mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
reject expired STS credentials early without decoding sessionToken (#19072)
This commit is contained in:
parent
23c10350f3
commit
4c8197a119
@ -294,6 +294,11 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
|
|||||||
return nil, ErrInvalidToken
|
return nil, ErrInvalidToken
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Expired credentials must return error right away.
|
||||||
|
if cred.IsTemp() && cred.IsExpired() {
|
||||||
|
return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
|
||||||
|
}
|
||||||
|
|
||||||
secret := globalActiveCred.SecretKey
|
secret := globalActiveCred.SecretKey
|
||||||
if cred.IsServiceAccount() {
|
if cred.IsServiceAccount() {
|
||||||
token = cred.SessionToken
|
token = cred.SessionToken
|
||||||
|
@ -113,6 +113,10 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b
|
|||||||
return nil, errInvalidAccessKeyID
|
return nil, errInvalidAccessKeyID
|
||||||
}
|
}
|
||||||
cred := u.Credentials
|
cred := u.Credentials
|
||||||
|
// Expired credentials return error.
|
||||||
|
if cred.IsTemp() && cred.IsExpired() {
|
||||||
|
return nil, errInvalidAccessKeyID
|
||||||
|
}
|
||||||
return []byte(cred.SecretKey), nil
|
return []byte(cred.SecretKey), nil
|
||||||
} // this means claims.AccessKey == rootAccessKey
|
} // this means claims.AccessKey == rootAccessKey
|
||||||
if !globalAPIConfig.permitRootAccess() {
|
if !globalAPIConfig.permitRootAccess() {
|
||||||
|
Loading…
Reference in New Issue
Block a user