mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-06-13 23:36:45 +03:00
Chris Lu
d951a8df5a
* feat(iam): STS web-identity AWS-fidelity polish - OIDC discovery via .well-known/openid-configuration; falls back to /.well-known/jwks.json when discovery is absent. Reject discovery docs whose issuer claim does not match the configured issuer to defend against issuer-substitution. - ComputeParentUser derives a stable per-identity hash from (sub, iss). Surface as aws:userid in the request context and as a parent_user claim in the session JWT so per-user state survives token rotation. - Per-role MaxSessionDuration (3600..43200) clamps requested DurationSeconds before the STS service applies its own caps. - Tighten RoleSessionName to the AWS contract: 2..64 chars from [\w+=,.@-]. - Populate PackedPolicySize in AssumeRole / AssumeRoleWithWebIdentity / AssumeRoleWithLDAPIdentity responses as a percentage of the 2048-byte inline session policy budget. * fix(iam): leave omitted DurationSeconds nil so STS default applies capDurationByRole was substituting the role's MaxSessionDuration when the caller omitted DurationSeconds entirely. AWS returns the configured default (typically 1 hour) in that case, not the role's upper bound — a 12h MaxSessionDuration shouldn't silently make every no-duration assume-role mint a 12h session. Return nil when requested is nil; let the downstream calculateSessionDuration in the STS service apply its TokenDuration default. The role-max upper bound still clamps when the request arrives with a concrete value above the cap. Addresses gemini high-priority review on PR #9318. * fix(iam): synchronize OIDCProvider JWKS cache fields jwksCache, jwksFetchedAt, resolvedJWKSUri, and discoveryFailed are mutated lazily on the first token-validate call and refreshed afterwards on TTL expiry. Multiple S3 requests can land here in parallel, so the writes were racing against subsequent reads on every other goroutine. resolvedJWKSUri/discoveryFailed inherited the same un-protected pattern when discovery shipped. Add sync.RWMutex; getPublicKey takes the read lock for the common cache-hit path and promotes to the write lock for misses + refreshes. fetchJWKSLocked / resolveJWKSUriLocked assume the write lock is held by the caller; fetchJWKS keeps the test-friendly entry point that acquires the lock itself. Addresses gemini high-priority review on PR #9318. * fix(iam): trim trailing slash + retry discovery after transient failure Two OIDC discovery edge cases reviewers flagged: 1. Issuer comparison was sensitive to trailing slashes. resolveJWKSUri trims them when building the discovery URL, but the doc.Issuer ↔ p.config.Issuer check did not, so an IDP whose issuer claim drops or adds the slash relative to the configured value would be falsely rejected. Trim a single trailing slash on each side before comparing. 2. discoveryFailed flipped to true on any error and stayed there for the process lifetime. A transient 5xx at startup permanently locked the provider into the /.well-known/jwks.json fallback. Reset the flag at the top of fetchJWKSLocked when no URI has been cached yet, so each JWKS refresh (typically once per TTL = 1h) reattempts discovery. Successful discovery remains cached via resolvedJWKSUri so we don't pay the discovery RTT on every refresh. Addresses gemini security-medium + medium reviews on PR #9318. * fix(iam): require non-empty issuer in OIDC discovery doc The previous "doc.Issuer != "" && ..." guard let a discovery document that omitted the issuer field bypass the issuer-mismatch check entirely, letting the doc steer fetchJWKS at any URL it provided. OIDC Discovery 1.0 §3 mandates the issuer field; treat missing as a hard failure same as mismatched. Trailing-slash equivalence still applies. Adds TestDiscoveryRejectsMissingIssuer alongside the existing TestDiscoveryRejectsIssuerMismatch via a new omitDiscoveryIssuer toggle on fakeIDP.
66 lines
2.2 KiB
Go
66 lines
2.2 KiB
Go
package sts
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestComputeParentUserStability(t *testing.T) {
|
|
// Same (sub, iss) must produce the same hash, regardless of order or
|
|
// whitespace mutations callers should never apply.
|
|
a := ComputeParentUser("alice", "https://idp.example/")
|
|
b := ComputeParentUser("alice", "https://idp.example/")
|
|
if a == "" {
|
|
t.Fatal("parent user should not be empty for non-empty sub")
|
|
}
|
|
if a != b {
|
|
t.Fatalf("expected stable hash, got %q vs %q", a, b)
|
|
}
|
|
}
|
|
|
|
func TestComputeParentUserDistinguishesIssuer(t *testing.T) {
|
|
// The point of incorporating iss is that the same `sub` from two providers
|
|
// must not collide. If this assertion ever fails, the hash input is wrong.
|
|
a := ComputeParentUser("alice", "https://idp-a.example/")
|
|
b := ComputeParentUser("alice", "https://idp-b.example/")
|
|
if a == b {
|
|
t.Fatalf("hashes for different issuers must differ, both = %q", a)
|
|
}
|
|
}
|
|
|
|
func TestComputeParentUserDistinguishesSubject(t *testing.T) {
|
|
a := ComputeParentUser("alice", "https://idp.example/")
|
|
b := ComputeParentUser("bob", "https://idp.example/")
|
|
if a == b {
|
|
t.Fatalf("hashes for different subjects must differ, both = %q", a)
|
|
}
|
|
}
|
|
|
|
func TestComputeParentUserEmptySub(t *testing.T) {
|
|
if got := ComputeParentUser("", "https://idp.example/"); got != "" {
|
|
t.Fatalf("empty sub should produce empty parent user, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestComputeParentUserEncoding(t *testing.T) {
|
|
got := ComputeParentUser("alice", "https://idp.example/")
|
|
// Base64 RawURL has no padding and uses URL-safe alphabet — important
|
|
// because parent_user shows up in filer paths and audit log fields.
|
|
if strings.ContainsAny(got, "=+/") {
|
|
t.Fatalf("parent user should be base64 raw url, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestSessionClaimsRoundTripParentUser(t *testing.T) {
|
|
parent := ComputeParentUser("alice", "https://idp.example/")
|
|
claims := NewSTSSessionClaims("sid-1", "issuer", time.Now().Add(time.Hour)).
|
|
WithRoleInfo("arn:aws:iam::123:role/r", "arn:aws:sts::123:assumed-role/r/s", "arn:aws:sts::123:assumed-role/r/s").
|
|
WithParentUser(parent)
|
|
|
|
info := claims.ToSessionInfo()
|
|
if info.ParentUser != parent {
|
|
t.Fatalf("ParentUser lost on round-trip: got %q want %q", info.ParentUser, parent)
|
|
}
|
|
}
|