Add support for session policies in STS APIs (#7747)

This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2025-11-07 04:42:56 -05:00 · 2019-06-20 15:28:33 -07:00
parent 98d3913a1e
commit 1af6e8cb72
7 changed files with 233 additions and 49 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -200,6 +200,39 @@ func getClaimsFromToken(r *http.Request) (map[string]interface{}, error) {
 	if _, ok = v.(string); !ok {
 		return nil, errInvalidAccessKeyID
 	}
+
+	if globalPolicyOPA == nil {
+		// If OPA is not set, session token should
+		// have a policy and its mandatory, reject
+		// requests without policy claim.
+		p, pok := claims[iampolicy.PolicyName]
+		if !pok {
+			return nil, errAuthentication
+		}
+		if _, pok = p.(string); !pok {
+			return nil, errAuthentication
+		}
+		sp, spok := claims[iampolicy.SessionPolicyName]
+		// Sub policy is optional, if not set return success.
+		if !spok {
+			return claims, nil
+		}
+		// Sub policy is set but its not a string, reject such requests
+		spStr, spok := sp.(string)
+		if !spok {
+			return nil, errAuthentication
+		}
+		// Looks like subpolicy is set and is a string, if set then its
+		// base64 encoded, decode it. Decoding fails reject such requests.
+		spBytes, err := base64.StdEncoding.DecodeString(spStr)
+		if err != nil {
+			// Base64 decoding fails, we should log to indicate
+			// something is malforming the request sent by client.
+			logger.LogIf(context.Background(), err)
+			return nil, errAuthentication
+		}
+		claims[iampolicy.SessionPolicyName] = string(spBytes)
+	}
 	return claims, nil
 }

--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -17,6 +17,7 @@
 package cmd

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"path"
@@ -649,16 +650,87 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 	return cred, ok && cred.IsValid()
 }

-// IsAllowed - checks given policy args is allowed to continue the Rest API.
-func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
+// IsAllowedSTS is meant for STS based temporary credentials,
+// which implements claims validation and verification other than
+// applying policies.
+func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
+	pname, ok := args.Claims[iampolicy.PolicyName]
+	if !ok {
+		// When claims are set, it should have a "policy" field.
+		return false
+	}
+	pnameStr, ok := pname.(string)
+	if !ok {
+		// When claims has "policy" field, it should be string.
+		return false
+	}
+
 	sys.RLock()
 	defer sys.RUnlock()

+	// If policy is available for given user, check the policy.
+	name, ok := sys.iamPolicyMap[args.AccountName]
+	if !ok {
+		// No policy available reject.
+		return false
+	}
+
+	if pnameStr != name {
+		// When claims has a policy, it should match the
+		// policy of args.AccountName which server remembers.
+		// if not reject such requests.
+		return false
+	}
+
+	// Now check if we have a sessionPolicy.
+	spolicy, ok := args.Claims[iampolicy.SessionPolicyName]
+	if !ok {
+		// Sub policy not set, this is most common since subPolicy
+		// is optional, use the top level policy only.
+		p, ok := sys.iamCannedPolicyMap[pnameStr]
+		return ok && p.IsAllowed(args)
+	}
+
+	spolicyStr, ok := spolicy.(string)
+	if !ok {
+		// Sub policy if set, should be a string reject
+		// malformed/malicious requests.
+		return false
+	}
+
+	// Check if policy is parseable.
+	subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr)))
+	if err != nil {
+		// Log any error in input session policy config.
+		logger.LogIf(context.Background(), err)
+		return false
+	}
+
+	// Policy without Version string value reject it.
+	if subPolicy.Version == "" {
+		return false
+	}
+
+	// Sub policy is set and valid.
+	p, ok := sys.iamCannedPolicyMap[pnameStr]
+	return ok && p.IsAllowed(args) && subPolicy.IsAllowed(args)
+}
+
+// IsAllowed - checks given policy args is allowed to continue the Rest API.
+func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool {
 	// If opa is configured, use OPA always.
 	if globalPolicyOPA != nil {
 		return globalPolicyOPA.IsAllowed(args)
 	}

+	// With claims set, we should do STS related checks and validation.
+	if len(args.Claims) > 0 {
+		return sys.IsAllowedSTS(args)
+	}
+
+	sys.RLock()
+	defer sys.RUnlock()
+
 	// If policy is available for given user, check the policy.
 	if name, found := sys.iamPolicyMap[args.AccountName]; found {
 		p, ok := sys.iamCannedPolicyMap[name]
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -17,13 +17,16 @@
 package cmd

 import (
+	"bytes"
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/http"

 	"github.com/gorilla/mux"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/iam/validator"
 	"github.com/minio/minio/pkg/wildcard"
 )
@@ -124,11 +127,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if r.Form.Get("Policy") != "" {
-		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
-		return
-	}
-
 	if r.Form.Get("Version") != stsAPIVersion {
 		logger.LogIf(ctx, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
 		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSMissingParameter))
@@ -147,6 +145,29 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	ctx = newContext(r, w, action)
 	defer logger.AuditLog(w, r, action, nil)

+	sessionPolicyStr := r.Form.Get("Policy")
+	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+	// The plain text that you use for both inline and managed session
+	// policies shouldn't exceed 2048 characters.
+	if len(sessionPolicyStr) > 2048 {
+		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+		return
+	}
+
+	if len(sessionPolicyStr) > 0 {
+		sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
+		if err != nil {
+			writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+			return
+		}
+
+		// Version in policy must not be empty
+		if sessionPolicy.Version == "" {
+			writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+			return
+		}
+	}
+
 	var err error
 	m := make(map[string]interface{})
 	m["exp"], err = validator.GetDefaultExpiration(r.Form.Get("DurationSeconds"))
@@ -171,7 +192,11 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	// This policy is the policy associated with the user
 	// requesting for temporary credentials. The temporary
 	// credentials will inherit the same policy requirements.
-	m["policy"] = policyName
+	m[iampolicy.PolicyName] = policyName
+
+	if len(sessionPolicyStr) > 0 {
+		m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
+	}

 	secret := globalServerConfig.GetCredential().SecretKey
 	cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
@@ -216,11 +241,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 		return
 	}

-	if r.Form.Get("Policy") != "" {
-		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
-		return
-	}
-
 	if r.Form.Get("Version") != stsAPIVersion {
 		logger.LogIf(ctx, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
 		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSMissingParameter))
@@ -276,6 +296,29 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 		return
 	}

+	sessionPolicyStr := r.Form.Get("Policy")
+	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
+	// The plain text that you use for both inline and managed session
+	// policies shouldn't exceed 2048 characters.
+	if len(sessionPolicyStr) > 2048 {
+		writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+		return
+	}
+
+	if len(sessionPolicyStr) > 0 {
+		sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
+		if err != nil {
+			writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+			return
+		}
+
+		// Version in policy must not be empty
+		if sessionPolicy.Version == "" {
+			writeSTSErrorResponse(w, stsErrCodes.ToSTSErr(ErrSTSInvalidParameterValue))
+			return
+		}
+	}
+
 	secret := globalServerConfig.GetCredential().SecretKey
 	cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
 	if err != nil {
@@ -289,7 +332,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 	// be set and configured on your identity provider as part of
 	// JWT custom claims.
 	var policyName string
-	if v, ok := m["policy"]; ok {
+	if v, ok := m[iampolicy.PolicyName]; ok {
 		policyName, _ = v.(string)
 	}

@@ -298,6 +341,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 		subFromToken, _ = v.(string)
 	}

+	if len(sessionPolicyStr) > 0 {
+		m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
+	}
+
 	// Set the newly generated credentials.
 	if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
 		logger.LogIf(ctx, err)