fix: disallow invalid x-amz-security-token for root credentials (#13388)
* fix: disallow invalid x-amz-security-token for root credentials. Fixes #13335. This was a regression added in #12947 when this part of the code was refactored to avoid privilege issues with service accounts that carry a session policy. Bonus: - fix: AssumeRoleWithCertificate policy mapping and reload. AssumeRoleWithCertificate was not mapping to the correct policies even after successfully generating keys, since the claims associated with this API were never looked up properly. Ensure that policies are set appropriately. - The GetUser() API was not loading policies correctly for AccessKey-based mappings, which is the case for the OpenID and AssumeRoleWithCertificate APIs.
This commit is contained in:
parent
c49ebaaf1a
commit
8d52c7daf3
@ -1817,7 +1817,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
||||
|
||||
if ok && cred.IsValid() {
|
||||
if cred.IsServiceAccount() || cred.IsTemp() {
|
||||
policies, err := sys.policyDBGet(cred.ParentUser, false)
|
||||
policies, err := sys.policyDBGet(cred.AccessKey, false)
|
||||
if err != nil {
|
||||
// Reject if the policy map for user doesn't exist anymore.
|
||||
logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
|
||||
|
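Review bot: The error logged when the policy lookup fails still names cred.ParentUser, while the lookup itself appears to now be keyed by cred.AccessKey (the ParentUser/AccessKey pair is the only changed line in this hunk, and the description says GetUser should resolve policies by access key), so a missing mapping for a service account or STS credential is reported under the wrong identity. Log the key that was actually looked up: `logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.AccessKey))`. GetUser continues outside the hunk, so whether the credential is returned with an empty policy set or rejected after this log cannot be confirmed here.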
@ -149,6 +149,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
|
||||
// to retry with 503 errors when server is coming up.
|
||||
return auth.Credentials{}, false, ErrServerNotInitialized
|
||||
}
|
||||
|
||||
var owner = true
|
||||
var cred = globalActiveCred
|
||||
if cred.AccessKey != accessKey {
|
||||
@ -157,19 +158,25 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
|
||||
if !ok {
|
||||
return cred, false, ErrInvalidAccessKeyID
|
||||
}
|
||||
claims, s3Err := checkClaimsFromToken(r, ucred)
|
||||
if s3Err != ErrNone {
|
||||
return cred, false, s3Err
|
||||
}
|
||||
ucred.Claims = claims
|
||||
// Now check if we have a sessionPolicy.
|
||||
if _, ok = claims[iampolicy.SessionPolicyName]; ok {
|
||||
owner = false
|
||||
} else {
|
||||
owner = cred.AccessKey == ucred.ParentUser
|
||||
}
|
||||
cred = ucred
|
||||
}
|
||||
|
||||
claims, s3Err := checkClaimsFromToken(r, cred)
|
||||
if s3Err != ErrNone {
|
||||
return cred, false, s3Err
|
||||
}
|
||||
|
||||
if len(claims) > 0 {
|
||||
cred.Claims = claims
|
||||
|
||||
// Now check if we have a sessionPolicy.
|
||||
if _, ok := claims[iampolicy.SessionPolicyName]; ok {
|
||||
owner = false
|
||||
} else {
|
||||
owner = cred.AccessKey == cred.ParentUser
|
||||
}
|
||||
}
|
||||
|
||||
return cred, owner, ErrNone
|
||||
}
|
||||
|
||||
|
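Review bot: A non-root credential for which checkClaimsFromToken returns no claims keeps the `owner = true` default declared in the preceding hunk, because on the new side every assignment to owner sits inside `if len(claims) > 0`, whereas the removed code set owner for every non-root key. Unless checkClaimsFromToken (outside the hunk) is guaranteed to return a non-empty map for every non-root credential, a plain IAM user would be treated as the owner and its policies would not be consulted. Clear the flag as soon as the key is not the root key, e.g. `owner = false` directly before `cred = ucred`, and let the claims block only widen it from there. Separately, after `cred = ucred` the line `owner = cred.AccessKey == cred.ParentUser` compares a derived credential with its own parent, while the removed line compared the root access key with ucred.ParentUser; if detecting root-derived credentials is still the intent it should read `owner = globalActiveCred.AccessKey == cred.ParentUser`.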
@ -767,11 +767,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
parentUser := "tls:" + certificate.Subject.CommonName
|
||||
|
||||
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
|
||||
expClaim: time.Now().UTC().Add(expiry).Unix(),
|
||||
parentClaim: parentUser,
|
||||
subClaim: certificate.Subject.CommonName,
|
||||
audClaim: certificate.Subject.Organization,
|
||||
issClaim: certificate.Issuer.CommonName,
|
||||
expClaim: time.Now().UTC().Add(expiry).Unix(),
|
||||
parentClaim: parentUser,
|
||||
subClaim: certificate.Subject.CommonName,
|
||||
audClaim: certificate.Subject.Organization,
|
||||
issClaim: certificate.Issuer.CommonName,
|
||||
iamPolicyClaimNameOpenID(): certificate.Subject.CommonName,
|
||||
}, globalActiveCred.SecretKey)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
|
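Review bot: The new `iamPolicyClaimNameOpenID(): certificate.Subject.CommonName` entry is the line that makes policy lookup work for certificate-derived credentials, but nothing at the call site says so, and a reader will wonder why an OpenID claim name appears in an mTLS flow. Add a comment above it: `// Reuse the OpenID policy claim name so the IAM policy mapped to the certificate CN is resolved for these temporary credentials.` The same comment should state that the CN is copied from the client certificate verbatim into the policy, parent and subject claims, so which policy a caller receives rests entirely on how the trusted CA assigns CNs. AssumeRoleWithCertificate continues outside the hunk.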