|
|
|
@ -798,18 +798,19 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser, sessionPol |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if len(sessionPolicy) > 16*1024 { |
|
|
|
|
return auth.Credentials{}, fmt.Errorf("Session policy should not exceed 16*1024 characters") |
|
|
|
|
return auth.Credentials{}, fmt.Errorf("Session policy should not exceed 16 KiB characters") |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if len(sessionPolicy) > 0 { |
|
|
|
|
policy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicy))) |
|
|
|
|
if err != nil { |
|
|
|
|
return auth.Credentials{}, err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Version in policy must not be empty
|
|
|
|
|
if policy.Version == "" { |
|
|
|
|
return auth.Credentials{}, fmt.Errorf("Invalid session policy version") |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
sys.Lock() |
|
|
|
|
defer sys.Unlock() |
|
|
|
@ -836,9 +837,14 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser, sessionPol |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
m := make(map[string]interface{}) |
|
|
|
|
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicy)) |
|
|
|
|
m[parentClaim] = parentUser |
|
|
|
|
m[iamPolicyClaimName()] = "embedded-policy" |
|
|
|
|
|
|
|
|
|
if len(sessionPolicy) > 0 { |
|
|
|
|
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicy)) |
|
|
|
|
m[iamPolicyClaimNameSA()] = "embedded-policy" |
|
|
|
|
} else { |
|
|
|
|
m[iamPolicyClaimNameSA()] = "inherited-policy" |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
secret := globalActiveCred.SecretKey |
|
|
|
|
cred, err := auth.GetNewCredentialsWithMetadata(m, secret) |
|
|
|
@ -1473,6 +1479,11 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b |
|
|
|
|
if parentInClaim != parent { |
|
|
|
|
return false |
|
|
|
|
} |
|
|
|
|
} else { |
|
|
|
|
// This is needed so a malicious user cannot
|
|
|
|
|
// use a leaked session key of another user
|
|
|
|
|
// to widen its privileges.
|
|
|
|
|
return false |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Check if the parent is allowed to perform this action, reject if not
|
|
|
|
@ -1508,12 +1519,27 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b |
|
|
|
|
availablePolicies[i].Statements...) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
serviceAcc := args.AccountName |
|
|
|
|
args.AccountName = parent |
|
|
|
|
if !combinedPolicy.IsAllowed(args) { |
|
|
|
|
parentArgs := args |
|
|
|
|
parentArgs.AccountName = parent |
|
|
|
|
if !combinedPolicy.IsAllowed(parentArgs) { |
|
|
|
|
return false |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
saPolicyClaim, ok := args.Claims[iamPolicyClaimNameSA()] |
|
|
|
|
if ok { |
|
|
|
|
saPolicyClaimStr, ok := saPolicyClaim.(string) |
|
|
|
|
if !ok { |
|
|
|
|
// Sub policy if set, should be a string reject
|
|
|
|
|
// malformed/malicious requests.
|
|
|
|
|
return false |
|
|
|
|
} |
|
|
|
|
args.AccountName = serviceAcc |
|
|
|
|
|
|
|
|
|
if saPolicyClaimStr == "inherited-policy" { |
|
|
|
|
// Immediately returns true since at this stage, since
|
|
|
|
|
// parent user is allowed to do this action.
|
|
|
|
|
return true |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Now check if we have a sessionPolicy.
|
|
|
|
|
spolicy, ok := args.Claims[iampolicy.SessionPolicyName] |
|
|
|
@ -1605,7 +1631,7 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool { |
|
|
|
|
return combinedPolicy.IsAllowed(args) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
pnameSlice, ok := args.GetPolicies(iamPolicyClaimName()) |
|
|
|
|
pnameSlice, ok := args.GetPolicies(iamPolicyClaimNameOpenID()) |
|
|
|
|
if !ok { |
|
|
|
|
// When claims are set, it should have a policy claim field.
|
|
|
|
|
return false |
|
|
|
|