Add New Accesskey Info and OpenID Accesskey List API endpoints (#21097)

2025-11-07 12:52:58 -05:00 · 2025-04-15 18:06:31 -04:00
parent 3310f740f0
commit eb33bc6bf5
13 changed files with 787 additions and 208 deletions
--- a/cmd/user-provider-utils.go
+++ b/cmd/user-provider-utils.go
@@ -19,8 +19,10 @@ package cmd

 import (
 	"context"
+	"strings"

 	"github.com/minio/madmin-go/v3"
+	"github.com/minio/minio/internal/auth"
 )

 // getUserWithProvider - returns the appropriate internal username based on the user provider.
@@ -55,3 +57,85 @@ func getUserWithProvider(ctx context.Context, userProvider, user string, validat
 		return "", errIAMActionNotAllowed
 	}
 }
+
+// guessUserProvider - guesses the user provider based on the access key and claims.
+func guessUserProvider(credentials auth.Credentials) string {
+	if !credentials.IsServiceAccount() && !credentials.IsTemp() {
+		return madmin.BuiltinProvider // regular users are always internal
+	}
+
+	claims := credentials.Claims
+	if _, ok := claims[ldapUser]; ok {
+		return madmin.LDAPProvider // ldap users
+	}
+
+	if _, ok := claims[subClaim]; ok {
+		providerPrefix, _, found := strings.Cut(credentials.ParentUser, getKeySeparator())
+		if found {
+			return providerPrefix // this is true for certificate and custom providers
+		}
+		return madmin.OpenIDProvider // openid users are already hashed, so no separator
+	}
+
+	return madmin.BuiltinProvider // default to internal
+}
+
+// getProviderInfoFromClaims - returns the provider info from the claims.
+func populateProviderInfoFromClaims(claims map[string]interface{}, provider string, resp *madmin.InfoAccessKeyResp) {
+	resp.UserProvider = provider
+	switch provider {
+	case madmin.LDAPProvider:
+		resp.LDAPSpecificInfo = getLDAPInfoFromClaims(claims)
+	case madmin.OpenIDProvider:
+		resp.OpenIDSpecificInfo = getOpenIDInfoFromClaims(claims)
+	}
+}
+
+func getOpenIDCfgNameFromClaims(claims map[string]interface{}) (string, bool) {
+	roleArn := claims[roleArnClaim]
+
+	s := globalServerConfig.Clone()
+	configs, err := globalIAMSys.OpenIDConfig.GetConfigList(s)
+	if err != nil {
+		return "", false
+	}
+	for _, cfg := range configs {
+		if cfg.RoleARN == roleArn {
+			return cfg.Name, true
+		}
+	}
+	return "", false
+}
+
+func getOpenIDInfoFromClaims(claims map[string]interface{}) madmin.OpenIDSpecificAccessKeyInfo {
+	info := madmin.OpenIDSpecificAccessKeyInfo{}
+
+	cfgName, ok := getOpenIDCfgNameFromClaims(claims)
+	if !ok {
+		return info
+	}
+
+	info.ConfigName = cfgName
+	if displayNameClaim := globalIAMSys.OpenIDConfig.GetUserReadableClaim(cfgName); displayNameClaim != "" {
+		name, _ := claims[displayNameClaim].(string)
+		info.DisplayName = name
+		info.DisplayNameClaim = displayNameClaim
+	}
+	if idClaim := globalIAMSys.OpenIDConfig.GetUserIDClaim(cfgName); idClaim != "" {
+		id, _ := claims[idClaim].(string)
+		info.UserID = id
+		info.UserIDClaim = idClaim
+	}
+
+	return info
+}
+
+func getLDAPInfoFromClaims(claims map[string]interface{}) madmin.LDAPSpecificAccessKeyInfo {
+	info := madmin.LDAPSpecificAccessKeyInfo{}
+
+	if name, ok := claims[ldapUser].(string); ok {
+		info.Username = name
+	}
+
+	return info
+}