fix: a regression in IAM policy reload routine() (#19421)

all policy reloading is broken since last release since 48deccdc40 fixes #19417
2024-04-05 14:26:41 -07:00 · 2024-04-05 14:26:41 -07:00 · 91f91d8f47
parent a207bd6790
commit 91f91d8f47
3 changed files with 35 additions and 5 deletions
--- a/cmd/iam-object-store.go
+++ b/cmd/iam-object-store.go
@ -399,6 +399,7 @@ var (
 	groupsListKey           = "groups/"
 	policiesListKey         = "policies/"
 	stsListKey              = "sts/"
+	policyDBPrefix          = "policydb/"
 	policyDBUsersListKey    = "policydb/users/"
 	policyDBSTSUsersListKey = "policydb/sts-users/"
 	policyDBGroupsListKey   = "policydb/groups/"
@ -406,8 +407,13 @@ var (

 // splitPath splits a path into a top-level directory and a child item. The
 // parent directory retains the trailing slash.
-func splitPath(s string) (string, string) {
-	i := strings.Index(s, "/")
+func splitPath(s string, lastIndex bool) (string, string) {
+	var i int
+	if lastIndex {
+		i = strings.LastIndex(s, "/")
+	} else {
+		i = strings.Index(s, "/")
+	}
 	if i == -1 {
 		return s, ""
 	}
@ -424,7 +430,8 @@ func (iamOS *IAMObjectStore) listAllIAMConfigItems(ctx context.Context) (map[str
 			return nil, item.Err
 		}

-		listKey, trimmedItem := splitPath(item.Item)
+		lastIndex := strings.HasPrefix(item.Item, policyDBPrefix)
+		listKey, trimmedItem := splitPath(item.Item, lastIndex)
 		if listKey == iamFormatFile {
 			continue
 		}
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1918,7 +1918,7 @@ func (sys *IAMSys) IsAllowedSTS(args policy.Args, parentUser string) bool {
 	default:
 		// Otherwise, inherit parent user's policy
 		var err error
-		policies, err = sys.store.PolicyDBGet(parentUser, args.Groups...)
+		policies, err = sys.PolicyDBGet(parentUser, args.Groups...)
 		if err != nil {
 			iamLogIf(GlobalContext, fmt.Errorf("error fetching policies on %s: %v", parentUser, err))
 			return false
--- a/cmd/signature-v4-utils_test.go
+++ b/cmd/signature-v4-utils_test.go
@ -75,10 +75,13 @@ func TestCheckValid(t *testing.T) {
 		t.Fatalf("unable create credential, %s", err)
 	}

-	globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
+	_, err = globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
 		SecretKey: ucreds.SecretKey,
 		Status:    madmin.AccountEnabled,
 	})
+	if err != nil {
+		t.Fatalf("unable create credential, %s", err)
+	}

 	_, owner, s3Err = checkKeyValid(req, ucreds.AccessKey)
 	if s3Err != ErrNone {
@ -88,6 +91,26 @@ func TestCheckValid(t *testing.T) {
 	if owner {
 		t.Fatalf("Expected owner to be 'false', found %t", owner)
 	}
+
+	_, err = globalIAMSys.PolicyDBSet(ctx, ucreds.AccessKey, "consoleAdmin", regUser, false)
+	if err != nil {
+		t.Fatalf("unable to attach policy to credential, %s", err)
+	}
+
+	time.Sleep(4 * time.Second)
+
+	policies, err := globalIAMSys.PolicyDBGet(ucreds.AccessKey)
+	if err != nil {
+		t.Fatalf("unable to get policy to credential, %s", err)
+	}
+
+	if len(policies) == 0 {
+		t.Fatal("no policies found")
+	}
+
+	if policies[0] != "consoleAdmin" {
+		t.Fatalf("expected 'consoleAdmin', %s", policies[0])
+	}
 }

 // TestSkipContentSha256Cksum - Test validate the logic which decides whether