleteUserAdminAction),
nil,
condition.NewFunctions(func2, func3),
), true},
{NewStatement(
policy.Allow,
NewActionSet(CreateUserAdminAction, DeleteUserAdminAction),
nil,
condition.NewFunctions(),
), false},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}
for i, testCase := range testCases {
err := testCase.statement.isValid()
expectErr := (err != nil)
if expectErr != testCase.expectErr {
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
}
}
}
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
func TestStatementUnmarshalJSONAndValidate(t *testing.T) {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
case1Data := []byte(`{
"Sid": "SomeId1",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket/myobject*"
}`)
case1Statement := NewStatement(
policy.Allow,
NewActionSet(PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(),
)
case1Statement.SID = "SomeId1"
case2Data := []byte(`{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket/myobject*",
"Condition": {
"Null": {
"s3:x-amz-copy-source": true
}
}
}`)
func1, err := condition.NewNullFunc(
condition.S3XAmzCopySource,
true,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case2Statement := NewStatement(
policy.Allow,
NewActionSet(PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(func1),
)
case3Data := []byte(`{
"Effect": "Deny",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/myobject*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "false"
}
}
}`)
func2, err := condition.NewNullFunc(
condition.S3XAmzServerSideEncryption,
false,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case3Statement := NewStatement(
policy.Deny,
NewActionSet(PutObjectAction, GetObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(func2),
)
case4Data := []byte(`{
"Effect": "Allow",
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
"Action": "s3:PutObjec,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
"Resource": "arn:aws:s3:::mybucket/myobject*"
}`)
case5Data := []byte(`{
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket/myobject*"
}`)
case7Data := []byte(`{
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucket/myobject*"
}`)
case8Data := []byte(`{
"Effect": "Allow",
"Action": "s3:PutObject"
}`)
case9Data := []byte(`{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::mybucket/myobject*",
"Condition": {
}
}`)
case10Data := []byte(`{
"Effect": "Deny",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/myobject*",
"Condition": {
"StringEquals": {
"s3:x-amz-copy-source": "yourbucket/myobject*"
}
}
}`)
testCases := []struct {
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
data []byte
expectedResult Statement
expectUnmarshalErr bool
expectValidationErr bool
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}{
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case1Data, case1Statement, false, false},
{case2Data, case2Statement, false, false},
{case3Data, case3Statement, false, false},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// JSON unmarshaling error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case4Data, Statement{}, true, true},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Invalid effect error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case5Data, Statement{}, false, true},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Empty action error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case7Data, Statement{}, false, true},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Empty resource error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case8Data, Statement{}, false, true},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Empty condition error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case9Data, Statement{}, true, false},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Unsupported condition key error.
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
{case10Data, Statement{}, false, true},
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}
for i, testCase := range testCases {
var result Statement
expectErr := (json.Unmarshal(testCase.data, &result) != nil)
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
if expectErr != testCase.expectUnmarshalErr {
t.Fatalf("case %v: error during unmarshal: expected: %v, got: %v", i+1, testCase.expectUnmarshalErr, expectErr)
}
expectErr = (result.Validate() != nil)
if expectErr != testCase.expectValidationErr {
t.Fatalf("case %v: error during validation: expected: %v, got: %v", i+1, testCase.expectValidationErr, expectErr)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}
policy: Do not return an error for invalid value during parsing (#9442) s3:HardwareInfo was removed recently. Users having that admin action stored in the backend will have an issue starting the server. To fix this, we need to avoid returning an error in Marshal/Unmarshal when they encounter an invalid action and validate only in specific location. Currently the validation is done and in ParseConfig().
2020-05-10 13:55:28 -04:00
if !testCase.expectUnmarshalErr && !testCase.expectValidationErr {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
if !reflect.DeepEqual(result, testCase.expectedResult) {
t.Fatalf("case %v: result: expected: %v, got: %v", i+1, testCase.expectedResult, result)
}
}
}
}
func TestStatementValidate(t *testing.T) {
case1Statement := NewStatement(
policy.Allow,
NewActionSet(PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(),
)
func1, err := condition.NewNullFunc(
condition.S3XAmzCopySource,
true,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
func2, err := condition.NewNullFunc(
condition.S3XAmzServerSideEncryption,
false,
)
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case2Statement := NewStatement(
policy.Allow,
NewActionSet(GetObjectAction, PutObjectAction),
NewResourceSet(NewResource("mybucket", "myobject*")),
condition.NewFunctions(func1, func2),
)
testCases := []struct {
statement Statement
expectErr bool
}{
{case1Statement, false},
{case2Statement, true},
}
for i, testCase := range testCases {
err := testCase.statement.Validate()
expectErr := (err != nil)
if expectErr != testCase.expectErr {
t.Fatalf("case %v: error: expected: %v, got: %v", i+1, testCase.expectErr, expectErr)
}
}
}