From 5aae7178ad0c1d77885566c6296bbe3fb2d4c30c Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 25 May 2022 15:28:54 -0700
Subject: [PATCH] Fix listing of service and sts accounts (#14977)

Now returns user does not exist error if the user is not known to the system
---
 cmd/iam-store.go | 50 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 40 insertions(+), 10 deletions(-)

diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 40eaf0629..dd07eccbb 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1795,14 +1795,29 @@ func (store *IAMStoreSys) ListTempAccounts(ctx context.Context, accessKey string
 cache := store.rlock()
 defer store.runlock()
 
+ userExists := false
 var tempAccounts []auth.Credentials
 for _, v := range cache.iamUsersMap {
- if v.IsTemp() && v.ParentUser == accessKey {
- // Hide secret key & session key here
- v.SecretKey = ""
- v.SessionToken = ""
- tempAccounts = append(tempAccounts, v)
+ isDerived := false
+ if v.IsServiceAccount() || v.IsTemp() {
+ isDerived = true
 }
+
+ if !isDerived && v.AccessKey == accessKey {
+ userExists = true
+ } else if isDerived && v.ParentUser == accessKey {
+ userExists = true
+ if v.IsTemp() {
+ // Hide secret key & session key here
+ v.SecretKey = ""
+ v.SessionToken = ""
+ tempAccounts = append(tempAccounts, v)
+ }
+ }
+ }
+
+ if !userExists {
+ return nil, errNoSuchUser
 }
 
 return tempAccounts, nil
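Review bot: The new loop body in ListTempAccounts is repeated line for line in the ListServiceAccounts hunk below, differing only in the `v.IsTemp()` versus `v.IsServiceAccount()` filter, so the existence check and the secret blanking now have to be kept in sync in two places. Pulling the scan into one helper that takes the filter as a predicate reduces each function to a single call after `defer store.runlock()`, and also lets `isDerived := false` / `if … { isDerived = true }` collapse to `isDerived := v.IsServiceAccount() || v.IsTemp()`. The helper below assumes iamUsersMap is keyed by string; only its values are read here, so adjust the parameter type if the key differs. Both enclosing functions start before their hunks, and only the truncated signature in the `@@` line is visible.
```go
// listDerivedAccounts returns the derived credentials (service or STS accounts,
// selected by keep) whose parent is accessKey, with secret key and session
// token blanked. It returns errNoSuchUser when accessKey is neither a stored
// user nor the parent of any derived credential.
func listDerivedAccounts(users map[string]auth.Credentials, accessKey string, keep func(auth.Credentials) bool) ([]auth.Credentials, error) {
	userExists := false
	var out []auth.Credentials
	for _, v := range users {
		isDerived := v.IsServiceAccount() || v.IsTemp()
		switch {
		case !isDerived && v.AccessKey == accessKey:
			userExists = true
		case isDerived && v.ParentUser == accessKey:
			userExists = true
			if keep(v) {
				// Hide secret key & session key here
				v.SecretKey = ""
				v.SessionToken = ""
				out = append(out, v)
			}
		}
	}
	if !userExists {
		return nil, errNoSuchUser
	}
	return out, nil
}

// … unchanged: ListTempAccounts signature, rlock/runlock …
	return listDerivedAccounts(cache.iamUsersMap, accessKey, func(c auth.Credentials) bool { return c.IsTemp() })
```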
@@ -1813,14 +1828,29 @@ func (store *IAMStoreSys) ListServiceAccounts(ctx context.Context, accessKey str
 cache := store.rlock()
 defer store.runlock()
 
+ userExists := false
 var serviceAccounts []auth.Credentials
 for _, v := range cache.iamUsersMap {
- if v.IsServiceAccount() && v.ParentUser == accessKey {
- // Hide secret key & session key here
- v.SecretKey = ""
- v.SessionToken = ""
- serviceAccounts = append(serviceAccounts, v)
+ isDerived := false
+ if v.IsServiceAccount() || v.IsTemp() {
+ isDerived = true
 }
+
+ if !isDerived && v.AccessKey == accessKey {
+ userExists = true
+ } else if isDerived && v.ParentUser == accessKey {
+ userExists = true
+ if v.IsServiceAccount() {
+ // Hide secret key & session key here
+ v.SecretKey = ""
+ v.SessionToken = ""
+ serviceAccounts = append(serviceAccounts, v)
+ }
+ }
+ }
+
+ if !userExists {
+ return nil, errNoSuchUser
 }
 
 return serviceAccounts, nil
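Review bot: The doc comments of ListServiceAccounts and ListTempAccounts (both outside their hunks) are not updated for the new contract, under which a caller now gets `errNoSuchUser` instead of an empty list when accessKey is neither a stored user nor the parent of any service or STS credential; this applies to the ListTempAccounts hunk above as well. Callers that treated an empty result as "no accounts" will now see an error for unknown users, which is the intended change but should be stated where it is read. A suggested line for this function is `// ListServiceAccounts returns the service accounts whose parent is accessKey; it returns errNoSuchUser when accessKey is neither a known user nor the parent of any derived credential.` with matching wording for ListTempAccounts. If these listings are ever reachable by non-admin callers, the comment is also the place to record that the error distinguishes unknown users from users with no accounts, since that distinction is a user-existence signal the handler layer may want to collapse.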