Replace aws:username, jwt: and ldap: policy variables in session policies (#1828)

* Replace username variable in session policies Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
2022-04-11 20:01:49 -07:00
parent dc5b1963ae
commit 6e6aab580c
8 changed files with 348 additions and 17 deletions
--- a/restapi/user_session.go
+++ b/restapi/user_session.go
@@ -17,6 +17,7 @@
 package restapi

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
@@ -24,6 +25,8 @@ import (
 	"strconv"
 	"time"

+	policies "github.com/minio/console/restapi/policy"
+
 	jwtgo "github.com/golang-jwt/jwt/v4"
 	"github.com/minio/pkg/bucket/policy/condition"

@@ -95,6 +98,7 @@ func getSessionResponse(session *models.Principal) (*models.SessionResponse, *mo
 	if session == nil {
 		return nil, prepareError(errorGenericInvalidSession)
 	}
+	tokenClaims, _ := getClaimsFromToken(session.STSSessionToken)

 	// initialize admin client
 	mAdminClient, err := NewMinioAdminClient(&models.Principal{
@@ -108,7 +112,13 @@ func getSessionResponse(session *models.Principal) (*models.SessionResponse, *mo
 	userAdminClient := AdminClient{Client: mAdminClient}
 	// Obtain the current policy assigned to this user
 	// necessary for generating the list of allowed endpoints
-	policy, err := getAccountPolicy(ctx, userAdminClient)
+	accountInfo, err := getAccountInfo(ctx, userAdminClient)
+	if err != nil {
+		return nil, prepareError(err, errorGenericInvalidSession)
+
+	}
+	rawPolicy := policies.ReplacePolicyVariables(tokenClaims, accountInfo)
+	policy, err := minioIAMPolicy.ParseConfig(bytes.NewReader(rawPolicy))
 	if err != nil {
 		return nil, prepareError(err, errorGenericInvalidSession)
 	}
@@ -210,12 +220,12 @@ func getSessionResponse(session *models.Principal) (*models.SessionResponse, *mo
 		resourcePermissions[key] = resourceActions

 	}
-	rawPolicy, err := json.Marshal(policy)
+	serializedPolicy, err := json.Marshal(policy)
 	if err != nil {
 		return nil, prepareError(err, errorGenericInvalidSession)
 	}
 	var sessionPolicy *models.IamPolicy
-	err = json.Unmarshal(rawPolicy, &sessionPolicy)
+	err = json.Unmarshal(serializedPolicy, &sessionPolicy)
 	if err != nil {
 		return nil, prepareError(err)
 	}