Ensure that role ARNs don't collide (#13817)
This is to prepare for the multiple-providers enhancement.
This commit is contained in:
parent
d29df6714a
commit
4f35054d29
@ -855,7 +855,7 @@ func TestIAMWithOpenIDWithRolePolicyServerSuite(t *testing.T) {
|
||||
}
|
||||
|
||||
const (
|
||||
testRoleARN = "arn:minio:iam:::role/127.0.0.1_minio-cl"
|
||||
testRoleARN = "arn:minio:iam:::role/nOybJqMNzNmroqEKq5D0EUsRZw0"
|
||||
)
|
||||
|
||||
func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicy(c *check) {
|
||||
|
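Review bot: The new `testRoleARN` value is an opaque 27-character string with nothing tying it to its origin; presumably it is the base64url-encoded SHA-1 of the client ID configured by the test fixture, matching the derivation this commit introduces in the openid package, but that cannot be confirmed from the hunk. If so, a comment on the constant such as `// testRoleARN is the role ARN derived from the fixture's OpenID client ID (base64url of its SHA-1).` would let a maintainer regenerate the value when the fixture changes instead of copying it from a failing assertion. The function TestOpenIDSTSWithRolePolicy that follows continues outside the hunk.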
@ -59,9 +59,9 @@ type ARN struct {
|
||||
}
|
||||
|
||||
var (
|
||||
// Allows lower-case chars, numbers, '.', '-', '_' and '/'. Starts with
|
||||
// a letter or digit. At least 1 character long.
|
||||
validResourceIDRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_/\.-]*$`)
|
||||
// Allows english letters, numbers, '.', '-', '_' and '/'. Starts with a
|
||||
// letter or digit. At least 1 character long.
|
||||
validResourceIDRegex = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_/\.-]*$`)
|
||||
)
|
||||
|
||||
// NewIAMRoleARN - returns an ARN for a role in MinIO.
|
||||
|
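Review bot: The widened `validResourceIDRegex` still requires the first character to be `[A-Za-z0-9]`, but the openid hunk below derives resource IDs with `base64.RawURLEncoding`, whose alphabet also contains `-` and `_`; a SHA-1 digest whose top six bits map to either of those (2 of the 64 values) yields a resource ID this regex rejects, assuming NewIAMRoleARN validates against it (its body is outside the hunk). Either admit those characters in the leading class, `validResourceIDRegex = regexp.MustCompile(`^[A-Za-z0-9_-][A-Za-z0-9_/\.-]*$`)`, or hex-encode the digest on the openid side so every character is in `[0-9a-f]`; the same point applies to the LookupConfig hunk, so it is not repeated there. The doc comment should also read "English letters" and, if the leading class is widened, describe the new rule.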
@ -19,6 +19,8 @@ package openid
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/sha1"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
@ -576,11 +578,21 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
|
||||
return c, config.Errorf("unable to generate a domain from the OpenID config.")
|
||||
}
|
||||
}
|
||||
clientIDFragment := c.ClientID[:8]
|
||||
if clientIDFragment == "" {
|
||||
return c, config.Errorf("unable to get a non-empty clientID fragment from the OpenID config.")
|
||||
|
||||
if c.ClientID == "" {
|
||||
return c, config.Errorf("client ID must not be empty")
|
||||
}
|
||||
|
||||
// We set the resource ID of the role arn as a hash of client
|
||||
// ID, so we can get a short roleARN that stays the same on
|
||||
// restart.
|
||||
var resourceID string
|
||||
{
|
||||
h := sha1.New()
|
||||
h.Write([]byte(c.ClientID))
|
||||
bs := h.Sum(nil)
|
||||
resourceID = base64.RawURLEncoding.EncodeToString(bs)
|
||||
}
|
||||
resourceID := domain + "_" + clientIDFragment
|
||||
c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
|
||||
if err != nil {
|
||||
return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)
|
||||
|
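Review bot: The braced block around `h := sha1.New()` through `h.Sum(nil)` in LookupConfig can be collapsed to the array-returning helper, `sum := sha1.Sum([]byte(c.ClientID))` followed by `resourceID := base64.RawURLEncoding.EncodeToString(sum[:])`, which also drops the separate `var resourceID string` declaration and the unchecked `h.Write` return value that errcheck-style linters flag. The comment above it is worth extending to say the digest serves only as a short, stable identifier for the role ARN and is not a security control, so a later reader does not mistake the SHA-1 choice for one. LookupConfig starts and ends outside the hunk.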