diff --git a/cmd/iam.go b/cmd/iam.go
index 39416a64f..9b60f025e 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -24,6 +24,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "maps"
 "math/rand"
 "path"
 "sort"
@@ -366,14 +367,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 sys.rolesMap = make(map[arn.ARN]string)
 // From OpenID
- if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
- sys.validateAndAddRolePolicyMappings(ctx, riMap)
- }
+ maps.Copy(sys.rolesMap, sys.OpenIDConfig.GetRoleInfo())
 // From AuthN plugin if enabled.
 if authn := newGlobalAuthNPluginFn(); authn != nil {
- riMap := authn.GetRoleInfo()
- sys.validateAndAddRolePolicyMappings(ctx, riMap)
+ maps.Copy(sys.rolesMap, authn.GetRoleInfo())
 }
 sys.printIAMRoles()
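Review bot: With validateAndAddRolePolicyMappings removed, the two `maps.Copy` calls place role-to-policy mappings into sys.rolesMap without any startup log when a mapped policy does not exist, so a misconfigured role is now first noticed when an STS request fails rather than in the server log at Init. Dropping the `riMap != nil` guard is safe, since `maps.Copy` with a nil source is a no-op. If deferring validation to request time is intended, say so above the first copy: `// Mappings are copied unvalidated; when no authZ plugin is set, policy existence is checked per STS request.` Init continues outside the hunk, and `ctx` may no longer be needed on this path — worth confirming against the rest of the function.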
@@ -501,33 +499,6 @@ func (sys *IAMSys) periodicRoutines(ctx context.Context, baseInterval time.Durat
 }
 }
-func (sys *IAMSys) validateAndAddRolePolicyMappings(ctx context.Context, m map[arn.ARN]string) {
- // Validate that policies associated with roles are defined. If
- // authZ plugin is set, role policies are just claims sent to
- // the plugin and they need not exist.
- //
- // If some mapped policies do not exist, we print some error
- // messages but continue any way - they can be fixed in the
- // running server by creating the policies after start up.
- for arn, rolePolicies := range m {
- specifiedPoliciesSet := newMappedPolicy(rolePolicies).policySet()
- validPolicies, _ := sys.store.MergePolicies(rolePolicies)
- knownPoliciesSet := newMappedPolicy(validPolicies).policySet()
- unknownPoliciesSet := specifiedPoliciesSet.Difference(knownPoliciesSet)
- if len(unknownPoliciesSet) > 0 {
- authz := newGlobalAuthZPluginFn()
- if authz == nil {
- // Print a warning that some policies mapped to a role are not defined.
- errMsg := fmt.Errorf(
- "The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
- unknownPoliciesSet.ToSlice(), arn.String())
- authZLogIf(ctx, errMsg, logger.WarningKind)
- }
- }
- sys.rolesMap[arn] = rolePolicies
- }
-}
-
 // Prints IAM role ARNs.
 func (sys *IAMSys) printIAMRoles() {
 if len(sys.rolesMap) == 0 {
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 9ac887a89..80f512b4b 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
 return
 }
+ if newGlobalAuthZPluginFn() == nil {
+ // if authZ is not set - we expect the policies to be present.
+ if globalIAMSys.CurrentPolicies(p) == "" {
+ writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+ fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
+ return
+ }
+ }
 }
 if !globalIAMSys.doesPolicyAllow(p, policy.Args{
@@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 return
 }
+ _, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
+ if err != nil {
+ writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
+ return
+ }
+
+ if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
+ if globalIAMSys.CurrentPolicies(policyName) == "" {
+ writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+ fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
+ return
+ }
+ }
+
 res, err := authn.Authenticate(roleArn, token)
 if err != nil {
 writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
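Review bot: The `newGlobalAuthZPluginFn() == nil` / `CurrentPolicies(...) == ""` block is duplicated verbatim in AssumeRoleWithSSO and in the AssumeRoleWithCustomToken hunk below, with the explanatory comment on its own line in one and inline in the other; a small helper that returns the error would keep the two from drifting and give the capitalised error string a single home. The check only rejects when `CurrentPolicies` returns an empty string, so a mapping where some but not all policies exist is accepted without any log, which the removed startup validation used to warn about — presumably acceptable, but worth a comment where the helper is defined. In the second hunk the check runs before `authn.Authenticate`, so a request whose token has not yet been verified already receives a configuration-specific error; running it after authentication succeeds would keep responses to unauthenticated callers independent of policy configuration. Both enclosing handlers start and end outside the hunks.
```go
// validateRolePolicies returns an error when no authZ plugin is configured and
// none of the policies in p exist; with an authZ plugin the names are only claims.
// A mapping where some policies exist is accepted.
func validateRolePolicies(p string) error {
	if newGlobalAuthZPluginFn() != nil {
		return nil
	}
	if globalIAMSys.CurrentPolicies(p) == "" {
		return fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p)
	}
	return nil
}

// … in AssumeRoleWithSSO, replacing the added block (same shape in AssumeRoleWithCustomToken with policyName) …
if err := validateRolePolicies(p); err != nil {
	writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
	return
}
```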