MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-12 15:33:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

allow claims to be optional in STS (#10078)

Browse Source 
not all claims need to be present for
the JWT claim, let the policies not
exist and only apply which are present
when generating the credentials

once credentials are generated then
those policies should exist, otherwise
the request will fail.
This commit is contained in:
Harshavardhana 2020-07-19 15:34:01 -07:00 committed by GitHub
parent aa6468932b
commit 7764c542f2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
cmd/iam.go
View File

@ -675,6 +675,24 @@ func (sys *IAMSys) DeleteUser(accessKey string) error {
return err return err
} }
// returns comma separated policy string, from an input policy
// after validating if there are any current policies which exist
// on MinIO corresponding to the input.
func (sys *IAMSys) currentPolicies(policyName string) string {
sys.store.rlock()
defer sys.store.runlock()
var policies []string
mp := newMappedPolicy(policyName)
for _, policy := range mp.toSlice() {
_, found := sys.iamPolicyDocsMap[policy]
if found {
policies = append(policies, policy)
}
}
return strings.Join(policies, ",")
}
// SetTempUser - set temporary user credentials, these credentials have an expiry. // SetTempUser - set temporary user credentials, these credentials have an expiry.
func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error { func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
objectAPI := newObjectLayerWithoutSafeModeFn() objectAPI := newObjectLayerWithoutSafeModeFn()
@ -693,10 +711,9 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
mp := newMappedPolicy(policyName) mp := newMappedPolicy(policyName)
for _, policy := range mp.toSlice() { for _, policy := range mp.toSlice() {
p, found := sys.iamPolicyDocsMap[policy] p, found := sys.iamPolicyDocsMap[policy]
if !found { if found {
return fmt.Errorf("%w: (%s)", errNoSuchPolicy, policy) availablePolicies = append(availablePolicies, p)
} }
availablePolicies = append(availablePolicies, p)
} }
combinedPolicy := availablePolicies[0] combinedPolicy := availablePolicies[0]
@ -1671,6 +1688,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args) bool {
for _, pname := range mp.toSlice() { for _, pname := range mp.toSlice() {
p, found := sys.iamPolicyDocsMap[pname] p, found := sys.iamPolicyDocsMap[pname]
if !found { if !found {
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing for the LDAPUser %s, rejecting the request", pname, user))
return false return false
} }
policies = append(policies, p) policies = append(policies, p)
@ -1684,6 +1702,7 @@ func (sys *IAMSys) IsAllowedLDAPSTS(args iampolicy.Args) bool {
for _, pname := range mp.toSlice() { for _, pname := range mp.toSlice() {
p, found := sys.iamPolicyDocsMap[pname] p, found := sys.iamPolicyDocsMap[pname]
if !found { if !found {
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing for the LDAPGroup %s, rejecting the request", pname, group))
return false return false
} }
policies = append(policies, p) policies = append(policies, p)
@ -1744,7 +1763,8 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
for pname := range policies { for pname := range policies {
p, found := sys.iamPolicyDocsMap[pname] p, found := sys.iamPolicyDocsMap[pname]
if !found { if !found {
logger.LogIf(GlobalContext, fmt.Errorf("%w: (%s)", errNoSuchPolicy, pname)) // all policies presented in the claim should exist
logger.LogIf(GlobalContext, fmt.Errorf("expected policy (%s) missing from the JWT claim %s, rejecting the request", pname, iamPolicyClaimNameOpenID()))
return false return false
} }
availablePolicies = append(availablePolicies, p) availablePolicies = append(availablePolicies, p)

26
cmd/sts-handlers.go
View File

@ -318,6 +318,22 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
return return
} }
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
var policyName string
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
if ok {
policyName = globalIAMSys.currentPolicies(strings.Join(policySet.ToSlice(), ","))
}
if policyName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return
}
m[iamPolicyClaimNameOpenID()] = policyName
sessionPolicyStr := r.Form.Get(stsPolicy) sessionPolicyStr := r.Form.Get(stsPolicy)
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html // https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
// The plain text that you use for both inline and managed session // The plain text that you use for both inline and managed session
@ -352,16 +368,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
return return
} }
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
var policyName string
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
if ok {
policyName = strings.Join(policySet.ToSlice(), ",")
}
var subFromToken string var subFromToken string
if v, ok := m[subClaim]; ok { if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string) subFromToken, _ = v.(string)