Add Service Account Policy restriction improvement (#1921)

Author: jinapurapu

integration/users_test.go

@@ -854,3 +854,68 @@ func TestUsersGroupsBulk(t *testing.T) {
 	}
 
 }
+
+func Test_GetUserPolicyAPI(t *testing.T) {
+	assert := assert.New(t)
+
+	// 1. Create an active user with valid policy
+	var groups = []string{}
+	var policies = []string{"readwrite"}
+	addUserResponse, addUserError := AddUser(
+		"getpolicyuser", "secretKey", groups, policies)
+	if addUserError != nil {
+		log.Println(addUserError)
+		return
+	}
+	if addUserResponse != nil {
+		fmt.Println("StatusCode:", addUserResponse.StatusCode)
+		assert.Equal(
+			201, addUserResponse.StatusCode, "Status Code is incorrect")
+	}
+
+	type args struct {
+		api string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		expectedStatus int
+		expectedError  error
+	}{
+		{
+			name: "Get User Policies",
+			args: args{
+				api: "/user/policy",
+			},
+			expectedStatus: 200,
+			expectedError:  nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+
+			client := &http.Client{
+				Timeout: 3 * time.Second,
+			}
+
+			request, err := http.NewRequest(
+				"GET", fmt.Sprintf("http://localhost:9090/api/v1%s", tt.args.api), nil)
+			if err != nil {
+				log.Println(err)
+				return
+			}
+			request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+			request.Header.Add("Content-Type", "application/json")
+			response, err := client.Do(request)
+			if err != nil {
+				log.Println(err)
+				return
+			}
+			if response != nil {
+				assert.Equal(tt.expectedStatus, response.StatusCode, tt.name+" Failed")
+			}
+		})
+	}
+
+}

portal-ui/src/screens/Console/Account/AddServiceAccountScreen.tsx

@@ -44,7 +44,8 @@ import api from "../../../../src/common/api";
 import CredentialsPrompt from "../Common/CredentialsPrompt/CredentialsPrompt";
 import { setErrorSnackMessage } from "../../../../src/actions";
 import SectionTitle from "../Common/SectionTitle";
-import { getRandomString } from "../../../screens/Console/Tenants/utils";
+import { getRandomString } from   "../../../screens/Console/Tenants/utils";
+import PanelTitle from "../Common/PanelTitle/PanelTitle";
 
 interface IAddServiceAccountProps {
   classes: any;
@@ -74,32 +75,33 @@ const AddServiceAccount = ({
   classes,
   setErrorSnackMessage,
 }: IAddServiceAccountProps) => {
-  const [addSending, setAddSending] = useState<boolean>(false);
-  const [policyDefinition, setPolicyDefinition] = useState<string>("");
+  const [addSending, setAddSending] = useState<boolean>(false);  
   const [accessKey, setAccessKey] = useState<string>(getRandomString(16));
   const [secretKey, setSecretKey] = useState<string>(getRandomString(32));
   const [isRestrictedByPolicy, setIsRestrictedByPolicy] =
     useState<boolean>(false);
   const [newServiceAccount, setNewServiceAccount] =
     useState<NewServiceAccount | null>(null);
-  const [showPassword, setShowPassword] = useState<boolean>(false);
+  const [showPassword, setShowPassword] = useState<boolean>(false);  
+const [policyJSON, setPolicyJSON] = useState<string>("");
 
   useEffect(() => {
     if (addSending) {
-      api
-        .invoke("POST", `/api/v1/service-account-credentials`, {
-          policy: policyDefinition,
-          accessKey: accessKey,
-          secretKey: secretKey,
-        })
-        .then((res) => {
-          setAddSending(false);
-          setNewServiceAccount({
-            accessKey: res.accessKey || "",
-            secretKey: res.secretKey || "",
-            url: res.url || "",
-          });
-        })
+        api
+          .invoke("POST", `/api/v1/service-account-credentials`, {
+            policy: policyJSON,
+            accessKey: accessKey,
+            secretKey: secretKey,
+          })
+          .then((res) => {
+            setAddSending(false);
+            setNewServiceAccount({
+              accessKey: res.accessKey || "",
+              secretKey: res.secretKey || "",
+              url: res.url || "",
+            });
+          })
+          
         .catch((err: ErrorResponseHandler) => {
           setAddSending(false);
           setErrorSnackMessage(err);
@@ -109,18 +111,30 @@ const AddServiceAccount = ({
     addSending,
     setAddSending,
     setErrorSnackMessage,
-    policyDefinition,
+    policyJSON,
     accessKey,
     secretKey,
   ]);
 
+  useEffect(() => {
+    if(isRestrictedByPolicy){
+    api
+      .invoke("GET", `/api/v1/user/policy`)
+      .then((res: string) => {
+       setPolicyJSON(JSON.stringify(JSON.parse(res), null, 4));
+    
+      })
+    }
+  }, [isRestrictedByPolicy]);
+
+   
   const addServiceAccount = (e: React.FormEvent) => {
     e.preventDefault();
     setAddSending(true);
   };
 
   const resetForm = () => {
-    setPolicyDefinition("");
+    setPolicyJSON("");
     setNewServiceAccount(null);
     setAccessKey("");
     setSecretKey("");
@@ -260,13 +274,19 @@ const AddServiceAccount = ({
                         xs={12}
                         className={classes.codeMirrorContainer}
                       >
+                  <div >
+                     <PanelTitle>Current User Policy - edit the JSON to remove permissions for this service account</PanelTitle>
+                    
+                  </div>
+                  <Grid item xs={12} className={classes.formScrollable}>
                         <CodeMirrorWrapper
-                          label={"Policy "}
-                          value={policyDefinition}
+                          value={policyJSON}
                           onBeforeChange={(editor, data, value) => {
-                            setPolicyDefinition(value);
+                            setPolicyJSON(value);
                           }}
+                          editorHeight={"350px"}
                         />
+                        </Grid>
                       </Grid>
                     )}
                   </Grid>

restapi/admin_policies.go

@@ -31,6 +31,8 @@ import (
 	"github.com/minio/console/models"
 	"github.com/minio/console/restapi/operations"
 	iampolicy "github.com/minio/pkg/iam/policy"
+
+	policies "github.com/minio/console/restapi/policy"
 )
 
 func registersPoliciesHandler(api *operations.ConsoleAPI) {
@@ -121,6 +123,14 @@ func registersPoliciesHandler(api *operations.ConsoleAPI) {
 		}
 		return policyApi.NewListGroupsForPolicyOK().WithPayload(policyGroupsResponse)
 	})
+	// Gets policies for currently logged in user
+	api.PolicyGetUserPolicyHandler = policyApi.GetUserPolicyHandlerFunc(func(params policyApi.GetUserPolicyParams, session *models.Principal) middleware.Responder {
+		userPolicyResponse, err := getUserPolicyResponse(session)
+		if err != nil {
+			return policyApi.NewGetUserPolicyDefault(int(err.Code)).WithPayload(err)
+		}
+		return policyApi.NewGetUserPolicyOK().WithPayload(userPolicyResponse)
+	})
 }
 
 func getListAccessRulesWithBucketResponse(session *models.Principal, params bucketApi.ListAccessRulesWithBucketParams) (*models.ListAccessRulesResponse, *models.Error) {
@@ -322,16 +332,47 @@ func getListUsersForPolicyResponse(session *models.Principal, params policyApi.L
 	return filteredUsers, nil
 }
 
+func getUserPolicyResponse(session *models.Principal) (string, *models.Error) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	// serialize output
+	if session == nil {
+		return "nil", ErrorWithContext(ctx, ErrPolicyNotFound)
+	}
+	tokenClaims, _ := getClaimsFromToken(session.STSSessionToken)
+
+	// initialize admin client
+	mAdminClient, err := NewMinioAdminClient(&models.Principal{
+		STSAccessKeyID:     session.STSAccessKeyID,
+		STSSecretAccessKey: session.STSSecretAccessKey,
+		STSSessionToken:    session.STSSessionToken,
+	})
+	if err != nil {
+		return "nil", ErrorWithContext(ctx, err)
+	}
+	userAdminClient := AdminClient{Client: mAdminClient}
+	// Obtain the current policy assigned to this user
+	// necessary for generating the list of allowed endpoints
+	accountInfo, err := getAccountInfo(ctx, userAdminClient)
+	if err != nil {
+		return "nil", ErrorWithContext(ctx, err)
+
+	}
+	rawPolicy := policies.ReplacePolicyVariables(tokenClaims, accountInfo)
+
+	return string(rawPolicy), nil
+}
+
 func getListGroupsForPolicyResponse(session *models.Principal, params policyApi.ListGroupsForPolicyParams) ([]string, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
 	defer cancel()
-	policy := params.Policy
 	mAdmin, err := NewMinioAdminClient(session)
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
 	// create a minioClient interface implementation
 	// defining the client to be used
+	policy := params.Policy
 	adminClient := AdminClient{Client: mAdmin}
 	policies, err := listPolicies(ctx, adminClient)
 	if err != nil {