COSI-40, COSI-52: Revoke Bucket Access API Implementation and Tests

[anurag4DSB]

Summary

This PR implements the DriverRevokeBucketAccess API, enhances the IAM client, and adds comprehensive tests, including unit and end-to-end coverage.

Key Changes

1. COSI-40: Remove Prefix from Inline Policies

• Inline policy names now match bucket names, simplifying access control.

2. COSI-40: API Implementation

• Fetches bucket parameters for IAM client configuration.
• Adds IAM methods to delete users, inline policies, and keys.

3. COSI-40: Add Unit Tests

• Updated IAM mock and added unit tests for IAM client new methods and RevokeBucketAccess.

4. COSI-52: Add E2E Test

• Validates end-to-end flow for revoking bucket access by checking if the IAM user was deleted.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.12%. Comparing base (7bc2de2) to head (07a2202).
Report is 8 commits behind head on main.

Additional details and impacted files

Files with missing lines	Coverage Δ
pkg/clients/iam/iam_client.go	100.00% <100.00%> (+3.15%)	⬆️
pkg/driver/provisioner_server_impl.go	97.36% <100.00%> (+0.35%)	⬆️

... and 1 file with indirect coverage changes

Components	Coverage Δ
🏠 Main Package	∅ <ø> (∅)
🚗 Driver Package	91.40% <100.00%> (+1.01%)	⬆️
📡 gRPC Factory Package	81.65% <ø> (ø)
🔐 IAM Client Package	100.00% <100.00%> (+3.15%)	⬆️
🌐 S3 Client Package	100.00% <ø> (+6.12%)	⬆️
🔧 Util Package	100.00% <ø> (ø)

@@            Coverage Diff             @@
##             main      #57      +/-   ##
==========================================
+ Coverage   90.69%   93.12%   +2.42%     
==========================================
  Files           9        9              
  Lines         516      611      +95     
==========================================
+ Hits          468      569     +101     
+ Misses         38       36       -2     
+ Partials       10        6       -4     

[jonathan-gramain]

So I assume there is a 1-1 mapping between users and buckets, in which case it looks correct to me.

[anurag4DSB]

There is a 1 to many mapping for buckets and users.
1 bucket can have multiple IAM users accessing it.

But for each access indeed we have 1 IAM user

[jonathan-gramain]

The test says that it should fail "gracefully" but doesn't seem to check the gracefulness of the error (i.e. it tests the same way than the next test).

[anurag4DSB]

Thank you for your feedback — it helped me catch a bug. I’ve added the change along with tests: if an access key is deleted between listing and deletion, we now handle it by returning a “not found” error and continuing with the list.

Additionally, I’ve created a ticket for next week to review the graceful handling of all errors, and I’ve added it to the next sprint: S3C-9439. I have more instances like this.

[jonathan-gramain]

It would be good to check the side-effects of the function i.e. that it actually deleted stuff, although I don't know if this test suite is the good place where it can be done. It also applies to other tests around for function calls that have (or shouldn't have) side-effects.

One way I'm thinking about is attempting to use an access key that was revoked should not be possible, and conversely, using the access key that shouldn't have been revoked should still work. But that may be best done in E2E tests.

[anurag4DSB]

We rely on Vault to handle the revocation of access keys, ensuring that deleted keys cannot be used. As such, this should not be tested in this particular test suite. Instead, the E2E tests verify the deletion of the IAM user, which falls under the scope of the COSI driver’s responsibility.

While I considered testing the deletion of the Kubernetes secret containing access, the responsibility for managing that lies with the COSI controller, not the COSI driver.

[anurag4DSB]

Relying on contracts/promises from other services.

[anurag4DSB]

Addressed review comments, and added more tests for noSuchEntity scenarios.