5782b9d9a2
Co-authored-by: Minio Trusted <trusted@minio.io> Co-authored-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
586 lines
17 KiB
Go
586 lines
17 KiB
Go
// This file is part of MinIO Console Server
|
|
// Copyright (c) 2021 MinIO, Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package restapi
|
|
|
|
import (
|
|
"sort"
|
|
|
|
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
|
|
|
"github.com/go-openapi/errors"
|
|
"github.com/go-openapi/runtime/middleware"
|
|
"github.com/minio/console/models"
|
|
"github.com/minio/console/restapi/operations"
|
|
"github.com/minio/console/restapi/operations/admin_api"
|
|
"github.com/minio/minio/pkg/madmin"
|
|
|
|
"context"
|
|
"fmt"
|
|
"log"
|
|
"strings"
|
|
)
|
|
|
|
const Allow = 1
|
|
const Deny = -1
|
|
const Unknown = 0
|
|
|
|
func registerUsersHandlers(api *operations.ConsoleAPI) {
|
|
// List Users
|
|
api.AdminAPIListUsersHandler = admin_api.ListUsersHandlerFunc(func(params admin_api.ListUsersParams, session *models.Principal) middleware.Responder {
|
|
listUsersResponse, err := getListUsersResponse(session)
|
|
if err != nil {
|
|
return admin_api.NewListUsersDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
return admin_api.NewListUsersOK().WithPayload(listUsersResponse)
|
|
})
|
|
// Add User
|
|
api.AdminAPIAddUserHandler = admin_api.AddUserHandlerFunc(func(params admin_api.AddUserParams, session *models.Principal) middleware.Responder {
|
|
userResponse, err := getUserAddResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewAddUserDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
return admin_api.NewAddUserCreated().WithPayload(userResponse)
|
|
})
|
|
// Remove User
|
|
api.AdminAPIRemoveUserHandler = admin_api.RemoveUserHandlerFunc(func(params admin_api.RemoveUserParams, session *models.Principal) middleware.Responder {
|
|
err := getRemoveUserResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewRemoveUserDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
return admin_api.NewRemoveUserNoContent()
|
|
})
|
|
// Update User-Groups
|
|
api.AdminAPIUpdateUserGroupsHandler = admin_api.UpdateUserGroupsHandlerFunc(func(params admin_api.UpdateUserGroupsParams, session *models.Principal) middleware.Responder {
|
|
userUpdateResponse, err := getUpdateUserGroupsResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewUpdateUserGroupsDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
|
|
return admin_api.NewUpdateUserGroupsOK().WithPayload(userUpdateResponse)
|
|
})
|
|
// Get User
|
|
api.AdminAPIGetUserInfoHandler = admin_api.GetUserInfoHandlerFunc(func(params admin_api.GetUserInfoParams, session *models.Principal) middleware.Responder {
|
|
userInfoResponse, err := getUserInfoResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewGetUserInfoDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
|
|
return admin_api.NewGetUserInfoOK().WithPayload(userInfoResponse)
|
|
})
|
|
// Update User
|
|
api.AdminAPIUpdateUserInfoHandler = admin_api.UpdateUserInfoHandlerFunc(func(params admin_api.UpdateUserInfoParams, session *models.Principal) middleware.Responder {
|
|
userUpdateResponse, err := getUpdateUserResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewUpdateUserInfoDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
|
|
return admin_api.NewUpdateUserInfoOK().WithPayload(userUpdateResponse)
|
|
})
|
|
// Update User-Groups Bulk
|
|
api.AdminAPIBulkUpdateUsersGroupsHandler = admin_api.BulkUpdateUsersGroupsHandlerFunc(func(params admin_api.BulkUpdateUsersGroupsParams, session *models.Principal) middleware.Responder {
|
|
err := getAddUsersListToGroupsResponse(session, params)
|
|
if err != nil {
|
|
return admin_api.NewBulkUpdateUsersGroupsDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
|
|
return admin_api.NewBulkUpdateUsersGroupsOK()
|
|
})
|
|
api.AdminAPIListUsersWithAccessToBucketHandler = admin_api.ListUsersWithAccessToBucketHandlerFunc(func(params admin_api.ListUsersWithAccessToBucketParams, session *models.Principal) middleware.Responder {
|
|
response, err := getListUsersWithAccessToBucketResponse(session, params.Bucket)
|
|
if err != nil {
|
|
return admin_api.NewListUsersWithAccessToBucketDefault(int(err.Code)).WithPayload(err)
|
|
}
|
|
return admin_api.NewListUsersWithAccessToBucketOK().WithPayload(response)
|
|
})
|
|
}
|
|
|
|
func listUsers(ctx context.Context, client MinioAdmin) ([]*models.User, error) {
|
|
|
|
// Get list of all users in the MinIO
|
|
// This call requires explicit authentication, no anonymous requests are
|
|
// allowed for listing users.
|
|
userMap, err := client.listUsers(ctx)
|
|
if err != nil {
|
|
return []*models.User{}, err
|
|
}
|
|
|
|
var users []*models.User
|
|
for accessKey, user := range userMap {
|
|
userElem := &models.User{
|
|
AccessKey: accessKey,
|
|
Status: string(user.Status),
|
|
Policy: strings.Split(user.PolicyName, ","),
|
|
MemberOf: user.MemberOf,
|
|
}
|
|
users = append(users, userElem)
|
|
}
|
|
|
|
return users, nil
|
|
}
|
|
|
|
// getListUsersResponse performs listUsers() and serializes it to the handler's output
|
|
func getListUsersResponse(session *models.Principal) (*models.ListUsersResponse, *models.Error) {
|
|
ctx := context.Background()
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
users, err := listUsers(ctx, adminClient)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
// serialize output
|
|
listUsersResponse := &models.ListUsersResponse{
|
|
Users: users,
|
|
}
|
|
return listUsersResponse, nil
|
|
}
|
|
|
|
// addUser invokes adding a users on `MinioAdmin` and builds the response `models.User`
|
|
func addUser(ctx context.Context, client MinioAdmin, accessKey, secretKey *string, groups []string) (*models.User, error) {
|
|
// Calls into MinIO to add a new user if there's an error return it
|
|
if err := client.addUser(ctx, *accessKey, *secretKey); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(groups) > 0 {
|
|
userElem, errUG := updateUserGroups(ctx, client, *accessKey, groups)
|
|
|
|
if errUG != nil {
|
|
return nil, errUG
|
|
}
|
|
return userElem, nil
|
|
}
|
|
|
|
userRet := &models.User{
|
|
AccessKey: *accessKey,
|
|
MemberOf: nil,
|
|
Policy: []string{},
|
|
Status: "",
|
|
}
|
|
return userRet, nil
|
|
}
|
|
|
|
func getUserAddResponse(session *models.Principal, params admin_api.AddUserParams) (*models.User, *models.Error) {
|
|
ctx := context.Background()
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
user, err := addUser(ctx, adminClient, params.Body.AccessKey, params.Body.SecretKey, params.Body.Groups)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
return user, nil
|
|
}
|
|
|
|
//removeUser invokes removing an user on `MinioAdmin`, then we return the response from API
|
|
func removeUser(ctx context.Context, client MinioAdmin, accessKey string) error {
|
|
if err := client.removeUser(ctx, accessKey); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getRemoveUserResponse(session *models.Principal, params admin_api.RemoveUserParams) *models.Error {
|
|
ctx := context.Background()
|
|
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return prepareError(err)
|
|
}
|
|
|
|
if session.AccountAccessKey == params.Name {
|
|
return prepareError(errAvoidSelfAccountDelete)
|
|
}
|
|
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
if err := removeUser(ctx, adminClient, params.Name); err != nil {
|
|
return prepareError(err)
|
|
}
|
|
|
|
log.Println("User removed successfully:", params.Name)
|
|
return nil
|
|
}
|
|
|
|
// getUserInfo calls MinIO server get the User Information
|
|
func getUserInfo(ctx context.Context, client MinioAdmin, accessKey string) (*madmin.UserInfo, error) {
|
|
userInfo, err := client.getUserInfo(ctx, accessKey)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &userInfo, nil
|
|
}
|
|
|
|
func getUserInfoResponse(session *models.Principal, params admin_api.GetUserInfoParams) (*models.User, *models.Error) {
|
|
ctx := context.Background()
|
|
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
user, err := getUserInfo(ctx, adminClient, params.Name)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
userInformation := &models.User{
|
|
AccessKey: params.Name,
|
|
MemberOf: user.MemberOf,
|
|
Policy: strings.Split(user.PolicyName, ","),
|
|
Status: string(user.Status),
|
|
}
|
|
|
|
return userInformation, nil
|
|
}
|
|
|
|
// updateUserGroups invokes getUserInfo() to get the old groups from the user,
|
|
// then we merge the list with the new groups list to have a shorter iteration between groups and we do a comparison between the current and old groups.
|
|
// We delete or update the groups according the location in each list and send the user with the new groups from `MinioAdmin` to the client
|
|
func updateUserGroups(ctx context.Context, client MinioAdmin, user string, groupsToAssign []string) (*models.User, error) {
|
|
parallelUserUpdate := func(groupName string, originGroups []string) chan error {
|
|
chProcess := make(chan error)
|
|
|
|
go func() error {
|
|
defer close(chProcess)
|
|
|
|
//Compare if groupName is in the arrays
|
|
isGroupPersistent := IsElementInArray(groupsToAssign, groupName)
|
|
isInOriginGroups := IsElementInArray(originGroups, groupName)
|
|
|
|
if isGroupPersistent && isInOriginGroups { // Group is already assigned and doesn't need to be updated
|
|
chProcess <- nil
|
|
|
|
return nil
|
|
}
|
|
|
|
isRemove := false // User is added by default
|
|
|
|
// User is deleted from the group
|
|
if !isGroupPersistent {
|
|
isRemove = true
|
|
}
|
|
|
|
userToAddRemove := []string{user}
|
|
|
|
updateReturn := updateGroupMembers(ctx, client, groupName, userToAddRemove, isRemove)
|
|
|
|
chProcess <- updateReturn
|
|
|
|
return updateReturn
|
|
}()
|
|
|
|
return chProcess
|
|
}
|
|
|
|
userInfoOr, err := getUserInfo(ctx, client, user)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
memberOf := userInfoOr.MemberOf
|
|
mergedGroupArray := UniqueKeys(append(memberOf, groupsToAssign...))
|
|
|
|
var listOfUpdates []chan error
|
|
|
|
// Each group must be updated individually because there is no way to update all the groups at once for a user,
|
|
// we are using the same logic as 'mc admin group add' command
|
|
for _, groupN := range mergedGroupArray {
|
|
proc := parallelUserUpdate(groupN, memberOf)
|
|
listOfUpdates = append(listOfUpdates, proc)
|
|
}
|
|
|
|
channelHasError := false
|
|
|
|
for _, chanRet := range listOfUpdates {
|
|
locError := <-chanRet
|
|
|
|
if locError != nil {
|
|
channelHasError = true
|
|
}
|
|
}
|
|
|
|
if channelHasError {
|
|
errRt := errors.New(500, "there was an error updating the groups")
|
|
return nil, errRt
|
|
}
|
|
|
|
userInfo, err := getUserInfo(ctx, client, user)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
policies := strings.Split(userInfo.PolicyName, ",")
|
|
|
|
userReturn := &models.User{
|
|
AccessKey: user,
|
|
MemberOf: userInfo.MemberOf,
|
|
Policy: policies,
|
|
Status: string(userInfo.Status),
|
|
}
|
|
|
|
return userReturn, nil
|
|
}
|
|
|
|
func getUpdateUserGroupsResponse(session *models.Principal, params admin_api.UpdateUserGroupsParams) (*models.User, *models.Error) {
|
|
ctx := context.Background()
|
|
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
user, err := updateUserGroups(ctx, adminClient, params.Name, params.Body.Groups)
|
|
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
// setUserStatus invokes setUserStatus from madmin to update user status
|
|
func setUserStatus(ctx context.Context, client MinioAdmin, user string, status string) error {
|
|
var setStatus madmin.AccountStatus
|
|
switch status {
|
|
case "enabled":
|
|
setStatus = madmin.AccountEnabled
|
|
case "disabled":
|
|
setStatus = madmin.AccountDisabled
|
|
default:
|
|
return errors.New(500, "status not valid")
|
|
}
|
|
|
|
if err := client.setUserStatus(ctx, user, setStatus); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getUpdateUserResponse(session *models.Principal, params admin_api.UpdateUserInfoParams) (*models.User, *models.Error) {
|
|
ctx := context.Background()
|
|
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
name := params.Name
|
|
status := *params.Body.Status
|
|
groups := params.Body.Groups
|
|
|
|
if err := setUserStatus(ctx, adminClient, name, status); err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
|
|
userElem, errUG := updateUserGroups(ctx, adminClient, name, groups)
|
|
|
|
if errUG != nil {
|
|
return nil, prepareError(errUG)
|
|
}
|
|
return userElem, nil
|
|
}
|
|
|
|
// addUsersListToGroups iterates over the user list & assigns the requested groups to each user.
|
|
func addUsersListToGroups(ctx context.Context, client MinioAdmin, usersToUpdate []string, groupsToAssign []string) error {
|
|
// We update each group with the complete usersList
|
|
parallelGroupsUpdate := func(groupToAssign string) chan error {
|
|
groupProcess := make(chan error)
|
|
|
|
go func() {
|
|
defer close(groupProcess)
|
|
// We add the users array to the group.
|
|
err := updateGroupMembers(ctx, client, groupToAssign, usersToUpdate, false)
|
|
|
|
groupProcess <- err
|
|
}()
|
|
return groupProcess
|
|
}
|
|
|
|
var groupsUpdateList []chan error
|
|
|
|
// We get each group name & add users accordingly
|
|
for _, groupName := range groupsToAssign {
|
|
// We update the group
|
|
proc := parallelGroupsUpdate(groupName)
|
|
groupsUpdateList = append(groupsUpdateList, proc)
|
|
}
|
|
|
|
errorsList := []string{} // We get the errors list because we want to have all errors at once.
|
|
for _, err := range groupsUpdateList {
|
|
errorFromUpdate := <-err // We store the error to avoid Data Race
|
|
if errorFromUpdate != nil {
|
|
// If there is an error, we store the errors strings so we can join them after we receive all errors
|
|
errorsList = append(errorsList, errorFromUpdate.Error()) // We wait until all the channels have been closed.
|
|
}
|
|
}
|
|
|
|
// If there are errors, we throw the final error with the errors inside
|
|
if len(errorsList) > 0 {
|
|
errGen := fmt.Errorf("error in users-groups assignation: %q", strings.Join(errorsList[:], ","))
|
|
return errGen
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func getAddUsersListToGroupsResponse(session *models.Principal, params admin_api.BulkUpdateUsersGroupsParams) *models.Error {
|
|
ctx := context.Background()
|
|
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return prepareError(err)
|
|
}
|
|
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
usersList := params.Body.Users
|
|
groupsList := params.Body.Groups
|
|
|
|
if err := addUsersListToGroups(ctx, adminClient, usersList, groupsList); err != nil {
|
|
return prepareError(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func getListUsersWithAccessToBucketResponse(session *models.Principal, bucket string) ([]string, *models.Error) {
|
|
ctx := context.Background()
|
|
mAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
// create a minioClient interface implementation
|
|
// defining the client to be used
|
|
adminClient := adminClient{client: mAdmin}
|
|
|
|
return listUsersWithAccessToBucket(ctx, adminClient, bucket)
|
|
}
|
|
|
|
func policyAllowsAndMatchesBucket(policy *iampolicy.Policy, bucket string) int {
|
|
policyStatements := policy.Statements
|
|
for i := 0; i < len(policyStatements); i++ {
|
|
resources := policyStatements[i].Resources
|
|
effect := policyStatements[i].Effect
|
|
if resources.Match(bucket, map[string][]string{}) {
|
|
if effect.IsValid() {
|
|
if effect.IsAllowed(true) {
|
|
return Allow
|
|
}
|
|
return Deny
|
|
}
|
|
}
|
|
}
|
|
return Unknown
|
|
}
|
|
|
|
func listUsersWithAccessToBucket(ctx context.Context, adminClient MinioAdmin, bucket string) ([]string, *models.Error) {
|
|
users, err := adminClient.listUsers(ctx)
|
|
if err != nil {
|
|
return nil, prepareError(err)
|
|
}
|
|
var retval []string
|
|
akHasAccess := make(map[string]bool)
|
|
akIsDenied := make(map[string]bool)
|
|
for k, v := range users {
|
|
for _, policyName := range strings.Split(v.PolicyName, ",") {
|
|
policyName = strings.TrimSpace(policyName)
|
|
policy, err := adminClient.getPolicy(ctx, policyName)
|
|
if err == nil {
|
|
if !akIsDenied[k] {
|
|
switch policyAllowsAndMatchesBucket(policy, bucket) {
|
|
case Allow:
|
|
if !akHasAccess[k] {
|
|
akHasAccess[k] = true
|
|
}
|
|
case Deny:
|
|
akIsDenied[k] = true
|
|
akHasAccess[k] = false
|
|
}
|
|
}
|
|
} else {
|
|
log.Println(err)
|
|
}
|
|
}
|
|
}
|
|
|
|
groups, err := listGroups(ctx, adminClient)
|
|
if err != nil {
|
|
log.Println(err)
|
|
return retval, nil
|
|
}
|
|
for i := 0; i < len(*groups); i++ {
|
|
info, err := groupInfo(ctx, adminClient, (*groups)[i])
|
|
if err == nil {
|
|
policy, err2 := adminClient.getPolicy(ctx, info.Policy)
|
|
if err2 == nil {
|
|
for j := 0; j < len(info.Members); j++ {
|
|
if !akIsDenied[info.Members[j]] {
|
|
switch policyAllowsAndMatchesBucket(policy, bucket) {
|
|
case Allow:
|
|
if !akHasAccess[info.Members[j]] {
|
|
akHasAccess[info.Members[j]] = true
|
|
}
|
|
case Deny:
|
|
akIsDenied[info.Members[j]] = true
|
|
akHasAccess[info.Members[j]] = false
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
log.Println(err2)
|
|
}
|
|
} else {
|
|
log.Println(err)
|
|
}
|
|
}
|
|
for k, v := range akHasAccess {
|
|
if v {
|
|
retval = append(retval, k)
|
|
}
|
|
}
|
|
sort.Strings(retval)
|
|
return retval, nil
|
|
}
|