Adds TokenRevokeType field to credential providers. (#2075)

taran-p · web-flow · commit 07d26d943841 · 2025-03-19T16:22:16.000-07:00
diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
@@ -104,6 +104,8 @@ type STSAssumeRoleOptions struct {
 	RoleARN         string
 	RoleSessionName string
 	ExternalID      string
+
+	TokenRevokeType string // Optional, used for token revokation (MinIO only extension)
 }
 
 // NewSTSAssumeRole returns a pointer to a new
@@ -161,6 +163,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 	if opts.ExternalID != "" {
 		v.Set("ExternalId", opts.ExternalID)
 	}
+	if opts.TokenRevokeType != "" {
+		v.Set("TokenRevokeType", opts.TokenRevokeType)
+	}
 
 	u, err := url.Parse(endpoint)
 	if err != nil {
diff --git a/pkg/credentials/sts_custom_identity.go b/pkg/credentials/sts_custom_identity.go
@@ -69,6 +69,9 @@ type CustomTokenIdentity struct {
 	// RequestedExpiry is to set the validity of the generated credentials
 	// (this value bounded by server).
 	RequestedExpiry time.Duration
+
+	// Optional, used for token revokation
+	TokenRevokeType string
 }
 
 // RetrieveWithCredContext with Retrieve optionally cred context
@@ -98,6 +101,9 @@ func (c *CustomTokenIdentity) RetrieveWithCredContext(cc *CredContext) (value Va
 	if c.RequestedExpiry != 0 {
 		v.Set("DurationSeconds", fmt.Sprintf("%d", int(c.RequestedExpiry.Seconds())))
 	}
+	if c.TokenRevokeType != "" {
+		v.Set("TokenRevokeType", c.TokenRevokeType)
+	}
 
 	u.RawQuery = v.Encode()
 
diff --git a/pkg/credentials/sts_ldap_identity.go b/pkg/credentials/sts_ldap_identity.go
@@ -73,6 +73,9 @@ type LDAPIdentity struct {
 	// RequestedExpiry is the configured expiry duration for credentials
 	// requested from LDAP.
 	RequestedExpiry time.Duration
+
+	// Optional, used for token revokation
+	TokenRevokeType string
 }
 
 // NewLDAPIdentity returns new credentials object that uses LDAP
@@ -152,6 +155,9 @@ func (k *LDAPIdentity) RetrieveWithCredContext(cc *CredContext) (value Value, er
 	if k.RequestedExpiry != 0 {
 		v.Set("DurationSeconds", fmt.Sprintf("%d", int(k.RequestedExpiry.Seconds())))
 	}
+	if k.TokenRevokeType != "" {
+		v.Set("TokenRevokeType", k.TokenRevokeType)
+	}
 
 	req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(v.Encode()))
 	if err != nil {
diff --git a/pkg/credentials/sts_tls_identity.go b/pkg/credentials/sts_tls_identity.go
@@ -80,6 +80,9 @@ type STSCertificateIdentity struct {
 	// Certificate is the client certificate that is used for
 	// STS authentication.
 	Certificate tls.Certificate
+
+	// Optional, used for token revokation
+	TokenRevokeType string
 }
 
 // NewSTSCertificateIdentity returns a STSCertificateIdentity that authenticates
@@ -122,6 +125,9 @@ func (i *STSCertificateIdentity) RetrieveWithCredContext(cc *CredContext) (Value
 	queryValues := url.Values{}
 	queryValues.Set("Action", "AssumeRoleWithCertificate")
 	queryValues.Set("Version", STSVersion)
+	if i.TokenRevokeType != "" {
+		queryValues.Set("TokenRevokeType", i.TokenRevokeType)
+	}
 	endpointURL.RawQuery = queryValues.Encode()
 
 	req, err := http.NewRequest(http.MethodPost, endpointURL.String(), nil)
diff --git a/pkg/credentials/sts_web_identity.go b/pkg/credentials/sts_web_identity.go
@@ -93,6 +93,9 @@ type STSWebIdentity struct {
 
 	// roleSessionName is the identifier for the assumed role session.
 	roleSessionName string
+
+	// Optional, used for token revokation
+	TokenRevokeType string
 }
 
 // NewSTSWebIdentity returns a pointer to a new
@@ -135,7 +138,7 @@ func WithPolicy(policy string) func(*STSWebIdentity) {
 }
 
 func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSessionName string, policy string,
-	getWebIDTokenExpiry func() (*WebIdentityToken, error),
+	getWebIDTokenExpiry func() (*WebIdentityToken, error), tokenRevokeType string,
 ) (AssumeRoleWithWebIdentityResponse, error) {
 	idToken, err := getWebIDTokenExpiry()
 	if err != nil {
@@ -168,6 +171,9 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 		v.Set("Policy", policy)
 	}
 	v.Set("Version", STSVersion)
+	if tokenRevokeType != "" {
+		v.Set("TokenRevokeType", tokenRevokeType)
+	}
 
 	u, err := url.Parse(endpoint)
 	if err != nil {
@@ -236,7 +242,7 @@ func (m *STSWebIdentity) RetrieveWithCredContext(cc *CredContext) (Value, error)
 		return Value{}, errors.New("STS endpoint unknown")
 	}
 
-	a, err := getWebIdentityCredentials(client, stsEndpoint, m.RoleARN, m.roleSessionName, m.Policy, m.GetWebIDTokenExpiry)
+	a, err := getWebIdentityCredentials(client, stsEndpoint, m.RoleARN, m.roleSessionName, m.Policy, m.GetWebIDTokenExpiry, m.TokenRevokeType)
 	if err != nil {
 		return Value{}, err
 	}
