collect correct parentUser for OIDC creds auto expiration (#14400)

This commit is contained in:
hellivan 2022-02-24 20:43:15 +01:00 committed by GitHub
parent 5307e18085
commit 03b35ecdd0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 8 deletions

View File

@ -1450,11 +1450,11 @@ func (store *IAMStoreSys) DeleteUsers(ctx context.Context, users []string) error
// GetAllParentUsers - returns all distinct "parent-users" associated with STS or service
// credentials.
func (store *IAMStoreSys) GetAllParentUsers() []string {
func (store *IAMStoreSys) GetAllParentUsers() map[string]string {
cache := store.rlock()
defer store.runlock()
res := set.NewStringSet()
res := map[string]string{}
for _, cred := range cache.iamUsersMap {
if cred.IsServiceAccount() || cred.IsTemp() {
parentUser := cred.ParentUser
@ -1470,11 +1470,13 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
}
}
}
res.Add(parentUser)
if _, ok := res[parentUser]; !ok {
res[parentUser] = cred.ParentUser
}
}
}
return res.ToSlice()
return res
}
// SetUserStatus - sets current user status.

View File

@ -1003,7 +1003,7 @@ func (sys *IAMSys) SetUserSecretKey(ctx context.Context, accessKey string, secre
func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers()
var expiredUsers []string
for _, parentUser := range parentUsers {
for parentUser, expiredUser := range parentUsers {
u, err := globalOpenIDConfig.LookupUser(parentUser)
if err != nil {
logger.LogIf(GlobalContext, err)
@ -1012,7 +1012,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
// If user is set to "disabled", we will remove them
// subsequently.
if !u.Enabled {
expiredUsers = append(expiredUsers, parentUser)
expiredUsers = append(expiredUsers, expiredUser)
}
}
@ -1025,12 +1025,12 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
func (sys *IAMSys) purgeExpiredCredentialsForLDAP(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers()
var allDistNames []string
for _, parentUser := range parentUsers {
for parentUser, expiredUser := range parentUsers {
if !globalLDAPConfig.IsLDAPUserDN(parentUser) {
continue
}
allDistNames = append(allDistNames, parentUser)
allDistNames = append(allDistNames, expiredUser)
}
expiredUsers, err := globalLDAPConfig.GetNonEligibleUserDistNames(allDistNames)