If role policy is configured, require that role ARN be set in STS (#13814)
This commit is contained in:
parent
f840080e5b
commit
b14527b7af
21
cmd/iam.go
21
cmd/iam.go
@ -26,6 +26,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"path"
|
"path"
|
||||||
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
@ -338,12 +339,14 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||||||
|
|
||||||
// Prints IAM role ARNs.
|
// Prints IAM role ARNs.
|
||||||
func (sys *IAMSys) printIAMRoles() {
|
func (sys *IAMSys) printIAMRoles() {
|
||||||
arns := sys.GetRoleARNs()
|
if len(sys.rolesMap) == 0 {
|
||||||
|
|
||||||
if len(arns) == 0 {
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
var arns []string
|
||||||
|
for arn := range sys.rolesMap {
|
||||||
|
arns = append(arns, arn.String())
|
||||||
|
}
|
||||||
|
sort.Strings(arns)
|
||||||
msgs := make([]string, 0, len(arns))
|
msgs := make([]string, 0, len(arns))
|
||||||
for _, arn := range arns {
|
for _, arn := range arns {
|
||||||
msgs = append(msgs, color.Bold(arn))
|
msgs = append(msgs, color.Bold(arn))
|
||||||
@ -430,13 +433,9 @@ func (sys *IAMSys) loadWatchedEvent(ctx context.Context, event iamWatchEvent) (e
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRoleARNs - returns a list of enabled role ARNs.
|
// HasRolePolicy - returns if a role policy is configured for IAM.
|
||||||
func (sys *IAMSys) GetRoleARNs() []string {
|
func (sys *IAMSys) HasRolePolicy() bool {
|
||||||
var res []string
|
return len(sys.rolesMap) > 0
|
||||||
for arn := range sys.rolesMap {
|
|
||||||
res = append(res, arn.String())
|
|
||||||
}
|
|
||||||
return res
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRolePolicy - returns policies associated with a role ARN.
|
// GetRolePolicy - returns policies associated with a role ARN.
|
||||||
|
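Review bot: `HasRolePolicy` and the rewritten `printIAMRoles` both read `sys.rolesMap` with no lock held, and nothing in these hunks shows whether the map is populated only during Init or can be replaced on a later reload; if the latter, both are unsynchronized reads racing with that writer. Either way the answer belongs in the doc comment now that `HasRolePolicy` gates how STS picks a policy, e.g. `// HasRolePolicy reports whether at least one role ARN to policy mapping is configured; when true, STS callers must supply RoleArn and JWT policy claims are not consulted. rolesMap is written only during Init, so the unlocked read is safe.` with the last sentence kept only if it is actually true. The exported `GetRoleARNs` is deleted outright rather than deprecated, which is fine only if no other package calls it, something these hunks cannot show.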
@ -394,8 +394,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
}
|
}
|
||||||
|
|
||||||
var policyName string
|
var policyName string
|
||||||
roleArn := r.Form.Get(stsRoleArn)
|
if globalIAMSys.HasRolePolicy() {
|
||||||
if roleArn != "" {
|
roleArn := r.Form.Get(stsRoleArn)
|
||||||
_, err := globalIAMSys.GetRolePolicy(roleArn)
|
_, err := globalIAMSys.GetRolePolicy(roleArn)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
|
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
|
||||||
@ -406,10 +406,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
// associated policy when credentials are used.
|
// associated policy when credentials are used.
|
||||||
m[roleArnClaim] = roleArn
|
m[roleArnClaim] = roleArn
|
||||||
} else {
|
} else {
|
||||||
// JWT has requested a custom claim with policy value set.
|
// If no role policy is configured, then we use claims from the
|
||||||
// This is a MinIO STS API specific value, this value should
|
// JWT. This is a MinIO STS API specific value, this value
|
||||||
// be set and configured on your identity provider as part of
|
// should be set and configured on your identity provider as
|
||||||
// JWT custom claims.
|
// part of JWT custom claims.
|
||||||
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
|
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
|
||||||
policies := strings.Join(policySet.ToSlice(), ",")
|
policies := strings.Join(policySet.ToSlice(), ",")
|
||||||
if ok {
|
if ok {
|
||||||
|
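Review bot: The rule in the commit title, RoleArn must be set when role policies are configured, is enforced only indirectly at `_, err := globalIAMSys.GetRolePolicy(roleArn)`: a request that omits RoleArn passes `""` to the lookup and is rejected only if that lookup treats the empty string as an error, and its body is outside the hunk. A direct guard makes the contract explicit and gives the client an accurate message: `if roleArn == "" { writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, …); return }` placed before the GetRolePolicy call, with the error argument saying that RoleArn is required when role policies are configured. A one-line comment above `if globalIAMSys.HasRolePolicy() {` stating that the JWT policy claim is deliberately ignored in this mode would also help, since that is the security property the change establishes and a future reader may otherwise try to "restore" the claim path. AssumeRoleWithSSO starts and ends outside these hunks.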