
[sec] Match ${aws:username} exactly instead of prefix match #7791

Merged (1 commit), Jun 15, 2019

Conversation

harshavardhana
Member

Description

[sec] Match ${aws:username} exactly instead of prefix match

Motivation and Context

This PR fixes a security issue where an IAM user
is granted more privileges than the user's IAM
policy allows.

This is due to an issue in the prefix-based Matcher()
function, which was incorrectly matching on resource
prefixes instead of requiring an exact match.

Regression

No, this bug was introduced in the IAM implementation PR 54ae364.

How Has This Been Tested?

Using the following reproducer

usernamepolicy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}/*"
      ]
    }
  ]
}
Steps to reproduce:
1. Start minio in server mode.  Version: 2019-06-13T01:41:13Z
./minio server /data

2. Add the host to mc.
./mc config host add minio http://127.0.0.1:9000 accesskey secretkey

3. Create a policy (use the example from issue 7769).
./mc admin policy add minio usernamepolicy usernamepolicy.json

4. Create some users using the policy.
./mc admin user add minio jack jack12345 usernamepolicy
./mc admin user add minio jackie jackie12345 usernamepolicy
./mc admin user add minio jackson jackson12345 usernamepolicy
./mc admin user add minio jill jill12345 usernamepolicy

5. Create some buckets.  Use the admin account because the custom policy doesn't allow bucket creation.
./mc mb minio/jack
./mc mb minio/jackie
./mc mb minio/jackson
./mc mb minio/jill

6. Add the hosts, using the individual user accounts.
./mc config host add minio-jack http://127.0.0.1:9000 jack jack12345 --api s3v4
./mc config host add minio-jackie http://127.0.0.1:9000 jackie jackie12345 --api s3v4
./mc config host add minio-jackson http://127.0.0.1:9000 jackson jackson12345 --api s3v4
./mc config host add minio-jill http://127.0.0.1:9000 jill jill12345 --api s3v4

7. Upload a test file into each bucket.  This step isn't required, but is useful for testing.
touch test.txt
./mc cp test.txt minio-jack/jack
./mc cp test.txt minio-jackie/jackie
./mc cp test.txt minio-jackson/jackson
./mc cp test.txt minio-jill/jill

8. Login to the web UI as jackie, jackson or jill.  You only see the bucket that matches your username.

9. Login to the web UI as jack.  You see three buckets and the test file in each one: jack, jackie, jackson.  Same behavior when using the CLI.
./mc ls minio-jack/jack
./mc ls minio-jack/jackie
./mc ls minio-jack/jackson
./mc ls minio-jack/jill # this times out because access is denied, as expected

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added unit tests to cover my changes.
  • I have added/updated functional tests in mint. (If yes, add mint PR # here: )
  • All new and existing tests passed.

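The defect the PR description and reproducer above describe, as an added illustration that is not MinIO's pkg/iam/policy code: a toy resource matcher in Go that first substitutes ${aws:username} into the policy's Resource pattern and then either prefix-matches it (a model of the pre-fix behaviour this PR removes) or requires an exact match, falling back to glob matching only when the pattern itself contains '*' (a model of the fixed behaviour). The function names, the choice to model only the ${aws:username} variable, and the assumption that usernames never contain wildcard characters are all assumptions of this example, not the project's.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration of the bug fixed in this PR; this is not MinIO's
// pkg/iam/policy code. Only the "${aws:username}" variable is modelled,
// and usernames are assumed not to contain wildcard characters.

const usernameVar = "${aws:username}"

// expand substitutes the caller's username into a policy resource pattern.
// An empty username is not substituted, so the pattern keeps the literal
// variable and cannot match any real resource.
func expand(pattern, username string) string {
	if username == "" {
		return pattern
	}
	return strings.ReplaceAll(pattern, usernameVar, username)
}

// matchPrefix models the pre-fix matcher: the expanded pattern is accepted
// whenever it is a prefix of the requested resource, so the bucket pattern
// expanded for user "jack" also admits the buckets "jackie" and "jackson".
func matchPrefix(pattern, username, resource string) bool {
	return strings.HasPrefix(resource, expand(pattern, username))
}

// matchExact models the fixed matcher: a pattern without wildcards must equal
// the resource byte for byte; a pattern with '*' is matched as a glob, which is
// what lets "arn:aws:s3:::jack/*" cover every object key under bucket jack.
func matchExact(pattern, username, resource string) bool {
	p := expand(pattern, username)
	if !strings.Contains(p, "*") {
		return p == resource
	}
	return globMatch(p, resource)
}

// globMatch reports whether s matches pattern, where '*' matches any run of
// bytes (including '/') and every other byte must match literally.
func globMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		// '*' consumes zero bytes, or one byte and tries again.
		return globMatch(pattern[1:], s) || (s != "" && globMatch(pattern, s[1:]))
	}
	if s == "" || s[0] != pattern[0] {
		return false
	}
	return globMatch(pattern[1:], s[1:])
}

// visibleBuckets returns the buckets on which user may call s3:ListBucket under
// the bucket-level statement of usernamepolicy.json, evaluated with match.
func visibleBuckets(match func(pattern, username, resource string) bool, user string, buckets []string) []string {
	var out []string
	for _, b := range buckets {
		if match("arn:aws:s3:::"+usernameVar, user, "arn:aws:s3:::"+b) {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	// Constructed inputs mirroring the reproducer: one bucket per user.
	buckets := []string{"jack", "jackie", "jackson", "jill"}
	for _, user := range []string{"jack", "jackie", "jill"} {
		fmt.Printf("%-7s prefix match: %v\n", user, visibleBuckets(matchPrefix, user, buckets))
		fmt.Printf("%-7s exact match:  %v\n", user, visibleBuckets(matchExact, user, buckets))
	}
	// Object-level statement: "arn:aws:s3:::${aws:username}/*".
	obj := "arn:aws:s3:::" + usernameVar + "/*"
	fmt.Println("jack GetObject jack/test.txt:  ", matchExact(obj, "jack", "arn:aws:s3:::jack/test.txt"))
	fmt.Println("jack GetObject jackie/test.txt:", matchExact(obj, "jack", "arn:aws:s3:::jackie/test.txt"))
}
```

For user jack, visibleBuckets returns [jack jackie jackson] under the prefix matcher and [jack] under the exact matcher, which is exactly the difference between step 9 and step 8 of the reproducer; for jackie and jill both matchers return only their own bucket, because no other bucket name starts with their username. The object-level pattern still needs glob handling after substitution so that the trailing /* covers every key in the user's own bucket while a sibling bucket such as jackie/ is rejected at the first differing byte. A practitioner hardening a matcher like this should also reject substituted values that contain '*' or '?', since a username carrying a wildcard would otherwise widen the pattern after substitution.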
@harshavardhana
Member Author

This is a high-priority fix, @aead @kannappanr, and we need to make a security release.

This PR fixes a security issue where an IAM user
is granted more privileges than the user's IAM
policy allows.

This is due to an issue in the prefix-based Matcher()
function, which was incorrectly matching on resource
prefixes instead of requiring an exact match.
Member

@aead aead left a comment


Nice finding @harshavardhana 👍

@minio-ops

Mint Automation

Test Result
mint-compression-xl.sh ✔️
mint-xl.sh ✔️
mint-compression-dist-xl.sh ✔️
mint-worm.sh ✔️
mint-fs.sh ✔️
mint-gateway-nas.sh ✔️
mint-large-bucket.sh more...
mint-compression-fs.sh more...
mint-dist-xl.sh more...

7791-eff12a2/mint-large-bucket.sh.log:

Running with
SERVER_ENDPOINT:      72.28.97.60:32332
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp b1e770ae0298:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 12 minutes and 49 seconds
(4/14) Running aws-sdk-ruby tests ... done in 26 seconds
(5/14) Running awscli tests ... done in 2 minutes and 17 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... FAILED in 1 minutes and 48 seconds
{
  "name": "mc",
  "duration": "60291",
  "function": "test_mirror_list_objects_storage_class",
  "status": "FAIL",
  "error": "/mint/run/core/mc/mc --config-dir /tmp/.mc-29747 --quiet --no-color mirror --storage-class REDUCED_REDUNDANCY /mint/data myminio/mc-test-bucket-30545  >>> \n`/mint/data/datafile-1-MB` -> `myminio/mc-test-bucket-30545/datafile-1-MB`\n`/mint/data/datafile-0-b` -> `myminio/mc-test-bucket-30545/datafile-0-b`\n`/mint/data/datafile-1-kB` -> `myminio/mc-test-bucket-30545/datafile-1-kB`\n`/mint/data/datafile-1-b` -> `myminio/mc-test-bucket-30545/datafile-1-b`\n`/mint/data/datafile-10-MB` -> `myminio/mc-test-bucket-30545/datafile-10-MB`\n`/mint/data/datafile-1.03-MB` -> `myminio/mc-test-bucket-30545/datafile-1.03-MB`\n`/mint/data/datafile-100-kB` -> `myminio/mc-test-bucket-30545/datafile-100-kB`\n`/mint/data/datafile-10-kB` -> `myminio/mc-test-bucket-30545/datafile-10-kB`\n`/mint/data/datafile-11-MB` -> `myminio/mc-test-bucket-30545/datafile-11-MB`\n`/mint/data/datafile-129-MB` -> `myminio/mc-test-bucket-30545/datafile-129-MB`\n`/mint/data/datafile-5-MB` -> `myminio/mc-test-bucket-30545/datafile-5-MB`\n`/mint/data/datafile-33-kB` -> `myminio/mc-test-bucket-30545/datafile-33-kB`\n`/mint/data/datafile-5243880-b` -> `myminio/mc-test-bucket-30545/datafile-5243880-b`\n`/mint/data/datafile-6-MB` -> `myminio/mc-test-bucket-30545/datafile-6-MB`\n`/mint/data/datafile-65-MB` -> `myminio/mc-test-bucket-30545/datafile-65-MB`\nmc: <ERROR> Failed to copy `/mint/data/datafile-129-MB`. Please reduce your request\nTotal: 233.17 MiB, Transferred: 717.05 MiB, Speed: 11.91 MiB/s"
}

Executed 6 out of 14 tests successfully.

7791-eff12a2/mint-dist-xl.sh.log:

Running with
SERVER_ENDPOINT:      72.28.97.56:30247
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp d8e62baa35f0:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 3 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 2 minutes and 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 56 seconds
(5/14) Running awscli tests ... done in 3 minutes and 41 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 2 minutes and 30 seconds
(8/14) Running minio-dotnet tests ... done in 3 minutes and 11 seconds
(9/14) Running minio-go tests ... done in 6 minutes and 11 seconds
(10/14) Running minio-java tests ... FAILED in 8 minutes and 6 seconds
{
  "name": "minio-java",
  "function": "listIncompleteUploads(final String bucketName, final String prefix, final boolean recursive)",
  "args": "prefix: minio, recursive: true",
  "duration": 2537,
  "status": "FAIL",
  "error": "error occurred\nErrorResponse(code=SlowDown, message=Please reduce your request, bucketName=minio-java-test-fs04vh, objectName=minio-java-test-2536qsr, resource=/minio-java-test-fs04vh/minio-java-test-2536qsr, requestId=15A85A0D1D90EBF5, hostId=da026052-4f22-4b10-881b-7f9fb90b452c)\nrequest={method=DELETE, url=http://72.28.97.56:30247/minio-java-test-fs04vh/minio-java-test-2536qsr?uploadId=f24bfca5-7132-40af-80b7-5f11791b4340, headers=Host: 72.28.97.56:30247\nUser-Agent: MinIO (amd64; amd64) minio-java/dev\nx-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\nx-amz-date: 20190615T105803Z\nAuthorization: AWS4-HMAC-SHA256 Credential=*REDACTED*/20190615/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=*REDACTED*\n}\nresponse={code=503, headers=Accept-Ranges: bytes\nContent-Length: 361\nContent-Security-Policy: block-all-mixed-content\nContent-Type: application/xml\nRetry-After: 120\nServer: MinIO/DEVELOPMENT.2019-06-15T10-17-33Z\nVary: Origin\nX-Amz-Request-Id: 15A85A0D1D90EBF5\nX-Minio-Deployment-Id: da026052-4f22-4b10-881b-7f9fb90b452c\nX-Xss-Protection: 1; mode=block\nDate: Sat, 15 Jun 2019 10:58:03 GMT\n}\n >>> [io.minio.MinioClient.executeReq(MinioClient.java:1204), io.minio.MinioClient.execute(MinioClient.java:1070), io.minio.MinioClient.executeDelete(MinioClient.java:1347), io.minio.MinioClient.abortMultipartUpload(MinioClient.java:5149), io.minio.MinioClient.putObject(MinioClient.java:4337), io.minio.MinioClient.putObject(MinioClient.java:4183), FunctionalTest.listIncompleteUploads_test3(FunctionalTest.java:1679), FunctionalTest.runTests(FunctionalTest.java:2990), FunctionalTest.main(FunctionalTest.java:3118)]"
}

Executed 9 out of 14 tests successfully.

7791-eff12a2/mint-compression-fs.sh.log:

Running with
SERVER_ENDPOINT:      72.28.97.57:32006
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp 4d95466678bc:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... FAILED in 3 seconds
{
  "alert": "",
  "args": {
    "bucketName": "aws-sdk-go-test-ddkpgfm1nsdspo",
    "expiry": 60000000000,
    "objectName": "presignedTest"
  },
  "duration": 3075,
  "error": "RequestError: send request failed\ncaused by: Put http://72.28.97.57:32006/aws-sdk-go-test-ddkpgfm1nsdspo: dial tcp 72.28.97.57:32006: connect: no route to host",
  "function": "PresignedPut",
  "message": "AWS SDK Go CreateBucket Failed",
  "name": "aws-sdk-go",
  "status": "FAIL"
}

Executed 0 out of 14 tests successfully.

Contributor

@kannappanr kannappanr left a comment


Tested. LGTM

@krishnasrinivas
Contributor

I was doing some testing; there is some issue (might not be related to this fix):

krishna@escape:~$ mc --json admin policy list myminio 
{
 "status": "success",
 "policy": "."
}
{
 "status": "success",
 "policy": "readonly"
}
{
 "status": "success",
 "policy": "readwrite"
}
{
 "status": "success",
 "policy": "writeonly"
}
krishna@escape:~$

observe the entry:

{
 "status": "success",
 "policy": "."
}

Need to see how it can be reproduced.

@harshavardhana
Member Author


observe the entry:

{
 "status": "success",
 "policy": "."
}

need to see how it can be reproduced

This is already fixed, @krishnasrinivas; we made a release after this fix, b4ab778.

You are on old commits...

@codecov

codecov bot commented Jun 15, 2019

Codecov Report

Merging #7791 into master will increase coverage by 0.4%.
The diff coverage is 100%.


@@            Coverage Diff            @@
##           master    #7791     +/-   ##
=========================================
+ Coverage   45.89%   46.29%   +0.4%     
=========================================
  Files         284      300     +16     
  Lines       48016    48359    +343     
=========================================
+ Hits        22038    22390    +352     
+ Misses      23910    23887     -23     
- Partials     2068     2082     +14
Impacted Files Coverage Δ
pkg/iam/policy/resource.go 95.45% <100%> (ø) ⬆️
pkg/cgroup/linux.go 37.5% <0%> (ø)
cmd/posix-dirent-ino.go 100% <0%> (ø)
cmd/posix-list-dir_unix.go 75% <0%> (ø)
pkg/sys/rlimit-file_nix.go 100% <0%> (ø)
pkg/disk/type_linux.go 66.66% <0%> (ø)
pkg/ioutil/append-file_nix.go 66.66% <0%> (ø)
pkg/disk/root-disk-unix.go 0% <0%> (ø)
pkg/disk/stat_linux.go 84.61% <0%> (ø)
pkg/mountinfo/mountinfo_linux.go 75.38% <0%> (ø)
... and 22 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 510ec15...3cffe20.

@kannappanr kannappanr merged commit 99bf4d0 into minio:master Jun 15, 2019
@harshavardhana harshavardhana deleted the fix-policy branch June 15, 2019 18:27
aead pushed a commit that referenced this pull request Jun 17, 2019
This PR fixes a security issue where an IAM user
is granted more privileges than the user's IAM
policy allows.

This is due to an issue in the prefix-based Matcher()
function, which was incorrectly matching on resource
prefixes instead of requiring an exact match.