MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-04 03:40:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: regression in AssumeRole session policy handling (fixes #12756) (#12773)

Browse Source
This commit is contained in:
Aditya Manthramurthy 2021-07-22 08:42:07 -07:00 committed by GitHub
parent 026a005b64
commit 17a37241f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
cmd/auth-handler.go
View File

@ -213,27 +213,17 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
return nil, errAuthentication return nil, errAuthentication
} }
if globalPolicyOPA == nil { // If OPA is set, return without any further checks.
// If OPA is not set and if ldap claim key is set, allow the claim. if globalPolicyOPA != nil {
if _, ok := claims.MapClaims[ldapUser]; ok { return claims.Map(), nil
return claims.Map(), nil }
}
// If OPA is not set, session token should // Check if a session policy is set. If so, decode it here.
// have a policy and its mandatory, reject sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
// requests without policy claim. if spok {
_, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()]
_, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
if !pokOpenID && !pokSA {
return nil, errAuthentication
}
sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
if !spok {
return claims.Map(), nil
}
// Looks like subpolicy is set and is a string, if set then its // Looks like subpolicy is set and is a string, if set then its
// base64 encoded, decode it. Decoding fails reject such requests. // base64 encoded, decode it. Decoding fails reject such
// requests.
spBytes, err := base64.StdEncoding.DecodeString(sp) spBytes, err := base64.StdEncoding.DecodeString(sp)
if err != nil { if err != nil {
// Base64 decoding fails, we should log to indicate // Base64 decoding fails, we should log to indicate
@ -244,6 +234,19 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
claims.MapClaims[iampolicy.SessionPolicyName] = string(spBytes) claims.MapClaims[iampolicy.SessionPolicyName] = string(spBytes)
} }
// If LDAP claim key is set, return here.
if _, ok := claims.MapClaims[ldapUser]; ok {
return claims.Map(), nil
}
// Session token must have a policy, reject requests without policy
// claim.
_, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()]
_, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
if !pokOpenID && !pokSA {
return nil, errAuthentication
}
return claims.Map(), nil return claims.Map(), nil
} }

7
cmd/iam.go
View File

@ -2353,13 +2353,6 @@ func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAll
return return
} }
policyBytes, err := base64.StdEncoding.DecodeString(spolicyStr)
if err != nil {
// Got a malformed base64 string
return
}
spolicyStr = string(policyBytes)
// Check if policy is parseable. // Check if policy is parseable.
subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr)))
if err != nil { if err != nil {