Skip to content

Commit b1ba7ba

Browse files
naveenpaul1naveenpaul1
committed
IAM | Change bucket owner for IAM user to account and more
Signed-off-by: Naveen Paul <napaul@redhat.com>
1 parent 2017b80 commit b1ba7ba

File tree

5 files changed

+62
-70
lines changed

5 files changed

+62
-70
lines changed

src/sdk/accountspace_nb.js

Lines changed: 45 additions & 57 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,6 @@
22
'use strict';
33

44
const _ = require('lodash');
5-
const SensitiveString = require('../util/sensitive_string');
65
const account_util = require('../util/account_util');
76
const iam_utils = require('../endpoint/iam/iam_utils');
87
const dbg = require('../util/debug_module')(__filename);
@@ -47,29 +46,28 @@ class AccountSpaceNB {
4746
account_util._check_if_requesting_account_is_root_account(action, requesting_account,
4847
{ username: params.username, path: params.iam_path });
4948
account_util._check_username_already_exists(action, params, requesting_account);
50-
const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username, params.iam_path);
51-
const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
49+
const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), params.username,
50+
params.iam_path || IAM_DEFAULT_PATH);
51+
const account_name = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
5252
const req = {
5353
rpc_params: {
5454
name: account_name,
5555
email: account_name,
5656
has_login: false,
5757
s3_access: true,
5858
allow_bucket_creation: true,
59-
owner: requesting_account._id.toString(),
59+
owner: requesting_account._id,
6060
is_iam: true,
6161
iam_arn: iam_arn,
6262
iam_path: params.iam_path,
63-
role: 'iam_user',
63+
role: 'admin',
6464

6565
// TODO: default_resource remove
6666
default_resource: 'noobaa-default-backing-store',
6767
},
6868
account: requesting_account,
6969
};
70-
// CORE CHANGES PENDING - START
7170
const iam_account = await account_util.create_account(req);
72-
// CORE CHANGES PENDING - END
7371

7472
// TODO : Clean account cache
7573
// TODO : Send Event
@@ -87,19 +85,15 @@ class AccountSpaceNB {
8785
async get_user(params, account_sdk) {
8886
const action = IAM_ACTIONS.GET_USER;
8987
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
90-
const account_name = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
91-
const requested_account = system_store.get_account_by_email(account_name);
92-
account_util._check_if_requesting_account_is_root_account(action, requesting_account,
93-
{ username: params.username, iam_path: params.iam_path });
94-
account_util._check_if_account_exists(action, account_name);
95-
account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
96-
account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
88+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
89+
const username = account_util.get_iam_username(params.username || requested_account.name.unwrap());
90+
const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), username,
91+
requested_account.iam_path || IAM_DEFAULT_PATH);
9792
const reply = {
9893
user_id: requested_account._id.toString(),
99-
// TODO : IAM PATH
10094
iam_path: requested_account.iam_path || IAM_DEFAULT_PATH,
101-
username: account_util.get_iam_username(requested_account.name.unwrap()),
102-
arn: requested_account.iam_arn,
95+
username: username,
96+
arn: iam_arn,
10397
// TODO: GAP Need to save created date
10498
create_date: Date.now(),
10599
// TODO: Dates missing : GAP
@@ -111,27 +105,25 @@ class AccountSpaceNB {
111105
async update_user(params, account_sdk) {
112106
const action = IAM_ACTIONS.UPDATE_USER;
113107
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
114-
const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
108+
const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
115109
account_util._check_if_requesting_account_is_root_account(action, requesting_account,
116110
{ username: params.username, iam_path: params.iam_path });
117111
account_util._check_if_account_exists(action, username);
118112
const requested_account = system_store.get_account_by_email(username);
119113
let iam_path = requested_account.iam_path;
120-
let user_name = requested_account.name.unwrap();
114+
let user_name = account_util.get_iam_username(requested_account.name.unwrap());
121115
account_util._check_username_already_exists(action, { username: params.new_username }, requesting_account);
122116
account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
123117
account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
124-
if (params.new_iam_path !== undefined) iam_path = params.new_iam_path;
125-
if (params.new_username !== undefined) user_name = params.new_username;
126-
const iam_arn = iam_utils.create_arn_for_user(requested_account._id.toString(), user_name, iam_path);
127-
const new_account_name = new SensitiveString(`${params.new_username}:${requesting_account.name.unwrap()}`);
118+
if (params.new_iam_path) iam_path = params.new_iam_path;
119+
if (params.new_username) user_name = params.new_username;
120+
const iam_arn = iam_utils.create_arn_for_user(requesting_account._id.toString(), user_name, iam_path);
121+
const new_account_name = account_util.get_account_name_from_username(user_name, requesting_account._id.toString());
128122
const updates = {
129123
name: new_account_name,
130124
email: new_account_name,
131-
iam_arn: iam_arn,
132125
iam_path: iam_path,
133126
};
134-
// CORE CHANGES PENDING - START
135127
await system_store.make_changes({
136128
update: {
137129
accounts: [{
@@ -140,11 +132,9 @@ class AccountSpaceNB {
140132
}]
141133
}
142134
});
143-
// CORE CHANGES PENDING - END
144135
// TODO : Clean account cache
145136
// TODO : Send Event
146137
return {
147-
// TODO: IAM path needs to be saved
148138
iam_path: iam_path || IAM_DEFAULT_PATH,
149139
username: user_name,
150140
user_id: requested_account._id.toString(),
@@ -156,15 +146,14 @@ class AccountSpaceNB {
156146
async delete_user(params, account_sdk) {
157147
const action = IAM_ACTIONS.DELETE_USER;
158148
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
159-
const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
149+
const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
160150
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
161151
account_util._check_if_account_exists(action, username);
162152
const requested_account = system_store.get_account_by_email(username);
163153
account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
164154
account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
165155
account_util._check_if_user_does_not_have_resources_before_deletion(action, requested_account);
166156
// TODO: DELETE INLINE POLICY : Manually
167-
// TODO: DELETE ACCESS KEY : manually
168157
const req = {
169158
system: system_store.data.systems[0],
170159
account: requested_account,
@@ -182,28 +171,29 @@ class AccountSpaceNB {
182171
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { });
183172
const is_truncated = false; // GAP - no pagination at this point
184173

185-
const root_name = requesting_account.name.unwrap();
186-
// CORE CHANGES PENDING - START
187-
const requesting_account_iam_users = _.filter(system_store.data.accounts, function(acc) {
188-
if (!acc.name.unwrap().includes(IAM_SPLIT_CHARACTERS)) {
174+
175+
const requesting_account_iam_users = _.filter(system_store.data.accounts, function(user) {
176+
if (!user.name.unwrap().includes(IAM_SPLIT_CHARACTERS)) {
189177
return false;
190178
}
191-
return acc.name.unwrap().split(IAM_SPLIT_CHARACTERS)[1] === root_name;
179+
// Check IAM user owner is same as requesting_account id
180+
return user.owner?._id.toString() === requesting_account._id.toString();
192181
});
193182
let members = _.map(requesting_account_iam_users, function(iam_user) {
183+
const iam_username = account_util.get_iam_username(iam_user.name.unwrap());
184+
const iam_path = iam_user.iam_path || IAM_DEFAULT_PATH;
194185
const member = {
195186
user_id: iam_user._id.toString(),
196-
iam_path: iam_user.iam_path || IAM_DEFAULT_PATH,
197-
username: iam_user.name.unwrap().split(IAM_SPLIT_CHARACTERS)[0],
198-
arn: iam_user.iam_arn,
187+
iam_path: iam_path,
188+
username: iam_username,
189+
arn: iam_utils.create_arn_for_user(iam_user.owner?._id.toString(), iam_username, iam_path),
199190
// TODO: GAP Need to save created date
200191
create_date: Date.now(),
201192
// TODO: GAP missing password_last_used
202193
password_last_used: Date.now(), // GAP
203194
};
204195
return member;
205196
});
206-
// CORE CHANGES PENDING - END
207197
members = members.sort((a, b) => a.username.localeCompare(b.username));
208198
return { members, is_truncated };
209199
}
@@ -215,9 +205,10 @@ class AccountSpaceNB {
215205
async create_access_key(params, account_sdk) {
216206
const action = IAM_ACTIONS.CREATE_ACCESS_KEY;
217207
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
218-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
219-
const account_email = params.username ? new SensitiveString(`${params.username}:${requesting_account.name.unwrap()}`) :
220-
account_sdk.requesting_account.email;
208+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
209+
const account_email = params.username ? account_util.get_account_name_from_username(params.username,
210+
requesting_account._id.toString()) :
211+
requesting_account.email;
221212
account_util._check_number_of_access_key_array(action, requested_account);
222213
const req = {
223214
rpc_params: {
@@ -226,7 +217,6 @@ class AccountSpaceNB {
226217
},
227218
account: requesting_account,
228219
};
229-
// CORE CHANGES PENDING - START
230220
let iam_access_key;
231221
try {
232222
iam_access_key = await account_util.generate_account_keys(req);
@@ -237,10 +227,8 @@ class AccountSpaceNB {
237227
throw new IamError({ code, message: message_with_details, http_code, type });
238228
}
239229

240-
// CORE CHANGES PENDING - STOP
241-
242230
return {
243-
username: params.username,
231+
username: account_util.get_iam_username(requested_account.name.unwrap()),
244232
access_key: iam_access_key.access_key.unwrap(),
245233
create_date: iam_access_key.creation_date,
246234
status: ACCESS_KEY_STATUS_ENUM.ACTIVE,
@@ -268,7 +256,7 @@ class AccountSpaceNB {
268256
const action = IAM_ACTIONS.UPDATE_ACCESS_KEY;
269257
const access_key_id = params.access_key;
270258
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
271-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
259+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
272260
account_util._check_access_key_belongs_to_account(action, requested_account, access_key_id);
273261

274262
const updating_access_key_obj = _.find(requested_account.access_keys,
@@ -299,7 +287,7 @@ class AccountSpaceNB {
299287
const access_key_id = params.access_key;
300288
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
301289

302-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
290+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
303291
account_util._check_access_key_belongs_to_account(action, requested_account, access_key_id);
304292
// Filter out the deleting access key from the access key list and save remaining accesskey.
305293
const filtered_access_keys = account_util.get_non_updating_access_key(requested_account, access_key_id);
@@ -320,7 +308,7 @@ class AccountSpaceNB {
320308
async list_access_keys(params, account_sdk) {
321309
const action = IAM_ACTIONS.LIST_ACCESS_KEYS;
322310
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
323-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
311+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
324312

325313
const is_truncated = false; // // GAP - no pagination at this point
326314
let members = account_util._list_access_keys_from_account(requesting_account, requested_account, false);
@@ -336,7 +324,7 @@ class AccountSpaceNB {
336324
async tag_user(params, account_sdk) {
337325
const action = IAM_ACTIONS.TAG_USER;
338326
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
339-
const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
327+
const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
340328

341329
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
342330
account_util._check_if_account_exists(action, username);
@@ -379,7 +367,7 @@ class AccountSpaceNB {
379367
async untag_user(params, account_sdk) {
380368
const action = IAM_ACTIONS.UNTAG_USER;
381369
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
382-
const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
370+
const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
383371

384372
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
385373
account_util._check_if_account_exists(action, username);
@@ -408,7 +396,7 @@ class AccountSpaceNB {
408396
async list_user_tags(params, account_sdk) {
409397
const action = IAM_ACTIONS.LIST_USER_TAGS;
410398
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
411-
const username = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
399+
const username = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
412400

413401
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
414402
account_util._check_if_account_exists(action, username);
@@ -444,7 +432,7 @@ class AccountSpaceNB {
444432
const action = IAM_ACTIONS.PUT_USER_POLICY;
445433
dbg.log1(`AccountSpaceNB.${action}`, params);
446434
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
447-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
435+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
448436
const iam_user_policies = requested_account.iam_user_policies || [];
449437
const index_of_iam_user_policy = account_util._get_iam_user_policy_index(iam_user_policies, params.policy_name);
450438
const iam_user_policy_to_add = {
@@ -473,7 +461,7 @@ class AccountSpaceNB {
473461
const action = IAM_ACTIONS.GET_USER_POLICY;
474462
dbg.log1(`AccountSpaceNB.${action}`, params);
475463
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
476-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
464+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
477465
const iam_user_policies = requested_account.iam_user_policies || [];
478466
const iam_user_policy_index = account_util._check_user_policy_exists(action, iam_user_policies, params.policy_name);
479467
return {
@@ -487,7 +475,7 @@ class AccountSpaceNB {
487475
const action = IAM_ACTIONS.DELETE_USER_POLICY;
488476
dbg.log1(`AccountSpaceNB.${action}`, params);
489477
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
490-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
478+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
491479
const iam_user_policies = requested_account.iam_user_policies || [];
492480
const iam_user_policy_index = account_util._check_user_policy_exists(action, iam_user_policies, params.policy_name);
493481
iam_user_policies.splice(iam_user_policy_index, 1);
@@ -506,7 +494,7 @@ class AccountSpaceNB {
506494
const action = IAM_ACTIONS.LIST_USER_POLICIES;
507495
dbg.log1(`AccountSpaceNB.${action}`, params);
508496
const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
509-
const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
497+
const requested_account = validate_and_return_requested_account(params, action, requesting_account);
510498
const is_truncated = false; // GAP - no pagination at this point
511499
let members = _.map(requested_account.iam_user_policies || [], iam_user_policy => iam_user_policy.policy_name);
512500
members = members.sort((a, b) => a.localeCompare(b));
@@ -518,7 +506,7 @@ class AccountSpaceNB {
518506
}
519507

520508

521-
function validate_and_return_requested_account(params, action, requesting_account, account_sdk) {
509+
function validate_and_return_requested_account(params, action, requesting_account) {
522510
const on_itself = !params.username;
523511
let requested_account;
524512
if (on_itself) {
@@ -527,7 +515,7 @@ function validate_and_return_requested_account(params, action, requesting_accoun
527515
requested_account = requesting_account;
528516
} else {
529517
account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
530-
const account_email = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
518+
const account_email = account_util.get_account_name_from_username(params.username, requesting_account._id.toString());
531519
account_util._check_if_account_exists(action, account_email);
532520
requested_account = system_store.get_account_by_email(account_email);
533521
account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);

0 commit comments

Comments
 (0)