From 91f91d8f47f382f83b009614b9198cb4b5b97915 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Fri, 5 Apr 2024 14:26:41 -0700 Subject: [PATCH] fix: a regression in IAM policy reload routine() (#19421) all policy reloading is broken since last release since 48deccdc404a5cc147aa722dcc7fc0d6ae64292d fixes #19417 --- cmd/iam-object-store.go | 13 ++++++++++--- cmd/iam.go | 2 +- cmd/signature-v4-utils_test.go | 25 ++++++++++++++++++++++++- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/cmd/iam-object-store.go b/cmd/iam-object-store.go index 26b41ec71..53cf2cdee 100644 --- a/cmd/iam-object-store.go +++ b/cmd/iam-object-store.go @@ -399,6 +399,7 @@ var ( groupsListKey = "groups/" policiesListKey = "policies/" stsListKey = "sts/" + policyDBPrefix = "policydb/" policyDBUsersListKey = "policydb/users/" policyDBSTSUsersListKey = "policydb/sts-users/" policyDBGroupsListKey = "policydb/groups/" @@ -406,8 +407,13 @@ var ( // splitPath splits a path into a top-level directory and a child item. The // parent directory retains the trailing slash. -func splitPath(s string) (string, string) { - i := strings.Index(s, "/") +func splitPath(s string, lastIndex bool) (string, string) { + var i int + if lastIndex { + i = strings.LastIndex(s, "/") + } else { + i = strings.Index(s, "/") + } if i == -1 { return s, "" } @@ -424,7 +430,8 @@ func (iamOS *IAMObjectStore) listAllIAMConfigItems(ctx context.Context) (map[str return nil, item.Err } - listKey, trimmedItem := splitPath(item.Item) + lastIndex := strings.HasPrefix(item.Item, policyDBPrefix) + listKey, trimmedItem := splitPath(item.Item, lastIndex) if listKey == iamFormatFile { continue } diff --git a/cmd/iam.go b/cmd/iam.go index 34f3fd83e..ddd9050d9 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -1918,7 +1918,7 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool { default: // Otherwise, inherit parent user's policy var err error - policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...) + policies, err = sys.PolicyDBGet(parentUser, args.Groups...) if err != nil { iamLogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err)) return false diff --git a/cmd/signature-v4-utils_test.go b/cmd/signature-v4-utils_test.go index be724ec35..5ccf74072 100644 --- a/cmd/signature-v4-utils_test.go +++ b/cmd/signature-v4-utils_test.go @@ -75,10 +75,13 @@ func TestCheckValid(t *testing.T) { t.Fatalf("unable create credential, %s", err) } - globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{ + _, err = globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{ SecretKey: ucreds.SecretKey, Status: madmin.AccountEnabled, }) + if err != nil { + t.Fatalf("unable create credential, %s", err) + } _, owner, s3Err = checkKeyValid(req, ucreds.AccessKey) if s3Err != ErrNone { @@ -88,6 +91,26 @@ func TestCheckValid(t *testing.T) { if owner { t.Fatalf("Expected owner to be 'false', found %t", owner) } + + _, err = globalIAMSys.PolicyDBSet(ctx, ucreds.AccessKey, "consoleAdmin", regUser, false) + if err != nil { + t.Fatalf("unable to attach policy to credential, %s", err) + } + + time.Sleep(4 * time.Second) + + policies, err := globalIAMSys.PolicyDBGet(ucreds.AccessKey) + if err != nil { + t.Fatalf("unable to get policy to credential, %s", err) + } + + if len(policies) == 0 { + t.Fatal("no policies found") + } + + if policies[0] != "consoleAdmin" { + t.Fatalf("expected 'consoleAdmin', %s", policies[0]) + } } // TestSkipContentSha256Cksum - Test validate the logic which decides whether