MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 21:02:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

tests: add OpenID service accounts creation and update (#13708)

Browse Source 
- service account creation for STS accounts
- service account session policy update for STS accounts
- refactor svc acc tests and add them for OpenID
This commit is contained in:
Aditya Manthramurthy
2021-11-20 02:07:16 -08:00
committed by GitHub
parent 1cddbc80cf
commit 9739e55d0f
3 changed files with 260 additions and 280 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
cmd/iam-store.go
View File

@@ -1464,24 +1464,8 @@ func (store *IAMStoreSys) AddServiceAccount(ctx context.Context, cred auth.Crede
return errIAMActionNotAllowed
}
// Check that at least one policy is available.
policies, err := cache.policyDBGet(store.getUsersSysType(), parentUser, false)
if err != nil {
return err
}
for _, group := range cred.Groups {
gp, err := cache.policyDBGet(store.getUsersSysType(), group, true)
if err != nil && err != errNoSuchGroup {
return err
}
policies = append(policies, gp...)
}
if len(policies) == 0 {
return errNoSuchUser
}
u := newUserIdentity(cred)
err = store.saveUserIdentity(ctx, u.Credentials.AccessKey, svcUser, u)
err := store.saveUserIdentity(ctx, u.Credentials.AccessKey, svcUser, u)
if err != nil {
return err
}
@@ -1519,8 +1503,12 @@ func (store *IAMStoreSys) UpdateServiceAccount(ctx context.Context, accessKey st
}
if opts.sessionPolicy != nil {
m := make(map[string]interface{})
err := opts.sessionPolicy.Validate()
m, err := getClaimsFromToken(cr.SessionToken)
if err != nil {
return fmt.Errorf("unable to get svc acc claims: %v", err)
}
err = opts.sessionPolicy.Validate()
if err != nil {
return err
}
@@ -1532,9 +1520,9 @@ func (store *IAMStoreSys) UpdateServiceAccount(ctx context.Context, accessKey st
return fmt.Errorf("Session policy should not exceed 16 KiB characters")
}
// Overwrite session policy claims.
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString(policyBuf)
m[iamPolicyClaimNameSA()] = "embedded-policy"
m[parentClaim] = cr.ParentUser
cr.SessionToken, err = auth.JWTSignWithAccessKey(accessKey, m, globalActiveCred.SecretKey)
if err != nil {
return err