Added support for tags for IAM users

Signed-off-by: Aayush Chouhan <achouhan@redhat.com>

Author: aayushchouhan09

src/endpoint/iam/iam_constants.js

@@ -13,6 +13,9 @@ const IAM_ACTIONS = Object.freeze({
     UPDATE_ACCESS_KEY: 'update_access_key',
     DELETE_ACCESS_KEY: 'delete_access_key',
     LIST_ACCESS_KEYS: 'list_access_keys',
+    TAG_USER: 'tag_user',
+    UNTAG_USER: 'untag_user',
+    LIST_USER_TAGS: 'list_user_tags',
     PUT_USER_POLICY: 'put_user_policy',
     GET_USER_POLICY: 'get_user_policy',
     DELETE_USER_POLICY: 'delete_user_policy',
@@ -33,6 +36,9 @@ const ACTION_MESSAGE_TITLE_MAP = Object.freeze({
     'update_access_key': 'UpdateAccessKey',
     'delete_access_key': 'DeleteAccessKey',
     'list_access_keys': 'ListAccessKeys',
+    'tag_user': 'TagUser',
+    'untag_user': 'UntagUser',
+    'list_user_tags': 'ListUserTags',
     'put_user_policy': 'PutUserPolicy',
     'get_user_policy': 'GetUserPolicy',
     'delete_user_policy': 'DeleteUserPolicy',
@@ -51,6 +57,7 @@ const IDENTITY_ENUM = Object.freeze({
 
 // miscellaneous
 const DEFAULT_MAX_ITEMS = 100;
+const DEFAULT_MAX_TAGS = 50;
 const MAX_NUMBER_OF_ACCESS_KEYS = 2;
 const IAM_DEFAULT_PATH = '/';
 const AWS_NOT_USED = 'N/A'; // can be used in case the region or the service name were not used
@@ -76,6 +83,7 @@ exports.ACTION_MESSAGE_TITLE_MAP = ACTION_MESSAGE_TITLE_MAP;
 exports.ACCESS_KEY_STATUS_ENUM = ACCESS_KEY_STATUS_ENUM;
 exports.IDENTITY_ENUM = IDENTITY_ENUM;
 exports.DEFAULT_MAX_ITEMS = DEFAULT_MAX_ITEMS;
+exports.DEFAULT_MAX_TAGS = DEFAULT_MAX_TAGS;
 exports.MAX_NUMBER_OF_ACCESS_KEYS = MAX_NUMBER_OF_ACCESS_KEYS;
 exports.IAM_DEFAULT_PATH = IAM_DEFAULT_PATH;
 exports.AWS_NOT_USED = AWS_NOT_USED;

src/endpoint/iam/iam_rest.js

@@ -21,6 +21,7 @@ const RPC_ERRORS_TO_IAM = Object.freeze({
     NO_SUCH_ACCOUNT: IamError.AccessDeniedException,
     NO_SUCH_ROLE: IamError.AccessDeniedException,
     VALIDATION_ERROR: IamError.ValidationError,
+    INVALID_INPUT: IamError.InvalidInput,
     MALFORMED_POLICY_DOCUMENT: IamError.MalformedPolicyDocument,
 });
 
@@ -35,6 +36,9 @@ const ACTIONS = Object.freeze({
     'UpdateAccessKey': 'update_access_key',
     'DeleteAccessKey': 'delete_access_key',
     'ListAccessKeys': 'list_access_keys',
+    'TagUser': 'tag_user',
+    'UntagUser': 'untag_user',
+    'ListUserTags': 'list_user_tags',
     'PutUserPolicy': 'put_user_policy',
     'GetUserPolicy': 'get_user_policy',
     'DeleteUserPolicy': 'delete_user_policy',
@@ -65,7 +69,6 @@ const ACTIONS = Object.freeze({
     'ListServiceSpecificCredentials': 'list_service_specific_credentials',
     'ListSigningCertificates': 'list_signing_certificates',
     'ListSSHPublicKeys': 'list_ssh_public_keys',
-    'ListUserTags': 'list_user_tags',
     'ListVirtualMFADevices': 'list_virtual_mfa_devices',
 });
 
@@ -83,6 +86,10 @@ const IAM_OPS = js_utils.deep_freeze({
     post_update_access_key: require('./ops/iam_update_access_key'),
     post_delete_access_key: require('./ops/iam_delete_access_key'),
     post_list_access_keys: require('./ops/iam_list_access_keys'),
+    // user tagging
+    post_tag_user: require('./ops/iam_tag_user'),
+    post_untag_user: require('./ops/iam_untag_user'),
+    post_list_user_tags: require('./ops/iam_list_user_tags'),
     // user policy
     post_put_user_policy: require('./ops/iam_put_user_policy'),
     post_get_user_policy: require('./ops/iam_get_user_policy'),
@@ -115,7 +122,6 @@ const IAM_OPS = js_utils.deep_freeze({
     post_list_service_specific_credentials: require('./ops/iam_list_service_specific_credentials'),
     post_list_signing_certificates: require('./ops/iam_list_signing_certificates'),
     post_list_ssh_public_keys: require('./ops/iam_list_ssh_public_keys'),
-    post_list_user_tags: require('./ops/iam_list_user_tags'),
     post_list_virtual_mfa_devices: require('./ops/iam_list_virtual_mfa_devices'),
 });
 

src/endpoint/iam/iam_utils.js

@@ -81,12 +81,15 @@ function parse_max_items(input_max_items) {
 }
 
 /**
- * validate_params will call the aquivalent function in user or access key
+ * validate_params will call the equivalent function (for example: user, access key, tagging, etc.)
+ * Note: The order of conditions matters - check 'tag' before 'user' to avoid misrouting
  * @param {string} action
  * @param {object} params
  */
 function validate_params(action, params) {
-        if (action.includes('policy') || action.includes('policies')) {
+        if (action.includes('tag')) {
+            validate_tagging_params(action, params);
+        } else if (action.includes('policy') || action.includes('policies')) {
             validate_policy_params(action, params);
         } else if (action.includes('user')) {
             validate_user_params(action, params);
@@ -151,6 +154,27 @@ function validate_access_keys_params(action, params) {
       }
 }
 
+/**
+ * validate_tagging_params will call the equivalent function for each action in tagging API
+ * @param {string} action
+ * @param {object} params
+ */
+function validate_tagging_params(action, params) {
+    switch (action) {
+        case iam_constants.IAM_ACTIONS.TAG_USER:
+            validate_tag_user_params(params);
+          break;
+        case iam_constants.IAM_ACTIONS.UNTAG_USER:
+            validate_untag_user_params(params);
+          break;
+        case iam_constants.IAM_ACTIONS.LIST_USER_TAGS:
+            validate_list_user_tags_params(params);
+          break;
+        default:
+          throw new RpcError('INTERNAL_ERROR', `${action} is not supported`);
+      }
+}
+
 /**
  * validate_policy_params will call the aquivalent function for each action in user policy API
  * @param {string} action
@@ -578,9 +602,107 @@ function translate_rpc_error(err) {
         const { code, http_code, type } = IamError.ValidationError;
         throw new IamError({ code, message: err.message, http_code, type });
     }
+    if (err.rpc_code === 'INVALID_INPUT') {
+        const { code, http_code, type } = IamError.InvalidInput;
+        throw new IamError({ code, message: err.message, http_code, type });
+    }
     throw err;
 }
 
+/**
+ * parse_indexed_members parses indexed array members
+ * generic parser for AWS-style indexed request parameters
+ * @param {object} body - request body
+ * @param {string} base_key - the base key pattern (e.g., 'tags_member_{index}_key)
+ * @param {Function} [mapper] - optional function to convert each item
+ */
+function parse_indexed_members(body, base_key, mapper) {
+    const result = [];
+    let index = 1;
+    let check_key = base_key.replace('{index}', String(index));
+
+    while (body[check_key] !== undefined) {
+        result.push(mapper ? mapper(body, index) : body[check_key]);
+        index += 1;
+        check_key = base_key.replace('{index}', String(index));
+    }
+    return result;
+}
+
+/**
+ * parse_tags_from_request_body parses tags from request body
+ * converts AWS encoded indexed members to array of tag objects
+ * example input: { tags_member_1_key: 'env', tags_member_1_value: 'prod', tags_member_2_key: 'team', tags_member_2_value: 'backend' }
+ * example output: [{ key: 'env', value: 'prod' }, { key: 'team', value: 'backend' }]
+ * @param {object} body - request body
+ * @returns {Array<{key: string, value: string}>} array of tag objects
+ */
+function parse_tags_from_request_body(body) {
+    return parse_indexed_members(
+        body,
+        'tags_member_{index}_key',
+        (req_body, index) => ({
+            key: req_body[`tags_member_${index}_key`],
+            value: req_body[`tags_member_${index}_value`] || ''
+        })
+    );
+}
+
+/**
+ * parse_tag_keys_from_request_body parses tag keys from request body
+ * converts AWS encoded indexed members to array
+ * example input: { tag_keys_member_1: 'env', tag_keys_member_2: 'team' }
+ * example output: ['env', 'team']
+ * @param {object} body - request body
+ * @returns {Array<string>} array of tag keys
+ */
+function parse_tag_keys_from_request_body(body) {
+    return parse_indexed_members(body, 'tag_keys_member_{index}');
+}
+
+/**
+ * validate_tag_user_params checks the params for tag_user action
+ * @param {object} params
+ */
+function validate_tag_user_params(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        validation_utils.validate_iam_tags(params.tags);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
+/**
+ * validate_untag_user_params checks the params for untag_user action
+ * @param {object} params
+ */
+function validate_untag_user_params(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        validation_utils.validate_iam_tag_keys(params.tag_keys);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
+/**
+ * validate_list_user_tags_params checks the params for list_user_tags action
+ * @param {object} params
+ */
+function validate_list_user_tags_params(params) {
+    try {
+        check_required_username(params);
+        validation_utils.validate_username(params.username, iam_constants.IAM_PARAMETER_NAME.USERNAME);
+        validate_marker(params.marker);
+        validate_max_items(params.max_items);
+    } catch (err) {
+        translate_rpc_error(err);
+    }
+}
+
 // EXPORTS
 exports.format_iam_xml_date = format_iam_xml_date;
 exports.create_arn_for_user = create_arn_for_user;
@@ -593,4 +715,10 @@ exports.validate_iam_path = validate_iam_path;
 exports.validate_marker = validate_marker;
 exports.validate_access_key_id = validate_access_key_id;
 exports.validate_status = validate_status;
+exports.parse_indexed_members = parse_indexed_members;
+exports.parse_tags_from_request_body = parse_tags_from_request_body;
+exports.parse_tag_keys_from_request_body = parse_tag_keys_from_request_body;
+exports.validate_tag_user_params = validate_tag_user_params;
+exports.validate_untag_user_params = validate_untag_user_params;
+exports.validate_list_user_tags_params = validate_list_user_tags_params;
 

src/endpoint/iam/ops/iam_list_user_tags.js

@@ -14,20 +14,19 @@ async function list_user_tags(req, res) {
     const params = {
         username: req.body.user_name,
         marker: req.body.marker,
-        max_items: iam_utils.parse_max_items(req.body.max_items) ?? iam_constants.DEFAULT_MAX_ITEMS,
+        max_items: iam_utils.parse_max_items(req.body.max_items) ?? iam_constants.DEFAULT_MAX_TAGS,
     };
 
-    dbg.log1('To check that we have the user we will run the IAM GET USER', params);
-    iam_utils.validate_params(iam_constants.IAM_ACTIONS.GET_USER, params);
-    await req.account_sdk.get_user(params);
-
-    dbg.log1('IAM LIST USER TAGS (returns empty list on every request)', params);
+    dbg.log1('IAM LIST USER TAGS', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.LIST_USER_TAGS, params);
+    const reply = await req.account_sdk.list_user_tags(params);
+    dbg.log2('list_user_tags reply', reply);
 
     return {
         ListUserTagsResponse: {
             ListUserTagsResult: {
-                Tags: [],
-                IsTruncated: false,
+                Tags: reply.tags,
+                IsTruncated: reply.is_truncated
             },
             ResponseMetadata: {
                 RequestId: req.request_id,

src/endpoint/iam/ops/iam_tag_user.js

@@ -0,0 +1,43 @@
+/* Copyright (C) 2024 NooBaa */
+'use strict';
+
+const dbg = require('../../../util/debug_module')(__filename);
+const iam_utils = require('../iam_utils');
+const iam_constants = require('../iam_constants');
+const { CONTENT_TYPE_APP_FORM_URLENCODED } = require('../../../util/http_utils');
+
+/**
+ * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagUser.html
+ */
+async function tag_user(req, res) {
+
+    // parse tags from AWS encoded format
+    // input: { tags_member_1_key: 'env', tags_member_1_value: 'prod', ... }
+    // output: [{ key: 'env', value: 'prod' }, ...]
+    const params = {
+        username: req.body.user_name,
+        tags: iam_utils.parse_tags_from_request_body(req.body),
+    };
+
+    dbg.log1('IAM TAG USER', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.TAG_USER, params);
+    await req.account_sdk.tag_user(params);
+
+    return {
+        TagUserResponse: {
+            ResponseMetadata: {
+                RequestId: req.request_id,
+            }
+        },
+    };
+}
+
+module.exports = {
+    handler: tag_user,
+    body: {
+        type: CONTENT_TYPE_APP_FORM_URLENCODED,
+    },
+    reply: {
+        type: 'xml',
+    },
+};

src/endpoint/iam/ops/iam_untag_user.js

@@ -0,0 +1,43 @@
+/* Copyright (C) 2024 NooBaa */
+'use strict';
+
+const dbg = require('../../../util/debug_module')(__filename);
+const iam_utils = require('../iam_utils');
+const iam_constants = require('../iam_constants');
+const { CONTENT_TYPE_APP_FORM_URLENCODED } = require('../../../util/http_utils');
+
+/**
+ * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagUser.html
+ */
+async function untag_user(req, res) {
+
+    // parse tag keys from AWS encoded format
+    // input: { tag_keys_member_1: 'env', tag_keys_member_2: 'team', ... }
+    // output: ['env', 'team', ...]
+    const params = {
+        username: req.body.user_name,
+        tag_keys: iam_utils.parse_tag_keys_from_request_body(req.body),
+    };
+
+    dbg.log1('IAM UNTAG USER', params);
+    iam_utils.validate_params(iam_constants.IAM_ACTIONS.UNTAG_USER, params);
+    await req.account_sdk.untag_user(params);
+
+    return {
+        UntagUserResponse: {
+            ResponseMetadata: {
+                RequestId: req.request_id,
+            }
+        },
+    };
+}
+
+module.exports = {
+    handler: untag_user,
+    body: {
+        type: CONTENT_TYPE_APP_FORM_URLENCODED,
+    },
+    reply: {
+        type: 'xml',
+    },
+};

src/sdk/account_sdk.js

@@ -117,6 +117,25 @@ class AccountSDK {
         return accountspace.list_users(params, this);
     }
 
+    ////////////
+    // TAGS   //
+    ////////////
+
+    async tag_user(params) {
+        const accountspace = this._get_accountspace();
+        return accountspace.tag_user(params, this);
+    }
+
+    async untag_user(params) {
+        const accountspace = this._get_accountspace();
+        return accountspace.untag_user(params, this);
+    }
+
+    async list_user_tags(params) {
+        const accountspace = this._get_accountspace();
+        return accountspace.list_user_tags(params, this);
+    }
+
     ////////////////
     // ACCESS KEY //
     ////////////////