fix: assume parentUser correctly for serviceAccounts (#9504)

ListServiceAccounts/DeleteServiceAccount did not work properly
with STS credentials because the parent user was derived incorrectly.
master
Harshavardhana 5 years ago committed by GitHub
parent 09571d03a5
commit 28f9c477a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 18
      cmd/admin-handlers-users.go
  2. 9
      cmd/iam.go
  3. 3
      cmd/typed-errors.go

@ -461,7 +461,12 @@ func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Req
return return
} }
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, cred.AccessKey) parentUser := cred.AccessKey
if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
serviceAccounts, err := globalIAMSys.ListServiceAccounts(ctx, parentUser)
if err != nil { if err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return return
@ -521,8 +526,15 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
return return
} }
if cred.AccessKey != user || cred.ParentUser != user { parentUser := cred.AccessKey
// The service account belongs to another user but return not found error to mitigate brute force attacks. if cred.ParentUser != "" {
parentUser = cred.ParentUser
}
if parentUser != user || user == "" {
// The service account belongs to another user but return not
// found error to mitigate brute force attacks. or the
// serviceAccount doesn't exist.
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServiceAccountNotFound), r.URL) writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServiceAccountNotFound), r.URL)
return return
} }
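Review bot: The `user == ""` arm of the new check in DeleteServiceAccount encodes a not-found sentinel that exists only because `GetServiceAccountParent` now returns `"", nil` for an unknown key (cmd/iam.go in this same commit), and nothing at the call site says so; `if parentUser != user || user == "" {` should carry a comment such as `// GetServiceAccountParent yields "" when the key is not an existing service account.` so the coupling survives a later change to that lookup. The three-line derivation of `parentUser` from `cred.AccessKey` and `cred.ParentUser` is now repeated in ListServiceAccounts and DeleteServiceAccount; a small helper returning the effective parent (e.g. `effectiveParent(cred)`) would keep the two authorization paths from drifting. Both handler bodies start outside the hunk, so the origin of `user` is inferred from the `GetServiceAccountParent` change rather than visible here.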

@ -889,12 +889,11 @@ func (sys *IAMSys) GetServiceAccountParent(ctx context.Context, accessKey string
defer sys.store.runlock() defer sys.store.runlock()
sa, ok := sys.iamUsersMap[accessKey] sa, ok := sys.iamUsersMap[accessKey]
if !ok || !sa.IsServiceAccount() { if ok && sa.IsServiceAccount() {
return "", errNoSuchServiceAccount
}
return sa.ParentUser, nil return sa.ParentUser, nil
} }
return "", nil
}
// DeleteServiceAccount - delete a service account // DeleteServiceAccount - delete a service account
func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) error { func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) error {
@ -908,7 +907,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
sa, ok := sys.iamUsersMap[accessKey] sa, ok := sys.iamUsersMap[accessKey]
if !ok || !sa.IsServiceAccount() { if !ok || !sa.IsServiceAccount() {
return errNoSuchServiceAccount return nil
} }
// It is ok to ignore deletion error on the mapped policy // It is ok to ignore deletion error on the mapped policy
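Review bot: `IAMSys.DeleteServiceAccount` now returns nil when the key is missing or is not a service account, so a caller can no longer distinguish a deletion from a no-op, and the only thing preventing deletion by a non-service-account key is the handler's separate parent check. The `return nil` deserves a comment such as `// A missing or non-service-account key is treated as already deleted; callers authorize via GetServiceAccountParent first.` so the contract is explicit. In the first hunk, `GetServiceAccountParent` likewise returns `"", nil` for an unknown key, making the empty string a sentinel that its doc comment (above the hunk) should state; without that, a future caller may treat `""` as a valid parent. Both functions' signatures lie outside the hunks shown.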

@ -77,9 +77,6 @@ var errInvalidDecompressedSize = errors.New("Invalid Decompressed Size")
// error returned in IAM subsystem when user doesn't exist. // error returned in IAM subsystem when user doesn't exist.
var errNoSuchUser = errors.New("Specified user does not exist") var errNoSuchUser = errors.New("Specified user does not exist")
// error returned in IAM subsystem when the service account doesn't exist.
var errNoSuchServiceAccount = errors.New("Specified service account does not exist")
// error returned in IAM subsystem when groups doesn't exist. // error returned in IAM subsystem when groups doesn't exist.
var errNoSuchGroup = errors.New("Specified group does not exist") var errNoSuchGroup = errors.New("Specified group does not exist")
