feat: Allow at most one claim based OpenID IDP (#16145)

2025-11-08 21:24:55 -05:00 · 2022-11-29 15:40:49 -08:00
parent be92cf5959
commit 87cbd41265
5 changed files with 57 additions and 25 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -1187,6 +1187,7 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 	}

 	roleArn := iampolicy.Args{Claims: claims}.GetRoleArn()
+	policySetFromClaims, hasPolicyClaim := iampolicy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
 	var effectivePolicy iampolicy.Policy

 	var buf []byte
@@ -1198,16 +1199,19 @@ func (a adminAPIHandlers) AccountInfoHandler(w http.ResponseWriter, r *http.Requ
 				break
 			}
 		}
+
 	case roleArn != "":
 		_, policy, err := globalIAMSys.GetRolePolicy(roleArn)
 		if err != nil {
-			logger.LogIf(ctx, err)
 			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 			return
 		}
 		policySlice := newMappedPolicy(policy).toSlice()
 		effectivePolicy = globalIAMSys.GetCombinedPolicy(policySlice...)

+	case hasPolicyClaim:
+		effectivePolicy = globalIAMSys.GetCombinedPolicy(policySetFromClaims.ToSlice()...)
+
 	default:
 		policies, err := globalIAMSys.PolicyDBGet(accountName, false, cred.Groups...)
 		if err != nil {
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -343,17 +343,23 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ

 	accessToken := r.Form.Get(stsWebIdentityAccessToken)

+	// RoleARN parameter processing: If a role ARN is given in the request, we
+	// use that and validate the authentication request. If not, we assume this
+	// is an STS request for a claim based IDP (if one is present) and set
+	// roleArn = openid.DummyRoleARN.
+	//
+	// Currently, we do not support multiple claim based IDPs, as there is no
+	// defined parameter to disambiguate the intended IDP in this STS request.
 	roleArn := openid.DummyRoleARN
-	if globalIAMSys.HasRolePolicy() {
+	roleArnStr := r.Form.Get(stsRoleArn)
+	if roleArnStr != "" {
 		var err error
-		roleArnStr := r.Form.Get(stsRoleArn)
 		roleArn, _, err = globalIAMSys.GetRolePolicy(roleArnStr)
 		if err != nil {
 			writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
 				fmt.Errorf("Error processing %s parameter: %v", stsRoleArn, err))
 			return
 		}
-
 	}

 	// Validate JWT; check clientID in claims matches the one associated with the roleArn
@@ -376,7 +382,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 	}

 	var policyName string
-	if globalIAMSys.HasRolePolicy() {
+	if roleArnStr != "" && globalIAMSys.HasRolePolicy() {
 		// If roleArn is used, we set it as a claim, and use the
 		// associated policy when credentials are used.
 		claims[roleArnClaim] = roleArn.String()
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -1563,7 +1563,7 @@ func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicyWithPolVar(c *check, roleARN s
 	c.mustNotListObjects(ctx, lisaClient, "other")
 }

-func TestIAMWithOpenIDMultipleConfigsValidation(t *testing.T) {
+func TestIAMWithOpenIDMultipleConfigsValidation1(t *testing.T) {
 	openIDServer := os.Getenv(EnvTestOpenIDServer)
 	openIDServer2 := os.Getenv(EnvTestOpenIDServer2)
 	if openIDServer == "" || openIDServer2 == "" {
@@ -1576,6 +1576,38 @@ func TestIAMWithOpenIDMultipleConfigsValidation(t *testing.T) {
 		"readwrite",
 	}

+	for i, testCase := range iamTestSuites {
+		t.Run(
+			fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),
+			func(t *testing.T) {
+				c := &check{t, testCase.serverType}
+				suite := testCase
+
+				suite.SetUpSuite(c)
+				defer suite.TearDownSuite(c)
+
+				err := suite.SetUpOpenIDs(c, testApps, rolePolicies)
+				if err != nil {
+					c.Fatalf("config with 1 claim based and 1 role based provider should pass but got: %v", err)
+				}
+			},
+		)
+	}
+}
+
+func TestIAMWithOpenIDMultipleConfigsValidation2(t *testing.T) {
+	openIDServer := os.Getenv(EnvTestOpenIDServer)
+	openIDServer2 := os.Getenv(EnvTestOpenIDServer2)
+	if openIDServer == "" || openIDServer2 == "" {
+		t.Skip("Skipping OpenID test as enough OpenID servers are not provided.")
+	}
+	testApps := testClientApps
+
+	rolePolicies := []string{
+		"", // Treated as claim-based provider as no role policy is given.
+		"", // Treated as claim-based provider as no role policy is given.
+	}
+
 	for i, testCase := range iamTestSuites {
 		t.Run(
 			fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),
@@ -1588,7 +1620,7 @@ func TestIAMWithOpenIDMultipleConfigsValidation(t *testing.T) {

 				err := suite.SetUpOpenIDs(c, testApps, rolePolicies)
 				if err == nil {
-					c.Fatal("config with both claim based and role policy based providers should fail")
+					c.Fatalf("config with 2 claim based provider should fail")
 				}
 			},
 		)