Change behavior of service account empty policies (#18346)

* Fix embedded/implied policy behavior * assume implied policy if pased to empty * fix for all * Fix failing tests --------- Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
2025-04-12 23:42:22 -04:00 · 2023-10-31 15:30:36 -04:00 · 2023-10-31 15:30:36 -04:00 · 33322e6638
commit 33322e6638
parent a1792ca0d1
1 changed files with 11 additions and 2 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -781,6 +781,9 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 			return
 		}
 		if sp.Version == "" && len(sp.Statements) == 0 {
 			sp = nil
 		}
 	}
 	opts.sessionPolicy = sp
@ -911,6 +914,9 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
 			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 			return
 		}
 		if sp.Version == "" && len(sp.Statements) == 0 {
 			sp = nil
 		}
 	}
 	opts := updateServiceAccountOpts{
 		secretKey:     updateReq.NewSecretKey,
@ -996,9 +1002,12 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ
 		}
 	}
 	// if session policy is nil or empty, then it is implied policy
 	impliedPolicy := sessionPolicy == nil || (sessionPolicy.Version == "" && len(sessionPolicy.Statements) == 0)
 	var svcAccountPolicy policy.Policy
-	if sessionPolicy != nil {
+	if !impliedPolicy {
 		svcAccountPolicy = *sessionPolicy
 	} else {
 		policiesNames, err := globalIAMSys.PolicyDBGet(svcAccount.ParentUser, false)
@ -1025,7 +1034,7 @@ func (a adminAPIHandlers) InfoServiceAccount(w http.ResponseWriter, r *http.Requ
 		Name:          svcAccount.Name,
 		Description:   svcAccount.Description,
 		AccountStatus: svcAccount.Status,
-		ImpliedPolicy: sessionPolicy == nil,
+		ImpliedPolicy: impliedPolicy,
 		Policy:        string(policyJSON),
 		Expiration:    expiration,
 	}