mirror of
https://github.com/minio/minio.git
synced 2025-11-07 12:52:58 -05:00
support additional claim info in Auditing STS calls (#15381)
Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
This commit is contained in:
Harshavardhana
GitHub
@@ -183,6 +183,9 @@ func parseForm(r *http.Request) error {
|
||||
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := newContext(r, w, "AssumeRole")
|
||||
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
// Check auth here (otherwise r.Form will have unexpected values from
|
||||
// the call to `parseForm` below), but return failure only after we are
|
||||
// able to validate that it is a valid STS request, so that we are able
|
||||
@@ -208,7 +211,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
ctx = newContext(r, w, action)
|
||||
defer logger.AuditLog(ctx, w, r, nil)
|
||||
|
||||
// Validate the authentication result here so that failures will be
|
||||
// audit-logged.
|
||||
@@ -246,25 +248,22 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
m := map[string]interface{}{
|
||||
expClaim: UTCNow().Add(duration).Unix(),
|
||||
parentClaim: user.AccessKey,
|
||||
}
|
||||
claims[expClaim] = UTCNow().Add(duration).Unix()
|
||||
claims[parentClaim] = user.AccessKey
|
||||
|
||||
// Validate that user.AccessKey's policies can be retrieved - it may not
|
||||
// be in case the user is disabled.
|
||||
_, err = globalIAMSys.PolicyDBGet(user.AccessKey, false)
|
||||
if err != nil {
|
||||
if _, err = globalIAMSys.PolicyDBGet(user.AccessKey, false); err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
|
||||
return
|
||||
}
|
||||
|
||||
if len(sessionPolicyStr) > 0 {
|
||||
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
}
|
||||
|
||||
secret := globalActiveCred.SecretKey
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
return
|
||||
@@ -310,6 +309,9 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
||||
func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := newContext(r, w, "AssumeRoleSSOCommon")
|
||||
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
// Parse the incoming form data.
|
||||
if err := parseForm(r); err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
|
||||
@@ -333,7 +335,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
}
|
||||
|
||||
ctx = newContext(r, w, action)
|
||||
defer logger.AuditLog(ctx, w, r, nil)
|
||||
|
||||
token := r.Form.Get(stsToken)
|
||||
if token == "" {
|
||||
@@ -356,8 +357,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
}
|
||||
|
||||
// Validate JWT; check clientID in claims matches the one associated with the roleArn
|
||||
m, err := globalOpenIDConfig.Validate(roleArn, token, accessToken, r.Form.Get(stsDurationSeconds))
|
||||
if err != nil {
|
||||
if err := globalOpenIDConfig.Validate(roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
|
||||
switch err {
|
||||
case openid.ErrTokenExpired:
|
||||
switch action {
|
||||
@@ -379,13 +379,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
if globalIAMSys.HasRolePolicy() {
|
||||
// If roleArn is used, we set it as a claim, and use the
|
||||
// associated policy when credentials are used.
|
||||
m[roleArnClaim] = roleArn.String()
|
||||
claims[roleArnClaim] = roleArn.String()
|
||||
} else {
|
||||
// If no role policy is configured, then we use claims from the
|
||||
// JWT. This is a MinIO STS API specific value, this value
|
||||
// should be set and configured on your identity provider as
|
||||
// part of JWT custom claims.
|
||||
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
|
||||
policySet, ok := iampolicy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
|
||||
policies := strings.Join(policySet.ToSlice(), ",")
|
||||
if ok {
|
||||
policyName = globalIAMSys.CurrentPolicies(policies)
|
||||
@@ -402,7 +402,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
return
|
||||
}
|
||||
}
|
||||
m[iamPolicyClaimNameOpenID()] = policyName
|
||||
claims[iamPolicyClaimNameOpenID()] = policyName
|
||||
}
|
||||
|
||||
sessionPolicyStr := r.Form.Get(stsPolicy)
|
||||
@@ -427,11 +427,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
return
|
||||
}
|
||||
|
||||
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
}
|
||||
|
||||
secret := globalActiveCred.SecretKey
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
return
|
||||
@@ -443,7 +443,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
// parentUser as per the requirements for service accounts for OpenID
|
||||
// based logins.
|
||||
var subFromToken string
|
||||
if v, ok := m[subClaim]; ok {
|
||||
if v, ok := claims[subClaim]; ok {
|
||||
subFromToken, _ = v.(string)
|
||||
}
|
||||
|
||||
@@ -454,7 +454,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
}
|
||||
|
||||
var issFromToken string
|
||||
if v, ok := m[issClaim]; ok {
|
||||
if v, ok := claims[issClaim]; ok {
|
||||
issFromToken, _ = v.(string)
|
||||
}
|
||||
|
||||
@@ -540,7 +540,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
|
||||
func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")
|
||||
|
||||
defer logger.AuditLog(ctx, w, r, nil, stsLDAPPassword)
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims, stsLDAPPassword)
|
||||
|
||||
// Parse the incoming form data.
|
||||
if err := parseForm(r); err != nil {
|
||||
@@ -615,18 +616,16 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
||||
return
|
||||
}
|
||||
|
||||
m := map[string]interface{}{
|
||||
expClaim: UTCNow().Add(expiryDur).Unix(),
|
||||
ldapUser: ldapUserDN,
|
||||
ldapUserN: ldapUsername,
|
||||
}
|
||||
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
|
||||
claims[ldapUser] = ldapUserDN
|
||||
claims[ldapUserN] = ldapUsername
|
||||
|
||||
if len(sessionPolicyStr) > 0 {
|
||||
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
claims[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
|
||||
}
|
||||
|
||||
secret := globalActiveCred.SecretKey
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
|
||||
cred, err := auth.GetNewCredentialsWithMetadata(claims, secret)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
return
|
||||
@@ -682,6 +681,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
||||
func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := newContext(r, w, "AssumeRoleWithCertificate")
|
||||
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
if !globalSTSTLSConfig.Enabled {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
||||
return
|
||||
@@ -789,13 +791,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
// Associate any service accounts to the certificate CN
|
||||
parentUser := "tls:" + certificate.Subject.CommonName
|
||||
|
||||
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
|
||||
expClaim: UTCNow().Add(expiry).Unix(),
|
||||
parentClaim: parentUser,
|
||||
subClaim: certificate.Subject.CommonName,
|
||||
audClaim: certificate.Subject.Organization,
|
||||
issClaim: certificate.Issuer.CommonName,
|
||||
}, globalActiveCred.SecretKey)
|
||||
claims[expClaim] = UTCNow().Add(expiry).Unix()
|
||||
claims[subClaim] = certificate.Subject.CommonName
|
||||
claims[audClaim] = certificate.Subject.Organization
|
||||
claims[issClaim] = certificate.Issuer.CommonName
|
||||
claims[parentClaim] = parentUser
|
||||
|
||||
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
return
|
||||
@@ -838,6 +840,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := newContext(r, w, "AssumeRoleWithCustomToken")
|
||||
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
if globalAuthNPlugin == nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
|
||||
return
|
||||
@@ -849,8 +854,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
|
||||
return
|
||||
}
|
||||
|
||||
defer logger.AuditLog(ctx, w, r, nil)
|
||||
|
||||
token := r.Form.Get(stsToken)
|
||||
if token == "" {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid empty `Token` parameter provided"))
|
||||
@@ -904,21 +907,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
|
||||
parentUser := "custom:" + res.Success.User
|
||||
|
||||
// metadata map
|
||||
m := map[string]interface{}{
|
||||
expClaim: UTCNow().Add(time.Duration(expiry) * time.Second).Unix(),
|
||||
parentClaim: parentUser,
|
||||
subClaim: parentUser,
|
||||
roleArnClaim: roleArn.String(),
|
||||
}
|
||||
claims[expClaim] = UTCNow().Add(time.Duration(expiry) * time.Second).Unix()
|
||||
claims[subClaim] = parentUser
|
||||
claims[roleArnClaim] = roleArn.String()
|
||||
claims[parentClaim] = parentUser
|
||||
|
||||
// Add all other claims from the plugin **without** replacing any
|
||||
// existing claims.
|
||||
for k, v := range res.Success.Claims {
|
||||
if _, ok := m[k]; !ok {
|
||||
m[k] = v
|
||||
if _, ok := claims[k]; !ok {
|
||||
claims[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(m, globalActiveCred.SecretKey)
|
||||
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
|
||||
if err != nil {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user