From 4c8197a1198e6e44db9edc9bc169478867827847 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 19 Feb 2024 07:34:10 -0800
Subject: [PATCH] reject expired STS credentials early without decoding sessionToken (#19072)

---
 cmd/auth-handler.go | 5 +++++
 cmd/jwt.go          | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index 6621bda38..3aebc022f 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -294,6 +294,11 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
 		return nil, ErrInvalidToken
 	}
 
+	// Expired credentials must return error right away.
+	if cred.IsTemp() && cred.IsExpired() {
+		return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
+	}
+
 	secret := globalActiveCred.SecretKey
 	if cred.IsServiceAccount() {
 		token = cred.SessionToken
diff --git a/cmd/jwt.go b/cmd/jwt.go
index 166debd16..39740bb70 100644
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -113,6 +113,10 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b
 			return nil, errInvalidAccessKeyID
 		}
 		cred := u.Credentials
+		// Expired credentials return error.
+		if cred.IsTemp() && cred.IsExpired() {
+			return nil, errInvalidAccessKeyID
+		}
 		return []byte(cred.SecretKey), nil
 	}
 	// this means claims.AccessKey == rootAccessKey
 	if !globalAPIConfig.permitRootAccess() {
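Review bot: The new guard in checkClaimsFromToken reports an expired temporary credential as `errInvalidAccessKeyID` (InvalidAccessKeyId), which tells the caller its key does not exist rather than that its STS session has lapsed; the line just above already distinguishes a malformed token as `ErrInvalidToken`, so an expiry-specific code, if the codebase defines one, would be more accurate and lets clients that refresh on expiry react correctly. If InvalidAccessKeyId is deliberate so that expired and unknown keys are indistinguishable to a caller, the comment should say so, e.g. `// Expired temporary credentials are rejected before the session token is decoded; reported as InvalidAccessKeyId on purpose so expired and unknown keys look the same to the caller.` The guard also fires only for `cred.IsTemp()`; if service accounts can carry an expiration as well, `cred.IsExpired()` alone (assuming it treats a zero expiration as not expired) would cover both cases. No test accompanies the new branch. checkClaimsFromToken starts before and continues past this hunk.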
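Review bot: The comment `// Expired credentials return error.` restates the code; the non-obvious part is why the check sits inside what appears to be the JWT key-lookup callback, where the user is looked up by a `claims.AccessKey` that has presumably not yet been signature-verified, and refusing to return `cred.SecretKey` means an expired STS credential can never validate a metrics token no matter how it was signed. Suggest `// Withhold the signing secret for an expired temporary credential so the token cannot verify at all; the access key comes from unverified claims, so this path may only deny, never grant.` As in the auth-handler hunk, expiry is reported as `errInvalidAccessKeyID`; if an expiry-specific error is adopted there, keep this site consistent. metricsRequestAuthenticate begins and ends outside this hunk.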