Ensure that role ARNs don't collide (#13817)

This is to prepare for multiple providers enhancement.
2021-12-03 13:15:56 -08:00 · 2021-12-03 13:15:56 -08:00 · 4f35054d29
parent d29df6714a
commit 4f35054d29
3 changed files with 20 additions and 8 deletions
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@ -855,7 +855,7 @@ func TestIAMWithOpenIDWithRolePolicyServerSuite(t *testing.T) {
 }

 const (
-	testRoleARN = "arn:minio:iam:::role/127.0.0.1_minio-cl"
+	testRoleARN = "arn:minio:iam:::role/nOybJqMNzNmroqEKq5D0EUsRZw0"
 )

 func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicy(c *check) {
--- a/internal/arn/arn.go
+++ b/internal/arn/arn.go
@ -59,9 +59,9 @@ type ARN struct {
 }

 var (
-	// Allows lower-case chars, numbers, '.', '-', '_' and '/'. Starts with
-	// a letter or digit. At least 1 character long.
-	validResourceIDRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_/\.-]*$`)
+	// Allows english letters, numbers, '.', '-', '_' and '/'. Starts with a
+	// letter or digit. At least 1 character long.
+	validResourceIDRegex = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_/\.-]*$`)
 )

 // NewIAMRoleARN - returns an ARN for a role in MinIO.
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@ -19,6 +19,8 @@ package openid

 import (
 	"crypto"
+	"crypto/sha1"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -576,11 +578,21 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
 				return c, config.Errorf("unable to generate a domain from the OpenID config.")
 			}
 		}
-		clientIDFragment := c.ClientID[:8]
-		if clientIDFragment == "" {
-			return c, config.Errorf("unable to get a non-empty clientID fragment from the OpenID config.")
+
+		if c.ClientID == "" {
+			return c, config.Errorf("client ID must not be empty")
+		}
+
+		// We set the resource ID of the role arn as a hash of client
+		// ID, so we can get a short roleARN that stays the same on
+		// restart.
+		var resourceID string
+		{
+			h := sha1.New()
+			h.Write([]byte(c.ClientID))
+			bs := h.Sum(nil)
+			resourceID = base64.RawURLEncoding.EncodeToString(bs)
 		}
-		resourceID := domain + "_" + clientIDFragment
 		c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
 		if err != nil {
 			return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)