fix: correct parentUser lookup for OIDC auto expiration (#14154)
Fixes #14026. This is a regression from #13884.
This commit is contained in:
parent
5f36167f1a
commit
f6d13f57bb
@ -1457,7 +1457,20 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
|
||||
res := set.NewStringSet()
|
||||
for _, cred := range cache.iamUsersMap {
|
||||
if cred.IsServiceAccount() || cred.IsTemp() {
|
||||
res.Add(cred.ParentUser)
|
||||
parentUser := cred.ParentUser
|
||||
if cred.SessionToken != "" {
|
||||
claims, err := getClaimsFromToken(cred.SessionToken)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if v, ok := claims[subClaim]; ok {
|
||||
subFromToken, ok := v.(string)
|
||||
if ok {
|
||||
parentUser = subFromToken
|
||||
}
|
||||
}
|
||||
}
|
||||
res.Add(parentUser)
|
||||
}
|
||||
}
|
||||
|
||||
|
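Review bot: The `continue` taken when getClaimsFromToken fails drops that credential from the result entirely, whereas the line it replaces, `res.Add(cred.ParentUser)`, added the parent unconditionally, so any other caller of GetAllParentUsers inherits this narrowing. If skipping is intended because a parent whose sub cannot be recovered is useless to the OIDC expiry pass, say so at the `continue`, e.g. `// session token unparseable: the OIDC sub cannot be recovered, so omit the parent rather than return one that cannot be looked up`; otherwise `res.Add(parentUser)` placed before the `continue` keeps the previous behaviour for that case. The parse error itself is discarded without any logging, so a corrupted stored token would go unnoticed here; a debug-level log of the error would help diagnosis. GetAllParentUsers' body begins before the hunk, so any locking around cache.iamUsersMap is outside this view.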
@ -1006,11 +1006,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
|
||||
parentUsers := sys.store.GetAllParentUsers()
|
||||
var expiredUsers []string
|
||||
for _, parentUser := range parentUsers {
|
||||
userid, err := parseOpenIDParentUser(parentUser)
|
||||
if err == errSkipFile {
|
||||
continue
|
||||
}
|
||||
u, err := globalOpenIDConfig.LookupUser(userid)
|
||||
u, err := globalOpenIDConfig.LookupUser(parentUser)
|
||||
if err != nil {
|
||||
logger.LogIf(GlobalContext, err)
|
||||
continue
|
||||
|
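Review bot: Replacing `parseOpenIDParentUser(parentUser)` with a direct `globalOpenIDConfig.LookupUser(parentUser)` removes the `openid:` prefix filter, so every parent returned by GetAllParentUsers — which after this commit appears to cover temp and service-account credentials of any provider, not only OIDC — is handed to the OIDC lookup. For non-OIDC parents that lookup presumably fails, and the failure is logged via `logger.LogIf(GlobalContext, err)` on every purge cycle, which is log noise and, if LookupUser contacts the provider, avoidable outbound requests per parent; consider a cheap check that the parent belongs to the OIDC provider before the call, or distinguishing a not-found result from a transport error so only the latter is logged. Whether LookupUser returns a distinguishable error for unknown subjects cannot be seen from here. purgeExpiredCredentialsForExternalSSO starts before the hunk and continues after it.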
@ -1,4 +1,4 @@
|
||||
// Copyright (c) 2015-2021 MinIO, Inc.
|
||||
/// Copyright (c) 2015-2021 MinIO, Inc.
|
||||
//
|
||||
// This file is part of MinIO Object Storage stack
|
||||
//
|
||||
@ -80,16 +80,6 @@ const (
|
||||
roleArnClaim = "roleArn"
|
||||
)
|
||||
|
||||
func parseOpenIDParentUser(parentUser string) (userID string, err error) {
|
||||
if strings.HasPrefix(parentUser, "openid:") {
|
||||
tokens := strings.SplitN(strings.TrimPrefix(parentUser, "openid:"), ":", 2)
|
||||
if len(tokens) == 2 {
|
||||
return tokens[0], nil
|
||||
}
|
||||
}
|
||||
return "", errSkipFile
|
||||
}
|
||||
|
||||
// stsAPIHandlers implements and provides http handlers for AWS STS API.
|
||||
type stsAPIHandlers struct{}
|
||||
|
||||
|