Allow OIDC user to query user info if policies permit (#13882)

2021-12-10 15:03:39 -08:00 · 2021-12-10 15:03:39 -08:00 · f2bd026d0e
parent 518612492c
commit f2bd026d0e
3 changed files with 28 additions and 24 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -164,32 +164,25 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	accessKey := cred.ParentUser
-	if accessKey == "" {
-		accessKey = cred.AccessKey
+	checkDenyOnly := false
+	if name == cred.AccessKey {
+		// Check that there is no explicit deny - otherwise it's allowed
+		// to view one's own info.
+		checkDenyOnly = true
 	}

-	// For temporary credentials always
-	// the temporary credentials to check
-	// policy without implicit permissions.
-	if cred.IsTemp() && cred.ParentUser == globalActiveCred.AccessKey {
-		accessKey = cred.AccessKey
-	}
-
-	implicitPerm := name == accessKey
-	if !implicitPerm {
 	if !globalIAMSys.IsAllowed(iampolicy.Args{
-			AccountName:     accessKey,
+		AccountName:     cred.AccessKey,
 		Groups:          cred.Groups,
 		Action:          iampolicy.GetUserAdminAction,
-			ConditionValues: getConditionValues(r, "", accessKey, claims),
+		ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
 		IsOwner:         owner,
 		Claims:          claims,
+		DenyOnly:        checkDenyOnly,
 	}) {
 		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
 		return
 	}
-	}

 	userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
 	if err != nil {
--- a/cmd/admin-handlers-users_test.go
+++ b/cmd/admin-handlers-users_test.go
@ -844,6 +844,14 @@ func (c *check) mustCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClie
 	}
 }

+func (c *check) mustGetIAMUserInfo(ctx context.Context, admClnt *madmin.AdminClient, accessKey string) madmin.UserInfo {
+	ui, err := admClnt.GetUserInfo(ctx, accessKey)
+	if err != nil {
+		c.Fatalf("should be able to get user info: %v", err)
+	}
+	return ui
+}
+
 func (c *check) mustNotCreateIAMUser(ctx context.Context, admClnt *madmin.AdminClient) {
 	randUser := mustGetUUID()
 	randPass := mustGetUUID()
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@ -712,7 +712,10 @@ func (s *TestSuiteIAM) TestOpenIDSTSAddUser(c *check) {
 		c.Fatalf("policy add error: %v", err)
 	}

-	c.mustCreateIAMUser(ctx, userAdmClient)
+	cr := c.mustCreateIAMUser(ctx, userAdmClient)
+
+	userInfo := c.mustGetIAMUserInfo(ctx, userAdmClient, cr.AccessKey)
+	c.Assert(userInfo.Status, madmin.AccountEnabled)
 }

 func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {