collect correct parentUser for OIDC creds auto expiration (#14400)

hellivan 2022-02-24 20:43:15 +01:00 committed by GitHub
parent 5307e18085
commit 03b35ecdd0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 8 deletions


@ -1450,11 +1450,11 @@ func (store *IAMStoreSys) DeleteUsers(ctx context.Context, users []string) error
// GetAllParentUsers - returns all distinct "parent-users" associated with STS or service // GetAllParentUsers - returns all distinct "parent-users" associated with STS or service
// credentials. // credentials.
func (store *IAMStoreSys) GetAllParentUsers() []string { func (store *IAMStoreSys) GetAllParentUsers() map[string]string {
cache := store.rlock() cache := store.rlock()
defer store.runlock() defer store.runlock()
res := set.NewStringSet() res := map[string]string{}
for _, cred := range cache.iamUsersMap { for _, cred := range cache.iamUsersMap {
if cred.IsServiceAccount() || cred.IsTemp() { if cred.IsServiceAccount() || cred.IsTemp() {
parentUser := cred.ParentUser parentUser := cred.ParentUser
@ -1470,11 +1470,13 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
} }
} }
} }
res.Add(parentUser) if _, ok := res[parentUser]; !ok {
res[parentUser] = cred.ParentUser
}
} }
} }
return res.ToSlice() return res
} }
// SetUserStatus - sets current user status. // SetUserStatus - sets current user status.
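Review bot: The doc comment on GetAllParentUsers was left unchanged while the return type moved from []string to map[string]string, so nothing states what the key and the value of the map mean; from the hunk the key is the (possibly rewritten) parentUser and the value is the raw cred.ParentUser it was first seen with, but the lines between the two hunks that rewrite parentUser are not visible here. Suggest replacing the comment with `// GetAllParentUsers - returns a map from each distinct "parent-user" resolved for STS or service credentials to the original cred.ParentUser that credential was created with.` The `if _, ok := res[parentUser]; !ok` guard makes the first credential encountered win when several credentials resolve to the same key but carry different cred.ParentUser values; if cache.iamUsersMap is a Go map, that winner is chosen in random iteration order, which is worth either a comment saying the value is identical for all such credentials or a check that it is.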


@ -1003,7 +1003,7 @@ func (sys *IAMSys) SetUserSecretKey(ctx context.Context, accessKey string, secre
func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) { func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers() parentUsers := sys.store.GetAllParentUsers()
var expiredUsers []string var expiredUsers []string
for _, parentUser := range parentUsers { for parentUser, expiredUser := range parentUsers {
u, err := globalOpenIDConfig.LookupUser(parentUser) u, err := globalOpenIDConfig.LookupUser(parentUser)
if err != nil { if err != nil {
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)
@ -1012,7 +1012,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
// If user is set to "disabled", we will remove them // If user is set to "disabled", we will remove them
// subsequently. // subsequently.
if !u.Enabled { if !u.Enabled {
expiredUsers = append(expiredUsers, parentUser) expiredUsers = append(expiredUsers, expiredUser)
} }
} }
@ -1025,12 +1025,12 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) { func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers() parentUsers := sys.store.GetAllParentUsers()
var allDistNames []string var allDistNames []string
for _, parentUser := range parentUsers { for parentUser, expiredUser := range parentUsers {
if !globalLDAPConfig.IsLDAPUserDN(parentUser) { if !globalLDAPConfig.IsLDAPUserDN(parentUser) {
continue continue
} }
allDistNames = append(allDistNames, parentUser) allDistNames = append(allDistNames, expiredUser)
} }
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames) expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames)