From 825e29f3015c96bb83b0de71352bc35d003e91f4 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 14 Aug 2019 16:59:16 -0700
Subject: [PATCH] Check if user or group is disabled when evaluating policy (#8078)

---
 cmd/iam.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 19804b60b..b36cf9eeb 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -945,8 +945,14 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 		return []string{policy.Policy}, nil
 	}
 
-	if _, ok := sys.iamUsersMap[name]; !ok {
+	// When looking for a user's policies, we also check if the
+	// user and the groups they are member of are enabled.
+	if u, ok := sys.iamUsersMap[name]; !ok {
 		return nil, errNoSuchUser
+	} else if u.Status == statusDisabled {
+		// User is disabled, so we return no policy - this
+		// ensures the request is denied.
+		return nil, nil
 	}
 
 	result := []string{}
@@ -956,6 +962,12 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) ([]string, error) {
 		result = append(result, policy.Policy)
 	}
 	for _, group := range sys.iamUserGroupMemberships[name].ToSlice() {
+		// Skip missing or disabled groups
+		gi, ok := sys.iamGroupsMap[group]
+		if !ok || gi.Status == statusDisabled {
+			continue
+		}
+
 		p, ok := sys.iamGroupPolicyMap[group]
 		if ok && p.Policy != "" {
 			result = append(result, p.Policy)
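Review bot: The new `else if u.Status == statusDisabled` branch returns `nil, nil`, which makes a disabled user indistinguishable to callers from an enabled user with no policy attached, so the "ensures the request is denied" comment only holds if every caller treats an empty policy list as deny and never falls back to another permission source — that contract is not visible in this hunk and should be stated where policyDBGet is consumed. A distinct sentinel, e.g. `return nil, errIAMUserDisabled` alongside the existing `errNoSuchUser`, would let callers deny explicitly and audit the reason, if callers can be updated. Note also that the `isGroup` path just above (`return []string{policy.Policy}, nil`, the first context line) still returns a group's policy without consulting that group's Status, which is fine only if no authorization path calls policyDBGet with isGroup set to true; a comment on that branch would make the intent clear. Since the `if` returns, the `else if` could also be flattened into a separate `if u.Status == statusDisabled { ... }` per Go style, though the current form is correct. The function's opening lines are outside this hunk.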
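Review bot: The new guard `if !ok || gi.Status == statusDisabled { continue }` fails open for a group whose Status is the empty string — any group record persisted before a status field existed, or loaded without one, is treated as enabled; if such records can exist, the comparison should be against an explicit enabled value (e.g. `gi.Status != statusEnabled`, if that constant exists in this file) rather than against disabled. The same observation applies to the user check in the first hunk. The `!ok` case (a membership that names a group absent from `iamGroupsMap`) is a store inconsistency and is silently merged with the deliberate disabled-group case; splitting it out and logging with whatever logging helper this file already uses would keep the two conditions distinguishable in incident review. The loop's closing brace and the remainder of policyDBGet lie outside this hunk.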