From afc28b6224da3c8b767146d84d747088ed740fbe Mon Sep 17 00:00:00 2001
From: Min Ni <nnmin@amazon.com>
Date: Sat, 9 Dec 2023 15:34:01 -0800
Subject: [PATCH] minor fix

---
 pkg/mapper/dynamicfile/mapper.go | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/pkg/mapper/dynamicfile/mapper.go b/pkg/mapper/dynamicfile/mapper.go
index d11cda4fc..9faebd272 100644
--- a/pkg/mapper/dynamicfile/mapper.go
+++ b/pkg/mapper/dynamicfile/mapper.go
@@ -3,6 +3,7 @@ package dynamicfile
 import (
 	"strings"
 
+	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
@@ -46,35 +47,28 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
 	}
 
 	if roleMapping, err := m.RoleMapping(key); err == nil {
-		if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
-			return nil, err
-		}
 		return roleMapping.IdentityMapping(identity), nil
 	}
 
 	if userMapping, err := m.UserMapping(key); err == nil {
-		if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
-			return nil, err
+		if !m.userIDStrict {
+			return userMapping.IdentityMapping(identity), nil
+		}
+		// compare arn additionally for IAM user if principalId is used in mapping
+		strippedArn, stripErr := arn.StripPath(userMapping.UserARN)
+		if stripErr != nil {
+			return nil, stripErr
+		}
+		if canonicalARN != strings.ToLower(strippedArn) {
+			logrus.Info("arn not matched though principalId match. arn from STS response is %s, arn in mapper is %s",
+				canonicalARN, strings.ToLower(strippedArn))
+			return nil, errutil.ErrIDAndARNMismatch
 		}
 		return userMapping.IdentityMapping(identity), nil
 	}
-
 	return nil, errutil.ErrNotMapped
 }
 
-func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
-	if m.userIDStrict {
-		// If ARN is provided, ARN must be validated along with UserID.  This avoids having to
-		// support IAM user name/ARN changes. Without preventing this the mapping would look
-		// invalid but still work and auditing would be difficult/impossible.
-		strippedArn, _ := arn.StripPath(mappedARN)
-		if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
-			return errutil.ErrIDAndARNMismatch
-		}
-	}
-	return nil
-}
-
 func (m *DynamicFileMapper) IsAccountAllowed(accountID string) bool {
 	return m.AWSAccount(accountID)
 }