Merge pull request #675 from nnmin-aws/nnmin-fix2

k8s-ci-robot · web-flow · commit a5116fa48e9d · 2023-12-10T05:23:31.000+01:00
release v0.6.16
diff --git a/pkg/mapper/dynamicfile/mapper.go b/pkg/mapper/dynamicfile/mapper.go
@@ -3,6 +3,7 @@ package dynamicfile
 import (
 	"strings"
 
+	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
@@ -46,31 +47,34 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
 	}
 
 	if roleMapping, err := m.RoleMapping(key); err == nil {
-		if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
+		if err := m.match(canonicalARN, roleMapping.RoleARN); err != nil {
 			return nil, err
 		}
 		return roleMapping.IdentityMapping(identity), nil
 	}
 
 	if userMapping, err := m.UserMapping(key); err == nil {
-		if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
+		if err := m.match(canonicalARN, userMapping.UserARN); err != nil {
 			return nil, err
 		}
 		return userMapping.IdentityMapping(identity), nil
-	}
 
+	}
 	return nil, errutil.ErrNotMapped
 }
 
-func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
+func (m *DynamicFileMapper) match(canonicalARN string, mappingARN string) error {
 	if m.userIDStrict {
 		// If ARN is provided, ARN must be validated along with UserID.  This avoids having to
 		// support IAM user name/ARN changes. Without preventing this the mapping would look
 		// invalid but still work and auditing would be difficult/impossible.
-		strippedArn, _ := arn.StripPath(mappedARN)
-		if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
+		strippedArn, _ := arn.StripPath(mappingARN)
+		logrus.Infof("additional arn comparison for IAM arn. arn from STS response is %s, arn in mapper is %s",
+			canonicalARN, strings.ToLower(strippedArn))
+		if strippedArn != "" && canonicalARN != strings.ToLower(strippedArn) {
 			return errutil.ErrIDAndARNMismatch
 		}
+		return nil
 	}
 	return nil
 }
diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-0.6.15
+0.6.16

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package dynamicfile`
`3`	`3`	`import (`
`4`	`4`	`"strings"`
`5`	`5`
	`6`	`+ "github.com/sirupsen/logrus"`
`6`	`7`	`"sigs.k8s.io/aws-iam-authenticator/pkg/arn"`
`7`	`8`	`"sigs.k8s.io/aws-iam-authenticator/pkg/config"`
`8`	`9`	`"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"`
`@@ -46,31 +47,34 @@ func (m DynamicFileMapper) Map(identity token.Identity) (*config.IdentityMappi`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`if roleMapping, err := m.RoleMapping(key); err == nil {`
`49`		`- if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {`
	`50`	`+ if err := m.match(canonicalARN, roleMapping.RoleARN); err != nil {`
`50`	`51`	`return nil, err`
`51`	`52`	`}`
`52`	`53`	`return roleMapping.IdentityMapping(identity), nil`
`53`	`54`	`}`
`54`	`55`
`55`	`56`	`if userMapping, err := m.UserMapping(key); err == nil {`
`56`		`- if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {`
	`57`	`+ if err := m.match(canonicalARN, userMapping.UserARN); err != nil {`
`57`	`58`	`return nil, err`
`58`	`59`	`}`
`59`	`60`	`return userMapping.IdentityMapping(identity), nil`
`60`		`- }`
`61`	`61`
	`62`	`+ }`
`62`	`63`	`return nil, errutil.ErrNotMapped`
`63`	`64`	`}`
`64`	`65`
`65`		`-func (m DynamicFileMapper) match(token token.Identity, mappedARN, mappedUserID string) error {`
	`66`	`+func (m *DynamicFileMapper) match(canonicalARN string, mappingARN string) error {`
`66`	`67`	`if m.userIDStrict {`
`67`	`68`	`// If ARN is provided, ARN must be validated along with UserID. This avoids having to`
`68`	`69`	`// support IAM user name/ARN changes. Without preventing this the mapping would look`
`69`	`70`	`// invalid but still work and auditing would be difficult/impossible.`
`70`		`- strippedArn, _ := arn.StripPath(mappedARN)`
`71`		`- if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {`
	`71`	`+ strippedArn, _ := arn.StripPath(mappingARN)`
	`72`	`+ logrus.Infof("additional arn comparison for IAM arn. arn from STS response is %s, arn in mapper is %s",`
	`73`	`+ canonicalARN, strings.ToLower(strippedArn))`
	`74`	`+ if strippedArn != "" && canonicalARN != strings.ToLower(strippedArn) {`
`72`	`75`	`return errutil.ErrIDAndARNMismatch`
`73`	`76`	`}`
	`77`	`+ return nil`
`74`	`78`	`}`
`75`	`79`	`return nil`
`76`	`80`	`}`