fix: LDAP derivative accounts parentUser validation is not needed (#9573)
* fix: LDAP derivative accounts parentUser validation is not needed fixes #9435 * Update cmd/iam.go Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com> Co-authored-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
parent
e25ace2151
commit
1756b7c6ff
111
cmd/iam.go
111
cmd/iam.go
@ -1023,9 +1023,15 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
|
|||||||
|
|
||||||
cred, ok = sys.iamUsersMap[accessKey]
|
cred, ok = sys.iamUsersMap[accessKey]
|
||||||
if ok && cred.IsValid() {
|
if ok && cred.IsValid() {
|
||||||
if cred.ParentUser != "" {
|
if cred.ParentUser != "" && sys.usersSysType == MinIOUsersSysType {
|
||||||
_, ok = sys.iamUsersMap[cred.ParentUser]
|
_, ok = sys.iamUsersMap[cred.ParentUser]
|
||||||
}
|
}
|
||||||
|
// for LDAP service accounts with ParentUser set
|
||||||
|
// we have no way to validate, either because user
|
||||||
|
// doesn't need an explicit policy as it can come
|
||||||
|
// automatically from a group. We are safe to ignore
|
||||||
|
// this and continue as policies would fail eventually
|
||||||
|
// the policies are missing or not configured.
|
||||||
}
|
}
|
||||||
return cred, ok && cred.IsValid()
|
return cred, ok && cred.IsValid()
|
||||||
}
|
}
|
||||||
@ -1617,59 +1623,74 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parent string) b
|
|||||||
func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
|
func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args) bool {
|
||||||
// If it is an LDAP request, check that user and group
|
// If it is an LDAP request, check that user and group
|
||||||
// policies allow the request.
|
// policies allow the request.
|
||||||
if userIface, ok := args.Claims[ldapUser]; ok {
|
if sys.usersSysType == LDAPUsersSysType {
|
||||||
var user string
|
if userIface, ok := args.Claims[ldapUser]; ok {
|
||||||
if u, ok := userIface.(string); ok {
|
var user string
|
||||||
user = u
|
if u, ok := userIface.(string); ok {
|
||||||
} else {
|
user = u
|
||||||
return false
|
} else {
|
||||||
}
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
var groups []string
|
var groups []string
|
||||||
groupsVal := args.Claims[ldapGroups]
|
groupsVal := args.Claims[ldapGroups]
|
||||||
if g, ok := groupsVal.([]interface{}); ok {
|
if g, ok := groupsVal.([]interface{}); ok {
|
||||||
for _, eachG := range g {
|
for _, eachG := range g {
|
||||||
if eachGStr, ok := eachG.(string); ok {
|
if eachGStr, ok := eachG.(string); ok {
|
||||||
groups = append(groups, eachGStr)
|
groups = append(groups, eachGStr)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
sys.store.rlock()
|
sys.store.rlock()
|
||||||
defer sys.store.runlock()
|
defer sys.store.runlock()
|
||||||
|
|
||||||
// We look up the policy mapping directly to bypass
|
// We look up the policy mapping directly to bypass
|
||||||
// users exists, group exists validations that do not
|
// users exists, group exists validations that do not
|
||||||
// apply here.
|
// apply here.
|
||||||
var policies []iampolicy.Policy
|
var policies []iampolicy.Policy
|
||||||
if policy, ok := sys.iamUserPolicyMap[user]; ok {
|
if mp, ok := sys.iamUserPolicyMap[user]; ok {
|
||||||
p, found := sys.iamPolicyDocsMap[policy.Policy]
|
for _, pname := range strings.Split(mp.Policy, ",") {
|
||||||
if found {
|
pname = strings.TrimSpace(pname)
|
||||||
policies = append(policies, p)
|
if pname == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
p, found := sys.iamPolicyDocsMap[pname]
|
||||||
|
if !found {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
policies = append(policies, p)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
for _, group := range groups {
|
||||||
for _, group := range groups {
|
mp, ok := sys.iamGroupPolicyMap[group]
|
||||||
policy, ok := sys.iamGroupPolicyMap[group]
|
if !ok {
|
||||||
if !ok {
|
continue
|
||||||
continue
|
}
|
||||||
|
for _, pname := range strings.Split(mp.Policy, ",") {
|
||||||
|
pname = strings.TrimSpace(pname)
|
||||||
|
if pname == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
p, found := sys.iamPolicyDocsMap[pname]
|
||||||
|
if !found {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
policies = append(policies, p)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
p, found := sys.iamPolicyDocsMap[policy.Policy]
|
if len(policies) == 0 {
|
||||||
if found {
|
return false
|
||||||
policies = append(policies, p)
|
|
||||||
}
|
}
|
||||||
|
combinedPolicy := policies[0]
|
||||||
|
for i := 1; i < len(policies); i++ {
|
||||||
|
combinedPolicy.Statements =
|
||||||
|
append(combinedPolicy.Statements,
|
||||||
|
policies[i].Statements...)
|
||||||
|
}
|
||||||
|
return combinedPolicy.IsAllowed(args)
|
||||||
}
|
}
|
||||||
if len(policies) == 0 {
|
return false
|
||||||
return false
|
|
||||||
}
|
|
||||||
combinedPolicy := policies[0]
|
|
||||||
for i := 1; i < len(policies); i++ {
|
|
||||||
combinedPolicy.Statements =
|
|
||||||
append(combinedPolicy.Statements,
|
|
||||||
policies[i].Statements...)
|
|
||||||
}
|
|
||||||
return combinedPolicy.IsAllowed(args)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
|
policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
|
||||||
|
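Review bot: On the new side of the IsAllowedSTS hunk, `combinedPolicy := policies[0]` followed by `combinedPolicy.Statements = append(combinedPolicy.Statements, policies[i].Statements...)` appends into the slice header copied out of the cached `sys.iamPolicyDocsMap` entry; if that stored slice has spare capacity, the appended statements land in the cached document's backing array while only `sys.store.rlock()` is held, so concurrent evaluations can race on and overwrite each other's combined statement list. Detaching the copy before appending avoids this: `combinedPolicy.Statements = append(combinedPolicy.Statements[:0:0], combinedPolicy.Statements...)`. The pattern predates this commit, but the restructured block is the natural place to fix it. The split/trim/lookup loop over `mp.Policy` is now duplicated for the user and the group mappings; a small helper returning `([]iampolicy.Policy, bool)` would keep the deny-on-unknown-policy rule in one place. IsAllowedSTS continues past the end of the hunk.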