support additional claim info in Auditing STS calls (#15381)

Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API Fixes #9529
2025-11-08 21:24:55 -05:00 · 2022-07-22 11:12:03 -07:00
parent ff5a5c1ee0
commit b0d70a0e5e
3 changed files with 63 additions and 59 deletions
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -131,7 +131,7 @@ const (
 )

 // Validate - validates the id_token.
-func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[string]interface{}, error) {
+func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string, claims jwtgo.MapClaims) error {
 	jp := new(jwtgo.Parser)
 	jp.ValidMethods = []string{
 		"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
@@ -148,33 +148,32 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st

 	pCfg, ok := r.arnProviderCfgsMap[arn]
 	if !ok {
-		return nil, fmt.Errorf("Role %s does not exist", arn)
+		return fmt.Errorf("Role %s does not exist", arn)
 	}

-	var claims jwtgo.MapClaims
 	jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
 	if err != nil {
 		// Re-populate the public key in-case the JWKS
 		// pubkeys are refreshed
 		if err = r.PopulatePublicKey(arn); err != nil {
-			return nil, err
+			return err
 		}
 		jwtToken, err = jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
 		if err != nil {
-			return nil, err
+			return err
 		}
 	}

 	if !jwtToken.Valid {
-		return nil, ErrTokenExpired
+		return ErrTokenExpired
 	}

 	if err = updateClaimsExpiry(dsecs, claims); err != nil {
-		return nil, err
+		return err
 	}

 	if err = r.updateUserinfoClaims(arn, accessToken, claims); err != nil {
-		return nil, err
+		return err
 	}

 	// Validate that matching clientID appears in the aud or azp claims.
@@ -188,7 +187,7 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st
 	// case sensitive
 	audValues, ok := iampolicy.GetValuesFromClaims(claims, audClaim)
 	if !ok {
-		return nil, errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID")
+		return errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID")
 	}
 	if !audValues.Contains(pCfg.ClientID) {
 		// if audience claims is missing, look for "azp" claims.
@@ -202,14 +201,14 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st
 		// string containing a StringOrURI value
 		azpValues, ok := iampolicy.GetValuesFromClaims(claims, azpClaim)
 		if !ok {
-			return nil, errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
+			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
 		}
 		if !azpValues.Contains(pCfg.ClientID) {
-			return nil, errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
+			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
 		}
 	}

-	return claims, nil
+	return nil
 }

 func (r *Config) updateUserinfoClaims(arn arn.ARN, accessToken string, claims map[string]interface{}) error {