
fix: correct TokenGenerator access in STS handlers

CRITICAL FIX:
- Make TokenGenerator public in STSService (was private tokenGenerator)
- Update all references from Config.TokenGenerator to TokenGenerator
- Remove TokenGenerator from STSConfig (it belongs in STSService)

This fixes the "NotImplemented" errors in distributed and Keycloak tests.
The issue was that Round 5 changes tried to access Config.TokenGenerator
which didn't exist - TokenGenerator is a field in STSService, not STSConfig.

The TokenGenerator is properly initialized in STSService.Initialize() and
is now accessible for JWT token generation in AssumeRole handlers.
pull/8003/head
Chris Lu 3 weeks ago
parent
commit
52e121bbba
  1. 17
      weed/iam/sts/sts_service.go
  2. 4
      weed/s3api/s3api_sts.go

17
weed/iam/sts/sts_service.go

@ -77,7 +77,7 @@ type STSService struct {
initialized bool
providers map[string]providers.IdentityProvider
issuerToProvider map[string]providers.IdentityProvider // Efficient issuer-based provider lookup
tokenGenerator *TokenGenerator
TokenGenerator *TokenGenerator
trustPolicyValidator TrustPolicyValidator // Interface for trust policy validation
}
@ -101,9 +101,6 @@ type STSConfig struct {
// Providers configuration - enables automatic provider loading
Providers []*ProviderConfig `json:"providers,omitempty"`
// TokenGenerator is used internally for JWT generation (not serialized)
TokenGenerator *TokenGenerator `json:"-"`
}
// ProviderConfig holds identity provider configuration
@ -268,7 +265,7 @@ func (s *STSService) Initialize(config *STSConfig) error {
s.Config = config
// Initialize token generator for stateless JWT operations
s.tokenGenerator = NewTokenGenerator(config.SigningKey, config.Issuer)
s.TokenGenerator = NewTokenGenerator(config.SigningKey, config.Issuer)
// Load identity providers from configuration
if err := s.loadProvidersFromConfig(config); err != nil {
@ -463,7 +460,7 @@ func (s *STSService) AssumeRoleWithWebIdentity(ctx context.Context, request *Ass
WithMaxDuration(sessionDuration)
// Generate self-contained JWT token with all session information
jwtToken, err := s.tokenGenerator.GenerateJWTWithClaims(sessionClaims)
jwtToken, err := s.TokenGenerator.GenerateJWTWithClaims(sessionClaims)
if err != nil {
return nil, fmt.Errorf("failed to generate JWT session token: %w", err)
}
@ -543,7 +540,7 @@ func (s *STSService) AssumeRoleWithCredentials(ctx context.Context, request *Ass
WithMaxDuration(sessionDuration)
// Generate self-contained JWT token with all session information
jwtToken, err := s.tokenGenerator.GenerateJWTWithClaims(sessionClaims)
jwtToken, err := s.TokenGenerator.GenerateJWTWithClaims(sessionClaims)
if err != nil {
return nil, fmt.Errorf("failed to generate JWT session token: %w", err)
}
@ -569,7 +566,7 @@ func (s *STSService) ValidateSessionToken(ctx context.Context, sessionToken stri
}
// Validate JWT and extract comprehensive session claims
claims, err := s.tokenGenerator.ValidateJWTWithClaims(sessionToken)
claims, err := s.TokenGenerator.ValidateJWTWithClaims(sessionToken)
if err != nil {
return nil, fmt.Errorf(ErrSessionValidationFailed, err)
}
@ -815,7 +812,7 @@ func (s *STSService) calculateSessionDuration(durationSeconds *int64, tokenExpir
// extractSessionIdFromToken extracts session ID from JWT session token
func (s *STSService) extractSessionIdFromToken(sessionToken string) string {
// Parse JWT and extract session ID from claims
claims, err := s.tokenGenerator.ValidateJWTWithClaims(sessionToken)
claims, err := s.TokenGenerator.ValidateJWTWithClaims(sessionToken)
if err != nil {
// For test compatibility, also handle direct session IDs
if len(sessionToken) == 32 { // Typical session ID length
@ -870,7 +867,7 @@ func (s *STSService) ExpireSessionForTesting(ctx context.Context, sessionToken s
}
// Validate JWT token format
_, err := s.tokenGenerator.ValidateJWTWithClaims(sessionToken)
_, err := s.TokenGenerator.ValidateJWTWithClaims(sessionToken)
if err != nil {
return fmt.Errorf("invalid session token format: %w", err)
}
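Review bot: Exporting `TokenGenerator` as a bare struct field (the new line after `tokenGenerator *TokenGenerator` in the first hunk) lets any package that imports sts both read and reassign the object that holds the JWT signing key, whereas the previous private field confined that to this package; the fix only needed read access from the handlers. A narrower alternative is to keep the field private and add a method on STSService that wraps `s.tokenGenerator.GenerateJWTWithClaims` and returns an error when `s.initialized` is false, so callers cannot swap the generator or bypass Initialize; the two call sites in weed/s3api/s3api_sts.go would call that method instead. The STSService struct declaration begins outside the first hunk, so other fields that may also be exported cannot be checked here.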

4
weed/s3api/s3api_sts.go

@ -302,7 +302,7 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
WithRoleInfo(roleArn, fmt.Sprintf("%s:%s", roleName, roleSessionName), identity.PrincipalArn)
// Generate JWT session token
sessionToken, err := h.stsService.Config.TokenGenerator.GenerateJWTWithClaims(claims)
sessionToken, err := h.stsService.TokenGenerator.GenerateJWTWithClaims(claims)
if err != nil {
glog.Errorf("AssumeRole: failed to generate session token: %v", err)
h.writeSTSErrorResponse(w, r, STSErrInternalError, err)
@ -470,7 +470,7 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
WithIdentityProvider("ldap", identity.UserID, identity.Provider)
// Generate JWT session token
sessionToken, err := h.stsService.Config.TokenGenerator.GenerateJWTWithClaims(claims)
sessionToken, err := h.stsService.TokenGenerator.GenerateJWTWithClaims(claims)
if err != nil {
glog.Errorf("AssumeRoleWithLDAPIdentity: failed to generate session token: %v", err)
h.writeSTSErrorResponse(w, r, STSErrInternalError, err)
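Review bot: Both new call sites, `h.stsService.TokenGenerator.GenerateJWTWithClaims(claims)` in handleAssumeRole and in handleAssumeRoleWithLDAPIdentity, dereference the generator with no nil check; the commit message itself says the previous breakage came from this field being unset, and if a handler is ever reached before Initialize has run the request now panics inside the HTTP handler rather than producing an STS error response. A guard before each call, `if h.stsService.TokenGenerator == nil { h.writeSTSErrorResponse(w, r, STSErrInternalError, fmt.Errorf("sts service not initialized")); return }`, keeps the failure mode an error response and is consistent with the existing STSErrInternalError handling two lines below. Both handler bodies start outside their hunks, so whether an earlier check already covers this cannot be confirmed from the diff.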
