LOGC-57: Extract createIAMUser helper to reduce e2e test duplication

dvasilas · dvasilas · commit 029e6a13b8ec · 2026-04-08T12:44:49.000+03:00
diff --git a/test/e2e/acl_required_test.go b/test/e2e/acl_required_test.go
@@ -4,11 +4,9 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -66,43 +64,7 @@ var _ = Describe("aclRequired field in access logs", func() {
 		Expect(err).NotTo(HaveOccurred(), "PUT should succeed")
 
 		// Create IAM user with s3:GetObject permission
-		iamEndpoint := os.Getenv("E2E_IAM_ENDPOINT")
-		if iamEndpoint == "" {
-			iamEndpoint = testIAMEndpoint
-		}
-		accessKey := os.Getenv("E2E_S3_ACCESS_KEY_ID")
-		if accessKey == "" {
-			accessKey = testAccessKeyID
-		}
-		secretKey := os.Getenv("E2E_S3_SECRET_ACCESS_KEY")
-		if secretKey == "" {
-			secretKey = testSecretAccessKey
-		}
-
-		iamClient := iam.NewFromConfig(aws.Config{
-			Region: testRegion,
-			Credentials: aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
-				return aws.Credentials{
-					AccessKeyID:     accessKey,
-					SecretAccessKey: secretKey,
-				}, nil
-			}),
-		}, func(o *iam.Options) {
-			o.BaseEndpoint = aws.String(iamEndpoint)
-		})
-
 		userName := fmt.Sprintf("e2e-acl-test-%d", time.Now().UnixNano())
-		_, err = iamClient.CreateUser(ctx, &iam.CreateUserInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateUser should succeed")
-
-		createKeyResp, err := iamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateAccessKey should succeed")
-
-		// Attach inline policy allowing s3:GetObject on the source bucket
 		policy := fmt.Sprintf(`{
 			"Version": "2012-10-17",
 			"Statement": [{
@@ -111,32 +73,11 @@ var _ = Describe("aclRequired field in access logs", func() {
 				"Resource": "arn:aws:s3:::%s/*"
 			}]
 		}`, testCtx.SourceBucket)
-		_, err = iamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
-			UserName:       aws.String(userName),
-			PolicyName:     aws.String("allow-get-object"),
-			PolicyDocument: aws.String(policy),
-		})
-		Expect(err).NotTo(HaveOccurred(), "PutUserPolicy should succeed")
-
-		defer func() {
-			_, _ = iamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
-				UserName:   aws.String(userName),
-				PolicyName: aws.String("allow-get-object"),
-			})
-			_, _ = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
-				UserName:    aws.String(userName),
-				AccessKeyId: createKeyResp.AccessKey.AccessKeyId,
-			})
-			_, _ = iamClient.DeleteUser(ctx, &iam.DeleteUserInput{
-				UserName: aws.String(userName),
-			})
-		}()
+		iamUser := createIAMUser(ctx, userName, "allow-get-object", policy)
+		defer iamUser.Cleanup()
 
 		// GET object as the IAM user — authorized via ACL (same account)
-		iamS3Client := newS3ClientWithCredentials(
-			*createKeyResp.AccessKey.AccessKeyId,
-			*createKeyResp.AccessKey.SecretAccessKey,
-		)
+		iamS3Client := iamUser.S3Client
 
 		_, err = iamS3Client.GetObject(ctx, &s3.GetObjectInput{
 			Bucket: aws.String(testCtx.SourceBucket),
@@ -173,42 +114,7 @@ var _ = Describe("aclRequired field in access logs", func() {
 		Expect(err).NotTo(HaveOccurred(), "PUT should succeed")
 
 		// Create IAM user with GetObject + PutObject permissions for the copy
-		iamEndpoint := os.Getenv("E2E_IAM_ENDPOINT")
-		if iamEndpoint == "" {
-			iamEndpoint = testIAMEndpoint
-		}
-		accessKey := os.Getenv("E2E_S3_ACCESS_KEY_ID")
-		if accessKey == "" {
-			accessKey = testAccessKeyID
-		}
-		secretKey := os.Getenv("E2E_S3_SECRET_ACCESS_KEY")
-		if secretKey == "" {
-			secretKey = testSecretAccessKey
-		}
-
-		iamClient := iam.NewFromConfig(aws.Config{
-			Region: testRegion,
-			Credentials: aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
-				return aws.Credentials{
-					AccessKeyID:     accessKey,
-					SecretAccessKey: secretKey,
-				}, nil
-			}),
-		}, func(o *iam.Options) {
-			o.BaseEndpoint = aws.String(iamEndpoint)
-		})
-
 		userName := fmt.Sprintf("e2e-acl-copy-%d", time.Now().UnixNano())
-		_, err = iamClient.CreateUser(ctx, &iam.CreateUserInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateUser should succeed")
-
-		createKeyResp, err := iamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateAccessKey should succeed")
-
 		policy := fmt.Sprintf(`{
 			"Version": "2012-10-17",
 			"Statement": [{
@@ -217,32 +123,11 @@ var _ = Describe("aclRequired field in access logs", func() {
 				"Resource": "arn:aws:s3:::%s/*"
 			}]
 		}`, testCtx.SourceBucket)
-		_, err = iamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
-			UserName:       aws.String(userName),
-			PolicyName:     aws.String("allow-copy"),
-			PolicyDocument: aws.String(policy),
-		})
-		Expect(err).NotTo(HaveOccurred(), "PutUserPolicy should succeed")
-
-		defer func() {
-			_, _ = iamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
-				UserName:   aws.String(userName),
-				PolicyName: aws.String("allow-copy"),
-			})
-			_, _ = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
-				UserName:    aws.String(userName),
-				AccessKeyId: createKeyResp.AccessKey.AccessKeyId,
-			})
-			_, _ = iamClient.DeleteUser(ctx, &iam.DeleteUserInput{
-				UserName: aws.String(userName),
-			})
-		}()
+		iamUser := createIAMUser(ctx, userName, "allow-copy", policy)
+		defer iamUser.Cleanup()
 
 		// Copy as IAM user — both source GET and destination PUT go through ACL path
-		iamS3Client := newS3ClientWithCredentials(
-			*createKeyResp.AccessKey.AccessKeyId,
-			*createKeyResp.AccessKey.SecretAccessKey,
-		)
+		iamS3Client := iamUser.S3Client
 
 		_, err = iamS3Client.CopyObject(ctx, &s3.CopyObjectInput{
 			Bucket:     aws.String(testCtx.SourceBucket),
diff --git a/test/e2e/error_cases_test.go b/test/e2e/error_cases_test.go
@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -183,56 +182,11 @@ var _ = Describe("Error Cases", func() {
 		time.Sleep(1 * time.Second)
 
 		// Create IAM user with no permissions
-		iamEndpoint := os.Getenv("E2E_IAM_ENDPOINT")
-		if iamEndpoint == "" {
-			iamEndpoint = testIAMEndpoint
-		}
-		accessKey := os.Getenv("E2E_S3_ACCESS_KEY_ID")
-		if accessKey == "" {
-			accessKey = testAccessKeyID
-		}
-		secretKey := os.Getenv("E2E_S3_SECRET_ACCESS_KEY")
-		if secretKey == "" {
-			secretKey = testSecretAccessKey
-		}
-
-		iamClient := iam.NewFromConfig(aws.Config{
-			Region: testRegion,
-			Credentials: aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
-				return aws.Credentials{
-					AccessKeyID:     accessKey,
-					SecretAccessKey: secretKey,
-				}, nil
-			}),
-		}, func(o *iam.Options) {
-			o.BaseEndpoint = aws.String(iamEndpoint)
-		})
-
 		userName := fmt.Sprintf("e2e-test-user-%d", time.Now().UnixNano())
-		_, err = iamClient.CreateUser(ctx, &iam.CreateUserInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateUser should succeed")
+		iamUser := createIAMUser(ctx, userName, "", "")
+		defer iamUser.Cleanup()
 
-		createKeyResp, err := iamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
-			UserName: aws.String(userName),
-		})
-		Expect(err).NotTo(HaveOccurred(), "CreateAccessKey should succeed")
-
-		defer func() {
-			_, _ = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
-				UserName:    aws.String(userName),
-				AccessKeyId: createKeyResp.AccessKey.AccessKeyId,
-			})
-			_, _ = iamClient.DeleteUser(ctx, &iam.DeleteUserInput{
-				UserName: aws.String(userName),
-			})
-		}()
-
-		unprivilegedClient := newS3ClientWithCredentials(
-			*createKeyResp.AccessKey.AccessKeyId,
-			*createKeyResp.AccessKey.SecretAccessKey,
-		)
+		unprivilegedClient := iamUser.S3Client
 
 		_, err = unprivilegedClient.GetObject(ctx, &s3.GetObjectInput{
 			Bucket: aws.String(testCtx.SourceBucket),
diff --git a/test/e2e/helpers_test.go b/test/e2e/helpers_test.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	. "github.com/onsi/ginkgo/v2"
@@ -658,6 +659,84 @@ func newS3ClientWithCredentials(accessKeyID, secretAccessKey string) *s3.Client
 	})
 }
 
+type IAMUserResult struct {
+	S3Client *s3.Client
+	Cleanup  func()
+}
+
+// createIAMUser creates an IAM user with an optional inline policy.
+// If policyName and policyDocument are non-empty, the policy is attached.
+func createIAMUser(ctx context.Context, userName, policyName, policyDocument string) IAMUserResult {
+	GinkgoHelper()
+
+	iamEndpoint := os.Getenv("E2E_IAM_ENDPOINT")
+	if iamEndpoint == "" {
+		iamEndpoint = testIAMEndpoint
+	}
+	accessKey := os.Getenv("E2E_S3_ACCESS_KEY_ID")
+	if accessKey == "" {
+		accessKey = testAccessKeyID
+	}
+	secretKey := os.Getenv("E2E_S3_SECRET_ACCESS_KEY")
+	if secretKey == "" {
+		secretKey = testSecretAccessKey
+	}
+
+	iamClient := iam.NewFromConfig(aws.Config{
+		Region: testRegion,
+		Credentials: aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
+			return aws.Credentials{
+				AccessKeyID:     accessKey,
+				SecretAccessKey: secretKey,
+			}, nil
+		}),
+	}, func(o *iam.Options) {
+		o.BaseEndpoint = aws.String(iamEndpoint)
+	})
+
+	_, err := iamClient.CreateUser(ctx, &iam.CreateUserInput{
+		UserName: aws.String(userName),
+	})
+	Expect(err).NotTo(HaveOccurred(), "CreateUser should succeed")
+
+	createKeyResp, err := iamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
+		UserName: aws.String(userName),
+	})
+	Expect(err).NotTo(HaveOccurred(), "CreateAccessKey should succeed")
+
+	if policyName != "" && policyDocument != "" {
+		_, err = iamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
+			UserName:       aws.String(userName),
+			PolicyName:     aws.String(policyName),
+			PolicyDocument: aws.String(policyDocument),
+		})
+		Expect(err).NotTo(HaveOccurred(), "PutUserPolicy should succeed")
+	}
+
+	cleanup := func() {
+		if policyName != "" {
+			_, _ = iamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
+				UserName:   aws.String(userName),
+				PolicyName: aws.String(policyName),
+			})
+		}
+		_, _ = iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
+			UserName:    aws.String(userName),
+			AccessKeyId: createKeyResp.AccessKey.AccessKeyId,
+		})
+		_, _ = iamClient.DeleteUser(ctx, &iam.DeleteUserInput{
+			UserName: aws.String(userName),
+		})
+	}
+
+	s3Client := newS3ClientWithCredentials(
+		*createKeyResp.AccessKey.AccessKeyId,
+		*createKeyResp.AccessKey.SecretAccessKey,
+	)
+
+	return IAMUserResult{S3Client: s3Client, Cleanup: cleanup}
+}
+
 // setupE2ETest creates and initializes an E2E test context
 func setupE2ETest() *E2ETestContext {
 	GinkgoHelper()
