IAM | IAM Unit test

naveenpaul1 · naveenpaul1 · commit 8c499473efde · 2025-11-25T11:46:15.000+05:30
Signed-off-by: Naveen Paul &lt;napaul@redhat.com&gt;
diff --git a/src/endpoint/iam/ops/iam_list_attached_user_policies.js b/src/endpoint/iam/ops/iam_list_attached_user_policies.js
@@ -21,7 +21,7 @@ async function list_attached_user_policies(req, res) {
 
     dbg.log1('To check that we have the user we will run the IAM GET USER', params);
     iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-    await req.account_sdk.get_user(params);
+    await req.account_sdk.get_user({ username: params.username });
 
     dbg.log1('IAM LIST ATTACHED USER POLICIES (returns empty list on every request)', params);
 
diff --git a/src/endpoint/iam/ops/iam_list_groups_for_user.js b/src/endpoint/iam/ops/iam_list_groups_for_user.js
@@ -17,7 +17,7 @@ async function list_groups_for_user(req, res) {
 
     dbg.log1('To check that we have the user we will run the IAM GET USER', params);
     iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-    await req.account_sdk.get_user(params);
+    await req.account_sdk.get_user({ username: params.username });
 
     dbg.log1('IAM LIST GROUPS FOR USER (returns empty list on every request)', params);
 
diff --git a/src/endpoint/iam/ops/iam_list_mfa_devices.js b/src/endpoint/iam/ops/iam_list_mfa_devices.js
@@ -18,7 +18,7 @@ async function list_mfa_devices(req, res) {
     if (params.username !== undefined) {
         dbg.log1('To check that we have the user we will run the IAM GET USER', params);
         iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-        await req.account_sdk.get_user(params);
+        await req.account_sdk.get_user({ username: params.username });
     }
     dbg.log1('IAM LIST MFA DEVICES (returns empty list on every request)', params);
 
diff --git a/src/endpoint/iam/ops/iam_list_service_specific_credentials.js b/src/endpoint/iam/ops/iam_list_service_specific_credentials.js
@@ -18,7 +18,7 @@ async function list_service_specific_credentials(req, res) {
     if (params.username !== undefined) {
         dbg.log1('To check that we have the user we will run the IAM GET USER', params);
         iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-        await req.account_sdk.get_user(params);
+        await req.account_sdk.get_user({ username: params.username });
     }
     dbg.log1('IAM LIST SERVER SPECIFIC CREDENTIALS (returns empty list on every request)', params);
 
diff --git a/src/endpoint/iam/ops/iam_list_signing_certificates.js b/src/endpoint/iam/ops/iam_list_signing_certificates.js
@@ -20,7 +20,7 @@ async function list_signing_certificates(req, res) {
     if (params.username !== undefined) {
         dbg.log1('To check that we have the user we will run the IAM GET USER', params);
         iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-        await req.account_sdk.get_user(params);
+        await req.account_sdk.get_user({ username: params.username });
     }
     dbg.log1('IAM LIST SIGNING CERTIFICATES (returns empty list on every request)', params);
     const requesting_account_name = req.account_sdk.requesting_account.name instanceof SensitiveString ?
diff --git a/src/endpoint/iam/ops/iam_list_ssh_public_keys.js b/src/endpoint/iam/ops/iam_list_ssh_public_keys.js
@@ -19,7 +19,7 @@ async function list_ssh_public_keys(req, res) {
     if (params.username !== undefined) {
         dbg.log1('To check that we have the user we will run the IAM GET USER', params);
         iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-        await req.account_sdk.get_user(params);
+        await req.account_sdk.get_user({ username: params.username });
     }
     dbg.log1('IAM LIST SSH PUBLIC KEYS (returns empty list on every request)', params);
 
diff --git a/src/sdk/accountspace_nb.js b/src/sdk/accountspace_nb.js
@@ -63,7 +63,6 @@ class AccountSpaceNB {
     }
 
     async get_user(params, account_sdk) {
-
         const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
         return await account_sdk.rpc_client.account.get_user(params, requesting_account);
     }
diff --git a/src/server/common_services/auth_server.js b/src/server/common_services/auth_server.js
@@ -316,7 +316,7 @@ function _authorize_signature_token(req) {
     const auth_token_obj = req.auth_token;
 
     const account = _.find(system_store.data.accounts, function(acc) {
-        return acc.access_keys &&
+        return acc.access_keys && acc.access_keys.length > 0 &&
             acc.access_keys[0].access_key.unwrap() ===
             auth_token_obj.access_key;
     });
diff --git a/src/server/system_services/account_server.js b/src/server/system_services/account_server.js
@@ -1277,10 +1277,10 @@ async function list_users(req) {
     const requesting_account = req.account;
     account_util._check_if_requesting_account_is_root_account(action, requesting_account, { });
     const is_truncated = false; // GAP - no pagination at this point
-
     const requesting_account_iam_users = _.filter(system_store.data.accounts, function(account) {
+        const owner_account_id = account_util.get_owner_account_id(account);
         // Check IAM user owner is same as requesting_account id
-        return account.owner?._id.toString() === requesting_account._id.toString();
+        return owner_account_id === requesting_account._id.toString();
     });
     let members = _.map(requesting_account_iam_users, function(iam_user) {
         const iam_username = account_util.get_iam_username(iam_user.name.unwrap());
diff --git a/src/test/integration_tests/api/iam/test_iam_basic_integration.js b/src/test/integration_tests/api/iam/test_iam_basic_integration.js
@@ -7,9 +7,10 @@ const path = require('path');
 const _ = require('lodash');
 const mocha = require('mocha');
 const assert = require('assert');
+const SensitiveString = require('../../../../util/sensitive_string');
 const fs_utils = require('../../../../util/fs_utils');
 const { TMP_PATH, generate_nsfs_account, get_new_buckets_path_by_test_env, generate_iam_client,
-         require_coretest } = require('../../../system_tests/test_utils');
+         require_coretest, is_nc_coretest } = require('../../../system_tests/test_utils');
 const { ListUsersCommand, CreateUserCommand, GetUserCommand, UpdateUserCommand, DeleteUserCommand,
         ListAccessKeysCommand, CreateAccessKeyCommand, GetAccessKeyLastUsedCommand,
         UpdateAccessKeyCommand, DeleteAccessKeyCommand,
@@ -28,37 +29,47 @@ const IamError = require('../../../../endpoint/iam/iam_errors').IamError;
 
 
 const coretest = require_coretest();
-const setup_options = { should_run_iam: true, https_port_iam: 7005, debug: 5 };
+let setup_options;
+if (is_nc_coretest) {
+    setup_options = { should_run_iam: true, https_port_iam: 7005, debug: 5 };
+}
 coretest.setup(setup_options);
 const { rpc_client, EMAIL, get_current_setup_options, stop_nsfs_process, start_nsfs_process } = coretest;
 
-const CORETEST_ENDPOINT_IAM = coretest.get_iam_https_address();
-
-const config_root = path.join(TMP_PATH, 'test_nc_iam');
-// on NC - new_buckets_path is full absolute path
-// on Containerized - new_buckets_path is the directory
-const new_bucket_path_param = get_new_buckets_path_by_test_env(config_root, '/');
-
 let iam_account;
+let account_res;
+let config_root;
 
 mocha.describe('IAM basic integration tests - happy path', async function() {
     this.timeout(50000); // eslint-disable-line no-invalid-this
 
     mocha.before(async () => {
         // we want to make sure that we run this test with a couple of forks (by default setup it is 0)
-        const current_setup_options = get_current_setup_options();
-        const same_setup = _.isEqual(current_setup_options, setup_options);
-        if (!same_setup) {
-            console.log('current_setup_options', current_setup_options, 'same_setup', same_setup);
-            await stop_nsfs_process();
-            await start_nsfs_process(setup_options);
+        if (is_nc_coretest) {
+            config_root = path.join(TMP_PATH, 'test_nc_iam');
+            // on NC - new_buckets_path is full absolute path
+            // on Containerized - new_buckets_path is the directory
+            const new_bucket_path_param = get_new_buckets_path_by_test_env(config_root, '/');
+
+            const current_setup_options = get_current_setup_options();
+            const same_setup = _.isEqual(current_setup_options, setup_options);
+            if (!same_setup) {
+                console.log('current_setup_options', current_setup_options, 'same_setup', same_setup);
+                await stop_nsfs_process();
+                await start_nsfs_process(setup_options);
+            }
+            await fs_utils.create_fresh_path(new_bucket_path_param);
+            await fs_utils.file_must_exist(new_bucket_path_param);
+            account_res = await generate_nsfs_account(rpc_client, EMAIL, new_bucket_path_param, { admin: true });
+        } else {
+            account_res = (await rpc_client.account.read_account({ email: EMAIL })).access_keys[0];
         }
 
         // needed details for creating the account (and then the client)
-        await fs_utils.create_fresh_path(new_bucket_path_param);
-        await fs_utils.file_must_exist(new_bucket_path_param);
-        const res = await generate_nsfs_account(rpc_client, EMAIL, new_bucket_path_param, { admin: true });
-        iam_account = generate_iam_client(res.access_key, res.secret_key, CORETEST_ENDPOINT_IAM);
+        const coretest_endpoint_iam = coretest.get_https_address_iam();
+        const access_key = account_res.access_key instanceof SensitiveString ? account_res.access_key.unwrap() : account_res.access_key;
+        const secret_key = account_res.secret_key instanceof SensitiveString ? account_res.secret_key.unwrap() : account_res.secret_key;
+        iam_account = generate_iam_client(access_key, secret_key, coretest_endpoint_iam);
     });
 
     mocha.after(async () => {
@@ -196,6 +207,8 @@ mocha.describe('IAM basic integration tests - happy path', async function() {
         });
 
         mocha.it('get access key (last used)', async function() {
+            // Skipping for containerized noobaa
+            if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
             const input = {
                 AccessKeyId: access_key_id
             };
diff --git a/src/test/utils/coretest/coretest.js b/src/test/utils/coretest/coretest.js
@@ -66,6 +66,8 @@ let http_server;
 let https_address;
 let https_server_sts;
 let https_address_sts;
+let https_server_iam;
+let https_address_iam;
 let https_server;
 let _setup = false;
 let _incomplete_rpc_coverage;
@@ -148,6 +150,9 @@ function setup(options = {}) {
     const endpoint_request_handler_sts = endpoint.create_endpoint_handler('STS',
         endpoint.create_init_request_sdk(server_rpc.rpc, rpc_client, object_io), { virtual_hosts: [], notification_logger });
 
+    const endpoint_request_handler_iam = endpoint.create_endpoint_handler('IAM',
+        endpoint.create_init_request_sdk(server_rpc.rpc, rpc_client, object_io), { virtual_hosts: [], notification_logger });
+
     async function announce(msg) {
         if (process.env.SUPPRESS_LOGS) return;
         const l = Math.max(80, msg.length + 4);
@@ -204,6 +209,14 @@ function setup(options = {}) {
             logging: true,
             default_handler: endpoint_request_handler_sts,
         });
+
+        await announce('start_https_server (iam)');
+        https_server_iam = await server_rpc.rpc.start_http_server({
+            port: 0,
+            protocol: 'wss:',
+            logging: true,
+            default_handler: endpoint_request_handler_iam,
+        });
         // the http/ws port is used by the agents
         const http_net_address = /** @type {import('net').AddressInfo} */ (http_server.address());
         const https_net_address = /** @type {import('net').AddressInfo} */ (https_server.address());
@@ -213,11 +226,14 @@ function setup(options = {}) {
         const https_net_address_sts = /** @type {import('net').AddressInfo} */ (https_server_sts.address());
         const https_port_sts = https_net_address_sts.port;
 
+        const https_net_address_iam = /** @type {import('net').AddressInfo} */ (https_server_iam.address());
+        const https_port_iam = https_net_address_iam.port;
+
         base_address = `wss://localhost:${https_port}`;
         http_address = `http://localhost:${http_port}`;
         https_address = `https://localhost:${https_port}`;
         https_address_sts = `https://localhost:${https_port_sts}`;
-
+        https_address_iam = `https://localhost:${https_port_iam}`;
         // update the nodes_monitor n2n_rpc to find the base_address correctly for signals
         await node_server.start_monitor();
         node_server.get_local_monitor().n2n_rpc.router.default = base_address;
@@ -274,6 +290,8 @@ function setup(options = {}) {
             if (https_server) https_server.close();
             await announce('https_server_sts close()');
             if (https_server_sts) https_server_sts.close();
+            await announce('https_server_iam close()');
+            if (https_server_iam) https_server_iam.close();
             await announce('coretest done ...');
 
         } catch (err) {
@@ -459,6 +477,10 @@ function get_https_address() {
 function get_https_address_sts() {
     return https_address_sts;
 }
+
+function get_https_address_iam() {
+    return https_address_iam;
+}
 // This was coded for tests that create multiple systems (not necessary parallel, could be creation of system after deletion of system)
 // Webserver's init happens only one time (upon init of process), it is crucial in order to ensure internal storage structures
 // When we create systems without doing the init, we encounter a problem regarding failed internal storage structures
@@ -687,5 +709,6 @@ exports.anon_rpc_client = anon_rpc_client;
 exports.get_http_address = get_http_address;
 exports.get_https_address = get_https_address;
 exports.get_https_address_sts = get_https_address_sts;
+exports.get_https_address_iam = get_https_address_iam;
 exports.describe_mapper_test_case = describe_mapper_test_case;
 exports.get_dbg_level = get_dbg_level;
diff --git a/src/test/utils/coretest/nc_coretest.js b/src/test/utils/coretest/nc_coretest.js
@@ -281,10 +281,10 @@ function get_https_address() {
 }
 
 /**
- * get_iam_https_address return nc coretest https_address_iam variable
+ * get_https_address_iam return nc coretest https_address_iam variable
  * @returns {string}
  */
-function get_iam_https_address() {
+function get_https_address_iam() {
     return https_address_iam;
 }
 
@@ -554,7 +554,7 @@ exports.get_dbg_level = get_dbg_level;
 exports.rpc_client = rpc_cli_funcs_to_manage_nsfs_cli_cmds;
 exports.get_http_address = get_http_address;
 exports.get_https_address = get_https_address;
-exports.get_iam_https_address = get_iam_https_address;
+exports.get_https_address_iam = get_https_address_iam;
 exports.get_admin_mock_account_details = get_admin_mock_account_details;
 exports.NC_CORETEST_CONFIG_DIR_PATH = NC_CORETEST_CONFIG_DIR_PATH;
 exports.NC_CORETEST_CONFIG_FS = NC_CORETEST_CONFIG_FS;
diff --git a/src/test/utils/index/index.js b/src/test/utils/index/index.js
@@ -109,3 +109,6 @@ require('../../integration_tests/api/s3/test_lifecycle');
 // MD Sequence
 require('../../integration_tests/db/test_mdsequence');
 
+// Running with IAM port
+require('../../integration_tests/api/iam/test_iam_basic_integration');
+
diff --git a/src/test/utils/index/nc_index.js b/src/test/utils/index/nc_index.js
@@ -25,7 +25,7 @@ require('../../integration_tests/nc/lifecycle/test_nc_lifecycle_expiration');
 require('../../integration_tests/api/s3/test_chunked_upload');
 
 // running with iam port
-require('../../integration_tests/api/iam/test_nc_iam_basic_integration.js'); // please notice that we use a different setup
+require('../../integration_tests/api/iam/test_iam_basic_integration'); // please notice that we use a different setup
 // running with a couple of forks - please notice and add only relevant tests here
 require('../../integration_tests/nc/test_nc_with_a_couple_of_forks.js'); // please notice that we use a different setup
 
diff --git a/src/util/account_util.js b/src/util/account_util.js
@@ -333,19 +333,23 @@ function _check_if_account_exists(action, email_wrapped) {
 function _check_root_account_owns_user(root_account, user_account) {
     if (user_account.owner === undefined) return false;
     let root_account_id;
-    let owner_account_id;
     if (typeof root_account._id === 'object') {
         root_account_id = String(root_account._id);
     } else {
         root_account_id = root_account._id;
     }
+    const owner_account_id = get_owner_account_id(user_account);
+    return root_account_id === owner_account_id;
+}
 
+function get_owner_account_id(user_account) {
+    let owner_account_id;
     if (typeof user_account.owner === 'object') {
         owner_account_id = String(user_account.owner._id);
     } else {
-        owner_account_id = user_account.owner._id;
+        owner_account_id = user_account.owner;
     }
-    return root_account_id === owner_account_id;
+    return owner_account_id;
 }
 
 function _check_if_requesting_account_is_root_account(action, requesting_account, user_details = {}) {
@@ -719,11 +723,12 @@ function validate_and_return_requested_account(params, action, requesting_accoun
 }
 
 function return_list_member(iam_user, iam_path, iam_username) {
+    const owner_account_id = get_owner_account_id(iam_user);
     return {
         user_id: iam_user._id.toString(),
         iam_path: iam_path,
         username: iam_username,
-        arn: create_arn_for_user(iam_user.owner._id.toString(), iam_username, iam_path),
+        arn: create_arn_for_user(owner_account_id, iam_username, iam_path),
         // TODO: GAP Need to save created date
         create_date: Date.now(),
         // TODO: GAP missing password_last_used
@@ -757,3 +762,4 @@ exports._check_total_policy_size = _check_total_policy_size;
 exports.validate_and_return_requested_account = validate_and_return_requested_account;
 exports.get_iam_username = get_iam_username;
 exports.return_list_member = return_list_member;
+exports.get_owner_account_id = get_owner_account_id;

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ async function list_mfa_devices(req, res) {`
`18`	`18`	`if (params.username !== undefined) {`
`19`	`19`	`dbg.log1('To check that we have the user we will run the IAM GET USER', params);`
`20`	`20`	`iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);`
`21`		`- await req.account_sdk.get_user(params);`
	`21`	`+ await req.account_sdk.get_user({ username: params.username });`
`22`	`22`	`}`
`23`	`23`	`dbg.log1('IAM LIST MFA DEVICES (returns empty list on every request)', params);`
`24`	`24`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ async function list_service_specific_credentials(req, res) {`
`18`	`18`	`if (params.username !== undefined) {`
`19`	`19`	`dbg.log1('To check that we have the user we will run the IAM GET USER', params);`
`20`	`20`	`iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);`
`21`		`- await req.account_sdk.get_user(params);`
	`21`	`+ await req.account_sdk.get_user({ username: params.username });`
`22`	`22`	`}`
`23`	`23`	`dbg.log1('IAM LIST SERVER SPECIFIC CREDENTIALS (returns empty list on every request)', params);`
`24`	`24`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ async function list_signing_certificates(req, res) {`
`20`	`20`	`if (params.username !== undefined) {`
`21`	`21`	`dbg.log1('To check that we have the user we will run the IAM GET USER', params);`
`22`	`22`	`iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);`
`23`		`- await req.account_sdk.get_user(params);`
	`23`	`+ await req.account_sdk.get_user({ username: params.username });`
`24`	`24`	`}`
`25`	`25`	`dbg.log1('IAM LIST SIGNING CERTIFICATES (returns empty list on every request)', params);`
`26`	`26`	`const requesting_account_name = req.account_sdk.requesting_account.name instanceof SensitiveString ?`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ async function list_ssh_public_keys(req, res) {`
`19`	`19`	`if (params.username !== undefined) {`
`20`	`20`	`dbg.log1('To check that we have the user we will run the IAM GET USER', params);`
`21`	`21`	`iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);`
`22`		`- await req.account_sdk.get_user(params);`
	`22`	`+ await req.account_sdk.get_user({ username: params.username });`
`23`	`23`	`}`
`24`	`24`	`dbg.log1('IAM LIST SSH PUBLIC KEYS (returns empty list on every request)', params);`
`25`	`25`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,6 @@ class AccountSpaceNB {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`async get_user(params, account_sdk) {`
`66`		`-`
`67`	`66`	`const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);`
`68`	`67`	`return await account_sdk.rpc_client.account.get_user(params, requesting_account);`
`69`	`68`	`}`