| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 |
- package sts
- import (
- "context"
- "fmt"
- "strings"
- "github.com/seaweedfs/seaweedfs/weed/iam/providers"
- )
- // MockTrustPolicyValidator is a simple mock for testing STS functionality
- type MockTrustPolicyValidator struct{}
- // ValidateTrustPolicyForWebIdentity allows valid JWT test tokens for STS testing
- func (m *MockTrustPolicyValidator) ValidateTrustPolicyForWebIdentity(ctx context.Context, roleArn string, webIdentityToken string) error {
- // Reject non-existent roles for testing
- if strings.Contains(roleArn, "NonExistentRole") {
- return fmt.Errorf("trust policy validation failed: role does not exist")
- }
- // For STS unit tests, allow JWT tokens that look valid (contain dots for JWT structure)
- // In real implementation, this would validate against actual trust policies
- if len(webIdentityToken) > 20 && strings.Count(webIdentityToken, ".") >= 2 {
- // This appears to be a JWT token - allow it for testing
- return nil
- }
- // Legacy support for specific test tokens during migration
- if webIdentityToken == "valid_test_token" || webIdentityToken == "valid-oidc-token" {
- return nil
- }
- // Reject invalid tokens
- if webIdentityToken == "invalid_token" || webIdentityToken == "expired_token" || webIdentityToken == "invalid-token" {
- return fmt.Errorf("trust policy denies token")
- }
- return nil
- }
- // ValidateTrustPolicyForCredentials allows valid test identities for STS testing
- func (m *MockTrustPolicyValidator) ValidateTrustPolicyForCredentials(ctx context.Context, roleArn string, identity *providers.ExternalIdentity) error {
- // Reject non-existent roles for testing
- if strings.Contains(roleArn, "NonExistentRole") {
- return fmt.Errorf("trust policy validation failed: role does not exist")
- }
- // For STS unit tests, allow test identities
- if identity != nil && identity.UserID != "" {
- return nil
- }
- return fmt.Errorf("invalid identity for role assumption")
- }
|
