fix: checking for stale STS account under site replication (#16109)

This commit is contained in:
Anis Elleuch 2022-11-22 16:26:33 +01:00 committed by GitHub
parent 98ba622679
commit 04948b4d55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 8 deletions


@ -1025,7 +1025,7 @@ func (sys *IAMSys) ListTempAccounts(ctx context.Context, accessKey string) ([]Us
func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) { func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *iampolicy.Policy, error) {
sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey) sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey)
if err != nil { if err != nil {
return auth.Credentials{}, embeddedPolicy, err return auth.Credentials{}, nil, err
} }
// Hide secret & session keys // Hide secret & session keys
sa.Credentials.SecretKey = "" sa.Credentials.SecretKey = ""
@ -1033,15 +1033,45 @@ func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (aut
return sa.Credentials, embeddedPolicy, nil return sa.Credentials, embeddedPolicy, nil
} }
// getServiceAccount - gets information about a service account func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) {
func (sys *IAMSys) getServiceAccount(ctx context.Context, accessKey string) (u UserIdentity, p *iampolicy.Policy, err error) { sa, embeddedPolicy, err := sys.getAccountWithEmbeddedPolicy(ctx, accessKey)
if err != nil {
if err == errNoSuchAccount {
return UserIdentity{}, nil, errNoSuchServiceAccount
}
return UserIdentity{}, nil, err
}
if !sa.Credentials.IsServiceAccount() {
return UserIdentity{}, nil, errNoSuchServiceAccount
}
return sa, embeddedPolicy, nil
}
func (sys *IAMSys) getTempAccount(ctx context.Context, accessKey string) (UserIdentity, *iampolicy.Policy, error) {
tmpAcc, embeddedPolicy, err := sys.getAccountWithEmbeddedPolicy(ctx, accessKey)
if err != nil {
if err == errNoSuchAccount {
return UserIdentity{}, nil, errNoSuchTempAccount
}
return UserIdentity{}, nil, err
}
if !tmpAcc.Credentials.IsTemp() {
return UserIdentity{}, nil, errNoSuchTempAccount
}
return tmpAcc, embeddedPolicy, nil
}
// getAccountWithEmbeddedPolicy - gets information about an account with its embedded policy if found
func (sys *IAMSys) getAccountWithEmbeddedPolicy(ctx context.Context, accessKey string) (u UserIdentity, p *iampolicy.Policy, err error) {
if !sys.Initialized() { if !sys.Initialized() {
return u, nil, errServerNotInitialized return u, nil, errServerNotInitialized
} }
sa, ok := sys.store.GetUser(accessKey) sa, ok := sys.store.GetUser(accessKey)
if !ok || !sa.Credentials.IsServiceAccount() { if !ok {
return u, nil, errNoSuchServiceAccount return u, nil, errNoSuchAccount
} }
var embeddedPolicy *iampolicy.Policy var embeddedPolicy *iampolicy.Policy
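Review bot: The new getServiceAccount and getTempAccount carry no doc comment — the old `// getServiceAccount - gets information about a service account` line was dropped in the rewrite — and both hand back the raw UserIdentity whose Credentials still hold SecretKey and SessionToken; only the exported GetServiceAccount blanks them (the "Hide secret & session keys" block above), so a future caller of the unexported helpers can leak secrets without noticing. Add `// getServiceAccount - looks up a service account by access key; the returned credentials are unscrubbed, callers that expose them must clear SecretKey/SessionToken as GetServiceAccount does.` and the equivalent comment on getTempAccount. Both wrappers also test `err == errNoSuchAccount`, which is correct while getAccountWithEmbeddedPolicy returns the bare sentinel but would silently stop matching if that error were ever wrapped; `errors.Is(err, errNoSuchAccount)` is the safer form. The body of getAccountWithEmbeddedPolicy continues past the end of the hunk.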


@ -1257,9 +1257,8 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred *mad
} }
// skip overwrite of local update if peer sent stale info // skip overwrite of local update if peer sent stale info
if !updatedAt.IsZero() { if !updatedAt.IsZero() {
if u, err := globalIAMSys.GetUserInfo(ctx, stsCred.AccessKey); err == nil { if u, _, err := globalIAMSys.getTempAccount(ctx, stsCred.AccessKey); err == nil {
ok, _, _ := globalIAMSys.IsTempUser(stsCred.AccessKey) if u.UpdatedAt.After(updatedAt) {
if ok && u.UpdatedAt.After(updatedAt) {
return nil return nil
} }
} }
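Review bot: On the rewritten `if u, _, err := globalIAMSys.getTempAccount(...); err == nil` line, every error is treated the same as "no local account", so a transient failure such as errServerNotInitialized skips the staleness check and lets a peer's older credential overwrite a newer local one — the exact case the comment above says must be skipped. Distinguish not-found from other failures: `u, _, err := globalIAMSys.getTempAccount(ctx, stsCred.AccessKey)`, then `if err != nil && err != errNoSuchTempAccount { return err }`, and only when err is nil compare `u.UpdatedAt.After(updatedAt)`. PeerSTSAccHandler starts and ends outside the hunk, so I cannot confirm what the fall-through path writes, but the intent stated on the "skip overwrite" comment line is what the error handling should protect.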


@ -71,6 +71,12 @@ var errNoSuchUser = errors.New("Specified user does not exist")
// error returned when service account is not found // error returned when service account is not found
var errNoSuchServiceAccount = errors.New("Specified service account does not exist") var errNoSuchServiceAccount = errors.New("Specified service account does not exist")
// error returned when temporary account is not found
var errNoSuchTempAccount = errors.New("Specified temporary account does not exist")
// error returned in IAM subsystem when an account doesn't exist.
var errNoSuchAccount = errors.New("Specified account does not exist")
// error returned in IAM subsystem when groups doesn't exist. // error returned in IAM subsystem when groups doesn't exist.
var errNoSuchGroup = errors.New("Specified group does not exist") var errNoSuchGroup = errors.New("Specified group does not exist")