Skip to content

Commit

Permalink
minor fix the IAM user arn verification
Browse files Browse the repository at this point in the history
  • Loading branch information
nnmin-aws committed Dec 10, 2023
1 parent 8309d67 commit 50a3dd9
Showing 1 changed file with 10 additions and 6 deletions.
16 changes: 10 additions & 6 deletions pkg/mapper/dynamicfile/mapper.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package dynamicfile
import (
"strings"

"github.com/sirupsen/logrus"
"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
"sigs.k8s.io/aws-iam-authenticator/pkg/config"
"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
Expand Down Expand Up @@ -46,31 +47,34 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
}

if roleMapping, err := m.RoleMapping(key); err == nil {
if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
if err := m.match(canonicalARN, roleMapping.RoleARN); err != nil {
return nil, err
}
return roleMapping.IdentityMapping(identity), nil
}

if userMapping, err := m.UserMapping(key); err == nil {
if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
if err := m.match(canonicalARN, userMapping.UserARN); err != nil {
return nil, err
}
return userMapping.IdentityMapping(identity), nil
}

}
return nil, errutil.ErrNotMapped
}

func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
func (m *DynamicFileMapper) match(canonicalARN string, mappingARN string) error {
if m.userIDStrict {
// If ARN is provided, ARN must be validated along with UserID. This avoids having to
// support IAM user name/ARN changes. Without preventing this the mapping would look
// invalid but still work and auditing would be difficult/impossible.
strippedArn, _ := arn.StripPath(mappedARN)
if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
strippedArn, _ := arn.StripPath(mappingARN)
logrus.Infof("additional arn comparison for IAM arn. arn from STS response is %s, arn in mapper is %s",
canonicalARN, strings.ToLower(strippedArn))
if strippedArn != "" && canonicalARN != strings.ToLower(strippedArn) {
return errutil.ErrIDAndARNMismatch
}
return nil
}
return nil
}
Expand Down

0 comments on commit 50a3dd9

Please sign in to comment.