diff --git a/lib/utilities/serverAccessLogger.js b/lib/utilities/serverAccessLogger.js
index 7d950ae4ab..9dc5531dfc 100644
--- a/lib/utilities/serverAccessLogger.js
+++ b/lib/utilities/serverAccessLogger.js
@@ -334,10 +334,10 @@ function getRequester(authInfo) {
 } else if (arn && assumedRoleArnRegex.test(arn)) {
 return arn;
 } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
- // IAM user: include IAM user name and account
- const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
- const accountName = authInfo.getAccountDisplayName ? authInfo.getAccountDisplayName() : '';
- return iamUserName && accountName ? `${iamUserName}:${accountName}` : authInfo.getCanonicalID();
+ // IAM user: emit the IAM ARN (arn:aws:iam:::user/)
+ // to match the AWS S3 server access log format. Fall back to the
+ // canonical ID if the ARN is unexpectedly absent.
+ return arn || authInfo.getCanonicalID();
 } else if (authInfo.getCanonicalID) {
 // Regular user: canonical user ID
 return authInfo.getCanonicalID();
diff --git a/package.json b/package.json
index 2a4c771dbf..2633ee786d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@zenko/cloudserver",
- "version": "9.2.35",
+ "version": "9.2.36",
 "description": "Zenko CloudServer, an open-source Node.js implementation of a server handling the Amazon S3 protocol",
 "main": "index.js",
 "engines": {
diff --git a/tests/unit/utils/serverAccessLogger.js b/tests/unit/utils/serverAccessLogger.js
index de37d5f952..967a1d52bb 100644
--- a/tests/unit/utils/serverAccessLogger.js
+++ b/tests/unit/utils/serverAccessLogger.js
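Review bot: The fallback in `return arn || authInfo.getCanonicalID();` silently logs an IAM user under the canonical ID, the same value the next branch writes for a regular user, so a record that takes this path appears to lose per-user attribution in exactly the case the new comment calls unexpected. Since the requester field feeds audit and detection, I would make that visible by extending the comment with `// NOTE: the canonical ID does not identify the IAM user; records taking this fallback lose per-user attribution`, and by emitting a warning if a logger is in scope here (not visible in the hunk). The call is also unguarded, unlike the `authInfo.getCanonicalID` check in the following branch, so an authInfo without that method would throw inside the logging path. Consumers that parsed the earlier `name:account` form will need to be told about the format change. `arn` is assigned above the hunk, and getRequester starts and ends outside it.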
@@ -287,24 +287,23 @@ describe('serverAccessLogger utility functions', () => {
 assert.strictEqual(result, null);
 });
 
- it('should return IAM user name with account for IAM user', () => {
+ it('should return IAM ARN for IAM user', () => {
+ const arn = 'arn:aws:iam::123456789012:user/myuser';
 const authInfo = {
 isRequesterPublicUser: () => false,
 isRequesterAnIAMUser: () => true,
- getIAMdisplayName: () => 'iamUser',
- getAccountDisplayName: () => 'accountName',
+ getArn: () => arn,
 getCanonicalID: () => 'canonicalID123',
 };
 const result = getRequester(authInfo);
- assert.strictEqual(result, 'iamUser:accountName');
+ assert.strictEqual(result, arn);
 });
 
- it('should return canonical ID for IAM user if display names are missing', () => {
+ it('should fall back to canonical ID for IAM user when ARN is missing', () => {
 const authInfo = {
 isRequesterPublicUser: () => false,
 isRequesterAnIAMUser: () => true,
- getIAMdisplayName: () => '',
- getAccountDisplayName: () => 'accountName',
+ getArn: () => undefined,
 getCanonicalID: () => 'canonicalID123',
 };
 const result = getRequester(authInfo);
@@ -323,19 +322,6 @@ describe('serverAccessLogger utility functions', () => {
 assert.strictEqual(result, arn);
 });
 
- it('should fall through to IAM user path for non-assumed-role ARN', () => {
- const authInfo = {
- isRequesterPublicUser: () => false,
- isRequesterAnIAMUser: () => true,
- getArn: () => 'arn:aws:iam::123456789012:user/myuser',
- getIAMdisplayName: () => 'myuser',
- getAccountDisplayName: () => 'myaccount',
- getCanonicalID: () => 'canonicalID789',
- };
- const result = getRequester(authInfo);
- assert.strictEqual(result, 'myuser:myaccount');
- });
-
 it('should return canonical ID for regular user', () => {
 const authInfo = {
 isRequesterPublicUser: () => false,
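Review bot: The two IAM-user cases in the first hunk only exercise `getArn` returning a full user ARN or `undefined`; the previous fallback test passed an authInfo with no `getArn` at all, and that shape is no longer covered for an IAM requester. I would add one case that omits `getArn` and one with `getArn: () => '',`, each asserting `'canonicalID123'`, so the fallback that decides which identity lands in the access log is pinned for every empty form. The enclosing `describe` block starts and ends outside the hunk.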