mirror of
https://github.com/pgsty/minio.git
synced 2026-07-19 12:10:24 +03:00
fix: IAM LDAP access key import bug (#19608)
When importing access keys (i.e. service accounts) for LDAP accounts, we are requiring groups to exist under one of the configured group base DNs. This is not correct. This change fixes this by only checking for existence and storing the normalized form of the group DN - we do not return an error if the group is not under a base DN. Test is updated to illustrate an import failure that would happen without this change.
This commit is contained in:
committed by
GitHub
parent
3212d0c8cd
commit
62c3cdee75
@@ -222,9 +222,8 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
|
||||
err error
|
||||
)
|
||||
|
||||
// If we are creating svc account for request sender, ensure
|
||||
// that targetUser is a real user (i.e. not derived
|
||||
// credentials).
|
||||
// If we are creating svc account for request sender, ensure that targetUser
|
||||
// is a real user (i.e. not derived credentials).
|
||||
if isSvcAccForRequestor {
|
||||
if requestorIsDerivedCredential {
|
||||
if requestorParentUser == "" {
|
||||
|
||||
@@ -1632,9 +1632,10 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
|
||||
var err error
|
||||
if isGroup {
|
||||
var foundGroupDN string
|
||||
if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
|
||||
var underBaseDN bool
|
||||
if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
|
||||
iamLogIf(ctx, err)
|
||||
} else if foundGroupDN == "" {
|
||||
} else if foundGroupDN == "" || !underBaseDN {
|
||||
err = errNoSuchGroup
|
||||
}
|
||||
entityName = foundGroupDN
|
||||
|
||||
+16
-11
@@ -1503,12 +1503,14 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
|
||||
|
||||
hasDiff := false
|
||||
|
||||
validatedParent, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
|
||||
// For the parent value, we require that the parent exists in the LDAP
|
||||
// server and is under a configured base DN.
|
||||
validatedParent, isUnderBaseDN, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
|
||||
if err != nil {
|
||||
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", parent, err))
|
||||
continue
|
||||
}
|
||||
if validatedParent == "" {
|
||||
if validatedParent == "" || !isUnderBaseDN {
|
||||
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", parent)
|
||||
collectedErrors = append(collectedErrors, err)
|
||||
continue
|
||||
@@ -1518,9 +1520,11 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
|
||||
hasDiff = true
|
||||
}
|
||||
|
||||
var validatedGroups []string
|
||||
var normalizedGroups []string
|
||||
for _, group := range groups {
|
||||
validatedGroup, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
|
||||
// For a group, we store the normalized DN even if it not under a
|
||||
// configured base DN.
|
||||
validatedGroup, _, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
|
||||
if err != nil {
|
||||
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", group, err))
|
||||
continue
|
||||
@@ -1534,13 +1538,13 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
|
||||
if validatedGroup != group {
|
||||
hasDiff = true
|
||||
}
|
||||
validatedGroups = append(validatedGroups, validatedGroup)
|
||||
normalizedGroups = append(normalizedGroups, validatedGroup)
|
||||
}
|
||||
|
||||
if hasDiff {
|
||||
updatedCreateReq := createReq
|
||||
updatedCreateReq.Parent = validatedParent
|
||||
updatedCreateReq.Groups = validatedGroups
|
||||
updatedCreateReq.Groups = normalizedGroups
|
||||
|
||||
updatedKeysMap[ak] = updatedCreateReq
|
||||
}
|
||||
@@ -1611,7 +1615,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
|
||||
|
||||
// We map keys that correspond to LDAP DNs and validate that they exist in
|
||||
// the LDAP server.
|
||||
var dnValidator func(*libldap.Conn, string) (string, error) = sys.LDAPConfig.GetValidatedUserDN
|
||||
var dnValidator func(*libldap.Conn, string) (string, bool, error) = sys.LDAPConfig.GetValidatedUserDN
|
||||
if isGroup {
|
||||
dnValidator = sys.LDAPConfig.GetValidatedGroupDN
|
||||
}
|
||||
@@ -1625,12 +1629,12 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
|
||||
// not a valid DN, ignore.
|
||||
continue
|
||||
}
|
||||
validatedDN, err := dnValidator(conn, k)
|
||||
validatedDN, underBaseDN, err := dnValidator(conn, k)
|
||||
if err != nil {
|
||||
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", k, err))
|
||||
continue
|
||||
}
|
||||
if validatedDN == "" {
|
||||
if validatedDN == "" || !underBaseDN {
|
||||
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", k)
|
||||
collectedErrors = append(collectedErrors, err)
|
||||
continue
|
||||
@@ -1949,10 +1953,11 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
|
||||
} else {
|
||||
if isAttach {
|
||||
var foundGroupDN string
|
||||
if foundGroupDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
|
||||
var underBaseDN bool
|
||||
if foundGroupDN, underBaseDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
|
||||
iamLogIf(ctx, err)
|
||||
return
|
||||
} else if foundGroupDN == "" {
|
||||
} else if foundGroupDN == "" || !underBaseDN {
|
||||
err = errNoSuchGroup
|
||||
return
|
||||
}
|
||||
|
||||
@@ -1441,9 +1441,10 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
|
||||
var err error
|
||||
if isGroup {
|
||||
var foundGroupDN string
|
||||
if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
|
||||
var underBaseDN bool
|
||||
if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
|
||||
iamLogIf(ctx, err)
|
||||
} else if foundGroupDN == "" {
|
||||
} else if foundGroupDN == "" || !underBaseDN {
|
||||
err = errNoSuchGroup
|
||||
}
|
||||
entityName = foundGroupDN
|
||||
|
||||
@@ -829,12 +829,14 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
|
||||
}
|
||||
}
|
||||
`,
|
||||
// The `cn=projecty,..` group below is not under a configured DN, but we
|
||||
// should still import without an error.
|
||||
allSvcAcctsFile: `{
|
||||
"u4ccRswj62HV3Ifwima7": {
|
||||
"parent": "uid=svc.algorithm,OU=swengg,DC=min,DC=io",
|
||||
"accessKey": "u4ccRswj62HV3Ifwima7",
|
||||
"secretKey": "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
|
||||
"groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io"],
|
||||
"groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io", "cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io"],
|
||||
"claims": {
|
||||
"accessKey": "u4ccRswj62HV3Ifwima7",
|
||||
"ldapUser": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",
|
||||
|
||||
Reference in New Issue
Block a user