Allow OIDC user to query user info if policies permit (#13882)
This commit is contained in:
parent
518612492c
commit
f2bd026d0e
@ -164,32 +164,25 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
accessKey := cred.ParentUser
|
checkDenyOnly := false
|
||||||
if accessKey == "" {
|
if name == cred.AccessKey {
|
||||||
accessKey = cred.AccessKey
|
// Check that there is no explicit deny - otherwise it's allowed
|
||||||
|
// to view one's own info.
|
||||||
|
checkDenyOnly = true
|
||||||
}
|
}
|
||||||
|
|
||||||
// For temporary credentials always
|
|
||||||
// the temporary credentials to check
|
|
||||||
// policy without implicit permissions.
|
|
||||||
if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
|
|
||||||
accessKey = cred.AccessKey
|
|
||||||
}
|
|
||||||
|
|
||||||
implicitPerm := name == accessKey
|
|
||||||
if !implicitPerm {
|
|
||||||
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
||||||
AccountName: accessKey,
|
AccountName: cred.AccessKey,
|
||||||
Groups: cred.Groups,
|
Groups: cred.Groups,
|
||||||
Action: iampolicy.GetUserAdminAction,
|
Action: iampolicy.GetUserAdminAction,
|
||||||
ConditionValues: getConditionValues(r, "", accessKey, claims),
|
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
|
||||||
IsOwner: owner,
|
IsOwner: owner,
|
||||||
Claims: claims,
|
Claims: claims,
|
||||||
|
DenyOnly: checkDenyOnly,
|
||||||
}) {
|
}) {
|
||||||
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
|
userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
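Review bot: The new access rule in GetUserInfo is not documented where it is decided, at `checkDenyOnly := false` / `if name == cred.AccessKey {`, and it differs from the rule the removed lines implemented: the old code resolved `cred.ParentUser` first, so a credential whose access key differs from its parent (as I read the removed lines, service-account and STS credentials) got implicit access to its parent's info, whereas the new code grants the deny-only path solely for `name == cred.AccessKey` and sends every other lookup, parent included, through a full `IsAllowed` check. A comment stating this explicitly would keep the next change from reintroducing the implicit-parent path, for example `// A credential may always read its own access key's info unless a policy explicitly denies GetUserAdminAction; any other user, including the parent of a service account or STS credential, requires an explicit allow.` The meaning of `DenyOnly` is defined outside this hunk, so the comment is worth cross-checking against that definition, and the GetUserInfo body begins before the hunk.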
@ -844,6 +844,14 @@ func (c *check) mustCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClie
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *check) mustGetIAMUserInfo(ctx context.Context, admClnt *madmin.AdminClient, accessKey string) madmin.UserInfo {
|
||||||
|
ui, err := admClnt.GetUserInfo(ctx, accessKey)
|
||||||
|
if err != nil {
|
||||||
|
c.Fatalf("should be able to get user info: %v", err)
|
||||||
|
}
|
||||||
|
return ui
|
||||||
|
}
|
||||||
|
|
||||||
func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
|
func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
|
||||||
randUser := mustGetUUID()
|
randUser := mustGetUUID()
|
||||||
randPass := mustGetUUID()
|
randPass := mustGetUUID()
|
||||||
|
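Review bot: The added helper `mustGetIAMUserInfo` has no doc comment, unlike a reader would expect next to `mustCreateIAMUser` and `mustNotCreateIAMUser` in this file; a one-liner such as `// mustGetIAMUserInfo returns accessKey's user info fetched through admClnt, failing the test if the lookup errors.` would do. The helper only reports the error from `admClnt.GetUserInfo`, so callers must assert on the returned `madmin.UserInfo` themselves; that is fine as long as the doc comment says so.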
@ -712,7 +712,10 @@ func (s *TestSuiteIAM) TestOpenIDSTSAddUser(c *check) {
|
|||||||
c.Fatalf("policy add error: %v", err)
|
c.Fatalf("policy add error: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
c.mustCreateIAMUser(ctx, userAdmClient)
|
cr := c.mustCreateIAMUser(ctx, userAdmClient)
|
||||||
|
|
||||||
|
userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)
|
||||||
|
c.Assert(userInfo.Status, madmin.AccountEnabled)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
|
func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
|
||||||
|
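Review bot: The added lines in TestOpenIDSTSAddUser only exercise the permitted path: `userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)` followed by the `AccountEnabled` assertion. Since the handler change is about allowing the lookup only when policies permit, the denied path is the one that guards against a regression, and nothing in this hunk checks that `userAdmClient` is still refused when it queries a user it has no `GetUserAdminAction` allow for; I cannot tell from the hunk whether another test covers it. If none does, a negative case in the shape `if _, err := userAdmClient.GetUserInfo(ctx, <other-user-placeholder>); err == nil { c.Fatalf("user info lookup should have been denied") }` would pin the rule. The enclosing test function starts before the hunk.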