MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-03-31 09:43:43 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update tests to use AttachPolicy(LDAP) instead of deprecated SetPolicy (#19972)

Browse Source
This commit is contained in:
Taran Pelkey 2024-06-28 05:06:25 -04:00 committed by GitHub
parent 13512170b5
commit 7ca4ba77c4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 206 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -86,9 +86,9 @@ test-race: verifiers build ## builds minio, runs linters, tests (race)
test-iam: install-race ## verify IAM (external IDP, etcd backends) test-iam: install-race ## verify IAM (external IDP, etcd backends)
@echo "Running tests for IAM (external IDP, etcd backends)" @echo "Running tests for IAM (external IDP, etcd backends)"
@MINIO_API_REQUESTS_MAX=10000 CGO_ENABLED=0 go test -tags kqueue,dev -v -run TestIAM* ./cmd @MINIO_API_REQUESTS_MAX=10000 CGO_ENABLED=0 go test -timeout 15m -tags kqueue,dev -v -run TestIAM* ./cmd
@echo "Running tests for IAM (external IDP, etcd backends) with -race" @echo "Running tests for IAM (external IDP, etcd backends) with -race"
@MINIO_API_REQUESTS_MAX=10000 GORACE=history_size=7 CGO_ENABLED=1 go test -race -tags kqueue,dev -v -run TestIAM* ./cmd @MINIO_API_REQUESTS_MAX=10000 GORACE=history_size=7 CGO_ENABLED=1 go test -timeout 15m -race -tags kqueue,dev -v -run TestIAM* ./cmd
test-iam-ldap-upgrade-import: install-race ## verify IAM (external LDAP IDP) test-iam-ldap-upgrade-import: install-race ## verify IAM (external LDAP IDP)
@echo "Running upgrade tests for IAM (LDAP backend)" @echo "Running upgrade tests for IAM (LDAP backend)"

9
cmd/admin-handlers-users-race_test.go
View File

@ -120,9 +120,12 @@ func (s *TestSuiteIAM) TestDeleteUserRace(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set policy: %v", err) User: accessKey,
}
if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
c.Fatalf("Unable to attach policy: %v", err)
} }
accessKeys[i] = accessKey accessKeys[i] = accessKey

74
cmd/admin-handlers-users_test.go
View File

@ -239,9 +239,12 @@ func (s *TestSuiteIAM) TestUserCreate(c *check) {
c.Assert(v.Status, madmin.AccountEnabled) c.Assert(v.Status, madmin.AccountEnabled)
// 3. Associate policy and check that user can access // 3. Associate policy and check that user can access
err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{"readwrite"},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
client := s.getUserClient(c, accessKey, secretKey, "") client := s.getUserClient(c, accessKey, secretKey, "")
@ -348,9 +351,12 @@ func (s *TestSuiteIAM) TestUserPolicyEscalationBug(c *check) {
if err != nil { if err != nil {
c.Fatalf("policy add error: %v", err) c.Fatalf("policy add error: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// 2.3 check user has access to bucket // 2.3 check user has access to bucket
c.mustListObjects(ctx, uClient, bucket) c.mustListObjects(ctx, uClient, bucket)
@ -470,9 +476,12 @@ func (s *TestSuiteIAM) TestAddServiceAccountPerms(c *check) {
c.mustNotListObjects(ctx, uClient, "testbucket") c.mustNotListObjects(ctx, uClient, "testbucket")
// 3.2 associate policy to user // 3.2 associate policy to user
err = s.adm.SetPolicy(ctx, policy1, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy1},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
admClnt := s.getAdminClient(c, accessKey, secretKey, "") admClnt := s.getAdminClient(c, accessKey, secretKey, "")
@ -490,10 +499,22 @@ func (s *TestSuiteIAM) TestAddServiceAccountPerms(c *check) {
c.Fatalf("policy was missing!") c.Fatalf("policy was missing!")
} }
// 3.2 associate policy to user // Detach policy1 to set up for policy2
err = s.adm.SetPolicy(ctx, policy2, accessKey, false) _, err = s.adm.DetachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy1},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to detach policy: %v", err)
}
// 3.2 associate policy to user
_, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy2},
User: accessKey,
})
if err != nil {
c.Fatalf("unable to attach policy: %v", err)
} }
// 3.3 check user can create service account implicitly. // 3.3 check user can create service account implicitly.
@ -571,9 +592,12 @@ func (s *TestSuiteIAM) TestPolicyCreate(c *check) {
c.mustNotListObjects(ctx, uClient, bucket) c.mustNotListObjects(ctx, uClient, bucket)
// 3.2 associate policy to user // 3.2 associate policy to user
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// 3.3 check user has access to bucket // 3.3 check user has access to bucket
c.mustListObjects(ctx, uClient, bucket) c.mustListObjects(ctx, uClient, bucket)
@ -726,9 +750,12 @@ func (s *TestSuiteIAM) TestGroupAddRemove(c *check) {
c.mustNotListObjects(ctx, uClient, bucket) c.mustNotListObjects(ctx, uClient, bucket)
// 3. Associate policy to group and check user got access. // 3. Associate policy to group and check user got access.
err = s.adm.SetPolicy(ctx, policy, group, true) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
Group: group,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// 3.1 check user has access to bucket // 3.1 check user has access to bucket
c.mustListObjects(ctx, uClient, bucket) c.mustListObjects(ctx, uClient, bucket)
@ -871,9 +898,12 @@ func (s *TestSuiteIAM) TestServiceAccountOpsByUser(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// Create an madmin client with user creds // Create an madmin client with user creds
@ -952,9 +982,12 @@ func (s *TestSuiteIAM) TestServiceAccountDurationSecondsCondition(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// Create an madmin client with user creds // Create an madmin client with user creds
@ -1031,9 +1064,12 @@ func (s *TestSuiteIAM) TestServiceAccountOpsByAdmin(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("unable to attach policy: %v", err)
} }
// 1. Create a service account for the user // 1. Create a service account for the user

27
cmd/sftp-server_test.go
View File

@ -194,9 +194,12 @@ func (s *TestSuiteIAM) SFTPInvalidServiceAccountPassword(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{"readwrite"},
c.Fatalf("unable to set policy: %v", err) User: accessKey,
}
if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
c.Fatalf("Unable to attach policy: %v", err)
} }
newSSHCon := newSSHConnMock(accessKey + "=svc") newSSHCon := newSSHConnMock(accessKey + "=svc")
@ -222,9 +225,12 @@ func (s *TestSuiteIAM) SFTPServiceAccountLogin(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{"readwrite"},
c.Fatalf("unable to set policy: %v", err) User: accessKey,
}
if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
c.Fatalf("Unable to attach policy: %v", err)
} }
newSSHCon := newSSHConnMock(accessKey + "=svc") newSSHCon := newSSHConnMock(accessKey + "=svc")
@ -270,9 +276,12 @@ func (s *TestSuiteIAM) SFTPValidLDAPLoginWithPassword(c *check) {
} }
userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, userDN, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set policy: %v", err) User: userDN,
}
if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
c.Fatalf("Unable to attach policy: %v", err)
} }
newSSHCon := newSSHConnMock("dillon=ldap") newSSHCon := newSSHConnMock("dillon=ldap")

173
cmd/sts-handlers_test.go
View File

@ -116,9 +116,12 @@ func (s *TestSuiteIAM) TestSTSServiceAccountsWithUsername(c *check) {
c.Fatalf("policy add error: %v", err) c.Fatalf("policy add error: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, "dillon", false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: "dillon",
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to attach policy: %v", err)
} }
assumeRole := cr.STSAssumeRole{ assumeRole := cr.STSAssumeRole{
@ -231,9 +234,12 @@ func (s *TestSuiteIAM) TestSTSWithDenyDeleteVersion(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to attach policy: %v", err)
} }
// confirm that the user is able to access the bucket // confirm that the user is able to access the bucket
@ -332,9 +338,12 @@ func (s *TestSuiteIAM) TestSTSWithTags(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to attach policy: %v", err)
} }
// confirm that the user is able to access the bucket // confirm that the user is able to access the bucket
@ -420,9 +429,12 @@ func (s *TestSuiteIAM) TestSTS(c *check) {
c.Fatalf("Unable to set user: %v", err) c.Fatalf("Unable to set user: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, accessKey, false) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
User: accessKey,
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to attach policy: %v", err)
} }
// confirm that the user is able to access the bucket // confirm that the user is able to access the bucket
@ -515,9 +527,12 @@ func (s *TestSuiteIAM) TestSTSWithGroupPolicy(c *check) {
c.Fatalf("unable to add user to group: %v", err) c.Fatalf("unable to add user to group: %v", err)
} }
err = s.adm.SetPolicy(ctx, policy, "test-group", true) _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy},
Group: "test-group",
})
if err != nil { if err != nil {
c.Fatalf("Unable to set policy: %v", err) c.Fatalf("Unable to attach policy: %v", err)
} }
// confirm that the user is able to access the bucket - permission comes // confirm that the user is able to access the bucket - permission comes
@ -984,6 +999,7 @@ func (s *TestSuiteIAM) TestIAMExport(c *check, caseNum int, content iamTestConte
} }
for userDN, policies := range content.ldapUserPolicyMappings { for userDN, policies := range content.ldapUserPolicyMappings {
// No need to detach, we are starting from a clean slate after exporting.
_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ _, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
Policies: policies, Policies: policies,
User: userDN, User: userDN,
@ -1194,14 +1210,21 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
// Attempting to set a non-existent policy should fail. // Attempting to set a non-existent policy should fail.
userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy+"x", userDN, false) _, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy + "x"},
User: userDN,
})
if err == nil { if err == nil {
c.Fatalf("should not be able to set non-existent policy") c.Fatalf("should not be able to attach non-existent policy")
} }
err = s.adm.SetPolicy(ctx, policy, userDN, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set policy: %v", err) User: userDN,
}
if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
value, err := ldapID.Retrieve() value, err := ldapID.Retrieve()
@ -1240,10 +1263,8 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
c.Fatalf("unexpected non-access-denied err: %v", err) c.Fatalf("unexpected non-access-denied err: %v", err)
} }
// Remove the policy assignment on the user DN: if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
err = s.adm.SetPolicy(ctx, "", userDN, false) c.Fatalf("Unable to detach user policy: %v", err)
if err != nil {
c.Fatalf("Unable to remove policy setting: %v", err)
} }
_, err = ldapID.Retrieve() _, err = ldapID.Retrieve()
@ -1253,9 +1274,13 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
// Set policy via group and validate policy assignment. // Set policy via group and validate policy assignment.
groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io" groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, groupDN, true) groupReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set group policy: %v", err) Group: groupDN,
}
if _, err = s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to attach group policy: %v", err)
} }
value, err = ldapID.Retrieve() value, err = ldapID.Retrieve()
@ -1278,6 +1303,10 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
// Validate that the client cannot remove any objects // Validate that the client cannot remove any objects
err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{}) err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{})
c.Assert(err.Error(), "Access Denied.") c.Assert(err.Error(), "Access Denied.")
if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to detach group policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestLDAPUnicodeVariationsLegacyAPI(c *check) { func (s *TestSuiteIAM) TestLDAPUnicodeVariationsLegacyAPI(c *check) {
@ -1490,12 +1519,13 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) {
// \uFE52 is the unicode dot SMALL FULL STOP used below: // \uFE52 is the unicode dot SMALL FULL STOP used below:
userDNWithUnicodeDot := "uid=svc﹒algorithm,OU=swengg,DC=min,DC=io" userDNWithUnicodeDot := "uid=svc﹒algorithm,OU=swengg,DC=min,DC=io"
_, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ userReq := madmin.PolicyAssociationReq{
Policies: []string{policy}, Policies: []string{policy},
User: userDNWithUnicodeDot, User: userDNWithUnicodeDot,
}) }
if err != nil {
c.Fatalf("Unable to set policy: %v", err) if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
value, err := ldapID.Retrieve() value, err := ldapID.Retrieve()
@ -1534,12 +1564,9 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) {
} }
// Remove the policy assignment on the user DN: // Remove the policy assignment on the user DN:
_, err = s.adm.DetachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
Policies: []string{policy}, if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
User: userDNWithUnicodeDot, c.Fatalf("Unable to detach user policy: %v", err)
})
if err != nil {
c.Fatalf("Unable to remove policy setting: %v", err)
} }
_, err = ldapID.Retrieve() _, err = ldapID.Retrieve()
@ -1550,11 +1577,12 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) {
// Set policy via group and validate policy assignment. // Set policy via group and validate policy assignment.
actualGroupDN := mustNormalizeDN("cn=project.c,ou=groups,ou=swengg,dc=min,dc=io") actualGroupDN := mustNormalizeDN("cn=project.c,ou=groups,ou=swengg,dc=min,dc=io")
groupDNWithUnicodeDot := "cn=project﹒c,ou=groups,ou=swengg,dc=min,dc=io" groupDNWithUnicodeDot := "cn=project﹒c,ou=groups,ou=swengg,dc=min,dc=io"
_, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ groupReq := madmin.PolicyAssociationReq{
Policies: []string{policy}, Policies: []string{policy},
Group: groupDNWithUnicodeDot, Group: groupDNWithUnicodeDot,
}) }
if err != nil {
if _, err = s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to attach group policy: %v", err) c.Fatalf("Unable to attach group policy: %v", err)
} }
@ -1594,6 +1622,10 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) {
// Validate that the client cannot remove any objects // Validate that the client cannot remove any objects
err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{}) err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{})
c.Assert(err.Error(), "Access Denied.") c.Assert(err.Error(), "Access Denied.")
if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to detach group policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) { func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) {
@ -1630,9 +1662,13 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) {
} }
userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, userDN, false) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set policy: %v", err) User: userDN,
}
if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
ldapID := cr.LDAPIdentity{ ldapID := cr.LDAPIdentity{
@ -1687,6 +1723,11 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) {
// 6. Check that service account cannot be created for some other user. // 6. Check that service account cannot be created for some other user.
c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient) c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
// Detach the policy from the user
if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to detach user policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) { func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) {
@ -1723,9 +1764,14 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) {
} }
userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, userDN, false)
if err != nil { userReq := madmin.PolicyAssociationReq{
c.Fatalf("Unable to set policy: %v", err) Policies: []string{policy},
User: userDN,
}
if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
ldapID := cr.LDAPIdentity{ ldapID := cr.LDAPIdentity{
@ -1776,6 +1822,10 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) {
// 3. Check S3 access for download // 3. Check S3 access for download
c.mustDownload(ctx, svcClient, bucket) c.mustDownload(ctx, svcClient, bucket)
if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to detach user policy: %v", err)
}
} }
// In this test, the parent users gets their permissions from a group, rather // In this test, the parent users gets their permissions from a group, rather
@ -1814,9 +1864,13 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) {
} }
groupDN := "cn=projecta,ou=groups,ou=swengg,dc=min,dc=io" groupDN := "cn=projecta,ou=groups,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, groupDN, true) userReq := madmin.PolicyAssociationReq{
if err != nil { Policies: []string{policy},
c.Fatalf("Unable to set policy: %v", err) Group: groupDN,
}
if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
ldapID := cr.LDAPIdentity{ ldapID := cr.LDAPIdentity{
@ -1871,18 +1925,24 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) {
// 6. Check that service account cannot be created for some other user. // 6. Check that service account cannot be created for some other user.
c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient) c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
// Detach the user policy
if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to detach user policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) { func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel() defer cancel()
_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ userReq := madmin.PolicyAssociationReq{
Policies: []string{"readwrite"}, Policies: []string{"readwrite"},
User: "uid=Пользователь,ou=people,ou=swengg,dc=min,dc=io", User: "uid=Пользователь,ou=people,ou=swengg,dc=min,dc=io",
}) }
if err != nil {
c.Fatalf("Unable to set policy: %v", err) if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
cases := []struct { cases := []struct {
@ -1940,6 +2000,10 @@ func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) {
c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim) c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim)
} }
} }
if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {
c.Fatalf("Unable to detach user policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) { func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
@ -1947,12 +2011,13 @@ func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
defer cancel() defer cancel()
groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io" groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io"
_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ groupReq := madmin.PolicyAssociationReq{
Policies: []string{"readwrite"}, Policies: []string{"readwrite"},
Group: groupDN, Group: groupDN,
}) }
if err != nil {
c.Fatalf("Unable to set policy: %v", err) if _, err := s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to attach user policy: %v", err)
} }
cases := []struct { cases := []struct {
@ -2025,6 +2090,10 @@ func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
c.Fatalf("Test %d: unexpected sshPublicKey type: %s", i+1, parts[0]) c.Fatalf("Test %d: unexpected sshPublicKey type: %s", i+1, parts[0])
} }
} }
if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil {
c.Fatalf("Unable to detach group policy: %v", err)
}
} }
func (s *TestSuiteIAM) TestOpenIDSTS(c *check) { func (s *TestSuiteIAM) TestOpenIDSTS(c *check) {