fix: change password is implicit (#861)

Also only match actions do not need to match dynamic values in resources. fixes https://github.com/minio/console/issues/857 fixes https://github.com/minio/console/issues/858
2021-07-10 12:11:11 -07:00
parent 373d576e54
commit 445c0be5b1
4 changed files with 14 additions and 16 deletions
--- a/pkg/acl/endpoints.go
+++ b/pkg/acl/endpoints.go
@@ -178,12 +178,8 @@ var serviceAccountsActionSet = ConfigurationActionSet{

 // changePasswordActionSet requires admin:CreateUser policy permission
 var changePasswordActionSet = ConfigurationActionSet{
-	actionTypes: iampolicy.NewActionSet(
-		iampolicy.AllAdminActions,
-	),
-	actions: iampolicy.NewActionSet(
-		iampolicy.CreateUserAdminAction,
-	),
+	actionTypes: iampolicy.NewActionSet(),
+	actions:     iampolicy.NewActionSet(),
 }

 // tenantsActionSet temporally no actions needed for tenants sections to work
--- a/pkg/acl/endpoints_test.go
+++ b/pkg/acl/endpoints_test.go
@@ -1,4 +1,4 @@
-// This file is part of MinIO Orchestrator
+// This file is part of MinIO Console Server
 // Copyright (c) 2021 MinIO, Inc.
 //
 // This program is free software: you can redistribute it and/or modify
@@ -50,7 +50,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			args: args{
 				[]string{"admin:ServerInfo"},
 			},
-			want: 6,
+			want: 7,
 		},
 		{
 			name: "policies endpoint",
@@ -63,7 +63,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:ListUserPolicies",
 				},
 			},
-			want: 7,
+			want: 8,
 		},
 		{
 			name: "all admin endpoints",
@@ -81,7 +81,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 14,
+			want: 15,
 		},
 		{
 			name: "all admin and s3 endpoints",
@@ -98,7 +98,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			args: args{
 				[]string{},
 			},
-			want: 5,
+			want: 6,
 		},
 	}

--- a/restapi/user_account.go
+++ b/restapi/user_account.go
@@ -123,8 +123,7 @@ func getUserHasPermissionsResponse(session *models.Principal, params user_api.Ha

 	for _, p := range params.Body.Actions {
 		canPerform := userCanDo(iampolicy.Args{
-			Action:     iampolicy.Action(p.Action),
-			BucketName: p.BucketName,
+			Action: iampolicy.Action(p.Action),
 		}, userPolicy)
 		perms = append(perms, &models.PermissionAction{
 			Can: canPerform,
@@ -140,7 +139,10 @@ func getUserHasPermissionsResponse(session *models.Principal, params user_api.Ha
 func userCanDo(arg iampolicy.Args, userPolicy *iampolicy.Policy) bool {
 	// check in all the statements if any allows the passed action
 	for _, stmt := range userPolicy.Statements {
-		if stmt.IsAllowed(arg) {
+		// We only care about actions to match -
+		// if resources match or not we do not
+		// care since those are dynamic entities.
+		if stmt.Actions.Match(arg.Action) {
 			return true
 		}
 	}
--- a/restapi/user_account_test.go
+++ b/restapi/user_account_test.go
@@ -193,7 +193,7 @@ func Test_useCanDo(t *testing.T) {
 							 ]
 							}`,
 			},
-			want: false,
+			want: true,
 		},
 		{
 			name: "Create Bucket, With Bucket Name",
@@ -217,7 +217,7 @@ func Test_useCanDo(t *testing.T) {
 							 ]
 							}`,
 			},
-			want: false,
+			want: true,
 		},
 		{
 			name: "Can't Create Bucket",