allow claims to be optional in STS (#10078)
not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
This commit is contained in:
Harshavardhana
GitHub
parent
aa6468932b
commit
7764c542f2
28
cmd/iam.go
28
cmd/iam.go
|
|
@ -675,6 +675,24 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
// returns comma separated policy string, from an input policy
|
||||
// after validating if there are any current policies which exist
|
||||
// on MinIO corresponding to the input.
|
||||
func (sys *IAMSys) currentPolicies(policyName string) string {
|
||||
sys.store.rlock()
|
||||
defer sys.store.runlock()
|
||||
|
||||
var policies []string
|
||||
mp := newMappedPolicy(policyName)
|
||||
for _, policy := range mp.toSlice() {
|
||||
_, found := sys.iamPolicyDocsMap[policy]
|
||||
if found {
|
||||
policies = append(policies, policy)
|
||||
}
|
||||
}
|
||||
return strings.Join(policies, ",")
|
||||
}
|
||||
|
||||
// SetTempUser - set temporary user credentials, these credentials have an expiry.
|
||||
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
|
||||
objectAPI := newObjectLayerWithoutSafeModeFn()
|
||||
|
|
@ -693,10 +711,9 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
|
|||
mp := newMappedPolicy(policyName)
|
||||
for _, policy := range mp.toSlice() {
|
||||
p, found := sys.iamPolicyDocsMap[policy]
|
||||
if !found {
|
||||
return fmt.Errorf("%w: (%s)", errNoSuchPolicy, policy)
|
||||
if found {
|
||||
availablePolicies = append(availablePolicies, p)
|
||||
}
|
||||
availablePolicies = append(availablePolicies, p)
|
||||
}
|
||||
|
||||
combinedPolicy := availablePolicies[0]
|
||||
|
|
@ -1671,6 +1688,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args) bool {
|
|||
for _, pname := range mp.toSlice() {
|
||||
p, found := sys.iamPolicyDocsMap[pname]
|
||||
if !found {
|
||||
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing for the LDAPUser %s, rejecting the request", pname, user))
|
||||
return false
|
||||
}
|
||||
policies = append(policies, p)
|
||||
|
|
@ -1684,6 +1702,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args) bool {
|
|||
for _, pname := range mp.toSlice() {
|
||||
p, found := sys.iamPolicyDocsMap[pname]
|
||||
if !found {
|
||||
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing for the LDAPGroup %s, rejecting the request", pname, group))
|
||||
return false
|
||||
}
|
||||
policies = append(policies, p)
|
||||
|
|
@ -1744,7 +1763,8 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
|
|||
for pname := range policies {
|
||||
p, found := sys.iamPolicyDocsMap[pname]
|
||||
if !found {
|
||||
logger.LogIf(GlobalContext, fmt.Errorf("%w: (%s)", errNoSuchPolicy, pname))
|
||||
// all policies presented in the claim should exist
|
||||
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing from the JWT claim %s, rejecting the request", pname, iamPolicyClaimNameOpenID()))
|
||||
return false
|
||||
}
|
||||
availablePolicies = append(availablePolicies, p)
|
||||
|
|
|
|||
|
|
@ -318,6 +318,22 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
|
|||
return
|
||||
}
|
||||
|
||||
// JWT has requested a custom claim with policy value set.
|
||||
// This is a MinIO STS API specific value, this value should
|
||||
// be set and configured on your identity provider as part of
|
||||
// JWT custom claims.
|
||||
var policyName string
|
||||
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
|
||||
if ok {
|
||||
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
|
||||
}
|
||||
|
||||
if policyName == "" {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
|
||||
return
|
||||
}
|
||||
m[iamPolicyClaimNameOpenID()] = policyName
|
||||
|
||||
sessionPolicyStr := r.Form.Get(stsPolicy)
|
||||
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
|
||||
// The plain text that you use for both inline and managed session
|
||||
|
|
@ -352,16 +368,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
|
|||
return
|
||||
}
|
||||
|
||||
// JWT has requested a custom claim with policy value set.
|
||||
// This is a MinIO STS API specific value, this value should
|
||||
// be set and configured on your identity provider as part of
|
||||
// JWT custom claims.
|
||||
var policyName string
|
||||
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
|
||||
if ok {
|
||||
policyName = strings.Join(policySet.ToSlice(), ",")
|
||||
}
|
||||
|
||||
var subFromToken string
|
||||
if v, ok := m[subClaim]; ok {
|
||||
subFromToken, _ = v.(string)
|
||||
|
|
|
|||
Loading…
Reference in a new issue