Allow OIDC user to query user info if policies permit (#13882)

This commit is contained in:
Aditya Manthramurthy 2021-12-10 15:03:39 -08:00 committed by GitHub
parent 518612492c
commit f2bd026d0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 24 deletions


@ -164,32 +164,25 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
return return
} }
accessKey := cred.ParentUser checkDenyOnly := false
if accessKey == "" { if name == cred.AccessKey {
accessKey = cred.AccessKey // Check that there is no explicit deny - otherwise it's allowed
// to view one's own info.
checkDenyOnly = true
} }
// For temporary credentials always
// the temporary credentials to check
// policy without implicit permissions.
if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
accessKey = cred.AccessKey
}
implicitPerm := name == accessKey
if !implicitPerm {
if !globalIAMSys.IsAllowed(iampolicy.Args{ if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: accessKey, AccountName: cred.AccessKey,
Groups: cred.Groups, Groups: cred.Groups,
Action: iampolicy.GetUserAdminAction, Action: iampolicy.GetUserAdminAction,
ConditionValues: getConditionValues(r, "", accessKey, claims), ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner, IsOwner: owner,
Claims: claims, Claims: claims,
DenyOnly: checkDenyOnly,
}) { }) {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
return return
} }
}
userInfo, err := globalIAMSys.GetUserInfo(ctx, name) userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
if err != nil { if err != nil {
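Review bot: The self-lookup now depends entirely on `DenyOnly: checkDenyOnly` meaning "allow unless a policy has an explicit Deny for admin:GetUser", and the principal passed to IsAllowed changed from the parent user to `cred.AccessKey` in both `AccountName` and `getConditionValues`; neither expectation is stated in the hunk, and the old branch that mapped STS/service-account keys to `cred.ParentUser` is gone, so resolving such a key to its parent's policies is now implicitly IsAllowed's job. I would make that explicit above the `if name == cred.AccessKey` line: `// Self-lookup is allowed unless a policy explicitly denies admin:GetUser (DenyOnly); IsAllowed is expected to resolve cred.AccessKey, including STS and service-account keys, to the right policy set.` It is also worth confirming that `owner` (computed outside the hunk) is not true for temporary credentials derived from the root account, since the removed special case existed to strip implicit permissions from exactly those. GetUserInfo begins before and continues after this hunk.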


@ -844,6 +844,14 @@ func (c *check) mustCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClie
} }
} }
func (c *check) mustGetIAMUserInfo(ctx context.Context, admClnt *madmin.AdminClient, accessKey string) madmin.UserInfo {
ui, err := admClnt.GetUserInfo(ctx, accessKey)
if err != nil {
c.Fatalf("should be able to get user info: %v", err)
}
return ui
}
func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) { func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
randUser := mustGetUUID() randUser := mustGetUUID()
randPass := mustGetUUID() randPass := mustGetUUID()


@ -712,7 +712,10 @@ func (s *TestSuiteIAM) TestOpenIDSTSAddUser(c *check) {
c.Fatalf("policy add error: %v", err) c.Fatalf("policy add error: %v", err)
} }
c.mustCreateIAMUser(ctx, userAdmClient) cr := c.mustCreateIAMUser(ctx, userAdmClient)
userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)
c.Assert(userInfo.Status, madmin.AccountEnabled)
} }
func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) { func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
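Review bot: The new assertions only cover the positive path: `userAdmClient` (the OIDC user's client, which has a policy granting the action) reads the info of a user it just created, so `name != cred.AccessKey` and the new `DenyOnly` self-lookup branch in GetUserInfo is never exercised, nor is the denial of a credential that lacks admin:GetUser. I would add a negative case alongside, e.g. `if _, err := unprivClient.GetUserInfo(ctx, cr.AccessKey); err == nil { c.Fatalf("expected access denied") }` using a client whose policy does not grant admin:GetUser, and a self-lookup case for a credential with no policy (expect success) and one with an explicit Deny (expect failure), so a regression in either direction of the DenyOnly logic is caught. Which test clients the suite already has is not visible here, so reuse whatever helper creates an unprivileged user.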