fix: IAM LDAP access key import bug (#19608)

When importing access keys (i.e. service accounts) for LDAP accounts,
we are requiring groups to exist under one of the configured group base
DNs. This is not correct. This change fixes this by only checking for
existence and storing the normalized form of the group DN - we do not
return an error if the group is not under a base DN.

Test is updated to illustrate an import failure that would happen
without this change.
This commit is contained in:
Aditya Manthramurthy
2024-04-25 08:50:16 -07:00
committed by GitHub
parent 3212d0c8cd
commit 62c3cdee75
6 changed files with 62 additions and 38 deletions
+2 -3
View File
@@ -222,9 +222,8 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
err error
)
// If we are creating svc account for request sender, ensure
// that targetUser is a real user (i.e. not derived
// credentials).
// If we are creating svc account for request sender, ensure that targetUser
// is a real user (i.e. not derived credentials).
if isSvcAccForRequestor {
if requestorIsDerivedCredential {
if requestorParentUser == "" {
+3 -2
View File
@@ -1632,9 +1632,10 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
var err error
if isGroup {
var foundGroupDN string
if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
var underBaseDN bool
if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
iamLogIf(ctx, err)
} else if foundGroupDN == "" {
} else if foundGroupDN == "" || !underBaseDN {
err = errNoSuchGroup
}
entityName = foundGroupDN
+16 -11
View File
@@ -1503,12 +1503,14 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
hasDiff := false
validatedParent, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
// For the parent value, we require that the parent exists in the LDAP
// server and is under a configured base DN.
validatedParent, isUnderBaseDN, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
if err != nil {
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", parent, err))
continue
}
if validatedParent == "" {
if validatedParent == "" || !isUnderBaseDN {
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", parent)
collectedErrors = append(collectedErrors, err)
continue
@@ -1518,9 +1520,11 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
hasDiff = true
}
var validatedGroups []string
var normalizedGroups []string
for _, group := range groups {
validatedGroup, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
// For a group, we store the normalized DN even if it not under a
// configured base DN.
validatedGroup, _, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
if err != nil {
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", group, err))
continue
@@ -1534,13 +1538,13 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
if validatedGroup != group {
hasDiff = true
}
validatedGroups = append(validatedGroups, validatedGroup)
normalizedGroups = append(normalizedGroups, validatedGroup)
}
if hasDiff {
updatedCreateReq := createReq
updatedCreateReq.Parent = validatedParent
updatedCreateReq.Groups = validatedGroups
updatedCreateReq.Groups = normalizedGroups
updatedKeysMap[ak] = updatedCreateReq
}
@@ -1611,7 +1615,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
// We map keys that correspond to LDAP DNs and validate that they exist in
// the LDAP server.
var dnValidator func(*libldap.Conn, string) (string, error) = sys.LDAPConfig.GetValidatedUserDN
var dnValidator func(*libldap.Conn, string) (string, bool, error) = sys.LDAPConfig.GetValidatedUserDN
if isGroup {
dnValidator = sys.LDAPConfig.GetValidatedGroupDN
}
@@ -1625,12 +1629,12 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
// not a valid DN, ignore.
continue
}
validatedDN, err := dnValidator(conn, k)
validatedDN, underBaseDN, err := dnValidator(conn, k)
if err != nil {
collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", k, err))
continue
}
if validatedDN == "" {
if validatedDN == "" || !underBaseDN {
err := fmt.Errorf("DN `%s` was not found in the LDAP directory", k)
collectedErrors = append(collectedErrors, err)
continue
@@ -1949,10 +1953,11 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
} else {
if isAttach {
var foundGroupDN string
if foundGroupDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
var underBaseDN bool
if foundGroupDN, underBaseDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
iamLogIf(ctx, err)
return
} else if foundGroupDN == "" {
} else if foundGroupDN == "" || !underBaseDN {
err = errNoSuchGroup
return
}
+3 -2
View File
@@ -1441,9 +1441,10 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
var err error
if isGroup {
var foundGroupDN string
if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
var underBaseDN bool
if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
iamLogIf(ctx, err)
} else if foundGroupDN == "" {
} else if foundGroupDN == "" || !underBaseDN {
err = errNoSuchGroup
}
entityName = foundGroupDN
+3 -1
View File
@@ -829,12 +829,14 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
}
}
`,
// The `cn=projecty,..` group below is not under a configured DN, but we
// should still import without an error.
allSvcAcctsFile: `{
"u4ccRswj62HV3Ifwima7": {
"parent": "uid=svc.algorithm,OU=swengg,DC=min,DC=io",
"accessKey": "u4ccRswj62HV3Ifwima7",
"secretKey": "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
"groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io"],
"groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io", "cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io"],
"claims": {
"accessKey": "u4ccRswj62HV3Ifwima7",
"ldapUser": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",