From 03b35ecdd0be0426bcba75a2721afde6649c8cef Mon Sep 17 00:00:00 2001
From: hellivan
Date: Thu, 24 Feb 2022 20:43:15 +0100
Subject: [PATCH] collect correct parentUser for OIDC creds auto expiration (#14400)

---
 cmd/iam-store.go | 10 ++++++----
 cmd/iam.go       |  8 ++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 63b94d018..1e719afca 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1450,11 +1450,11 @@ func (store *IAMStoreSys) DeleteUsers(ctx context.Context, users []string) error
 
 // GetAllParentUsers - returns all distinct "parent-users" associated with STS or service
 // credentials.
-func (store *IAMStoreSys) GetAllParentUsers() []string {
+func (store *IAMStoreSys) GetAllParentUsers() map[string]string {
 	cache := store.rlock()
 	defer store.runlock()
 
-	res := set.NewStringSet()
+	res := map[string]string{}
 	for _, cred := range cache.iamUsersMap {
 		if cred.IsServiceAccount() || cred.IsTemp() {
 			parentUser := cred.ParentUser
@@ -1470,11 +1470,13 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
 					}
 				}
 			}
-			res.Add(parentUser)
+			if _, ok := res[parentUser]; !ok {
+				res[parentUser] = cred.ParentUser
+			}
 		}
 	}
-	return res.ToSlice()
+	return res
 }
 
 // SetUserStatus - sets current user status.
diff --git a/cmd/iam.go b/cmd/iam.go
index 4669a505a..7371b20dc 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1003,7 +1003,7 @@ func (sys *IAMSys) SetUserSecretKey(ctx context.Context, accessKey string, secre
 func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 	parentUsers := sys.store.GetAllParentUsers()
 	var expiredUsers []string
-	for _, parentUser := range parentUsers {
+	for parentUser, expiredUser := range parentUsers {
 		u, err := globalOpenIDConfig.LookupUser(parentUser)
 		if err != nil {
 			logger.LogIf(GlobalContext, err)
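Review bot: The doc comment above GetAllParentUsers still describes a set of distinct parent users, but the signature on the changed line now returns map[string]string and nothing in the hunk says what the key and the value are. The two-line comment should be replaced by something like `// GetAllParentUsers - returns, for every STS or service credential, a map from the resolved parent user (the parentUser computed in the loop body) to the raw cred.ParentUser stored on that credential.`, adjusted to whatever the resolution code between this hunk and the next actually does, since those lines are outside the diff. It is also worth stating in the comment that callers ranging over the result see Go's random map order, because the previous slice return was the only thing that hid that. The body of GetAllParentUsers continues in the next hunk.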
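Review bot: The `if _, ok := res[parentUser]; !ok` guard keeps the first cred.ParentUser seen for a resolved parentUser, and because cache.iamUsersMap is iterated in random order, if two credentials can resolve to the same parentUser while carrying different cred.ParentUser values then which one is returned is nondeterministic and the other is silently dropped; for a purge path that means a disabled IdP user's remaining credentials could survive until a later run happens to pick them. If that combination cannot occur, say so where the guard is: `// every credential that resolves to the same parentUser carries the same cred.ParentUser, so first-wins is safe`. If it can occur, the return type should collect all of them, e.g. `map[string][]string` with `res[parentUser] = append(res[parentUser], cred.ParentUser)`, and the two callers in cmd/iam.go should append every element. GetAllParentUsers starts in the preceding hunk; the resolution of parentUser happens on lines not shown in the diff.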
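Review bot: The loop variable name on `for parentUser, expiredUser := range parentUsers {` is misleading: the value is the credential's raw ParentUser for every entry, and it is only known to be expired after LookupUser succeeds and the `!u.Enabled` check in the next hunk passes. A name that states what it is, e.g. `for parentUser, credParentUser := range parentUsers {` with `expiredUsers = append(expiredUsers, credParentUser)` in the following hunk, keeps the key/value distinction readable; the same naming is used in the purgeExpiredCredentialsForLDAP hunk and should change there too. A one-line comment above the loop such as `// key: user as known to the IdP; value: ParentUser as stored on the credential` would document the map's contract at the call site, since GetAllParentUsers' own comment does not. purgeExpiredCredentialsForExternalSSO continues past the end of this hunk.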
@@ -1012,7 +1012,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 		// If user is set to "disabled", we will remove them
 		// subsequently.
 		if !u.Enabled {
-			expiredUsers = append(expiredUsers, parentUser)
+			expiredUsers = append(expiredUsers, expiredUser)
 		}
 	}
 
@@ -1025,12 +1025,12 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
 	parentUsers := sys.store.GetAllParentUsers()
 	var allDistNames []string
-	for _, parentUser := range parentUsers {
+	for parentUser, expiredUser := range parentUsers {
 		if !globalLDAPConfig.IsLDAPUserDN(parentUser) {
 			continue
 		}
 
-		allDistNames = append(allDistNames, parentUser)
+		allDistNames = append(allDistNames, expiredUser)
 	}
 
 	expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames)
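Review bot: In purgeExpiredCredentialsForLDAP the DN check `globalLDAPConfig.IsLDAPUserDN(parentUser)` is applied to the map key, but the value appended on the changed `allDistNames = append(allDistNames, expiredUser)` line is the raw cred.ParentUser, which is then handed to GetNonEligibleUserDistNames; if the two differ for LDAP credentials, a value that was never verified to be a DN is passed to the LDAP lookup, and if they never differ the key/value split is redundant on this path. Either append the value that was actually checked, or check the appended value (`if !globalLDAPConfig.IsLDAPUserDN(expiredUser) { continue }`), or add a comment explaining why the key is a DN while the value is what the store deletes by. The error path after GetNonEligibleUserDistNames and the rest of the function are outside the hunk.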