From 23b166b3185c3f2d9b2cbbb06b3c0b7cae7e649c Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 15 Oct 2018 12:44:03 -0700 Subject: [PATCH] Remove applying custom policies with STS access keys (#6626) Move away from allowing custom policies, all policies in STS come from OPA otherwise they fail. --- cmd/iam.go | 14 +++++--------- cmd/sts-handlers.go | 26 -------------------------- 2 files changed, 5 insertions(+), 35 deletions(-) diff --git a/cmd/iam.go b/cmd/iam.go index 372d2a983..738b7f7e9 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -326,20 +326,16 @@ func (sys *IAMSys) IsAllowed(args iampolicy.Args) bool { sys.RLock() defer sys.RUnlock() + // If opa is configured, use OPA always. + if globalPolicyOPA != nil { + return globalPolicyOPA.IsAllowed(args) + } + // If policy is available for given user, check the policy. if p, found := sys.iamPolicyMap[args.AccountName]; found { - // If opa is configured, use OPA in conjunction with IAM policies. - if globalPolicyOPA != nil { - return p.IsAllowed(args) && globalPolicyOPA.IsAllowed(args) - } return p.IsAllowed(args) } - // If no policies are set, let the policy arrive from OPA if any. - if globalPolicyOPA != nil { - return globalPolicyOPA.IsAllowed(args) - } - // As policy is not available and OPA is not configured, return the owner value. return args.IsOwner } diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go index 8a6c692e3..3199356f5 100644 --- a/cmd/sts-handlers.go +++ b/cmd/sts-handlers.go @@ -17,15 +17,12 @@ package cmd import ( - "bytes" - "encoding/base64" "encoding/xml" "net/http" "github.com/gorilla/mux" "github.com/minio/minio/cmd/logger" "github.com/minio/minio/pkg/auth" - "github.com/minio/minio/pkg/iam/policy" "github.com/minio/minio/pkg/iam/validator" ) 
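Review bot: The new early return in IsAllowed makes a configured OPA the sole authority for every principal, not only STS credentials: a user who has an entry in sys.iamPolicyMap is no longer constrained by that policy, which is broader than the commit message ("all policies in STS come from OPA") describes. If that is intended, the comment on the added lines should say so, e.g. `// If OPA is configured it is the only decision point; policies in iamPolicyMap are not consulted.`, and IsAllowed's doc comment (outside the hunk, above the signature in the hunk header) should state this precedence. If it is not intended, the OPA check should move below the iamPolicyMap lookup so stored IAM policies still apply and OPA only decides when no policy is found. Note also that sys.RLock is still held across globalPolicyOPA.IsAllowed; that predates this change, but the call is now on the path of every request when OPA is enabled.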
@@ -142,22 +139,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r * return } - policyStr := r.URL.Query().Get("Policy") - var p *iampolicy.Policy - if policyStr != "" { - var data []byte - data, err = base64.URLEncoding.DecodeString(policyStr) - if err != nil { - writeSTSErrorResponse(w, ErrSTSInvalidParameterValue) - return - } - p, err = iampolicy.ParseConfig(bytes.NewReader(data)) - if err != nil { - writeSTSErrorResponse(w, ErrSTSInvalidParameterValue) - return - } - } - vars := mux.Vars(r) m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds")) if err != nil { @@ -187,13 +168,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r * writeSTSErrorResponse(w, ErrSTSInternalError) return } - if p != nil { - if err = globalIAMSys.SetPolicy(cred.AccessKey, *p); err != nil { - logger.LogIf(ctx, err) - writeSTSErrorResponse(w, ErrSTSInternalError) - return - } - } encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{ Result: ClientGrantsResult{Credentials: cred},