Populate AddUserServiceAccount policy restrictor with user permissions (#1987)

Created api to generate single JSON including all user permissions to populate AddUserServiceAccount policy restrictor
2022-05-25 11:34:26 -07:00
parent 69e1d653ce
commit fce2a148b8
12 changed files with 787 additions and 2 deletions
--- a/restapi/admin_policies.go
+++ b/restapi/admin_policies.go
@@ -133,6 +133,14 @@ func registersPoliciesHandler(api *operations.ConsoleAPI) {
 		}
 		return policyApi.NewGetUserPolicyOK().WithPayload(userPolicyResponse)
 	})
+	// Gets policies for specified user
+	api.PolicyGetSAUserPolicyHandler = policyApi.GetSAUserPolicyHandlerFunc(func(params policyApi.GetSAUserPolicyParams, session *models.Principal) middleware.Responder {
+		userPolicyResponse, err := getSAUserPolicyResponse(session, params)
+		if err != nil {
+			return policyApi.NewGetSAUserPolicyDefault(int(err.Code)).WithPayload(err)
+		}
+		return policyApi.NewGetSAUserPolicyOK().WithPayload(userPolicyResponse)
+	})
 }

 func getListAccessRulesWithBucketResponse(session *models.Principal, params bucketApi.ListAccessRulesWithBucketParams) (*models.ListAccessRulesResponse, *models.Error) {
@@ -363,10 +371,88 @@ func getUserPolicyResponse(session *models.Principal) (string, *models.Error) {
 		return "nil", ErrorWithContext(ctx, err)
 	}
 	rawPolicy := policies.ReplacePolicyVariables(tokenClaims, accountInfo)
-
 	return string(rawPolicy), nil
 }

+func getSAUserPolicyResponse(session *models.Principal, params policyApi.GetSAUserPolicyParams) (*models.AUserPolicyResponse, *models.Error) {
+	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
+	defer cancel()
+	// serialize output
+	if session == nil {
+		return nil, ErrorWithContext(ctx, ErrPolicyNotFound)
+	}
+	// initialize admin client
+	mAdminClient, err := NewMinioAdminClient(&models.Principal{
+		STSAccessKeyID:     session.STSAccessKeyID,
+		STSSecretAccessKey: session.STSSecretAccessKey,
+		STSSessionToken:    session.STSSessionToken,
+	})
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	userAdminClient := AdminClient{Client: mAdminClient}
+
+	userName, err := utils.DecodeBase64(params.Name)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+
+	user, err := getUserInfo(ctx, userAdminClient, userName)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	var userPolicies []string
+	if len(user.PolicyName) > 0 {
+		userPolicies = strings.Split(user.PolicyName, ",")
+	}
+
+	for _, group := range user.MemberOf {
+		groupDesc, err := groupInfo(ctx, userAdminClient, group)
+		if err != nil {
+			return nil, ErrorWithContext(ctx, err)
+		}
+		if groupDesc.Policy != "" {
+			userPolicies = append(userPolicies, strings.Split(groupDesc.Policy, ",")...)
+		}
+	}
+
+	allKeys := make(map[string]bool)
+	var userPolicyList []string
+
+	for _, item := range userPolicies {
+		if _, value := allKeys[item]; !value {
+			allKeys[item] = true
+			userPolicyList = append(userPolicyList, item)
+		}
+	}
+	var userStatements []iampolicy.Statement
+
+	for _, pol := range userPolicyList {
+		policy, err := getPolicyStatements(ctx, userAdminClient, pol)
+		if err != nil {
+			return nil, ErrorWithContext(ctx, err)
+		}
+		userStatements = append(userStatements, policy...)
+	}
+
+	combinedPolicy := iampolicy.Policy{
+		Version:    "2012-10-17",
+		Statements: userStatements,
+	}
+
+	stringPolicy, err := json.Marshal(combinedPolicy)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	parsedPolicy := string(stringPolicy)
+
+	getUserPoliciesResponse := &models.AUserPolicyResponse{
+		Policy: parsedPolicy,
+	}
+
+	return getUserPoliciesResponse, nil
+}
+
 func getListGroupsForPolicyResponse(session *models.Principal, params policyApi.ListGroupsForPolicyParams) ([]string, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
 	defer cancel()
@@ -510,6 +596,17 @@ func policyInfo(ctx context.Context, client MinioAdmin, name string) (*models.Po
 	return policy, nil
 }

+// getPolicy Statements calls MinIO server to retrieve information of a canned policy.
+// and returns the associated Statements
+func getPolicyStatements(ctx context.Context, client MinioAdmin, name string) ([]iampolicy.Statement, error) {
+	policyRaw, err := client.getPolicy(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+
+	return policyRaw.Statements, nil
+}
+
 // getPolicyInfoResponse performs policyInfo() and serializes it to the handler's output
 func getPolicyInfoResponse(session *models.Principal, params policyApi.PolicyInfoParams) (*models.Policy, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())