From ae8f7f11d584a9fd1ceeebcf8f65d02e911e7b69 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 26 Aug 2021 21:57:30 -0700
Subject: [PATCH] fix: svc accounts cannot have same name as parent/targetUser (#13082)

Currently in master this can cause existing parent users to stop working and lead to credentials getting overwritten.

```
~ mc admin user add alias/ minio123 minio123456
```

```
~ mc admin user svcacct add alias/ minio123 \
 --access-key minio123 --secret-key minio123456
```

This PR rejects all such scenarios.
---
 cmd/iam.go | 30 ++++++++++++++++++++++++++++++
 cmd/typed-errors.go | 2 +-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index f5e12a1d0..48da26c9b 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1177,6 +1177,10 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 return auth.Credentials{}, errServerNotInitialized
 }
+ if parentUser == "" {
+ return auth.Credentials{}, errInvalidArgument
+ }
+
 var policyBuf []byte
 if opts.sessionPolicy != nil {
 err := opts.sessionPolicy.Validate()
@@ -1192,9 +1196,35 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 }
 }
+ // found newly requested service account, to be same as
+ // parentUser, reject such operations.
+ if parentUser == opts.accessKey {
+ return auth.Credentials{}, errIAMActionNotAllowed
+ }
+
 sys.store.lock()
 defer sys.store.unlock()
+ // Handle validation of incoming service accounts.
+ {
+ cr, found := sys.iamUsersMap[opts.accessKey]
+ // found newly requested service account, to be an existing
+ // user, reject such operations.
+ if found && !cr.IsTemp() && !cr.IsServiceAccount() {
+ return auth.Credentials{}, errIAMActionNotAllowed
+ }
+ // found newly requested service account, to be an existing
+ // temporary user, reject such operations.
+ if found && cr.IsTemp() {
+ return auth.Credentials{}, errIAMActionNotAllowed
+ }
+ // found newly requested service account, to be an existing
+ // service account for another parentUser, reject such operations.
+ if found && cr.IsServiceAccount() && cr.ParentUser != parentUser {
+ return auth.Credentials{}, errIAMActionNotAllowed
+ }
+ }
+
 cr, found := sys.iamUsersMap[parentUser]
 // Disallow service accounts to further create more service accounts.
 if found && cr.IsServiceAccount() {
diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go
index 2331b015d..0aa6adba1 100644
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
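Review bot: In NewServiceAccount (cmd/iam.go), the new validation block still lets one `found` case through: an existing service account whose `ParentUser` equals `parentUser`, so a repeated request with the same `opts.accessKey` reaches the creation code below, and whether that replaces the stored secret and session policy is decided outside this hunk. If that re-creation is intended, a comment such as `// an existing service account of the same parentUser may be re-created` should say so; if it is not, reject it as well. The three `if found && …` checks are equivalent to one condition, `if found && (cr.IsTemp() || !cr.IsServiceAccount() || cr.ParentUser != parentUser) {`, which makes the single permitted case visible. The lookup covers only `sys.iamUsersMap`, so any credential kept outside that map (none is visible here) would need its own comparison with `opts.accessKey`. The function starts and ends outside the hunk.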
@@ -82,7 +82,7 @@ var errGroupNotEmpty = errors.New("Specified group is not empty - cannot remove
 var errNoSuchPolicy = errors.New("Specified canned policy does not exist")
 // error returned in IAM subsystem when an external users systems is configured.
-var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed with LDAP configuration")
+var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed")
 // error returned in IAM subsystem when IAM sub-system is still being initialized.
 var errIAMNotInitialized = errors.New("IAM sub-system is being initialized, please try again")
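Review bot: The comment on the context line above `errIAMActionNotAllowed` still says the error is returned when an external users system is configured, but with the LDAP wording removed and the new uses in NewServiceAccount (cmd/iam.go, same patch) that is no longer the only case. It should be updated, for example `// error returned in IAM subsystem when the requested action is not allowed.` Existing LDAP call sites, which are not visible here, now report the generic message too; a separate error value for access-key collisions would keep both messages specific.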