From c3f689a7d9d1fdf0689117a32b5954f589453dac Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sat, 30 Apr 2022 15:23:53 -0700
Subject: [PATCH] JWKS should be parsed before usage (#14842)
fixes #14811
---
go.mod | 2 +-
go.sum | 4 ++--
internal/config/identity/openid/jwt.go | 30 ++++++++++++--------------
3 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/go.mod b/go.mod
index fb3319261..5700bfcc8 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 github.com/minio/kes v0.19.2
 github.com/minio/madmin-go v1.3.12
 github.com/minio/minio-go/v7 v7.0.24
-github.com/minio/pkg v1.1.22
+github.com/minio/pkg v1.1.23
 github.com/minio/selfupdate v0.4.0
 github.com/minio/sha256-simd v1.0.0
 github.com/minio/simdjson-go v0.4.2
diff --git a/go.sum b/go.sum
index 34bb49919..79cace668 100644
--- a/go.sum
+++ b/go.sum
@@ -625,8 +625,8 @@ github.com/minio/minio-go/v7 v7.0.23/go.mod h1:ei5JjmxwHaMrgsMrn4U/+Nmg+d8MKS1U2
 github.com/minio/minio-go/v7 v7.0.24 h1:HPlHiET6L5gIgrHRaw1xFo1OaN4bEP/082asWh3WJtI=
 github.com/minio/minio-go/v7 v7.0.24/go.mod h1:x81+AX5gHSfCSqw7jxRKHvxUXMlE5uKX0Vb75Xk5yYg=
 github.com/minio/pkg v1.1.20/go.mod h1:Xo7LQshlxGa9shKwJ7NzQbgW4s8T/Wc1cOStR/eUiMY=
-github.com/minio/pkg v1.1.22 h1:Fm3oPu9LJag0FhD5BjFxj0Ut+M8S8IkiPHaq5OAoZaM=
-github.com/minio/pkg v1.1.22/go.mod h1:z9PfmEI804KFkF6eY4LoGe8IDVvTCsYGVuaf58Dr0WI=
+github.com/minio/pkg v1.1.23 h1:CJSoPslQCWZW3z3T79+pv9dVBDCQEK3ipiwXcoAtzY0=
+github.com/minio/pkg v1.1.23/go.mod h1:z9PfmEI804KFkF6eY4LoGe8IDVvTCsYGVuaf58Dr0WI=
 github.com/minio/selfupdate v0.4.0 h1:A7t07pN4Ch1tBTIRStW0KhUVyykz+2muCqFsITQeEW8=
 github.com/minio/selfupdate v0.4.0/go.mod h1:mcDkzMgq8PRcpCRJo/NlPY7U45O5dfYl2Y0Rg7IustY=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
diff --git a/internal/config/identity/openid/jwt.go b/internal/config/identity/openid/jwt.go
index 62dd8a2ed..6448f7e4d 100644
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -26,7 +26,6 @@ import (
 "errors"
 "fmt"
 "io"
-"net"
 "net/http"
 "strconv"
 "strings"
@@ -775,12 +774,11 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
 }
 seenClientIDs.Add(p.ClientID)
 
-var configURLDomain string
 p.URL, err = xnet.ParseHTTPURL(configURL)
 if err != nil {
 return c, err
 }
-configURLDomain, _, _ = net.SplitHostPort(p.URL.Host)
+configURLDomain := p.URL.Hostname()
 p.DiscoveryDoc, err = parseDiscoveryDoc(p.URL, transport, closeRespFn)
 if err != nil {
 return c, err
@@ -809,7 +807,17 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
 // `iampolicy.PolicyName` as the claim name explicitly and sets
 // a role policy, this check is thwarted, but we will be using
 // the role policy anyway.
-return c, config.Errorf("Role Policy (=`%s`) and Claim Name (=`%s`) cannot both be set.", p.RolePolicy, p.ClaimName)
+return c, config.Errorf("Role Policy (=`%s`) and Claim Name (=`%s`) cannot both be set", p.RolePolicy, p.ClaimName)
+}
+
+jwksURL := p.DiscoveryDoc.JwksURI
+if jwksURL == "" {
+return c, config.Errorf("no JWKS URI found in your provider's discovery doc (config_url=%s)", configURL)
+}
+
+p.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)
+if err != nil {
+return c, err
 }
 
 if p.RolePolicy != "" {
@@ -821,9 +829,9 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
 domain := configURLDomain
 if domain == "" {
 // Attempt to parse the JWKs URI.
-domain, _, _ = net.SplitHostPort(p.JWKS.URL.Host)
+domain = p.JWKS.URL.Hostname()
 if domain == "" {
-return c, config.Errorf("unable to generate a domain from the OpenID config.")
+return c, config.Errorf("unable to generate a domain from the OpenID config")
 }
 }
 if p.ClientID == "" {
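Review bot: The new `configURLDomain := p.URL.Hostname()` deserves a one-line comment saying why `Hostname()` replaced the removed `net.SplitHostPort` call, because `SplitHostPort` returns an error and an empty host whenever the URL carries no explicit port, which is presumably how the empty-domain path was being reached. Something like `// Hostname() strips any :port (and IPv6 brackets) and, unlike SplitHostPort, still yields the host when no port is present.` would let the next reader see the intent without re-deriving it. The same replacement appears in the `domain = p.JWKS.URL.Hostname()` hunk further down and could carry the same note. LookupConfig begins and ends outside this hunk.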
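Review bot: The added `p.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)` returns the parse error bare, so an operator sees a URL error with nothing to say it came from the jwks_uri of the discovery document rather than from config_url, which is parsed the same way a few lines earlier; the neighbouring checks all attach config_url via `config.Errorf`. Consider `return c, config.Errorf("invalid JWKS URI %q in discovery doc (config_url=%s): %v", jwksURL, configURL, err)`, assuming config.Errorf takes fmt verbs as its other call sites suggest. Since jwksURL is taken from a document fetched from the provider, it is also worth confirming that xnet.ParseHTTPURL restricts the scheme to http/https, as nothing in this hunk checks it. The enclosing LookupConfig runs past both ends of the hunk.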
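Review bot: The retained comment `// Attempt to parse the JWKs URI.` above `domain = p.JWKS.URL.Hostname()` is now stale: with this commit the JWKS URI is parsed earlier, in the block added after the role-policy/claim-name check, and this line only reads the hostname of the already-parsed URL. Suggest `// Fall back to the host of the JWKS URI; p.JWKS.URL was parsed above, so it is safe to dereference here.` so the ordering that the nil-safety depends on is stated next to the use, assuming xnet.ParseHTTPURL never returns a nil URL without an error. LookupConfig continues outside the hunk on both sides.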
@@ -850,16 +858,6 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
 return c, config.Errorf("A role policy or claim name must be specified")
 }
 
-jwksURL := p.DiscoveryDoc.JwksURI
-if jwksURL == "" {
-return c, config.Errorf("no JWKS URI found in your provider's discovery doc (config_url=%s)", configURL)
-}
-
-p.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)
-if err != nil {
-return c, err
-}
-
 if err = p.initializeProvider(getCfgVal, c.transport); err != nil {
 return c, err
 }