Skip to content

Commit

Permalink
minor fix
Browse files Browse the repository at this point in the history
  • Loading branch information
nnmin-aws committed Dec 10, 2023
1 parent 8309d67 commit afc28b6
Showing 1 changed file with 13 additions and 19 deletions.
32 changes: 13 additions & 19 deletions pkg/mapper/dynamicfile/mapper.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package dynamicfile
import (
"strings"

"github.com/sirupsen/logrus"
"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
"sigs.k8s.io/aws-iam-authenticator/pkg/config"
"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
Expand Down Expand Up @@ -46,35 +47,28 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
}

if roleMapping, err := m.RoleMapping(key); err == nil {
if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
return nil, err
}
return roleMapping.IdentityMapping(identity), nil
}

if userMapping, err := m.UserMapping(key); err == nil {
if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
return nil, err
if !m.userIDStrict {
return userMapping.IdentityMapping(identity), nil
}
// compare arn additionally for IAM user if principalId is used in mapping
strippedArn, stripErr := arn.StripPath(userMapping.UserARN)
if stripErr != nil {
return nil, stripErr
}
if canonicalARN != strings.ToLower(strippedArn) {
logrus.Info("arn not matched though principalId match. arn from STS response is %s, arn in mapper is %s",
canonicalARN, strings.ToLower(strippedArn))
return nil, errutil.ErrIDAndARNMismatch
}
return userMapping.IdentityMapping(identity), nil
}

return nil, errutil.ErrNotMapped
}

func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
if m.userIDStrict {
// If ARN is provided, ARN must be validated along with UserID. This avoids having to
// support IAM user name/ARN changes. Without preventing this the mapping would look
// invalid but still work and auditing would be difficult/impossible.
strippedArn, _ := arn.StripPath(mappedARN)
if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
return errutil.ErrIDAndARNMismatch
}
}
return nil
}

func (m *DynamicFileMapper) IsAccountAllowed(accountID string) bool {
return m.AWSAccount(accountID)
}
Expand Down

0 comments on commit afc28b6

Please sign in to comment.