fix: regression in AssumeRole session policy handling (fixes #12756) (#12773)

This commit is contained in:
Aditya Manthramurthy 2021-07-22 08:42:07 -07:00 committed by GitHub
parent 026a005b64
commit 17a37241f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 26 deletions

View File

@ -213,27 +213,17 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
return nil, errAuthentication
}
if globalPolicyOPA == nil {
// If OPA is not set and if ldap claim key is set, allow the claim.
if _, ok := claims.MapClaims[ldapUser]; ok {
// If OPA is set, return without any further checks.
if globalPolicyOPA != nil {
return claims.Map(), nil
}
// If OPA is not set, session token should
// have a policy and its mandatory, reject
// requests without policy claim.
_, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()]
_, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
if !pokOpenID && !pokSA {
return nil, errAuthentication
}
// Check if a session policy is set. If so, decode it here.
sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
if !spok {
return claims.Map(), nil
}
if spok {
// Looks like subpolicy is set and is a string, if set then its
// base64 encoded, decode it. Decoding fails reject such requests.
// base64 encoded, decode it. Decoding fails reject such
// requests.
spBytes, err := base64.StdEncoding.DecodeString(sp)
if err != nil {
// Base64 decoding fails, we should log to indicate
@ -244,6 +234,19 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
claims.MapClaims[iampolicy.SessionPolicyName] = string(spBytes)
}
// If LDAP claim key is set, return here.
if _, ok := claims.MapClaims[ldapUser]; ok {
return claims.Map(), nil
}
// Session token must have a policy, reject requests without policy
// claim.
_, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()]
_, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
if !pokOpenID && !pokSA {
return nil, errAuthentication
}
return claims.Map(), nil
}

View File

@ -2353,13 +2353,6 @@ func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAll
return
}
policyBytes, err := base64.StdEncoding.DecodeString(spolicyStr)
if err != nil {
// Got a malformed base64 string
return
}
spolicyStr = string(policyBytes)
// Check if policy is parseable.
subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr)))
if err != nil {