MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix: IAM import/export: remove sts group handling (#19422)

Browse Source 
There are no separate STS group mappings to be handled.

Also add tests for basic import/export sanity.
This commit is contained in:
Aditya Manthramurthy
2024-04-05 20:13:35 -07:00
committed by GitHub
parent 91f91d8f47
commit 8ff2a7a2b9
2 changed files with 177 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
cmd/sts-handlers_test.go
View File

@@ -18,9 +18,12 @@
package cmd
import (
"bytes"
"context"
"fmt"
"io"
"os"
"reflect"
"strings"
"testing"
"time"
@@ -752,6 +755,172 @@ func TestIAMWithLDAPNonNormalizedBaseDNConfigServerSuite(t *testing.T) {
}
}
func TestIAMExportImportWithLDAP(t *testing.T) {
for i, testCase := range iamTestSuites {
t.Run(
fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),
func(t *testing.T) {
c := &check{t, testCase.serverType}
suite := testCase
ldapServer := os.Getenv(EnvTestLDAPServer)
if ldapServer == "" {
c.Skipf("Skipping LDAP test as no LDAP server is provided via %s", EnvTestLDAPServer)
}
iamTestContentCases := []iamTestContent{
{
policies: map[string][]byte{
"mypolicy": []byte(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket","s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/*"]}]}`),
},
ldapUserPolicyMappings: map[string][]string{
"uid=dillon,ou=people,ou=swengg,dc=min,dc=io": {"mypolicy"},
"uid=liza,ou=people,ou=swengg,dc=min,dc=io": {"consoleAdmin"},
},
ldapGroupPolicyMappings: map[string][]string{
"cn=projectb,ou=groups,ou=swengg,dc=min,dc=io": {"mypolicy"},
"cn=projecta,ou=groups,ou=swengg,dc=min,dc=io": {"consoleAdmin"},
},
},
}
for caseNum, content := range iamTestContentCases {
suite.SetUpSuite(c)
suite.SetUpLDAP(c, ldapServer)
exportedContent := suite.TestIAMExport(c, caseNum, content)
suite.TearDownSuite(c)
suite.SetUpSuite(c)
suite.SetUpLDAP(c, ldapServer)
suite.TestIAMImport(c, exportedContent, caseNum, content)
suite.TearDownSuite(c)
}
},
)
}
}
type iamTestContent struct {
policies map[string][]byte
ldapUserPolicyMappings map[string][]string
ldapGroupPolicyMappings map[string][]string
}
func (s *TestSuiteIAM) TestIAMExport(c *check, caseNum int, content iamTestContent) []byte {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()
for policy, policyBytes := range content.policies {
err := s.adm.AddCannedPolicy(ctx, policy, policyBytes)
if err != nil {
c.Fatalf("export %d: policy add error: %v", caseNum, err)
}
}
for userDN, policies := range content.ldapUserPolicyMappings {
_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
Policies: policies,
User: userDN,
})
if err != nil {
c.Fatalf("export %d: Unable to attach policy: %v", caseNum, err)
}
}
for groupDN, policies := range content.ldapGroupPolicyMappings {
_, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{
Policies: policies,
Group: groupDN,
})
if err != nil {
c.Fatalf("export %d: Unable to attach group policy: %v", caseNum, err)
}
}
contentReader, err := s.adm.ExportIAM(ctx)
if err != nil {
c.Fatalf("export %d: Unable to export IAM: %v", caseNum, err)
}
defer contentReader.Close()
expContent, err := io.ReadAll(contentReader)
if err != nil {
c.Fatalf("export %d: Unable to read exported content: %v", caseNum, err)
}
return expContent
}
type dummyCloser struct {
io.Reader
}
func (d dummyCloser) Close() error { return nil }
func (s *TestSuiteIAM) TestIAMImport(c *check, exportedContent []byte, caseNum int, content iamTestContent) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()
dummyCloser := dummyCloser{bytes.NewReader(exportedContent)}
err := s.adm.ImportIAM(ctx, dummyCloser)
if err != nil {
c.Fatalf("import %d: Unable to import IAM: %v", caseNum, err)
}
gotContent := iamTestContent{
policies: make(map[string][]byte),
ldapUserPolicyMappings: make(map[string][]string),
ldapGroupPolicyMappings: make(map[string][]string),
}
policyContentMap, err := s.adm.ListCannedPolicies(ctx)
if err != nil {
c.Fatalf("import %d: Unable to list policies: %v", caseNum, err)
}
defaultCannedPolicies := set.CreateStringSet("consoleAdmin", "readwrite", "readonly",
"diagnostics", "writeonly")
for policy, policyBytes := range policyContentMap {
if defaultCannedPolicies.Contains(policy) {
continue
}
gotContent.policies[policy] = policyBytes
}
policyQueryRes, err := s.adm.GetLDAPPolicyEntities(ctx, madmin.PolicyEntitiesQuery{})
if err != nil {
c.Fatalf("import %d: Unable to get policy entities: %v", caseNum, err)
}
for _, entity := range policyQueryRes.PolicyMappings {
m := gotContent.ldapUserPolicyMappings
for _, user := range entity.Users {
m[user] = append(m[user], entity.Policy)
}
m = gotContent.ldapGroupPolicyMappings
for _, group := range entity.Groups {
m[group] = append(m[group], entity.Policy)
}
}
{
// We don't compare the values of the canned policies because server is
// re-encoding them. (FIXME?)
for k := range content.policies {
content.policies[k] = nil
gotContent.policies[k] = nil
}
if !reflect.DeepEqual(content.policies, gotContent.policies) {
c.Fatalf("import %d: policies mismatch: expected: %v, got: %v", caseNum, content.policies, gotContent.policies)
}
}
if !reflect.DeepEqual(content.ldapUserPolicyMappings, gotContent.ldapUserPolicyMappings) {
c.Fatalf("import %d: user policy mappings mismatch: expected: %v, got: %v", caseNum, content.ldapUserPolicyMappings, gotContent.ldapUserPolicyMappings)
}
if !reflect.DeepEqual(content.ldapGroupPolicyMappings, gotContent.ldapGroupPolicyMappings) {
c.Fatalf("import %d: group policy mappings mismatch: expected: %v, got: %v", caseNum, content.ldapGroupPolicyMappings, gotContent.ldapGroupPolicyMappings)
}
}
func (s *TestSuiteIAM) TestLDAPSTS(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()