fix: IAM LDAP access key import bug (#19608)

When importing access keys (i.e. service accounts) for LDAP accounts, we are requiring groups to exist under one of the configured group base DNs. This is not correct. This change fixes this by only checking for existence and storing the normalized form of the group DN - we do not return an error if the group is not under a base DN. Test is updated to illustrate an import failure that would happen without this change.
2025-02-25 12:29:15 -05:00 · 2024-04-25 08:50:16 -07:00 · 2024-04-25 08:50:16 -07:00 · 62c3cdee75
commit 62c3cdee75
parent 3212d0c8cd
6 changed files with 62 additions and 38 deletions
--- a/cmd/admin-handlers-idp-ldap.go
+++ b/cmd/admin-handlers-idp-ldap.go
@ -222,9 +222,8 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
 		err          error
 	)

-	// If we are creating svc account for request sender, ensure
-	// that targetUser is a real user (i.e. not derived
-	// credentials).
+	// If we are creating svc account for request sender, ensure that targetUser
+	// is a real user (i.e. not derived credentials).
 	if isSvcAccForRequestor {
 		if requestorIsDerivedCredential {
 			if requestorParentUser == "" {
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -1632,9 +1632,10 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
 		var err error
 		if isGroup {
 			var foundGroupDN string
-			if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
+			var underBaseDN bool
+			if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
 				iamLogIf(ctx, err)
-			} else if foundGroupDN == "" {
+			} else if foundGroupDN == "" || !underBaseDN {
 				err = errNoSuchGroup
 			}
 			entityName = foundGroupDN
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1503,12 +1503,14 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap

 		hasDiff := false

-		validatedParent, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
+		// For the parent value, we require that the parent exists in the LDAP
+		// server and is under a configured base DN.
+		validatedParent, isUnderBaseDN, err := sys.LDAPConfig.GetValidatedUserDN(conn, parent)
 		if err != nil {
 			collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", parent, err))
 			continue
 		}
-		if validatedParent == "" {
+		if validatedParent == "" || !isUnderBaseDN {
 			err := fmt.Errorf("DN `%s` was not found in the LDAP directory", parent)
 			collectedErrors = append(collectedErrors, err)
 			continue
@ -1518,9 +1520,11 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
 			hasDiff = true
 		}

-		var validatedGroups []string
+		var normalizedGroups []string
 		for _, group := range groups {
-			validatedGroup, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
+			// For a group, we store the normalized DN even if it not under a
+			// configured base DN.
+			validatedGroup, _, err := sys.LDAPConfig.GetValidatedGroupDN(conn, group)
 			if err != nil {
 				collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", group, err))
 				continue
@ -1534,13 +1538,13 @@ func (sys *IAMSys) NormalizeLDAPAccessKeypairs(ctx context.Context, accessKeyMap
 			if validatedGroup != group {
 				hasDiff = true
 			}
-			validatedGroups = append(validatedGroups, validatedGroup)
+			normalizedGroups = append(normalizedGroups, validatedGroup)
 		}

 		if hasDiff {
 			updatedCreateReq := createReq
 			updatedCreateReq.Parent = validatedParent
-			updatedCreateReq.Groups = validatedGroups
+			updatedCreateReq.Groups = normalizedGroups

 			updatedKeysMap[ak] = updatedCreateReq
 		}
@ -1611,7 +1615,7 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,

 	// We map keys that correspond to LDAP DNs and validate that they exist in
 	// the LDAP server.
-	var dnValidator func(*libldap.Conn, string) (string, error) = sys.LDAPConfig.GetValidatedUserDN
+	var dnValidator func(*libldap.Conn, string) (string, bool, error) = sys.LDAPConfig.GetValidatedUserDN
 	if isGroup {
 		dnValidator = sys.LDAPConfig.GetValidatedGroupDN
 	}
@ -1625,12 +1629,12 @@ func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,
 			// not a valid DN, ignore.
 			continue
 		}
-		validatedDN, err := dnValidator(conn, k)
+		validatedDN, underBaseDN, err := dnValidator(conn, k)
 		if err != nil {
 			collectedErrors = append(collectedErrors, fmt.Errorf("could not validate `%s` exists in LDAP directory: %w", k, err))
 			continue
 		}
-		if validatedDN == "" {
+		if validatedDN == "" || !underBaseDN {
 			err := fmt.Errorf("DN `%s` was not found in the LDAP directory", k)
 			collectedErrors = append(collectedErrors, err)
 			continue
@ -1949,10 +1953,11 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
 	} else {
 		if isAttach {
 			var foundGroupDN string
-			if foundGroupDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
+			var underBaseDN bool
+			if foundGroupDN, underBaseDN, err = sys.LDAPConfig.GetValidatedGroupDN(nil, r.Group); err != nil {
 				iamLogIf(ctx, err)
 				return
-			} else if foundGroupDN == "" {
+			} else if foundGroupDN == "" || !underBaseDN {
 				err = errNoSuchGroup
 				return
 			}
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@ -1441,9 +1441,10 @@ func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mappi
 		var err error
 		if isGroup {
 			var foundGroupDN string
-			if foundGroupDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
+			var underBaseDN bool
+			if foundGroupDN, underBaseDN, err = globalIAMSys.LDAPConfig.GetValidatedGroupDN(nil, entityName); err != nil {
 				iamLogIf(ctx, err)
-			} else if foundGroupDN == "" {
+			} else if foundGroupDN == "" || !underBaseDN {
 				err = errNoSuchGroup
 			}
 			entityName = foundGroupDN
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@ -829,12 +829,14 @@ func TestIAMImportAssetWithLDAP(t *testing.T) {
  }
 }
 `,
+		// The `cn=projecty,..` group below is not under a configured DN, but we
+		// should still import without an error.
 		allSvcAcctsFile: `{
    "u4ccRswj62HV3Ifwima7": {
        "parent": "uid=svc.algorithm,OU=swengg,DC=min,DC=io",
        "accessKey": "u4ccRswj62HV3Ifwima7",
        "secretKey": "ZoEoZdLlzVbOlT9rbhD7ZN7TLyiYXSAlB79uGEge",
-        "groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io"],
+        "groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io", "cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io"],
        "claims": {
            "accessKey": "u4ccRswj62HV3Ifwima7",
            "ldapUser": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",
--- a/internal/config/identity/ldap/ldap.go
+++ b/internal/config/identity/ldap/ldap.go
@ -86,7 +86,7 @@ func (l *Config) GetValidatedDNForUsername(username string) (string, error) {
 		// the directory.
 		bindDN, err := l.LDAP.LookupUserDN(conn, username)
 		if err != nil {
-			if strings.Contains(err.Error(), "not found") {
+			if strings.Contains(err.Error(), "User DN not found for") {
 				return "", nil
 			}
 			return "", fmt.Errorf("Unable to find user DN: %w", err)
@ -94,30 +94,36 @@ func (l *Config) GetValidatedDNForUsername(username string) (string, error) {
 		return bindDN, nil
 	}

-	// Since the username is a valid DN, check that it is under a configured
-	// base DN in the LDAP directory.
-	return l.GetValidatedUserDN(conn, username)
+	// Since the username parses as a valid DN, check that it exists and is
+	// under a configured base DN in the LDAP directory.
+	validDN, isUnderBaseDN, err := l.GetValidatedUserDN(conn, username)
+	if err == nil && !isUnderBaseDN {
+		return "", fmt.Errorf("Unable to find user DN: %w", err)
+	}
+	return validDN, err
 }

-// GetValidatedUserDN validates the given user DN. Will error out if conn is nil.
-func (l *Config) GetValidatedUserDN(conn *ldap.Conn, userDN string) (string, error) {
+// GetValidatedUserDN validates the given user DN. Will error out if conn is nil. The returned
+// boolean is true iff the user DN is found under one of the LDAP user base DNs.
+func (l *Config) GetValidatedUserDN(conn *ldap.Conn, userDN string) (string, bool, error) {
 	return l.GetValidatedDNUnderBaseDN(conn, userDN, l.LDAP.UserDNSearchBaseDistNames)
 }

 // GetValidatedGroupDN validates the given group DN. If conn is nil, creates a
-// connection.
-func (l *Config) GetValidatedGroupDN(conn *ldap.Conn, groupDN string) (string, error) {
+// connection. The returned boolean is true iff the group DN is found under one
+// of the configured LDAP base DNs.
+func (l *Config) GetValidatedGroupDN(conn *ldap.Conn, groupDN string) (string, bool, error) {
 	if conn == nil {
 		var err error
 		conn, err = l.LDAP.Connect()
 		if err != nil {
-			return "", err
+			return "", false, err
 		}
 		defer conn.Close()

 		// Bind to the lookup user account
 		if err = l.LDAP.LookupBind(conn); err != nil {
-			return "", err
+			return "", false, err
 		}
 	}

@ -128,22 +134,30 @@ func (l *Config) GetValidatedGroupDN(conn *ldap.Conn, groupDN string) (string, e
 // and returns the DN value sent by the LDAP server. The value returned by the
 // server may not be equal to the input DN, as LDAP equality is not a simple
 // Golang string equality. However, we assume the value returned by the LDAP
-// server is canonical.
+// server is canonical. Additionally, the attribute type names in the DN are
+// lower-cased.
 //
-// If the DN is not found in the LDAP directory, the returned string is empty
-// and err = nil.
-func (l *Config) GetValidatedDNUnderBaseDN(conn *ldap.Conn, dn string, baseDNList []xldap.BaseDNInfo) (string, error) {
+// Return values:
+//
+// If the DN is found, the normalized (string) value is returned and error is
+// nil.
+//
+// If the DN is not found, the string returned is empty and the error is nil.
+//
+// The returned boolean is true iff the DN is found under one of the LDAP
+// subtrees listed in `baseDNList`.
+func (l *Config) GetValidatedDNUnderBaseDN(conn *ldap.Conn, dn string, baseDNList []xldap.BaseDNInfo) (string, bool, error) {
 	if len(baseDNList) == 0 {
-		return "", errors.New("no Base DNs given")
+		return "", false, errors.New("no Base DNs given")
 	}

 	// Check that DN exists in the LDAP directory.
 	validatedDN, err := xldap.LookupDN(conn, dn)
 	if err != nil {
-		return "", fmt.Errorf("Error looking up DN %s: %w", dn, err)
+		return "", false, fmt.Errorf("Error looking up DN %s: %w", dn, err)
 	}
 	if validatedDN == "" {
-		return "", nil
+		return "", false, nil
 	}

 	// This will not return an error as the argument is validated to be a DN.
@ -153,10 +167,12 @@ func (l *Config) GetValidatedDNUnderBaseDN(conn *ldap.Conn, dn string, baseDNLis
 	// directory.
 	for _, baseDN := range baseDNList {
 		if baseDN.Parsed.AncestorOf(pdn) {
-			return validatedDN, nil
+			return validatedDN, true, nil
 		}
 	}
-	return "", fmt.Errorf("DN %s is not under any configured base DN", validatedDN)
+
+	// Not under any configured base DN so return false.
+	return validatedDN, false, nil
 }

 // Bind - binds to ldap, searches LDAP and returns the distinguished name of the