simplify validating policy mapping (#21450)

This commit is contained in:
M Alvee
2025-07-23 21:54:02 +06:00
committed by GitHub
parent 50fcf9b670
commit 7ced9663e6
2 changed files with 25 additions and 32 deletions


@@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
return
}
if newGlobalAuthZPluginFn() == nil {
// if authZ is not set - we expect the policies to be present.
if globalIAMSys.CurrentPolicies(p) == "" {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
return
}
}
}
if !globalIAMSys.doesPolicyAllow(p, policy.Args{
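Review bot: The guard added here (`newGlobalAuthZPluginFn() == nil` → `CurrentPolicies(...) == ""` → `ErrSTSInvalidParameterValue`) is repeated verbatim in the AssumeRoleWithCustomToken hunk, and the two copies already disagree on where the explanatory comment sits (its own line here, trailing the `if` there); a single helper would keep the condition, the comment and the error text in one place so the two STS paths cannot drift apart. The comment should also say why the check is skipped when a plugin is configured, e.g. `// With no external authZ plugin, access is decided from locally defined policies, so the mapped policy names must exist; presumably credentials bound to unknown policies would otherwise be issued with no usable policy — confirm.` The enclosing handler starts and ends outside this hunk, so the helper below is a sketch of the extracted check and the call site would become `if !ensurePoliciesDefined(ctx, w, p) { return }`.
```go
// ensurePoliciesDefined rejects the request when no authZ plugin is configured
// and none of the named policies is defined locally. It writes the STS error
// response itself and reports whether the caller may continue.
func ensurePoliciesDefined(ctx context.Context, w http.ResponseWriter, policyName string) bool {
	if newGlobalAuthZPluginFn() != nil {
		// An external authZ plugin decides access; policy names need not exist locally.
		return true
	}
	if globalIAMSys.CurrentPolicies(policyName) == "" {
		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
			fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
		return false
	}
	return true
}
```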
@@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
return
}
_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
return
}
if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
if globalIAMSys.CurrentPolicies(policyName) == "" {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
return
}
}
res, err := authn.Authenticate(roleArn, token)
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)