restrict identity assignment on a per-policy basis

This commit allows policies to restrict the assignment of identities. Now, a policy can specify that you can only assign identities to specific policies but not to any policies.
minio · Dec 11, 2019 · aca5fa2 · aca5fa2
1 parent 0304339
commit aca5fa2
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 25 deletions.
diff --git a/client.go b/client.go
@@ -220,18 +220,8 @@ func (c *Client) DeletePolicy(name string) error {
 }
 
 func (c *Client) AssignIdentity(policy string, id Identity) error {
-	type Request struct {
-		Policy string `json:"policy"`
-	}
-	body, err := json.Marshal(Request{
-		Policy: policy,
-	})
-	if err != nil {
-		return err
-	}
-
-	url := fmt.Sprintf("%s/v1/identity/assign/%s", c.addr, id.String())
-	resp, err := c.httpClient.Post(url, "application/json", bytes.NewReader(body))
+	url := fmt.Sprintf("%s/v1/identity/assign/%s/%s", c.addr, policy, id.String())
+	resp, err := c.httpClient.Post(url, "application/json", nil)
 	if err != nil {
 		return err
 	}

diff --git a/handler.go b/handler.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/http"
 	"path"
+	"strings"
 
 	"github.com/secure-io/sio-go/sioutil"
 )
@@ -242,16 +243,6 @@ func HandleDeletePolicy(roles *Roles) http.HandlerFunc {
 
 func HandleAssignIdentity(roles *Roles) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		type Request struct {
-			Policy string `json:"policy"`
-		}
-
-		var req Request
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-			http.Error(w, "invalid JSON", http.StatusBadRequest)
-			return
-		}
-
 		identity := Identity(pathBase(r.URL.Path))
 		if identity.IsUnknown() {
 			http.Error(w, "invalid identity", http.StatusBadRequest)
@@ -265,7 +256,9 @@ func HandleAssignIdentity(roles *Roles) http.HandlerFunc {
 			http.Error(w, "invalid identity: you cannot assign a policy to yourself", http.StatusBadRequest)
 			return
 		}
-		if err := roles.Assign(req.Policy, identity); err != nil {
+
+		policy := pathBase(strings.TrimSuffix(r.URL.Path, identity.String()))
+		if err := roles.Assign(policy, identity); err != nil {
 			http.Error(w, "policy does not exists", http.StatusNotFound)
 			return
 		}

diff --git a/server-config.toml b/server-config.toml
@@ -64,10 +64,11 @@ identities = [ "c956add675567b7a2e5011c6efe6106bc2504a71ce406299a8dd7e292d1610da
 [policy.prod-admin] # Policy that allows displaying policies and identity management operations.
 paths      = [ "/v1/policy/show/prod-*",
                "/v1/policy/list/prod-*",
-               "/v1/identity/assign/*", 
+               "/v1/identity/assign/prod-ops/*", 
+               "/v1/identity/assign/prod-app/*", 
                "/v1/identity/list/*", 
                "/v1/identity/forget/*"
-             ]
+             ] # Observe that the pod-admin can assign identities to prod-ops / prod-app but not to prod-admin 
 identities = [ "7ec8095a5308a535b72b35c7ccd4ce1d7c14af713acd22e2935a9d6e4fe18127" ]
 
 # Key stores configuration. A key store holds secret keys.