
Ensure that role ARNs don't collide ()

This prepares for the multiple-providers enhancement.
This commit is contained in:
Aditya Manthramurthy 2021-12-03 13:15:56 -08:00 committed by GitHub
parent d29df6714a
commit 4f35054d29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 8 deletions
cmd
internal
arn
config/identity/openid

@ -855,7 +855,7 @@ func TestIAMWithOpenIDWithRolePolicyServerSuite(t *testing.T) {
} }
const ( const (
testRoleARN = "arn:minio:iam:::role/127.0.0.1_minio-cl" testRoleARN = "arn:minio:iam:::role/nOybJqMNzNmroqEKq5D0EUsRZw0"
) )
func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicy(c *check) { func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicy(c *check) {

@ -59,9 +59,9 @@ type ARN struct {
} }
var ( var (
// Allows lower-case chars, numbers, '.', '-', '_' and '/'. Starts with // Allows english letters, numbers, '.', '-', '_' and '/'. Starts with a
// a letter or digit. At least 1 character long. // letter or digit. At least 1 character long.
validResourceIDRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_/\.-]*$`) validResourceIDRegex = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_/\.-]*$`)
) )
// NewIAMRoleARN - returns an ARN for a role in MinIO. // NewIAMRoleARN - returns an ARN for a role in MinIO.

@ -19,6 +19,8 @@ package openid
import ( import (
"crypto" "crypto"
"crypto/sha1"
"encoding/base64"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -576,11 +578,21 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
return c, config.Errorf("unable to generate a domain from the OpenID config.") return c, config.Errorf("unable to generate a domain from the OpenID config.")
} }
} }
clientIDFragment := c.ClientID[:8]
if clientIDFragment == "" { if c.ClientID == "" {
return c, config.Errorf("unable to get a non-empty clientID fragment from the OpenID config.") return c, config.Errorf("client ID must not be empty")
}
// We set the resource ID of the role arn as a hash of client
// ID, so we can get a short roleARN that stays the same on
// restart.
var resourceID string
{
h := sha1.New()
h.Write([]byte(c.ClientID))
bs := h.Sum(nil)
resourceID = base64.RawURLEncoding.EncodeToString(bs)
} }
resourceID := domain + "_" + clientIDFragment
c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion) c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
if err != nil { if err != nil {
return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err) return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)
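Review bot: The base64url-encoded SHA-1 digest assigned to `resourceID` in the new block under `var resourceID string` can begin with `-` or `_`, the last two symbols of the RawURLEncoding alphabet, while the updated `validResourceIDRegex` in internal/arn still requires the first character to be a letter or digit; for roughly 1 in 32 client IDs (first digest byte 0xF8–0xFF) `arn.NewIAMRoleARN` therefore rejects the ID and config loading fails with "unable to generate ARN from the OpenID config". A fixed alphanumeric prefix such as `resourceID = "oidc-" + base64.RawURLEncoding.EncodeToString(bs)`, or `hex.EncodeToString(bs)` in place of base64, keeps the value deterministic across restarts and always valid; the `testRoleARN` constant in the cmd test would need the matching update. The ignored return values of `h.Write` are fine for a `hash.Hash` but deserve a short comment, e.g. `// hash.Hash.Write never returns an error`. LookupConfig begins before this hunk.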