Merge 177a6c5182 into 7ced9663e6

simplify validating policy mapping (#21450 )
fix boundary value bug when objTime ends in whole seconds (without sub-second) (#21419 )
2025-07-23 18:32:44 +02:00 · 2025-07-23 08:54:02 -07:00 · 2025-07-23 05:36:06 -07:00 · 2025-07-23 04:21:15 -07:00
4 changed files with 33 additions and 33 deletions
--- a/cmd/erasure-object.go
+++ b/cmd/erasure-object.go
@ -826,6 +826,13 @@ func (er erasureObjects) getObjectFileInfo(ctx context.Context, bucket, object s
 		minDisks = er.setDriveCount - er.defaultParityCount
 	}

+	if minDisks == er.setDriveCount/2 {
+		// when data and parity are same we must atleast
+		// wait for response from 1 extra drive to avoid
+		// split-brain.
+		minDisks++
+	}
+
 	calcQuorum := func(metaArr []FileInfo, errs []error) (FileInfo, []FileInfo, []StorageAPI, time.Time, string, error) {
 		readQuorum, _, err := objectQuorumFromMeta(ctx, metaArr, errs, er.defaultParityCount)
 		if err != nil {
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"path"
 	"sort"
@ -366,14 +367,11 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 	sys.rolesMap = make(map[arn.ARN]string)

 	// From OpenID
-	if riMap := sys.OpenIDConfig.GetRoleInfo(); riMap != nil {
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
-	}
+	maps.Copy(sys.rolesMap, sys.OpenIDConfig.GetRoleInfo())

 	// From AuthN plugin if enabled.
 	if authn := newGlobalAuthNPluginFn(); authn != nil {
-		riMap := authn.GetRoleInfo()
-		sys.validateAndAddRolePolicyMappings(ctx, riMap)
+		maps.Copy(sys.rolesMap, authn.GetRoleInfo())
 	}

 	sys.printIAMRoles()
@ -501,33 +499,6 @@ func (sys *IAMSys) periodicRoutines(ctx context.Context, baseInterval time.Durat
 	}
 }

-func (sys *IAMSys) validateAndAddRolePolicyMappings(ctx context.Context, m map[arn.ARN]string) {
-	// Validate that policies associated with roles are defined. If
-	// authZ plugin is set, role policies are just claims sent to
-	// the plugin and they need not exist.
-	//
-	// If some mapped policies do not exist, we print some error
-	// messages but continue any way - they can be fixed in the
-	// running server by creating the policies after start up.
-	for arn, rolePolicies := range m {
-		specifiedPoliciesSet := newMappedPolicy(rolePolicies).policySet()
-		validPolicies, _ := sys.store.MergePolicies(rolePolicies)
-		knownPoliciesSet := newMappedPolicy(validPolicies).policySet()
-		unknownPoliciesSet := specifiedPoliciesSet.Difference(knownPoliciesSet)
-		if len(unknownPoliciesSet) > 0 {
-			authz := newGlobalAuthZPluginFn()
-			if authz == nil {
-				// Print a warning that some policies mapped to a role are not defined.
-				errMsg := fmt.Errorf(
-					"The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
-					unknownPoliciesSet.ToSlice(), arn.String())
-				authZLogIf(ctx, errMsg, logger.WarningKind)
-			}
-		}
-		sys.rolesMap[arn] = rolePolicies
-	}
-}
-
 // Prints IAM role ARNs.
 func (sys *IAMSys) printIAMRoles() {
 	if len(sys.rolesMap) == 0 {
--- a/cmd/object-handlers-common.go
+++ b/cmd/object-handlers-common.go
@ -331,7 +331,7 @@ func checkPreconditions(ctx context.Context, w http.ResponseWriter, r *http.Requ
 func ifModifiedSince(objTime time.Time, givenTime time.Time) bool {
 	// The Date-Modified header truncates sub-second precision, so
 	// use mtime < t+1s instead of mtime <= t to check for unmodified.
-	return objTime.After(givenTime.Add(1 * time.Second))
+	return !objTime.Before(givenTime.Add(1 * time.Second))
 }

 // canonicalizeETag returns ETag with leading and trailing double-quotes removed,
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -545,6 +545,14 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 				writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
 				return
 			}
+			if newGlobalAuthZPluginFn() == nil {
+				// if authZ is not set - we expect the policies to be present.
+				if globalIAMSys.CurrentPolicies(p) == "" {
+					writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+						fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", p))
+					return
+				}
+			}
 		}

 		if !globalIAMSys.doesPolicyAllow(p, policy.Args{
@ -1003,6 +1011,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 		return
 	}

+	_, policyName, err := globalIAMSys.GetRolePolicy(roleArnStr)
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
+		return
+	}
+
+	if newGlobalAuthZPluginFn() == nil { // if authZ is not set - we expect the policyname to be present.
+		if globalIAMSys.CurrentPolicies(policyName) == "" {
+			writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue,
+				fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policyName))
+			return
+		}
+	}
+
 	res, err := authn.Authenticate(roleArn, token)
 	if err != nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
Author	SHA1	Message	Date
asamuj	3b7f1c149a	Merge `177a6c5182` into `7ced9663e6`	2025-07-23 18:32:44 +02:00
M Alvee	7ced9663e6	simplify validating policy mapping (#21450 )	2025-07-23 08:54:02 -07:00
MagicPig	50fcf9b670	fix boundary value bug when objTime ends in whole seconds (without sub-second) (#21419 ) VulnCheck / Analysis (push) Waiting to run Details	2025-07-23 05:36:06 -07:00
Harshavardhana	64f5c6103f	wait for metadata reads on minDisks+1 for HEAD/GET when data==parity (#21449 ) fixes a regression since #19741	2025-07-23 04:21:15 -07:00