Add LDAP public key authentication to SFTP (#19833)

This commit is contained in:
Sveinn 2024-06-05 00:51:13 -07:00 committed by GitHub
parent 5ffb2a9605
commit 91e1487de4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 559 additions and 212 deletions

View File

@ -1,4 +1,4 @@
// Copyright (c) 2015-2023 MinIO, Inc.
// Copyright (c) 2015-2024 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
@ -32,7 +32,6 @@ import (
"github.com/minio/madmin-go/v3"
"github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio/internal/auth"
xioutil "github.com/minio/minio/internal/ioutil"
"github.com/minio/pkg/v3/mimedb"
"github.com/pkg/sftp"
@ -101,103 +100,20 @@ func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers {
}
func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
ui, ok := globalIAMSys.GetUser(context.Background(), f.AccessKey())
if !ok && !globalIAMSys.LDAPConfig.Enabled() {
return nil, errNoSuchUser
}
if !ok && globalIAMSys.LDAPConfig.Enabled() {
sa, _, err := globalIAMSys.getServiceAccount(context.Background(), f.AccessKey())
if err != nil && !errors.Is(err, errNoSuchServiceAccount) {
return nil, err
}
var mcreds *credentials.Credentials
if errors.Is(err, errNoSuchServiceAccount) {
lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(f.AccessKey())
if err != nil {
return nil, err
}
expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration("")
if err != nil {
return nil, err
}
claims := make(map[string]interface{})
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
for k, v := range f.permissions.CriticalOptions {
claims[k] = v
}
// Set LDAP claims.
claims[ldapUserN] = f.AccessKey()
claims[ldapUser] = lookupResult.NormDN
// Add LDAP attributes that were looked up into the claims.
for attribKey, attribValue := range lookupResult.Attributes {
claims[ldapAttribPrefix+attribKey] = attribValue
}
cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
if err != nil {
return nil, err
}
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
cred.ParentUser = lookupResult.NormDN
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups
cred.Groups = targetGroups
// Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping.
updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
if err != nil {
return nil, err
}
// Call hook for site replication.
replLogIf(context.Background(), globalSiteReplicationSys.IAMChangeHook(context.Background(), madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
},
UpdatedAt: updatedAt,
}))
mcreds = credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken)
} else {
mcreds = credentials.NewStaticV4(sa.Credentials.AccessKey, sa.Credentials.SecretKey, "")
}
return minio.New(f.endpoint, &minio.Options{
Creds: mcreds,
Secure: globalIsTLS,
Transport: globalRemoteFTPClientTransport,
})
}
// ok == true - at this point
if ui.Credentials.IsTemp() {
// Temporary credentials are not allowed.
return nil, errAuthentication
}
mcreds := credentials.NewStaticV4(
f.permissions.CriticalOptions["AccessKey"],
f.permissions.CriticalOptions["SecretKey"],
f.permissions.CriticalOptions["SessionToken"],
)
return minio.New(f.endpoint, &minio.Options{
Creds: credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""),
Creds: mcreds,
Secure: globalIsTLS,
Transport: globalRemoteFTPClientTransport,
})
}
func (f *sftpDriver) AccessKey() string {
if _, ok := f.permissions.CriticalOptions["accessKey"]; !ok {
return f.permissions.CriticalOptions[ldapUserN]
}
return f.permissions.CriticalOptions["accessKey"]
return f.permissions.CriticalOptions["AccessKey"]
}
func (f *sftpDriver) Fileread(r *sftp.Request) (ra io.ReaderAt, err error) {

View File

@ -1,4 +1,4 @@
// Copyright (c) 2015-2023 MinIO, Inc.
// Copyright (c) 2015-2024 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
@ -18,7 +18,6 @@
package cmd
import (
"bytes"
"context"
"crypto/subtle"
"errors"
@ -29,18 +28,15 @@ import (
"strings"
"time"
"github.com/minio/madmin-go/v3"
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/logger"
xldap "github.com/minio/pkg/v3/ldap"
xsftp "github.com/minio/pkg/v3/sftp"
"github.com/pkg/sftp"
"golang.org/x/crypto/ssh"
)
type sftpLogger struct{}
func (s *sftpLogger) Info(tag xsftp.LogType, msg string) {
logger.Info(msg)
}
const (
kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
@ -58,6 +54,16 @@ const (
tripledescbcID = "3des-cbc"
)
var (
errSFTPPublicKeyBadFormat = errors.New("the public key provided could not be parsed")
errSFTPUserHasNoPolicies = errors.New("no policies present on this account")
errSFTPLDAPNotEnabled = errors.New("ldap authentication is not enabled")
)
// if the sftp parameter --trusted-user-ca-key is set, then
// the final form of the key file will be set as this variable.
var caPublicKey ssh.PublicKey
// https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.22.0:ssh/common.go;l=46
// preferredKexAlgos specifies the default preference for key-exchange
// algorithms in preference order. The diffie-hellman-group16-sha512 algorithm
@ -120,6 +126,226 @@ var supportedMACs = []string{
"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
}
func sshPubKeyAuth(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
return authenticateSSHConnection(c, key, nil)
}
func sshPasswordAuth(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
return authenticateSSHConnection(c, nil, pass)
}
func authenticateSSHConnection(c ssh.ConnMetadata, key ssh.PublicKey, pass []byte) (*ssh.Permissions, error) {
user, found := strings.CutSuffix(c.User(), "=ldap")
if found {
if !globalIAMSys.LDAPConfig.Enabled() {
return nil, errSFTPLDAPNotEnabled
}
return processLDAPAuthentication(key, pass, user)
}
user, found = strings.CutSuffix(c.User(), "=svc")
if found {
goto internalAuth
}
if globalIAMSys.LDAPConfig.Enabled() {
perms, _ := processLDAPAuthentication(key, pass, user)
if perms != nil {
return perms, nil
}
}
internalAuth:
ui, ok := globalIAMSys.GetUser(context.Background(), user)
if !ok {
return nil, errNoSuchUser
}
if caPublicKey != nil {
err := validateKey(c, key)
if err != nil {
return nil, errAuthentication
}
} else {
// Temporary credentials are not allowed.
if ui.Credentials.IsTemp() {
return nil, errAuthentication
}
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) != 1 {
return nil, errAuthentication
}
}
return &ssh.Permissions{
CriticalOptions: map[string]string{
"AccessKey": ui.Credentials.AccessKey,
"SecretKey": ui.Credentials.SecretKey,
"SessionToken": ui.Credentials.SessionToken,
},
Extensions: make(map[string]string),
}, nil
}
func processLDAPAuthentication(key ssh.PublicKey, pass []byte, user string) (perms *ssh.Permissions, err error) {
var lookupResult *xldap.DNSearchResult
var targetGroups []string
if pass == nil && key == nil {
return nil, errAuthentication
}
if pass != nil {
sa, _, err := globalIAMSys.getServiceAccount(context.Background(), user)
if err == nil {
if subtle.ConstantTimeCompare([]byte(sa.Credentials.SecretKey), pass) != 1 {
return nil, errAuthentication
}
return &ssh.Permissions{
CriticalOptions: map[string]string{
"AccessKey": sa.Credentials.AccessKey,
"SecretKey": sa.Credentials.SecretKey,
"SessionToken": sa.Credentials.SessionToken,
},
Extensions: make(map[string]string),
}, nil
}
if !errors.Is(err, errNoSuchServiceAccount) {
return nil, err
}
lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.Bind(user, string(pass))
if err != nil {
return nil, err
}
} else if key != nil {
lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(user)
if err != nil {
return nil, err
}
}
if lookupResult == nil {
return nil, errNoSuchUser
}
ldapPolicies, _ := globalIAMSys.PolicyDBGet(lookupResult.NormDN, targetGroups...)
if len(ldapPolicies) == 0 {
return nil, errSFTPUserHasNoPolicies
}
claims := make(map[string]interface{})
for attribKey, attribValue := range lookupResult.Attributes {
// we skip multi-value attributes here, as they cannot
// be stored in the critical options.
if len(attribValue) != 1 {
continue
}
if attribKey == "sshPublicKey" && key != nil {
key2, _, _, _, err := ssh.ParseAuthorizedKey([]byte(attribValue[0]))
if err != nil {
return nil, errSFTPPublicKeyBadFormat
}
if subtle.ConstantTimeCompare(key2.Marshal(), key.Marshal()) != 1 {
return nil, errAuthentication
}
}
claims[ldapAttribPrefix+attribKey] = attribValue[0]
}
expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration("")
if err != nil {
return nil, err
}
claims[expClaim] = UTCNow().Add(expiryDur).Unix()
claims[ldapUserN] = user
claims[ldapUser] = lookupResult.NormDN
cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
if err != nil {
return nil, err
}
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
cred.ParentUser = lookupResult.NormDN
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups
cred.Groups = targetGroups
// Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping.
updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
if err != nil {
return nil, err
}
replLogIf(context.Background(), globalSiteReplicationSys.IAMChangeHook(context.Background(), madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
},
UpdatedAt: updatedAt,
}))
return &ssh.Permissions{
CriticalOptions: map[string]string{
"AccessKey": cred.AccessKey,
"SecretKey": cred.SecretKey,
"SessionToken": cred.SessionToken,
},
Extensions: make(map[string]string),
}, nil
}
func validateKey(c ssh.ConnMetadata, clientKey ssh.PublicKey) (err error) {
if caPublicKey == nil {
return errors.New("public key authority validation requested but no ca public key specified.")
}
cert, ok := clientKey.(*ssh.Certificate)
if !ok {
return errSftpPublicKeyWithoutCert
}
// ssh.CheckCert called by ssh.Authenticate accepts certificates
// with empty principles list so we block those in here.
if len(cert.ValidPrincipals) == 0 {
return errSftpCertWithoutPrincipals
}
// Verify that certificate provided by user is issued by trusted CA,
// username in authentication request matches to identities in certificate
// and that certificate type is correct.
checker := ssh.CertChecker{}
checker.IsUserAuthority = func(k ssh.PublicKey) bool {
return subtle.ConstantTimeCompare(caPublicKey.Marshal(), k.Marshal()) == 1
}
_, err = checker.Authenticate(c, clientKey)
return
}
type sftpLogger struct{}
func (s *sftpLogger) Info(tag xsftp.LogType, msg string) {
logger.Info(msg)
}
func (s *sftpLogger) Error(tag xsftp.LogType, err error) {
switch tag {
case xsftp.AcceptNetworkError:
@ -160,16 +386,19 @@ func filterAlgos(arg string, want []string, allowed []string) []string {
func startSFTPServer(args []string) {
var (
port int
publicIP string
sshPrivateKey string
userCaKeyFile string
port int
publicIP string
sshPrivateKey string
userCaKeyFile string
disablePassAuth bool
)
allowPubKeys := supportedPubKeyAuthAlgos
allowKexAlgos := preferredKexAlgos
allowCiphers := preferredCiphers
allowMACs := supportedMACs
var err error
for _, arg := range args {
tokens := strings.SplitN(arg, "=", 2)
if len(tokens) != 2 {
@ -201,6 +430,8 @@ func startSFTPServer(args []string) {
allowMACs = filterAlgos(arg, strings.Split(tokens[1], ","), supportedMACs)
case "trusted-user-ca-key":
userCaKeyFile = tokens[1]
case "password-auth":
disablePassAuth, _ = strconv.ParseBool(tokens[1])
}
}
@ -222,6 +453,18 @@ func startSFTPServer(args []string) {
logger.Fatal(fmt.Errorf("invalid arguments passed, private key file is not parseable: %v", err), "unable to start SFTP server")
}
if userCaKeyFile != "" {
keyBytes, err := os.ReadFile(userCaKeyFile)
if err != nil {
logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not accessible: %v", err), "unable to start SFTP server")
}
caPublicKey, _, _, _, err = ssh.ParseAuthorizedKey(keyBytes)
if err != nil {
logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not parseable: %v", err), "unable to start SFTP server")
}
}
// An SSH server is represented by a ServerConfig, which holds
// certificate details and handles authentication of ServerConns.
sshConfig := &ssh.ServerConfig{
@ -231,116 +474,13 @@ func startSFTPServer(args []string) {
MACs: allowMACs,
},
PublicKeyAuthAlgorithms: allowPubKeys,
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
if globalIAMSys.LDAPConfig.Enabled() {
sa, _, err := globalIAMSys.getServiceAccount(context.Background(), c.User())
if err != nil && !errors.Is(err, errNoSuchServiceAccount) {
return nil, err
}
if errors.Is(err, errNoSuchServiceAccount) {
lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.Bind(c.User(), string(pass))
if err != nil {
return nil, err
}
targetUser := lookupResult.NormDN
ldapPolicies, _ := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
if len(ldapPolicies) == 0 {
return nil, errAuthentication
}
criticalOptions := map[string]string{
ldapUser: targetUser,
ldapActualUser: lookupResult.ActualDN,
ldapUserN: c.User(),
}
for attribKey, attribValue := range lookupResult.Attributes {
// we skip multi-value attributes here, as they cannot
// be stored in the critical options.
if len(attribValue) == 1 {
criticalOptions[ldapAttribPrefix+attribKey] = attribValue[0]
}
}
return &ssh.Permissions{
CriticalOptions: criticalOptions,
Extensions: make(map[string]string),
}, nil
}
if subtle.ConstantTimeCompare([]byte(sa.Credentials.SecretKey), pass) == 1 {
return &ssh.Permissions{
CriticalOptions: map[string]string{
"accessKey": c.User(),
},
Extensions: make(map[string]string),
}, nil
}
return nil, errAuthentication
}
ui, ok := globalIAMSys.GetUser(context.Background(), c.User())
if !ok {
return nil, errNoSuchUser
}
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) == 1 {
return &ssh.Permissions{
CriticalOptions: map[string]string{
"accessKey": c.User(),
},
Extensions: make(map[string]string),
}, nil
}
return nil, errAuthentication
},
PublicKeyCallback: sshPubKeyAuth,
}
if userCaKeyFile != "" {
keyBytes, err := os.ReadFile(userCaKeyFile)
if err != nil {
logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not accessible: %v", err), "unable to start SFTP server")
}
caPublicKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
if err != nil {
logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not parseable: %v", err), "unable to start SFTP server")
}
sshConfig.PublicKeyCallback = func(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
_, ok := globalIAMSys.GetUser(context.Background(), c.User())
if !ok {
return nil, errNoSuchUser
}
// Verify that client provided certificate, not only public key.
cert, ok := key.(*ssh.Certificate)
if !ok {
return nil, errSftpPublicKeyWithoutCert
}
// ssh.CheckCert called by ssh.Authenticate accepts certificates
// with empty principles list so we block those in here.
if len(cert.ValidPrincipals) == 0 {
return nil, errSftpCertWithoutPrincipals
}
// Verify that certificate provided by user is issued by trusted CA,
// username in authentication request matches to identities in certificate
// and that certificate type is correct.
checker := ssh.CertChecker{}
checker.IsUserAuthority = func(k ssh.PublicKey) bool {
return bytes.Equal(k.Marshal(), caPublicKey.Marshal())
}
_, err = checker.Authenticate(c, key)
if err != nil {
return nil, err
}
return &ssh.Permissions{
CriticalOptions: map[string]string{
"accessKey": c.User(),
},
Extensions: make(map[string]string),
}, nil
}
if !disablePassAuth {
sshConfig.PasswordCallback = sshPasswordAuth
} else {
sshConfig.PasswordCallback = nil
}
sshConfig.AddHostKey(private)

289
cmd/sftp-server_test.go Normal file
View File

@ -0,0 +1,289 @@
// Copyright (c) 2015-2024 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package cmd
import (
"context"
"errors"
"fmt"
"net"
"os"
"testing"
"github.com/minio/madmin-go/v3"
"golang.org/x/crypto/ssh"
)
type MockConnMeta struct {
username string
}
func (m *MockConnMeta) User() string {
return m.username
}
func (m *MockConnMeta) SessionID() []byte {
return []byte{}
}
func (m *MockConnMeta) ClientVersion() []byte {
return []byte{}
}
func (m *MockConnMeta) ServerVersion() []byte {
return []byte{}
}
func (m *MockConnMeta) RemoteAddr() net.Addr {
return nil
}
func (m *MockConnMeta) LocalAddr() net.Addr {
return nil
}
func newSSHConnMock(username string) ssh.ConnMetadata {
return &MockConnMeta{username: username}
}
func TestSFTPAuthentication(t *testing.T) {
for i, testCase := range iamTestSuites {
t.Run(
fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),
func(t *testing.T) {
c := &check{t, testCase.serverType}
suite := testCase
suite.SetUpSuite(c)
suite.SFTPServiceAccountLogin(c)
suite.SFTPInvalidServiceAccountPassword(c)
// LDAP tests
ldapServer := os.Getenv(EnvTestLDAPServer)
if ldapServer == "" {
c.Skipf("Skipping LDAP test as no LDAP server is provided via %s", EnvTestLDAPServer)
}
suite.SetUpLDAP(c, ldapServer)
suite.SFTPFailedAuthDueToMissingPolicy(c)
suite.SFTPFailedAuthDueToInvalidUser(c)
suite.SFTPFailedForcedServiceAccountAuthOnLDAPUser(c)
suite.SFTPFailedAuthDueToInvalidPassword(c)
suite.SFTPValidLDAPLoginWithPassword(c)
suite.SFTPPublicKeyAuthentication(c)
suite.SFTPFailedPublicKeyAuthenticationInvalidKey(c)
suite.TearDownSuite(c)
},
)
}
}
func (s *TestSuiteIAM) SFTPFailedPublicKeyAuthenticationInvalidKey(c *check) {
keyBytes, err := os.ReadFile("./testdata/invalid_test_key.pub")
if err != nil {
c.Fatalf("could not read test key file: %s", err)
}
testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
if err != nil {
c.Fatalf("could not parse test key file: %s", err)
}
newSSHCon := newSSHConnMock("dillon=ldap")
_, err = sshPubKeyAuth(newSSHCon, testKey)
if err == nil || !errors.Is(err, errAuthentication) {
c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
}
newSSHCon = newSSHConnMock("dillon")
_, err = sshPubKeyAuth(newSSHCon, testKey)
if err == nil || !errors.Is(err, errNoSuchUser) {
c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
}
}
func (s *TestSuiteIAM) SFTPPublicKeyAuthentication(c *check) {
keyBytes, err := os.ReadFile("./testdata/dillon_test_key.pub")
if err != nil {
c.Fatalf("could not read test key file: %s", err)
}
testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
if err != nil {
c.Fatalf("could not parse test key file: %s", err)
}
newSSHCon := newSSHConnMock("dillon=ldap")
_, err = sshPubKeyAuth(newSSHCon, testKey)
if err != nil {
c.Fatalf("expected no error but got(%s)", err)
}
newSSHCon = newSSHConnMock("dillon")
_, err = sshPubKeyAuth(newSSHCon, testKey)
if err != nil {
c.Fatalf("expected no error but got(%s)", err)
}
}
func (s *TestSuiteIAM) SFTPFailedAuthDueToMissingPolicy(c *check) {
newSSHCon := newSSHConnMock("dillon=ldap")
_, err := sshPasswordAuth(newSSHCon, []byte("dillon"))
if err == nil || !errors.Is(err, errSFTPUserHasNoPolicies) {
c.Fatalf("expected err(%s) but got (%s)", errSFTPUserHasNoPolicies, err)
}
newSSHCon = newSSHConnMock("dillon")
_, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
if err == nil || !errors.Is(err, errNoSuchUser) {
c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
}
}
func (s *TestSuiteIAM) SFTPFailedAuthDueToInvalidUser(c *check) {
newSSHCon := newSSHConnMock("dillon_error")
_, err := sshPasswordAuth(newSSHCon, []byte("dillon_error"))
if err == nil || !errors.Is(err, errNoSuchUser) {
c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
}
}
func (s *TestSuiteIAM) SFTPFailedForcedServiceAccountAuthOnLDAPUser(c *check) {
newSSHCon := newSSHConnMock("dillon=svc")
_, err := sshPasswordAuth(newSSHCon, []byte("dillon"))
if err == nil || !errors.Is(err, errNoSuchUser) {
c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
}
}
func (s *TestSuiteIAM) SFTPFailedAuthDueToInvalidPassword(c *check) {
newSSHCon := newSSHConnMock("dillon")
_, err := sshPasswordAuth(newSSHCon, []byte("dillon_error"))
if err == nil || !errors.Is(err, errNoSuchUser) {
c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
}
}
func (s *TestSuiteIAM) SFTPInvalidServiceAccountPassword(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()
accessKey, secretKey := mustGenerateCredentials(c)
err := s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
if err != nil {
c.Fatalf("Unable to set user: %v", err)
}
err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false)
if err != nil {
c.Fatalf("unable to set policy: %v", err)
}
newSSHCon := newSSHConnMock(accessKey + "=svc")
_, err = sshPasswordAuth(newSSHCon, []byte("invalid"))
if err == nil || !errors.Is(err, errAuthentication) {
c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
}
newSSHCon = newSSHConnMock(accessKey)
_, err = sshPasswordAuth(newSSHCon, []byte("invalid"))
if err == nil || !errors.Is(err, errAuthentication) {
c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
}
}
func (s *TestSuiteIAM) SFTPServiceAccountLogin(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()
accessKey, secretKey := mustGenerateCredentials(c)
err := s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
if err != nil {
c.Fatalf("Unable to set user: %v", err)
}
err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false)
if err != nil {
c.Fatalf("unable to set policy: %v", err)
}
newSSHCon := newSSHConnMock(accessKey + "=svc")
_, err = sshPasswordAuth(newSSHCon, []byte(secretKey))
if err != nil {
c.Fatalf("expected no error but got (%s)", err)
}
newSSHCon = newSSHConnMock(accessKey)
_, err = sshPasswordAuth(newSSHCon, []byte(secretKey))
if err != nil {
c.Fatalf("expected no error but got (%s)", err)
}
}
func (s *TestSuiteIAM) SFTPValidLDAPLoginWithPassword(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel()
// we need to do this so that the user has a policy before authentication.
// ldap user accounts without policies are denied access in sftp.
policy := "mypolicy"
policyBytes := []byte(`{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKET/*"
]
}
]
}`)
err := s.adm.AddCannedPolicy(ctx, policy, policyBytes)
if err != nil {
c.Fatalf("policy add error: %v", err)
}
userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
err = s.adm.SetPolicy(ctx, policy, userDN, false)
if err != nil {
c.Fatalf("Unable to set policy: %v", err)
}
newSSHCon := newSSHConnMock("dillon=ldap")
_, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
if err != nil {
c.Fatal("Password authentication failed for user (dillon):", err)
}
newSSHCon = newSSHConnMock("dillon")
_, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
if err != nil {
c.Fatal("Password authentication failed for user (dillon):", err)
}
}

1
cmd/testdata/dillon_test_key.pub vendored Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVGk/SRz4fwTPK0+Ra7WYUGf3o08YkpI0yTMPpHwYoq dillon@example.io

1
cmd/testdata/invalid_test_key.pub vendored Normal file
View File

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDES4saDDRpoHDVmiYESEQrCYhw8EK7Utj/A/lqxiqZlP6Il3aN2fWu6uJQdWAovZxNeXUf8LIujisW1mJWGZPql0SLKVq6IZ707OAGmKA59IXfF5onRoU9+K4UDL7BJFfix6/3F5OV2WB3ChFrOrXhJ0CZ0sVAfGcV4q72kS19YjZNX3fqCc2HF8UQEaZGKIkw5MtdZI9a1P2bqnPuPGJybRFUzyoQXPge45QT5jnpcsAXOuXcGxbjuqaaHXFNTSKAkCU93TcjAbqUMkTz2mnFz/MnrKJTECN3Fy0GPCCQ5dxmG8p8DyMiNl7JYkX2r3XYgxmioCzkcg8fDs5p0CaQcipu+MA7iK7APKq7v4Zr/wNltXHI3DE9S8J88Hxb2FZAyEhCRfcgGmCVfoZxVNCRHNkGYzfe63BkxtnseUCzpYEhKv02H5u9rjFpdMY37kDfHDVqBbgutdMij+tQAEp1kyqi6TQL+4XHjPHkLaeekW07yB+VI90dK1A9dzTpOvE= liza@example.io