MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 15:03:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

webui: Assign parent user with the new temporary account (#12489)

Browse Source 
Web Handlers can generate STS tokens but forgot to create a parent user
and save it along with the temporary access account. This commit fixes
this.

fixes #12381
This commit is contained in:
Anis Elleuch 2021-06-11 16:34:27 +01:00 committed by GitHub
parent 0385ecbf34
commit f982303b4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cmd/web-handlers.go
View File

@ -2248,7 +2248,10 @@ type LoginSTSArgs struct {
Token string `json:"token" form:"token"`
}
var errSTSNotInitialized = errors.New("STS API not initialized, please configure STS support")
var (
errSTSNotInitialized = errors.New("STS API not initialized, please configure STS support")
errSTSInvalidParameterValue = errors.New("An invalid or out-of-range value was supplied for the input parameter")
)
// LoginSTS - STS user login handler.
func (web *webAPIHandlers) LoginSTS(r *http.Request, args *LoginSTSArgs, reply *LoginRep) error {
@ -2269,6 +2272,21 @@ func (web *webAPIHandlers) LoginSTS(r *http.Request, args *LoginSTSArgs, reply *
return toJSONError(ctx, err)
}
var subFromToken string
if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string)
}
if subFromToken == "" {
logger.LogIf(ctx, errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return toJSONError(ctx, errSTSInvalidParameterValue)
}
var issFromToken string
if v, ok := m[issClaim]; ok {
issFromToken, _ = v.(string)
}
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
@ -2289,6 +2307,13 @@ func (web *webAPIHandlers) LoginSTS(r *http.Request, args *LoginSTSArgs, reply *
return toJSONError(ctx, err)
}
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
// claim is only considered stable when subject and iss are used together
// this is to ensure that ParentUser doesn't change and we get to use
// parentUser as per the requirements for service accounts for OpenID
// based logins.
cred.ParentUser = "jwt:" + subFromToken + ":" + issFromToken
// Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
return toJSONError(ctx, err)