reject expired STS credentials early without decoding sessionToken (#19072)

This commit is contained in:
Harshavardhana 2024-02-19 07:34:10 -08:00 committed by GitHub
parent 23c10350f3
commit 4c8197a119
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 9 additions and 0 deletions


@ -294,6 +294,11 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
return nil, ErrInvalidToken return nil, ErrInvalidToken
} }
// Expired credentials must return error right away.
if cred.IsTemp() && cred.IsExpired() {
return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
}
secret := globalActiveCred.SecretKey secret := globalActiveCred.SecretKey
if cred.IsServiceAccount() { if cred.IsServiceAccount() {
token = cred.SessionToken token = cred.SessionToken
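Review bot: The new guard at L17 is gated on `cred.IsTemp()`, but the comment on L16 promises that any expired credential is rejected here; a service-account credential carrying an expiration (if `auth.Credentials` supports one) would skip this check and fall through to the session-token decode, where presumably only the token's own `exp` claim catches it. Either widen the guard to `if cred.IsExpired() {` if `IsExpired` treats a zero `Expiration` as never-expiring, or narrow the comment to match the code: `// Expired STS (temporary) credentials are rejected before any session-token decoding or signature work.` Mapping the expiry to `errInvalidAccessKeyID` also makes it indistinguishable from an unknown key to the client; if the API error table has an expired-token code, returning it would let SDKs refresh instead of retrying the same credentials. The body of `checkClaimsFromToken` starts before and continues after this hunk.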


@ -113,6 +113,10 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b
return nil, errInvalidAccessKeyID return nil, errInvalidAccessKeyID
} }
cred := u.Credentials cred := u.Credentials
// Expired credentials return error.
if cred.IsTemp() && cred.IsExpired() {
return nil, errInvalidAccessKeyID
}
return []byte(cred.SecretKey), nil return []byte(cred.SecretKey), nil
} // this means claims.AccessKey == rootAccessKey } // this means claims.AccessKey == rootAccessKey
if !globalAPIConfig.permitRootAccess() { if !globalAPIConfig.permitRootAccess() {
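Review bot: The check at L31 runs only in the looked-up-user branch, so a credential that was found but has expired is rejected before its secret at L34 is handed back as the JWT verification key, which is the right order: the token's signature is never verified against a stale secret. As in the other file, the guard is limited to `cred.IsTemp()` while the comment at L30 speaks of expired credentials generally; if service accounts can carry an expiration here, they slip through to L34. The comment itself is too terse to explain the intent; suggest `// Reject expired STS credentials before returning their secret as the JWT key.` The enclosing `metricsRequestAuthenticate` begins before and ends after this hunk, so the root-key branch at L35 is only partly visible.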