fix: disallow invalid x-amz-security-token for root credentials (#13388)

* fix: disallow invalid x-amz-security-token for root credentials

fixes #13335

This was a regression added in #12947 when this part of the
code was refactored to avoid privilege issues with service
accounts with session policy.

Bonus: 

- fix: AssumeRoleWithCertificate policy mapping and reload

  AssumeRoleWithCertificate was not mapping to correct
  policies even after successfully generating keys, since
  the claims associated with this API were never looked up
  properly. Ensure that policies are set appropriately.

- GetUser() API was not loading policies correctly based
  on AccessKey based mapping which is true with OpenID
  and AssumeRoleWithCertificate API.
This commit is contained in:
Harshavardhana 2021-10-09 22:00:23 -07:00 committed by GitHub
parent c49ebaaf1a
commit 8d52c7daf3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 17 deletions

View File

@ -1817,7 +1817,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
if ok && cred.IsValid() { if ok && cred.IsValid() {
if cred.IsServiceAccount() || cred.IsTemp() { if cred.IsServiceAccount() || cred.IsTemp() {
policies, err := sys.policyDBGet(cred.ParentUser, false) policies, err := sys.policyDBGet(cred.AccessKey, false)
if err != nil { if err != nil {
// Reject if the policy map for user doesn't exist anymore. // Reject if the policy map for user doesn't exist anymore.
logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser)) logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))

View File

@ -149,6 +149,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
// to retry with 503 errors when server is coming up. // to retry with 503 errors when server is coming up.
return auth.Credentials{}, false, ErrServerNotInitialized return auth.Credentials{}, false, ErrServerNotInitialized
} }
var owner = true var owner = true
var cred = globalActiveCred var cred = globalActiveCred
if cred.AccessKey != accessKey { if cred.AccessKey != accessKey {
@ -157,19 +158,25 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
if !ok { if !ok {
return cred, false, ErrInvalidAccessKeyID return cred, false, ErrInvalidAccessKeyID
} }
claims, s3Err := checkClaimsFromToken(r, ucred)
if s3Err != ErrNone {
return cred, false, s3Err
}
ucred.Claims = claims
// Now check if we have a sessionPolicy.
if _, ok = claims[iampolicy.SessionPolicyName]; ok {
owner = false
} else {
owner = cred.AccessKey == ucred.ParentUser
}
cred = ucred cred = ucred
} }
claims, s3Err := checkClaimsFromToken(r, cred)
if s3Err != ErrNone {
return cred, false, s3Err
}
if len(claims) > 0 {
cred.Claims = claims
// Now check if we have a sessionPolicy.
if _, ok := claims[iampolicy.SessionPolicyName]; ok {
owner = false
} else {
owner = cred.AccessKey == cred.ParentUser
}
}
return cred, owner, ErrNone return cred, owner, ErrNone
} }

View File

@ -767,11 +767,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
parentUser := "tls:" + certificate.Subject.CommonName parentUser := "tls:" + certificate.Subject.CommonName
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{ tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
expClaim: time.Now().UTC().Add(expiry).Unix(), expClaim: time.Now().UTC().Add(expiry).Unix(),
parentClaim: parentUser, parentClaim: parentUser,
subClaim: certificate.Subject.CommonName, subClaim: certificate.Subject.CommonName,
audClaim: certificate.Subject.Organization, audClaim: certificate.Subject.Organization,
issClaim: certificate.Issuer.CommonName, issClaim: certificate.Issuer.CommonName,
iamPolicyClaimNameOpenID(): certificate.Subject.CommonName,
}, globalActiveCred.SecretKey) }, globalActiveCred.SecretKey)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)