From f2bd026d0e531b35b553b3f2f1045b85189eb8f1 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Fri, 10 Dec 2021 15:03:39 -0800
Subject: [PATCH] Allow OIDC user to query user info if policies permit (#13882)

---
 cmd/admin-handlers-users.go | 39 +++++++++++++-------------------
 cmd/admin-handlers-users_test.go | 8 +++++++
 cmd/sts-handlers_test.go | 5 +++-
 3 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 7a48ec505..8fa0f77d3 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -164,31 +164,24 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	accessKey := cred.ParentUser
-	if accessKey == "" {
-		accessKey = cred.AccessKey
+	checkDenyOnly := false
+	if name == cred.AccessKey {
+		// Check that there is no explicit deny - otherwise it's allowed
+		// to view one's own info.
+		checkDenyOnly = true
 	}
 
-	// For temporary credentials always
-	// the temporary credentials to check
-	// policy without implicit permissions.
-	if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
-		accessKey = cred.AccessKey
-	}
-
-	implicitPerm := name == accessKey
-	if !implicitPerm {
-		if !globalIAMSys.IsAllowed(iampolicy.Args{
-			AccountName:     accessKey,
-			Groups:          cred.Groups,
-			Action:          iampolicy.GetUserAdminAction,
-			ConditionValues: getConditionValues(r, "", accessKey, claims),
-			IsOwner:         owner,
-			Claims:          claims,
-		}) {
-			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
-			return
-		}
+	if !globalIAMSys.IsAllowed(iampolicy.Args{
+		AccountName:     cred.AccessKey,
+		Groups:          cred.Groups,
+		Action:          iampolicy.GetUserAdminAction,
+		ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
+		IsOwner:         owner,
+		Claims:          claims,
+		DenyOnly:        checkDenyOnly,
+	}) {
+		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
+		return
 	}
 
 	userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
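Review bot: The self-lookup shortcut keys only on `name == cred.AccessKey`, so a temporary (STS) credential asking about its parent identity no longer gets the implicit permission the removed `cred.ParentUser` mapping granted and now depends entirely on `IsAllowed` resolving that temp key's inherited policies under `AccountName: cred.AccessKey` — presumably intended given the commit title, but it is a behavior change the code does not state. The `DenyOnly` branch itself is covered by no test: the assertion added in cmd/sts-handlers_test.go looks up a different user (`cr.AccessKey`), never the caller's own key. The three-line flag setup reads more directly as `checkDenyOnly := name == cred.AccessKey` with the existing comment moved above it and extended to `// Self-lookup only has to be free of an explicit Deny; any other target needs an explicit Allow.` GetUserInfo begins and ends outside this hunk.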
diff --git a/cmd/admin-handlers-users_test.go b/cmd/admin-handlers-users_test.go
index 1b216ca18..6ec2fd78c 100644
--- a/cmd/admin-handlers-users_test.go
+++ b/cmd/admin-handlers-users_test.go
@@ -844,6 +844,14 @@ func (c *check) mustCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClie
 	}
 }
 
+func (c *check) mustGetIAMUserInfo(ctx context.Context, admClnt *madmin.AdminClient, accessKey string) madmin.UserInfo {
+	ui, err := admClnt.GetUserInfo(ctx, accessKey)
+	if err != nil {
+		c.Fatalf("should be able to get user info: %v", err)
+	}
+	return ui
+}
+
 func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
 	randUser := mustGetUUID()
 	randPass := mustGetUUID()
diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
index 5cc0595a2..9790623e5 100644
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -712,7 +712,10 @@ func (s *TestSuiteIAM) TestOpenIDSTSAddUser(c *check) {
 		c.Fatalf("policy add error: %v", err)
 	}
 
-	c.mustCreateIAMUser(ctx, userAdmClient)
+	cr := c.mustCreateIAMUser(ctx, userAdmClient)
+
+	userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)
+	c.Assert(userInfo.Status, madmin.AccountEnabled)
 }
 
 func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
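Review bot: mustGetIAMUserInfo aborts through `c.Fatalf` from inside the helper, so if `check` wraps a `*testing.T` (not visible in this hunk) a failure is attributed to this line rather than to the test that called it; a leading `c.Helper()` would fix the attribution, provided `check` exposes that method. The helper also carries no doc comment — consistent with the neighbouring helpers, but `// mustGetIAMUserInfo fetches accessKey's user info through admClnt and fails the test on any error.` costs one line and documents the fatal-on-error contract callers rely on.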