cleaning value of tlsSubKey

This commit is contained in:
Mayuresh Chaubal 2025-06-02 18:01:46 +02:00
parent a0f7fdce4d
commit 4ab0449a35
2 changed files with 38 additions and 2 deletions


@ -762,6 +762,24 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
writeSuccessResponseXML(w, encodedSuccessResponse) writeSuccessResponseXML(w, encodedSuccessResponse)
} }
func extractPolicyName(sanURI string) (string, error) {
parsedURL, err := url.Parse(sanURI)
if err != nil {
return "", err
}
key := parsedURL.Host + strings.ReplaceAll(parsedURL.Path, "/", "+")
if len(key) > 128 {
return "", errors.New("Policy URL " + key + " is more than 128 characters long.")
}
return key, nil
}
// AssumeRoleWithCertificate implements user authentication with client certificates. // AssumeRoleWithCertificate implements user authentication with client certificates.
// It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy // It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy
// and returns temp. S3 credentials to the client. // and returns temp. S3 credentials to the client.
@ -899,7 +917,17 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
} }
// Pick first SAN URI // Pick first SAN URI
tlsSubKey = certificate.URIs[0].String() // Extract Policy Name From SAN URI
// Set Policy Name as Subject Key
policyName, err := extractPolicyName(certificate.URIs[0].String())
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, errors.New("Unable to convert from SAN URI to Policy Name"))
return
}
tlsSubKey = policyName
} }
expiry, err := globalIAMSys.STSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds)) expiry, err := globalIAMSys.STSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
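Review bot: extractPolicyName (first hunk) silently discards parts of the SAN URI, so two distinct certificate identities can collapse onto one policy name: url.Parse keeps userinfo, query and fragment out of Host and Path, Path is the percent-decoded form so `%2F` becomes a separator, a `+` already present in the path is indistinguishable from a converted `/`, and an opaque URI such as `urn:...` yields `""` with a nil error. Because the result becomes tlsSubKey, the subject the authorization engine keys on, these inputs should be rejected rather than normalized away, which is what the rewrite below does. The second hunk also drops the err returned by extractPolicyName and reports a fixed message, so the reason the mapping failed never reaches the caller or the logs; `fmt.Errorf("unable to convert SAN URI to policy name: %w", err)` would preserve it (AssumeRoleWithCertificate starts and ends outside that hunk). The error strings should additionally follow Go convention, lowercase and without a trailing period.
```go
// extractPolicyName maps a certificate SAN URI to the policy name used as the
// STS subject: the scheme is dropped and every "/" in the path becomes "+", so
// spiffe://my.domain:10000/my/app/path yields my.domain:10000+my+app+path.
// URIs whose other components (userinfo, query, fragment, opaque part, or a
// path that needed non-default percent escaping) would be silently discarded,
// or whose path already contains "+", are rejected so that two distinct SAN
// URIs cannot produce the same policy name.
func extractPolicyName(sanURI string) (string, error) {
	parsedURL, err := url.Parse(sanURI)
	if err != nil {
		return "", err
	}
	if parsedURL.Opaque != "" || parsedURL.User != nil || parsedURL.RawQuery != "" ||
		parsedURL.Fragment != "" || parsedURL.RawPath != "" {
		return "", errors.New("SAN URI " + sanURI + " may only contain scheme, host and path")
	}
	if strings.Contains(parsedURL.Path, "+") {
		return "", errors.New("SAN URI " + sanURI + " must not contain '+' in its path")
	}
	key := parsedURL.Host + strings.ReplaceAll(parsedURL.Path, "/", "+")
	if key == "" {
		return "", errors.New("SAN URI " + sanURI + " yields an empty policy name")
	}
	if len(key) > 128 {
		return "", errors.New("policy name " + key + " is more than 128 characters long")
	}
	return key, nil
}
```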


@ -46,6 +46,14 @@ const (
// Subject for verified certificate identity in JWT Claim. // Subject for verified certificate identity in JWT Claim.
// This claim is sent to Authorization Engine. // This claim is sent to Authorization Engine.
// If set to true, First URI will be used as subject instead of CommonName // If set to true, First URI will be used as subject instead of CommonName
// The URI will be converted into suitable policy name by following operations
// 1. remove protocol name (or scheme name) from URI
// 2. Replace all Path separators (ie /) from the Path in URI, this results in CleanedPath
// 3. Join Host+CleanedPath
// 4. If the above string becomes greater than 128 characters in length, then
// a proper error is thrown
// As example, http://my.domain:10000/my/app/path will be converted to
// my.domain:10000+my+app+path
// Valid values for this field are true and false // Valid values for this field are true and false
// By default, it will be false. Thus Common Name will be used // By default, it will be false. Thus Common Name will be used
EnvIdentityTLSSubjectSanURI = "MINIO_IDENTITY_TLS_SUBJECT_USE_SANURI" EnvIdentityTLSSubjectSanURI = "MINIO_IDENTITY_TLS_SUBJECT_USE_SANURI"
@ -149,7 +157,7 @@ var Help = config.HelpKVS{
}, },
config.HelpKV{ config.HelpKV{
Key: tlsSubjectUseSanURI, Key: tlsSubjectUseSanURI,
Description: `use first san uri from client certificate instead common name (default: 'off')`, Description: `use cleaned value of first san uri from client certificate instead common name. cleaning results in stripping scheme, replacing path separator with plus sign in uri path and joining it with host name (default: 'off')`,
Optional: true, Optional: true,
Type: "on|off", Type: "on|off",
}, },
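Review bot: The new comment on EnvIdentityTLSSubjectSanURI (first hunk) describes the conversion as only stripping the scheme, but the extractPolicyName implementation in the other file of this commit also leaves out userinfo, query and fragment, works on the percent-decoded path before replacing `/`, and yields an empty name for opaque URIs, so a reader of this constant would not expect two different SAN URIs to map to the same policy name; the comment should list those dropped components. Step 4 should also say the request is rejected rather than that an error is "thrown", e.g. `// 4. If the result is longer than 128 characters the request is rejected with an error`. The Help description in the second hunk is a single sentence of well over a hundred characters; it reads better as `use cleaned first san uri from client certificate instead of common name: scheme stripped, path separators replaced by '+', host and path joined (default: 'off')`.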