From de02eca467a470c61f30e5e07815c5c1104cb4c6 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 15 Mar 2023 08:07:42 -0700
Subject: [PATCH] restore rotating root credentials properly (#16812)
---
cmd/auth-handler.go | 2 +-
cmd/iam-etcd-store.go | 7 +++++++
cmd/iam-object-store.go | 8 ++++++++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index 7214ed645..addf5a7b7 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -207,7 +207,7 @@ func getClaimsFromTokenWithSecret(token, secret string) (map[string]interface{},
 // that clients cannot decode the token using the temp
 // secret keys and generate an entirely new claim by essentially
 // hijacking the policies. We need to make sure that this is
- // based an admin credential such that token cannot be decoded
+ // based on admin credential such that token cannot be decoded
 // on the client side and is treated like an opaque value.
 claims, err := auth.ExtractClaims(token, secret)
 if err != nil {
diff --git a/cmd/iam-etcd-store.go b/cmd/iam-etcd-store.go
index 52d4bc56e..e688f7c36 100644
--- a/cmd/iam-etcd-store.go
+++ b/cmd/iam-etcd-store.go
@@ -248,6 +248,13 @@ func (ies *IAMEtcdStore) addUser(ctx context.Context, user string, userType IAMU
 if u.Credentials.SessionToken != "" {
 jwtClaims, err := extractJWTClaims(u)
 if err != nil {
+ if u.Credentials.IsTemp() {
+ // We should delete such that the client can re-request
+ // for the expiring credentials.
+ deleteKeyEtcd(ctx, ies.client, getUserIdentityPath(user, userType))
+ deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false))
+ return nil
+ }
 return err
 }
 u.Credentials.Claims = jwtClaims.Map()
diff --git a/cmd/iam-object-store.go b/cmd/iam-object-store.go
index e61450eb7..fc2ad9b40 100644
--- a/cmd/iam-object-store.go
+++ b/cmd/iam-object-store.go
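Review bot: Both deleteKeyEtcd calls in the new IsTemp() branch discard their result, so a failed delete (etcd unreachable, key still present) is indistinguishable from a successful cleanup and the following `return nil` reports the user as handled while the undecodable temp credential is still stored. If deleteKeyEtcd reports failure, surface it rather than drop it, e.g. `if err := deleteKeyEtcd(ctx, ies.client, getUserIdentityPath(user, userType)); err != nil { return err }` and likewise for the mapped-policy key, so that nil is only returned once both keys are actually gone. Note that any extractJWTClaims error triggers the deletion, not only a signature mismatch after the root-key rotation the commit subject refers to; that is presumably acceptable for expiring credentials but deserves a comment such as `// A temp credential whose session token no longer verifies (expired, or signed with a rotated root key) cannot be restored; drop it so the client re-authenticates.` Credentials that carry a SessionToken but for which IsTemp() is false still hit `return err` and abort the load, which I assume is intended. addUser's body begins and ends outside the hunk.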
@@ -187,7 +187,15 @@ func (iamOS *IAMObjectStore) loadUser(ctx context.Context, user string, userType
 if u.Credentials.SessionToken != "" {
 jwtClaims, err := extractJWTClaims(u)
 if err != nil {
+ if u.Credentials.IsTemp() {
+ // We should delete such that the client can re-request
+ // for the expiring credentials.
+ iamOS.deleteIAMConfig(ctx, getUserIdentityPath(user, userType))
+ iamOS.deleteIAMConfig(ctx, getMappedPolicyPath(user, userType, false))
+ return nil
+ }
 return err
+
 }
 u.Credentials.Claims = jwtClaims.Map()
 }
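Review bot: The two iamOS.deleteIAMConfig calls in the new IsTemp() branch ignore their return values, so when a delete fails the stale temp credential stays in the object store while `return nil` tells the caller the load succeeded; if deleteIAMConfig reports an error, check it, e.g. `if err := iamOS.deleteIAMConfig(ctx, getUserIdentityPath(user, userType)); err != nil { return err }` and the same for the mapped-policy path. The lone added blank line after `return err` (the `+` line before the closing brace, implied by the 7/15 hunk counts) looks accidental and should be dropped. This branch duplicates the one added to IAMEtcdStore.addUser in the same commit, so a short comment explaining the intent, such as `// Temp credentials whose session token no longer verifies (e.g. after a root credential rotation) cannot be restored; remove them so the client re-requests.`, would help whoever touches either copy next. loadUser's body begins and ends outside the hunk.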