Validate requests to logSearchApi endpoint (#1375)
- Previously any user with a valid session in console could query the `/api/v1/logs/search` endpoint, which was not ideal; now we are limiting that to users with the `admin:OBDInfo` IAM action - Removing deprecated `has-permission` endpoint and backend code Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
@@ -18,12 +18,9 @@ package restapi
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
iampolicy "github.com/minio/pkg/iam/policy"
|
||||
|
||||
"github.com/minio/console/models"
|
||||
)
|
||||
|
||||
@@ -109,152 +106,3 @@ func Test_changePassword(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func Test_useCanDo(t *testing.T) {
|
||||
type args struct {
|
||||
arg iampolicy.Args
|
||||
userPolicy string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want bool
|
||||
}{
|
||||
{
|
||||
name: "Create Bucket",
|
||||
args: args{
|
||||
arg: iampolicy.Args{
|
||||
Action: "s3:CreateBucket",
|
||||
},
|
||||
userPolicy: `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"admin:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`,
|
||||
},
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "Create Bucket, No Admin",
|
||||
args: args{
|
||||
arg: iampolicy.Args{
|
||||
Action: "s3:CreateBucket",
|
||||
},
|
||||
userPolicy: `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`,
|
||||
},
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "Create Bucket, By Prefix",
|
||||
args: args{
|
||||
arg: iampolicy.Args{
|
||||
Action: "s3:CreateBucket",
|
||||
},
|
||||
userPolicy: `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::bucket1"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`,
|
||||
},
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "Create Bucket, With Bucket Name",
|
||||
args: args{
|
||||
arg: iampolicy.Args{
|
||||
Action: "s3:CreateBucket",
|
||||
BucketName: "bucket2",
|
||||
},
|
||||
userPolicy: `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:*"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::bucket1"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`,
|
||||
},
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "Can't Create Bucket",
|
||||
args: args{
|
||||
arg: iampolicy.Args{
|
||||
Action: "s3:CreateBucket",
|
||||
BucketName: "bucket2",
|
||||
},
|
||||
userPolicy: `{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "VisualEditor1",
|
||||
"Effect": "Allow",
|
||||
"Action": "s3:ListBucket",
|
||||
"Resource": [
|
||||
"arn:aws:s3:::bucket1",
|
||||
"arn:aws:s3:::bucket1/*",
|
||||
"arn:aws:s3:::lkasdkljasd090901",
|
||||
"arn:aws:s3:::lkasdkljasd090901/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}`,
|
||||
},
|
||||
want: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
var pol iampolicy.Policy
|
||||
if err := json.Unmarshal([]byte(tt.args.userPolicy), &pol); err != nil {
|
||||
t.Errorf("Policy can't be parsed: %s", err)
|
||||
}
|
||||
if got := userCanDo(tt.args.arg, &pol); got != tt.want {
|
||||
t.Errorf("userCanDo() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||