fix: disallow newer policies, users & groups with space characters (#14845)
Space characters at the beginning or end of a name can cause confusion in various UI elements when identifying the actual name of a policy, user or group. To avoid this, from this PR onwards such inputs are rejected for new entries. Existing saved entries behave as before and remain operable until they are removed or renamed to something more meaningful.
This commit is contained in:
parent
2719f1efaa
commit
16bc11e72e
@ -241,6 +241,15 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
|
|||||||
if updReq.IsRemove {
|
if updReq.IsRemove {
|
||||||
err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
|
err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
|
||||||
} else {
|
} else {
|
||||||
|
// Check if group already exists
|
||||||
|
if _, gerr := globalIAMSys.GetGroupDescription(updReq.Group); gerr != nil {
|
||||||
|
// If group does not exist, then check if the group has beginning and end space characters
|
||||||
|
// we will reject such group names.
|
||||||
|
if errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(updReq.Group) {
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
|
err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -442,6 +451,12 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if accessKey has beginning and end space characters, this only applies to new users.
|
||||||
|
if !exists && hasSpaceBE(accessKey) {
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
checkDenyOnly := false
|
checkDenyOnly := false
|
||||||
if accessKey == cred.AccessKey {
|
if accessKey == cred.AccessKey {
|
||||||
// Check that there is no explicit deny - otherwise it's allowed
|
// Check that there is no explicit deny - otherwise it's allowed
|
||||||
@ -533,6 +548,12 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// service account access key cannot have space characters beginning and end of the string.
|
||||||
|
if hasSpaceBE(createReq.AccessKey) {
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
targetUser string
|
targetUser string
|
||||||
targetGroups []string
|
targetGroups []string
|
||||||
@ -1384,6 +1405,12 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
|
|||||||
vars := mux.Vars(r)
|
vars := mux.Vars(r)
|
||||||
policyName := vars["name"]
|
policyName := vars["name"]
|
||||||
|
|
||||||
|
// Policy has space characters in begin and end reject such inputs.
|
||||||
|
if hasSpaceBE(policyName) {
|
||||||
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Error out if Content-Length is missing.
|
// Error out if Content-Length is missing.
|
||||||
if r.ContentLength <= 0 {
|
if r.ContentLength <= 0 {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
|
||||||
|
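Review bot: The new name validation is repeated in four handlers (UpdateGroupMembers at the `errors.Is(gerr, errNoSuchGroup) && hasSpaceBE(updReq.Group)` branch, AddUser, AddServiceAccount and AddCannedPolicy), each with the same `writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)` / `return` pair, so any other path that creates users, groups or policies through globalIAMSys presumably bypasses the rule; enforcing it once in the IAM layer, or at least in a shared helper the handlers call, would be more robust and harder to forget in a future handler. In the UpdateGroupMembers hunk the rejection only fires when gerr is errNoSuchGroup; any other error from GetGroupDescription still falls through to AddUsersToGroup, which deserves a comment if that is intentional. `exists` in the AddUser hunk is assigned outside the hunk. All four enclosing handlers start and end outside their hunks.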
@ -383,6 +383,7 @@ const (
|
|||||||
ErrAdminProfilerNotEnabled
|
ErrAdminProfilerNotEnabled
|
||||||
ErrInvalidDecompressedSize
|
ErrInvalidDecompressedSize
|
||||||
ErrAddUserInvalidArgument
|
ErrAddUserInvalidArgument
|
||||||
|
ErrAdminResourceInvalidArgument
|
||||||
ErrAdminAccountNotEligible
|
ErrAdminAccountNotEligible
|
||||||
ErrAccountNotEligible
|
ErrAccountNotEligible
|
||||||
ErrAdminServiceAccountNotFound
|
ErrAdminServiceAccountNotFound
|
||||||
@ -1825,6 +1826,11 @@ var errorCodes = errorCodeMap{
|
|||||||
Description: "User is not allowed to be same as admin access key",
|
Description: "User is not allowed to be same as admin access key",
|
||||||
HTTPStatusCode: http.StatusForbidden,
|
HTTPStatusCode: http.StatusForbidden,
|
||||||
},
|
},
|
||||||
|
ErrAdminResourceInvalidArgument: {
|
||||||
|
Code: "XMinioInvalidResource",
|
||||||
|
Description: "Policy, user or group names are not allowed to begin or end with space characters",
|
||||||
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
|
},
|
||||||
ErrAdminAccountNotEligible: {
|
ErrAdminAccountNotEligible: {
|
||||||
Code: "XMinioInvalidIAMCredentials",
|
Code: "XMinioInvalidIAMCredentials",
|
||||||
Description: "The administrator key is not eligible for this operation",
|
Description: "The administrator key is not eligible for this operation",
|
||||||
|
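Review bot: The text at `Description: "Policy, user or group names are not allowed to begin or end with space characters",` is narrower than the check it reports on: the handlers decide with strings.TrimSpace, which strips every Unicode white-space character (tab, newline, non-breaking space), so a name rejected for a leading tab gets a message that only mentions spaces; `Description: "Policy, user or group names are not allowed to begin or end with whitespace characters",` would match the behaviour. Inserting `ErrAdminResourceInvalidArgument` in the middle of the iota block also renumbers every constant after it; that is presumably harmless because clients only see the string Code, but a one-line comment on the const block saying the numeric values are not stable would keep a future reader from persisting them. The const block and the errorCodes map both start and end outside the hunks.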
File diff suppressed because one or more lines are too long
@ -158,8 +158,7 @@ type MappedPolicy struct {
|
|||||||
func (mp MappedPolicy) toSlice() []string {
|
func (mp MappedPolicy) toSlice() []string {
|
||||||
var policies []string
|
var policies []string
|
||||||
for _, policy := range strings.Split(mp.Policies, ",") {
|
for _, policy := range strings.Split(mp.Policies, ",") {
|
||||||
policy = strings.TrimSpace(policy)
|
if strings.TrimSpace(policy) == "" {
|
||||||
if policy == "" {
|
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
policies = append(policies, policy)
|
policies = append(policies, policy)
|
||||||
|
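Review bot: `policies = append(policies, policy)` now appends the untrimmed element, so a stored mapping written with a space after the separator (constructed example: `"p1, p2"`) yields `" p2"` where it previously yielded `"p2"`; if any existing MappedPolicy values were saved in that form, those names will presumably no longer match the stored policies and the affected user silently loses that permission. The function cannot tell separator whitespace from a legacy name that legitimately carries spaces, so the new behaviour should at least be stated on toSlice, e.g. `// Elements are deliberately not trimmed: existing policy names may begin or end with white space and must keep matching.`, and the commit description should call out the migration risk for mappings with spaced separators. toSlice's return statement lies outside the hunk.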
@ -88,6 +88,14 @@ func IsErr(err error, errs ...error) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// returns 'true' if either string has space in the
|
||||||
|
// - beginning of a string
|
||||||
|
// OR
|
||||||
|
// - end of a string
|
||||||
|
func hasSpaceBE(s string) bool {
|
||||||
|
return strings.TrimSpace(s) != s
|
||||||
|
}
|
||||||
|
|
||||||
func request2BucketObjectName(r *http.Request) (bucketName, objectName string) {
|
func request2BucketObjectName(r *http.Request) (bucketName, objectName string) {
|
||||||
path, err := getResource(r.URL.Path, r.Host, globalDomainNames)
|
path, err := getResource(r.URL.Path, r.Host, globalDomainNames)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
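Review bot: The comment above `func hasSpaceBE(s string) bool` describes the check in terms of "space", but `strings.TrimSpace(s) != s` is true for any leading or trailing Unicode white space as defined by unicode.IsSpace (tab, newline, CR, NBSP and others), and a Go doc comment should start with the function name; suggested replacement: `// hasSpaceBE reports whether s begins or ends with Unicode white space (anything strings.TrimSpace would strip), which is broader than the ASCII space character.` It may also be worth saying that the function accepts the empty string and does not address other visually confusable names (interior runs of spaces, zero-width characters), so callers do not mistake it for general name validation. IsErr ends inside the hunk; request2BucketObjectName continues past it.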