From d0f744ebef89dfe0dc7dd4fa01e6a86f8f7fdc07 Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Wed, 8 May 2024 17:47:57 +0100
Subject: [PATCH] svc: Assume access key creation permission to be available by default (#3306)

Allow SVC creation when CreateServiceAccount is denied with a condition Adding this policy will make the user not able to create a service account anymore: ``` { "Effect": "Deny", "Action": [ "admin:CreateServiceAccount" ], "Condition": { "NumericGreaterThanIfExists": {"svc:DurationSeconds": "1500"} } }, ``` The reason is that policy.IsAllowedActions() is called with conditions from the user login. Assume svc account creation to be possible for now until we come up with a better fix
Co-authored-by: Anis Eleuch
Co-authored-by: Prakash Senthil Vel <23444145+prakashsvmx@users.noreply.github.com>
---
 api/user_session.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/user_session.go b/api/user_session.go
index 99ed10181..ff9defc65 100644
--- a/api/user_session.go
+++ b/api/user_session.go
@@ -139,6 +139,14 @@ func getSessionResponse(ctx context.Context, session *models.Principal) (*models
 defaultActions := policy.IsAllowedActions("", "", conditionValues)
+ // Allow Create Access Key when admin:CreateServiceAccount is provided with a condition
+ for _, statement := range policy.Statements {
+ if statement.Effect == "Deny" && len(statement.Conditions) > 0 &&
+ statement.Actions.Contains(minioIAMPolicy.CreateServiceAccountAdminAction) {
+ defaultActions.Add(minioIAMPolicy.Action(minioIAMPolicy.CreateServiceAccountAdminAction))
+ }
+ }
+
 permissions := map[string]minioIAMPolicy.ActionSet{
 ConsoleResourceName: defaultActions,
 }
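Review bot: The new loop treats any conditional Deny on admin:CreateServiceAccount as grounds to advertise the action, regardless of which condition keys the statement uses and regardless of whether any Allow statement grants the action at all, so a Deny conditioned on something unrelated to the svc request (source address, transport) still makes the console list Create Access Key even though the server will reject the call. This is a deliberate over-approximation of the UI's capability set with the server remaining authoritative, and the added comment should say so, e.g. `// Conditional Deny statements cannot be evaluated here (conditionValues describe the login, not a concrete request), so optimistically advertise the action and let the server enforce it.`; if the statement type exposes its condition keys, narrowing the check to conditions keyed on `svc:` would confine the override to the case this commit fixes. It is also worth confirming that `policy.IsAllowedActions` never returns a nil ActionSet, since `defaultActions.Add` would panic on a nil map if ActionSet is map-backed. getSessionResponse begins and ends outside the hunk.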