Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add new API endpoint to revoke STS tokens #21072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 31, 2025
Merged

Add new API endpoint to revoke STS tokens #21072

merged 6 commits into from
Mar 31, 2025

Conversation

@taran-p
Copy link
Contributor

@taran-p taran-p commented Mar 25, 2025
edited
Loading

Community Contribution License

All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.

Description

Adds the ability to revoke STS tokens by user. There are two options for this, either all STS tokens for a user can be revoked (full revoke) or by tokenRevokeType. This tokenRevokeType is an attribute that can be added to an STS token at creation when calling AssumeRole, then if RevokeTokens is called on the parent user with that tokenRevokeType, only those matching tokens will be revoked.

Adds new RevokeTokens function with endpoints at revoke-tokens/internal and revoke-tokens/ldap. These APIs can be used to revoke tokens for users matching their provider, and the internal API also allows for any kind of user to "self-revoke" when the user value is left blank.

Backport from miniohq/eos#498

Motivation and Context

How to test this PR?

Create STS tokens with/without revoke types using minio-go, revoke using minio/mc#5160

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

@taran-p taran-p marked this pull request as ready for review March 31, 2025 17:06
@taran-p taran-p requested a review from Copilot March 31, 2025 17:06
Copilot

This comment was marked as outdated.

Sign in to view

@taran-p taran-p requested a review from Copilot March 31, 2025 17:27
Copilot

This comment was marked as outdated.

Sign in to view

@taran-p taran-p requested a review from Copilot March 31, 2025 17:30
Copilot
Copilot AI reviewed Mar 31, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request adds a new API endpoint to revoke STS tokens by user, either by token type or via full revoke.

  • Introduces RevokeTokens functionality in the IAM system and associated store.
  • Updates STS endpoint handlers to include an optional tokenRevokeType in the token claims.
  • Adds a new admin route and corresponding tests to validate token revocation behavior.

Reviewed Changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
File Description
cmd/user-provider-utils.go Provides helper function for resolving the internal username based on provider.
cmd/sts-handlers_test.go Adds tests to cover various token revocation scenarios.
cmd/sts-handlers.go Updates STS endpoint handlers to include tokenRevokeType extraction and claim assignment.
cmd/iam.go Exposes a RevokeTokens function in the IAMSys interface.
cmd/iam-store.go Implements the revocation logic for temporary credentials based on token type.
cmd/admin-router.go Adds a new admin route for token revocation based on user provider.
cmd/admin-handlers-users.go Implements the admin handler for token revocation with validation and error responses.
Files not reviewed (1)
  • go.mod: Language not supported
Comments suppressed due to low confidence (2)

cmd/admin-handlers-users.go:2057

  • [nitpick] Consider providing a more specific and descriptive error message for token revocation failures instead of using the generic ErrInvalidRequest.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL) // TODO: copy error code over

cmd/iam-store.go:2061

  • Evaluate whether returning an error upon failing to extract claims from a token is the desired behavior; if one malformed token should not block revocation of valid tokens, consider handling the error more gracefully.
if v, _ := claims.Lookup(tokenRevokeTypeClaim); v != tokenRevokeType {

@harshavardhana harshavardhana merged commit 53d40e4 into minio:master Mar 31, 2025
22 checks passed
@taran-p taran-p deleted the revoke-tokens branch April 4, 2025 18:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@harshavardhana harshavardhana harshavardhana approved these changes

@donatello donatello Awaiting requested review from donatello

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@taran-p @harshavardhana