MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-03-29 00:33:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix behavior of AddServiceAccountLDAP for non-admin users (#20442)

Browse Source
This commit is contained in:
Taran Pelkey 2024-09-16 19:04:51 -04:00 committed by GitHub
parent 70d40083e9
commit 3c82cf9327
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/admin-handlers-idp-ldap.go
View File

@ -190,7 +190,7 @@ func (a adminAPIHandlers) AttachDetachPolicyLDAP(w http.ResponseWriter, r *http.
// //
// PUT /minio/admin/v3/idp/ldap/add-service-account // PUT /minio/admin/v3/idp/ldap/add-service-account
func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.Request) {
ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r) ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r, true)
if APIError.Code != "" { if APIError.Code != "" {
writeErrorResponseJSON(ctx, w, APIError, r.URL) writeErrorResponseJSON(ctx, w, APIError, r.URL)
return return

14
cmd/admin-handlers-users.go
View File

@ -637,7 +637,7 @@ func (a adminAPIHandlers) TemporaryAccountInfo(w http.ResponseWriter, r *http.Re
// AddServiceAccount - PUT /minio/admin/v3/add-service-account // AddServiceAccount - PUT /minio/admin/v3/add-service-account
func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) {
ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r) ctx, cred, opts, createReq, targetUser, APIError := commonAddServiceAccount(r, false)
if APIError.Code != "" { if APIError.Code != "" {
writeErrorResponseJSON(ctx, w, APIError, r.URL) writeErrorResponseJSON(ctx, w, APIError, r.URL)
return return
@ -2529,7 +2529,7 @@ func addExpirationToCondValues(exp *time.Time, condValues map[string][]string) e
return nil return nil
} }
func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials, newServiceAccountOpts, madmin.AddServiceAccountReq, string, APIError) { func commonAddServiceAccount(r *http.Request, ldap bool) (context.Context, auth.Credentials, newServiceAccountOpts, madmin.AddServiceAccountReq, string, APIError) {
ctx := r.Context() ctx := r.Context()
// Get current object layer instance. // Get current object layer instance.
@ -2596,6 +2596,14 @@ func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err) return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err)
} }
denyOnly := (targetUser == cred.AccessKey || targetUser == cred.ParentUser)
if ldap && !denyOnly {
res, _ := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(targetUser)
if res.NormDN == cred.ParentUser {
denyOnly = true
}
}
// Check if action is allowed if creating access key for another user // Check if action is allowed if creating access key for another user
// Check if action is explicitly denied if for self // Check if action is explicitly denied if for self
if !globalIAMSys.IsAllowed(policy.Args{ if !globalIAMSys.IsAllowed(policy.Args{
@ -2605,7 +2613,7 @@ func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials
ConditionValues: condValues, ConditionValues: condValues,
IsOwner: owner, IsOwner: owner,
Claims: cred.Claims, Claims: cred.Claims,
DenyOnly: (targetUser == cred.AccessKey || targetUser == cred.ParentUser), DenyOnly: denyOnly,
}) { }) {
return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAccessDenied) return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", errorCodes.ToAPIErr(ErrAccessDenied)
} }