If role policy is configured, require that role ARN be set in STS (#13814)

This commit is contained in:
Aditya Manthramurthy 2021-12-02 15:43:39 -08:00 committed by GitHub
parent f840080e5b
commit b14527b7af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 17 deletions


@ -26,6 +26,7 @@ import (
"fmt" "fmt"
"math/rand" "math/rand"
"path" "path"
"sort"
"strings" "strings"
"sync" "sync"
"time" "time"
@ -338,12 +339,14 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
// Prints IAM role ARNs. // Prints IAM role ARNs.
func (sys *IAMSys) printIAMRoles() { func (sys *IAMSys) printIAMRoles() {
arns := sys.GetRoleARNs() if len(sys.rolesMap) == 0 {
if len(arns) == 0 {
return return
} }
var arns []string
for arn := range sys.rolesMap {
arns = append(arns, arn.String())
}
sort.Strings(arns)
msgs := make([]string, 0, len(arns)) msgs := make([]string, 0, len(arns))
for _, arn := range arns { for _, arn := range arns {
msgs = append(msgs, color.Bold(arn)) msgs = append(msgs, color.Bold(arn))
@ -430,13 +433,9 @@ func (sys *IAMSys) loadWatchedEvent(ctx context.Context, event iamWatchEvent) (e
return err return err
} }
// GetRoleARNs - returns a list of enabled role ARNs. // HasRolePolicy - returns if a role policy is configured for IAM.
func (sys *IAMSys) GetRoleARNs() []string { func (sys *IAMSys) HasRolePolicy() bool {
var res []string return len(sys.rolesMap) > 0
for arn := range sys.rolesMap {
res = append(res, arn.String())
}
return res
} }
// GetRolePolicy - returns policies associated with a role ARN. // GetRolePolicy - returns policies associated with a role ARN.
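Review bot: HasRolePolicy reads `sys.rolesMap` with no lock visible in the hunk, and the rewritten printIAMRoles ranges over the same map in the same way; if rolesMap can be modified after Init, both reads race with the writer, and because HasRolePolicy is now consulted on every AssumeRoleWithSSO request the exposure is wider than the old print-once path. If the map is written only during Init and is read-only afterwards, that invariant is worth stating on the method so a later change does not silently break it, e.g. `// rolesMap is populated during Init and not modified afterwards, so it is read here without holding sys.Lock.`; if it is not, the read should take the same lock the writer uses. The replaced GetRoleARNs was an exported method of IAMSys; the diffstat lists only these two files, so presumably it had no other callers, but the rename is a public API removal and should be called out in the description.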


@ -394,8 +394,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
} }
var policyName string var policyName string
roleArn := r.Form.Get(stsRoleArn) if globalIAMSys.HasRolePolicy() {
if roleArn != "" { roleArn := r.Form.Get(stsRoleArn)
_, err := globalIAMSys.GetRolePolicy(roleArn) _, err := globalIAMSys.GetRolePolicy(roleArn)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
@ -406,10 +406,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
// associated policy when credentials are used. // associated policy when credentials are used.
m[roleArnClaim] = roleArn m[roleArnClaim] = roleArn
} else { } else {
// JWT has requested a custom claim with policy value set. // If no role policy is configured, then we use claims from the
// This is a MinIO STS API specific value, this value should // JWT. This is a MinIO STS API specific value, this value
// be set and configured on your identity provider as part of // should be set and configured on your identity provider as
// JWT custom claims. // part of JWT custom claims.
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID()) policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
policies := strings.Join(policySet.ToSlice(), ",") policies := strings.Join(policySet.ToSlice(), ",")
if ok { if ok {
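Review bot: In the new `if globalIAMSys.HasRolePolicy()` branch, a request that omits RoleArn passes the empty string straight into GetRolePolicy and is rejected only by whatever that lookup reports, so a client sees a generic ErrSTSInvalidParameterValue rather than being told the parameter is now mandatory. An explicit `if roleArn == ""` guard before the GetRolePolicy call, writing the same ErrSTSInvalidParameterValue response with a message stating that RoleArn is required when role policies are configured, would make the requirement named in the commit title visible at the API boundary and distinguish a missing ARN from an unknown one. The gate also makes the JWT policy-claim path in the second hunk unreachable once any role policy exists, which appears to be the intent; a one-line comment on the `if globalIAMSys.HasRolePolicy()` line saying that claim-derived policies are deliberately ignored in that configuration would help future readers. AssumeRoleWithSSO starts and ends outside these hunks, and the writeSTSErrorResponse call in the first hunk continues past the visible lines.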