fix: correct parentUser lookup for OIDC auto expiration (#14154)

fixes #14026

This is a regression from #13884
Harshavardhana 2022-01-22 16:36:11 -08:00 committed by GitHub
parent 5f36167f1a
commit f6d13f57bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 17 deletions


@ -1457,7 +1457,20 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
res := set.NewStringSet()
for _, cred := range cache.iamUsersMap {
if cred.IsServiceAccount() || cred.IsTemp() {
res.Add(cred.ParentUser)
parentUser := cred.ParentUser
if cred.SessionToken != "" {
claims, err := getClaimsFromToken(cred.SessionToken)
if err != nil {
continue
}
if v, ok := claims[subClaim]; ok {
subFromToken, ok := v.(string)
if ok {
parentUser = subFromToken
}
}
}
res.Add(parentUser)
}
}
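Review bot: When getClaimsFromToken fails at L24 the credential is dropped from the result entirely (`continue`), whereas the removed line added cred.ParentUser unconditionally; a temp or service-account credential whose session token cannot be parsed now vanishes from the parent-user list that purgeExpiredCredentialsForExternalSSO walks. Unless an unparseable token is itself expected to mean the credential is being purged elsewhere, falling back to the stored value is the safer default: `if err != nil { res.Add(cred.ParentUser); continue }`. The error is also discarded silently, so a why-comment on that branch (e.g. `// token cannot be parsed: the OIDC subject is unrecoverable, skip`) would at least make the choice explicit. Whether getClaimsFromToken verifies the token signature before returning claims is not visible here; the sub claim is used as the lookup identity, so that should be confirmed. GetAllParentUsers continues past the hunk (its return is not shown).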


@ -1006,11 +1006,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
parentUsers := sys.store.GetAllParentUsers()
var expiredUsers []string
for _, parentUser := range parentUsers {
userid, err := parseOpenIDParentUser(parentUser)
if err == errSkipFile {
continue
}
u, err := globalOpenIDConfig.LookupUser(userid)
u, err := globalOpenIDConfig.LookupUser(parentUser)
if err != nil {
logger.LogIf(GlobalContext, err)
continue
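Review bot: With the `openid:` prefix filter gone, every parent user in the list is sent to globalOpenIDConfig.LookupUser at L49 and each failure is logged at L51 on every purge cycle; if the list also carries LDAP or internal parent users, this becomes a recurring source of error-level log noise and extra requests to the IdP, and any user LookupUser reports as disabled would presumably land in expiredUsers regardless of which provider issued it. I cannot see how `u` is interpreted further down, so that last consequence is inferred rather than established. At minimum a comment stating the new assumption, `// every parent user is expected to be an OIDC subject; non-OIDC parents fail the lookup and are only logged`, would help the next reader, and a not-found result could be logged below error level rather than through logger.LogIf. purgeExpiredCredentialsForExternalSSO starts and ends outside the hunk.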


@ -1,4 +1,4 @@
// Copyright (c) 2015-2021 MinIO, Inc.
/// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
@ -80,16 +80,6 @@ const (
roleArnClaim = "roleArn"
)
func parseOpenIDParentUser(parentUser string) (userID string, err error) {
if strings.HasPrefix(parentUser, "openid:") {
tokens := strings.SplitN(strings.TrimPrefix(parentUser, "openid:"), ":", 2)
if len(tokens) == 2 {
return tokens[0], nil
}
}
return "", errSkipFile
}
// stsAPIHandlers implements and provides http handlers for AWS STS API.
type stsAPIHandlers struct{}
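Review bot: L58 turns the license header `// Copyright (c) 2015-2021 MinIO, Inc.` into `/// Copyright (c) 2015-2021 MinIO, Inc.`, which reads as an accidental keystroke rather than an intended change; it is still a valid Go comment, but it breaks the header shared by the other files and will trip any tooling that matches the header verbatim. Restore `// Copyright (c) 2015-2021 MinIO, Inc.` before merging. The second hunk deletes parseOpenIDParentUser; if errSkipFile had no other users in this file it may now be unreferenced, which is worth checking since its other uses are not visible here.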