From 6bb693488c6c5efbd4206bd8ed64b0e80be2379d Mon Sep 17 00:00:00 2001 From: Aditya Manthramurthy Date: Thu, 9 Apr 2020 01:04:08 -0700 Subject: [PATCH] Fix policy setting error in LDAP setups (#9303) Fixes #8667 In addition to the above, if the user is mapped to a policy or belongs in a group, the user-info API returns this information, but otherwise, the API will now return a non-existent user error. --- cmd/admin-handlers-users.go | 2 +- cmd/iam.go | 17 ++++++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index 9867d4d49..0e7c531e6 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -703,7 +703,7 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http if !isGroup { ok, err := globalIAMSys.IsTempUser(entityName) - if err != nil { + if err != nil && err != errNoSuchUser { writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL) return } diff --git a/cmd/iam.go b/cmd/iam.go index 63b0489bd..0a62ccb37 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -682,9 +682,16 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) { defer sys.store.runlock() if sys.usersSysType != MinIOUsersSysType { + // If the user has a mapped policy or is a member of a group, we + // return that info. Otherwise we return error. + mappedPolicy, ok1 := sys.iamUserPolicyMap[name] + memberships, ok2 := sys.iamUserGroupMemberships[name] + if !ok1 && !ok2 { + return u, errNoSuchUser + } return madmin.UserInfo{ - PolicyName: sys.iamUserPolicyMap[name].Policy, - MemberOf: sys.iamUserGroupMemberships[name].ToSlice(), + PolicyName: mappedPolicy.Policy, + MemberOf: memberships.ToSlice(), }, nil } 
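Review bot: The widened guard `if err != nil && err != errNoSuchUser {` in SetPolicyForUserOrGroup tolerates unknown user names in every users-system mode, not only in LDAP setups, so in the built-in MinIO users mode a policy can now be mapped to a name that has no user record unless policyDBSet (not visible here) rejects it. If no such check exists downstream, the tolerance should be scoped to external user systems, e.g. `if err != nil && !(err == errNoSuchUser && globalIAMSys.usersSysType != MinIOUsersSysType) {` (or via an accessor if the field is not meant to be read from handlers), or the handler should confirm the name through GetUserInfo before mapping. A mapping for a mistyped name is a silent failure from the admin's point of view — the call succeeds but no principal ever receives the policy — and it leaves a dangling mapping to clean up. SetPolicyForUserOrGroup starts and ends outside the hunk, so the handling of `ok` after this check could not be reviewed.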
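Review bot: The new `return u, errNoSuchUser` in GetUserInfo conflates two different conditions for external user systems: the directory account may well exist, MinIO simply holds no policy mapping or group membership for that name, yet callers will most likely surface this as "user does not exist". The inline comment should say so, so that callers and admins do not read the error as proof the LDAP account is missing, e.g. `// MinIO keeps no user records for external user systems (e.g. LDAP); a name is known only through its policy mapping or group memberships, so errNoSuchUser here means "no IAM data for this name", not that the directory account is absent.` Note also that `sys.iamUserPolicyMap[name]` and `sys.iamUserGroupMemberships[name]` are exact string lookups, while LDAP DNs compare case- and whitespace-insensitively, so a DN stored with different casing than the one queried would be reported as missing — worth confirming that callers normalize the DN before it reaches these maps. GetUserInfo starts outside the hunk.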
@@ -1176,9 +1183,7 @@ func (sys *IAMSys) ListGroups() (r []string, err error) { return r, nil } -// PolicyDBSet - sets a policy for a user or group in the -// PolicyDB. This function applies only long-term users. For STS -// users, policy is set directly by called sys.policyDBSet(). +// PolicyDBSet - sets a policy for a user or group in the PolicyDB. func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error { objectAPI := newObjectLayerWithoutSafeModeFn() if objectAPI == nil || sys == nil || sys.store == nil { @@ -1188,8 +1193,6 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error { sys.store.lock() defer sys.store.unlock() - // isSTS is always false when called via PolicyDBSet as policy - // is never set by an external API call for STS users. return sys.policyDBSet(name, policy, regularUser, isGroup) }
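Review bot: The shortened doc comment `// PolicyDBSet - sets a policy for a user or group in the PolicyDB.` drops the only statement of why the body still hard-codes `regularUser` in `return sys.policyDBSet(name, policy, regularUser, isGroup)` (second hunk), so the next reader meets that constant with no rationale. Keep one sentence of it, e.g. `// PolicyDBSet - sets a policy for a user or group in the PolicyDB. The mapping is always recorded as a regular (non-STS) user mapping; callers such as SetPolicyForUserOrGroup check IsTempUser first, presumably to reject STS users before reaching here.` The old text's claim that STS policy is "set directly by called sys.policyDBSet()" was indeed stale wording, but the non-STS contract itself is still what the code shown implements. PolicyDBSet's body continues between and beyond the two hunks.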