ldap: Create services accounts for LDAP and STS temp accounts (#11808)

2025-11-20 01:50:24 -05:00 · 2021-04-15 06:51:14 +01:00
parent b70c298c27
commit 291d2793ca
12 changed files with 731 additions and 178 deletions
--- a/pkg/auth/credentials.go
+++ b/pkg/auth/credentials.go
@@ -28,6 +28,7 @@ import (
 	"time"

 	jwtgo "github.com/dgrijalva/jwt-go"
+	"github.com/minio/minio/cmd/jwt"
 )

 const (
@@ -210,16 +211,33 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	for i := 0; i < accessKeyMaxLen; i++ {
 		keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]
 	}
-	cred.AccessKey = string(keyBytes)
+	accessKey := string(keyBytes)

 	// Generate secret key.
 	keyBytes, err = readBytes(secretKeyMaxLen)
 	if err != nil {
 		return cred, err
 	}
-	cred.SecretKey = strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]),
+
+	secretKey := strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]),
 		"/", "+", -1)

+	return CreateNewCredentialsWithMetadata(accessKey, secretKey, m, tokenSecret)
+}
+
+// CreateNewCredentialsWithMetadata - creates new credentials using the specified access & secret keys
+// and generate a session token if a secret token is provided.
+func CreateNewCredentialsWithMetadata(accessKey, secretKey string, m map[string]interface{}, tokenSecret string) (cred Credentials, err error) {
+	if len(accessKey) < accessKeyMinLen || len(accessKey) > accessKeyMaxLen {
+		return Credentials{}, fmt.Errorf("access key length should be between %d and %d", accessKeyMinLen, accessKeyMaxLen)
+	}
+
+	if len(secretKey) < secretKeyMinLen || len(secretKey) > secretKeyMaxLen {
+		return Credentials{}, fmt.Errorf("secret key length should be between %d and %d", secretKeyMinLen, secretKeyMaxLen)
+	}
+
+	cred.AccessKey = accessKey
+	cred.SecretKey = secretKey
 	cred.Status = AccountOn

 	if tokenSecret == "" {
@@ -231,12 +249,9 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	if err != nil {
 		return cred, err
 	}
-
-	m["accessKey"] = cred.AccessKey
-	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
-
 	cred.Expiration = time.Unix(expiry, 0).UTC()
-	cred.SessionToken, err = jwt.SignedString([]byte(tokenSecret))
+
+	cred.SessionToken, err = JWTSignWithAccessKey(cred.AccessKey, m, tokenSecret)
 	if err != nil {
 		return cred, err
 	}
@@ -244,6 +259,31 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	return cred, nil
 }

+// JWTSignWithAccessKey - generates a session token.
+func JWTSignWithAccessKey(accessKey string, m map[string]interface{}, tokenSecret string) (string, error) {
+	m["accessKey"] = accessKey
+	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
+	return jwt.SignedString([]byte(tokenSecret))
+}
+
+// ExtractClaims extracts JWT claims from a security token using a secret key
+func ExtractClaims(token, secretKey string) (*jwt.MapClaims, error) {
+	if token == "" || secretKey == "" {
+		return nil, errors.New("invalid argument")
+	}
+
+	claims := jwt.NewMapClaims()
+	stsTokenCallback := func(claims *jwt.MapClaims) ([]byte, error) {
+		return []byte(secretKey), nil
+	}
+
+	if err := jwt.ParseWithClaims(token, claims, stsTokenCallback); err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
 // GetNewCredentials generates and returns new credential.
 func GetNewCredentials() (cred Credentials, err error) {
 	return GetNewCredentialsWithMetadata(map[string]interface{}{}, "")
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@@ -77,6 +77,17 @@ const (
 	// GetUserAdminAction - allows GET permission on user info
 	GetUserAdminAction = "admin:GetUser"

+	// Service account Actions
+
+	// CreateServiceAccountAdminAction - allow create a service account for a user
+	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
+	// UpdateServiceAccountAdminAction - allow updating a service account
+	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
+	// RemoveServiceAccountAdminAction - allow removing a service account
+	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
+	// ListServiceAccountsAdminAction - allow listing service accounts
+	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"
+
 	// Group Actions

 	// AddUserToGroupAdminAction - allow adding user to group permission
@@ -125,43 +136,47 @@ const (

 // List of all supported admin actions.
 var supportedAdminActions = map[AdminAction]struct{}{
-	HealAdminAction:                {},
-	StorageInfoAdminAction:         {},
-	DataUsageInfoAdminAction:       {},
-	TopLocksAdminAction:            {},
-	ProfilingAdminAction:           {},
-	TraceAdminAction:               {},
-	ConsoleLogAdminAction:          {},
-	KMSKeyStatusAdminAction:        {},
-	ServerInfoAdminAction:          {},
-	HealthInfoAdminAction:          {},
-	BandwidthMonitorAction:         {},
-	ServerUpdateAdminAction:        {},
-	ServiceRestartAdminAction:      {},
-	ServiceStopAdminAction:         {},
-	ConfigUpdateAdminAction:        {},
-	CreateUserAdminAction:          {},
-	DeleteUserAdminAction:          {},
-	ListUsersAdminAction:           {},
-	EnableUserAdminAction:          {},
-	DisableUserAdminAction:         {},
-	GetUserAdminAction:             {},
-	AddUserToGroupAdminAction:      {},
-	RemoveUserFromGroupAdminAction: {},
-	GetGroupAdminAction:            {},
-	ListGroupsAdminAction:          {},
-	EnableGroupAdminAction:         {},
-	DisableGroupAdminAction:        {},
-	CreatePolicyAdminAction:        {},
-	DeletePolicyAdminAction:        {},
-	GetPolicyAdminAction:           {},
-	AttachPolicyAdminAction:        {},
-	ListUserPoliciesAdminAction:    {},
-	SetBucketQuotaAdminAction:      {},
-	GetBucketQuotaAdminAction:      {},
-	SetBucketTargetAction:          {},
-	GetBucketTargetAction:          {},
-	AllAdminActions:                {},
+	HealAdminAction:                 {},
+	StorageInfoAdminAction:          {},
+	DataUsageInfoAdminAction:        {},
+	TopLocksAdminAction:             {},
+	ProfilingAdminAction:            {},
+	TraceAdminAction:                {},
+	ConsoleLogAdminAction:           {},
+	KMSKeyStatusAdminAction:         {},
+	ServerInfoAdminAction:           {},
+	HealthInfoAdminAction:           {},
+	BandwidthMonitorAction:          {},
+	ServerUpdateAdminAction:         {},
+	ServiceRestartAdminAction:       {},
+	ServiceStopAdminAction:          {},
+	ConfigUpdateAdminAction:         {},
+	CreateUserAdminAction:           {},
+	DeleteUserAdminAction:           {},
+	ListUsersAdminAction:            {},
+	EnableUserAdminAction:           {},
+	DisableUserAdminAction:          {},
+	GetUserAdminAction:              {},
+	AddUserToGroupAdminAction:       {},
+	RemoveUserFromGroupAdminAction:  {},
+	GetGroupAdminAction:             {},
+	ListGroupsAdminAction:           {},
+	EnableGroupAdminAction:          {},
+	DisableGroupAdminAction:         {},
+	CreateServiceAccountAdminAction: {},
+	UpdateServiceAccountAdminAction: {},
+	RemoveServiceAccountAdminAction: {},
+	ListServiceAccountsAdminAction:  {},
+	CreatePolicyAdminAction:         {},
+	DeletePolicyAdminAction:         {},
+	GetPolicyAdminAction:            {},
+	AttachPolicyAdminAction:         {},
+	ListUserPoliciesAdminAction:     {},
+	SetBucketQuotaAdminAction:       {},
+	GetBucketQuotaAdminAction:       {},
+	SetBucketTargetAction:           {},
+	GetBucketTargetAction:           {},
+	AllAdminActions:                 {},
 }

 // IsValid - checks if action is valid or not.
@@ -172,40 +187,45 @@ func (action AdminAction) IsValid() bool {

 // adminActionConditionKeyMap - holds mapping of supported condition key for an action.
 var adminActionConditionKeyMap = map[Action]condition.KeySet{
-	AllAdminActions:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	HealAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	StorageInfoAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServerInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DataUsageInfoAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	HealthInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	BandwidthMonitorAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	TopLocksAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ProfilingAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	TraceAdminAction:               condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ConsoleLogAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	KMSKeyStatusAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServerUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServiceRestartAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ServiceStopAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ConfigUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	CreateUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DeleteUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListUsersAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	EnableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DisableUserAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetUserAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	AddUserToGroupAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListGroupsAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	EnableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DisableGroupAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	CreatePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	DeletePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetPolicyAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	AttachPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListUserPoliciesAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	SetBucketQuotaAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetBucketQuotaAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	SetBucketTargetAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	GetBucketTargetAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AllAdminActions:                 condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	HealAdminAction:                 condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	StorageInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerInfoAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DataUsageInfoAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	HealthInfoAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	BandwidthMonitorAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TopLocksAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ProfilingAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TraceAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ConsoleLogAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	KMSKeyStatusAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerUpdateAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServiceRestartAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServiceStopAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ConfigUpdateAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	CreateUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DeleteUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListUsersAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	EnableUserAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DisableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetUserAdminAction:              condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AddUserToGroupAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	RemoveUserFromGroupAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListGroupsAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	EnableGroupAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DisableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	CreateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	UpdateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	RemoveServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListServiceAccountsAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
+
+	CreatePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DeletePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	AttachPolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	SetBucketQuotaAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetBucketQuotaAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	SetBucketTargetAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	GetBucketTargetAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
 }
--- a/pkg/madmin/examples/service-accounts.go
+++ b/pkg/madmin/examples/service-accounts.go
@@ -56,14 +56,14 @@ func main() {
 	}

 	// Create a new service account
-	creds, err := madmClnt.AddServiceAccount(context.Background(), &p)
+	creds, err := madmClnt.AddServiceAccount(context.Background(), madmin.AddServiceAccountReq{Policy: &p})
 	if err != nil {
 		log.Fatalln(err)
 	}
 	fmt.Println(creds)

 	// List all services accounts
-	list, err := madmClnt.ListServiceAccounts(context.Background())
+	list, err := madmClnt.ListServiceAccounts(context.Background(), "")
 	if err != nil {
 		log.Fatalln(err)
 	}
--- a/pkg/madmin/user-commands.go
+++ b/pkg/madmin/user-commands.go
@@ -266,9 +266,12 @@ func (adm *AdminClient) SetUserStatus(ctx context.Context, accessKey string, sta
 	return nil
 }

-// AddServiceAccountReq is the request body of the add service account admin call
+// AddServiceAccountReq is the request options of the add service account admin call
 type AddServiceAccountReq struct {
-	Policy *iampolicy.Policy `json:"policy,omitempty"`
+	Policy     *iampolicy.Policy `json:"policy,omitempty"`
+	TargetUser string            `json:"targetUser,omitempty"`
+	AccessKey  string            `json:"accessKey,omitempty"`
+	SecretKey  string            `json:"secretKey,omitempty"`
 }

 // AddServiceAccountResp is the response body of the add service account admin call
@@ -278,16 +281,14 @@ type AddServiceAccountResp struct {

 // AddServiceAccount - creates a new service account belonging to the user sending
 // the request while restricting the service account permission by the given policy document.
-func (adm *AdminClient) AddServiceAccount(ctx context.Context, policy *iampolicy.Policy) (auth.Credentials, error) {
-	if policy != nil {
-		if err := policy.Validate(); err != nil {
+func (adm *AdminClient) AddServiceAccount(ctx context.Context, opts AddServiceAccountReq) (auth.Credentials, error) {
+	if opts.Policy != nil {
+		if err := opts.Policy.Validate(); err != nil {
 			return auth.Credentials{}, err
 		}
 	}

-	data, err := json.Marshal(AddServiceAccountReq{
-		Policy: policy,
-	})
+	data, err := json.Marshal(opts)
 	if err != nil {
 		return auth.Credentials{}, err
 	}
@@ -325,15 +326,67 @@ func (adm *AdminClient) AddServiceAccount(ctx context.Context, policy *iampolicy
 	return serviceAccountResp.Credentials, nil
 }

+// UpdateServiceAccountReq is the request options of the edit service account admin call
+type UpdateServiceAccountReq struct {
+	NewPolicy    *iampolicy.Policy `json:"newPolicy,omitempty"`
+	NewSecretKey string            `json:"newSecretKey,omitempty"`
+	NewStatus    string            `json:"newStatus,omityempty"`
+}
+
+// UpdateServiceAccount - edit an existing service account
+func (adm *AdminClient) UpdateServiceAccount(ctx context.Context, accessKey string, opts UpdateServiceAccountReq) error {
+	if opts.NewPolicy != nil {
+		if err := opts.NewPolicy.Validate(); err != nil {
+			return err
+		}
+	}
+
+	data, err := json.Marshal(opts)
+	if err != nil {
+		return err
+	}
+
+	econfigBytes, err := EncryptData(adm.getSecretKey(), data)
+	if err != nil {
+		return err
+	}
+
+	queryValues := url.Values{}
+	queryValues.Set("accessKey", accessKey)
+
+	reqData := requestData{
+		relPath:     adminAPIPrefix + "/update-service-account",
+		content:     econfigBytes,
+		queryValues: queryValues,
+	}
+
+	// Execute POST on /minio/admin/v3/update-service-account to edit a service account
+	resp, err := adm.executeMethod(ctx, http.MethodPost, reqData)
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusNoContent {
+		return httpRespToErrorResponse(resp)
+	}
+
+	return nil
+}
+
 // ListServiceAccountsResp is the response body of the list service accounts call
 type ListServiceAccountsResp struct {
 	Accounts []string `json:"accounts"`
 }

 // ListServiceAccounts - list service accounts belonging to the specified user
-func (adm *AdminClient) ListServiceAccounts(ctx context.Context) (ListServiceAccountsResp, error) {
+func (adm *AdminClient) ListServiceAccounts(ctx context.Context, user string) (ListServiceAccountsResp, error) {
+	queryValues := url.Values{}
+	queryValues.Set("user", user)
+
 	reqData := requestData{
-		relPath: adminAPIPrefix + "/list-service-accounts",
+		relPath:     adminAPIPrefix + "/list-service-accounts",
+		queryValues: queryValues,
 	}

 	// Execute GET on /minio/admin/v3/list-service-accounts
@@ -359,6 +412,47 @@ func (adm *AdminClient) ListServiceAccounts(ctx context.Context) (ListServiceAcc
 	return listResp, nil
 }

+// InfoServiceAccountResp is the response body of the info service account call
+type InfoServiceAccountResp struct {
+	ParentUser    string `json:"parentUser"`
+	AccountStatus string `json:"accountStatus"`
+	ImpliedPolicy bool   `json:"impliedPolicy"`
+	Policy        string `json:"policy"`
+}
+
+// InfoServiceAccount - returns the info of service account belonging to the specified user
+func (adm *AdminClient) InfoServiceAccount(ctx context.Context, accessKey string) (InfoServiceAccountResp, error) {
+	queryValues := url.Values{}
+	queryValues.Set("accessKey", accessKey)
+
+	reqData := requestData{
+		relPath:     adminAPIPrefix + "/info-service-account",
+		queryValues: queryValues,
+	}
+
+	// Execute GET on /minio/admin/v3/info-service-account
+	resp, err := adm.executeMethod(ctx, http.MethodGet, reqData)
+	defer closeResponse(resp)
+	if err != nil {
+		return InfoServiceAccountResp{}, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return InfoServiceAccountResp{}, httpRespToErrorResponse(resp)
+	}
+
+	data, err := DecryptData(adm.getSecretKey(), resp.Body)
+	if err != nil {
+		return InfoServiceAccountResp{}, err
+	}
+
+	var infoResp InfoServiceAccountResp
+	if err = json.Unmarshal(data, &infoResp); err != nil {
+		return InfoServiceAccountResp{}, err
+	}
+	return infoResp, nil
+}
+
 // DeleteServiceAccount - delete a specified service account. The server will reject
 // the request if the service account does not belong to the user initiating the request
 func (adm *AdminClient) DeleteServiceAccount(ctx context.Context, serviceAccount string) error {