From a5b3548edee9ee183ba4a1e2ebba6baca859af74 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Sat, 16 Apr 2022 05:26:02 +0100
Subject: [PATCH] Bring back listing LDAP users temporarly (#14760)

In previous releases, mc admin user list would return the list of users that have policies mapped in IAM database. However, this was removed but this commit will bring it back until we revamp this.
---
 cmd/admin-handlers-users.go | 12 ++++++++++++
 cmd/iam-store.go | 12 ++++++++++++
 cmd/iam.go | 22 ++++++++++++++++++++++
 cmd/sts-handlers_test.go | 8 ++++++--
 4 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 97dec6482..9e2970125 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -130,6 +130,18 @@ func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ // Add ldap users which have mapped policies if in LDAP mode
+ // FIXME(vadmeste): move this to policy info in the future
+ ldapUsers, err := globalIAMSys.ListLDAPUsers()
+ if err != nil && err != errIAMActionNotAllowed {
+ writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+ return
+ }
+ for k, v := range ldapUsers {
+ allCredentials[k] = v
+ }
+
+ // Marshal the response
 data, err := json.Marshal(allCredentials)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 2bf0c6fc6..233e7ee6e 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
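Review bot: The merge loop `for k, v := range ldapUsers { allCredentials[k] = v }` drops entries that are synthesized from policy mappings into the same map as real credential records with nothing to distinguish them, and it silently replaces any existing entry under the same key, so a consumer of the admin user list cannot tell a verified account from a bare mapping. The entries come from `ListLDAPUsers` in this same patch, which sets a fixed enabled status and no access key, and the comment above the call only says they are "added". I would extend it to `// LDAP entries are derived from policy mappings only: no access key, status is not checked against the directory, and a same-key entry already in allCredentials is overwritten`. The `err != errIAMActionNotAllowed` comparison is a plain sentinel check; it will stop matching if that error is ever returned wrapped, so `errors.Is` would be the safer form. ListUsers begins and ends outside this hunk.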
@@ -1184,6 +1184,18 @@ func (store *IAMStoreSys) GetUsers() map[string]madmin.UserInfo {
 return result
 }
 
+// GetUsersWithMappedPolicies - safely returns the name of access keys with associated policies
+func (store *IAMStoreSys) GetUsersWithMappedPolicies() map[string]string {
+ cache := store.rlock()
+ defer store.runlock()
+
+ result := make(map[string]string)
+ for k, v := range cache.iamUserPolicyMap {
+ result[k] = v.Policies
+ }
+ return result
+}
+
 // GetUserInfo - get info on a user.
 func (store *IAMStoreSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
 if name == "" {
diff --git a/cmd/iam.go b/cmd/iam.go
index 07f6fb607..845f214fc 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -694,6 +694,28 @@ func (sys *IAMSys) ListUsers() (map[string]madmin.UserInfo, error) {
 return sys.store.GetUsers(), nil
 }
 
+// ListLDAPUsers - list LDAP users which has
+func (sys *IAMSys) ListLDAPUsers() (map[string]madmin.UserInfo, error) {
+ if !sys.Initialized() {
+ return nil, errServerNotInitialized
+ }
+
+ if sys.usersSysType != LDAPUsersSysType {
+ return nil, errIAMActionNotAllowed
+ }
+
+ <-sys.configLoaded
+
+ ldapUsers := make(map[string]madmin.UserInfo)
+ for user, policy := range sys.store.GetUsersWithMappedPolicies() {
+ ldapUsers[user] = madmin.UserInfo{
+ PolicyName: policy,
+ Status: madmin.AccountEnabled,
+ }
+ }
+ return ldapUsers, nil
+}
+
 // IsTempUser - returns if given key is a temporary user.
 func (sys *IAMSys) IsTempUser(name string) (bool, string, error) {
 if !sys.Initialized() {
diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go
index 7ea02b581..7454ddbec 100644
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
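Review bot: The doc comment on `GetUsersWithMappedPolicies` promises "the name of access keys", but the body copies every key of `cache.iamUserPolicyMap` with no filter, and the only caller this patch adds (`ListLDAPUsers`) runs in LDAP mode where those keys are DNs, not access keys. If that map also carries mappings for other principal kinds (temporary or service-account credentials), they would be reported as LDAP users too; I cannot tell the map's contents from this hunk, so that should be confirmed at the caller. I would reword the comment to `// GetUsersWithMappedPolicies - returns every key of the user policy map (access key or LDAP DN) with its policy string, under the store read lock; no filtering by user type is done.` That also makes the "safely" wording concrete, since the read lock is the only thing the body does beyond the copy.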
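Review bot: `ListLDAPUsers` stamps `Status: madmin.AccountEnabled` on every entry of the policy map without consulting the directory, so a DN that is disabled in LDAP, or that no longer exists there but still has a mapping, is presented to the admin API as an enabled user; for an endpoint operators use to audit accounts that needs to be stated, not implied. The doc comment is also cut off mid-sentence (`// ListLDAPUsers - list LDAP users which has`). I would replace it with `// ListLDAPUsers - returns the LDAP DNs that currently have a policy mapping. Status is always AccountEnabled: it reflects the presence of a mapping, not the account state in the directory, so any mapping that outlives its DN is still listed.` and note that outside LDAP mode the function returns errIAMActionNotAllowed, which the admin handler in this patch treats as "nothing to add". The `<-sys.configLoaded` wait has no timeout, matching the sibling `ListUsers` as far as this hunk shows.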
@@ -476,8 +476,12 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
 if err != nil {
 c.Fatalf("list users should not fail: %v", err)
 }
- if len(usersList) > 0 {
- c.Fatalf("expected listing to be empty: %v", usersList)
+ if len(usersList) != 1 {
+ c.Fatalf("expected user listing output: %v", usersList)
+ }
+ uinfo := usersList[userDN]
+ if uinfo.PolicyName != policy || uinfo.Status != madmin.AccountEnabled {
+ c.Fatalf("expected user listing content: %v", uinfo)
 }
 
 // Validate that the client from sts creds can access the bucket.