If role policy is configured, require that role ARN be set in STS (#13814)

Aditya Manthramurthy
2021-12-02 15:43:39 -08:00
committed by GitHub
parent f840080e5b
commit b14527b7af
2 changed files with 16 additions and 17 deletions


@@ -394,8 +394,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
}
var policyName string
roleArn := r.Form.Get(stsRoleArn)
if roleArn != "" {
if globalIAMSys.HasRolePolicy() {
roleArn := r.Form.Get(stsRoleArn)
_, err := globalIAMSys.GetRolePolicy(roleArn)
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
@@ -406,10 +406,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
// associated policy when credentials are used.
m[roleArnClaim] = roleArn
} else {
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
// If no role policy is configured, then we use claims from the
// JWT. This is a MinIO STS API specific value, this value
// should be set and configured on your identity provider as
// part of JWT custom claims.
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
policies := strings.Join(policySet.ToSlice(), ",")
if ok {
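Review bot: The replacement comment in the else branch ("If no role policy is configured, then we use claims from the JWT") no longer describes the condition it sits under: on the new side the branch is reached on `roleArn == ""` after the `HasRolePolicy()` test was dropped, so the fallback to JWT-claim policies is taken whenever the request omits RoleArn, whether or not a role policy is configured. Unless a check earlier in AssumeRoleWithSSO (outside these hunks) already rejects an empty RoleArn when `globalIAMSys.HasRolePolicy()` is true, that is the opposite of what the commit title states, and a policy derived from caller-supplied claims would be selected where the configured role policy was meant to be mandatory. If that guard exists elsewhere, point to it here, e.g. `// RoleArn is empty; when a role policy is configured the request was already rejected above, so fall back to the policy claim in the JWT.`; if it does not, the guard belongs on this path before the claims are consulted. The enclosing function continues past the end of the second hunk.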