Add LDAP public key authentication to SFTP (#19833)

cmd/sftp-server-driver.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2015-2023 MinIO, Inc.
+// Copyright (c) 2015-2024 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -32,7 +32,6 @@ import (
 	"github.com/minio/madmin-go/v3"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	"github.com/minio/minio/internal/auth"
 	xioutil "github.com/minio/minio/internal/ioutil"
 	"github.com/minio/pkg/v3/mimedb"
 	"github.com/pkg/sftp"
@@ -101,103 +100,20 @@ func NewSFTPDriver(perms *ssh.Permissions) sftp.Handlers {
 }
 
 func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
-	ui, ok := globalIAMSys.GetUser(context.Background(), f.AccessKey())
-	if !ok && !globalIAMSys.LDAPConfig.Enabled() {
-		return nil, errNoSuchUser
-	}
-	if !ok && globalIAMSys.LDAPConfig.Enabled() {
-		sa, _, err := globalIAMSys.getServiceAccount(context.Background(), f.AccessKey())
-		if err != nil && !errors.Is(err, errNoSuchServiceAccount) {
-			return nil, err
-		}
-		var mcreds *credentials.Credentials
-		if errors.Is(err, errNoSuchServiceAccount) {
-			lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(f.AccessKey())
-			if err != nil {
-				return nil, err
-			}
-			expiryDur, err := globalIAMSys.LDAPConfig.GetExpiryDuration("")
-			if err != nil {
-				return nil, err
-			}
-			claims := make(map[string]interface{})
-			claims[expClaim] = UTCNow().Add(expiryDur).Unix()
-			for k, v := range f.permissions.CriticalOptions {
-				claims[k] = v
-			}
-
-			// Set LDAP claims.
-			claims[ldapUserN] = f.AccessKey()
-			claims[ldapUser] = lookupResult.NormDN
-			// Add LDAP attributes that were looked up into the claims.
-			for attribKey, attribValue := range lookupResult.Attributes {
-				claims[ldapAttribPrefix+attribKey] = attribValue
-			}
-
-			cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
-			if err != nil {
-				return nil, err
-			}
-
-			// Set the parent of the temporary access key, this is useful
-			// in obtaining service accounts by this cred.
-			cred.ParentUser = lookupResult.NormDN
-
-			// Set this value to LDAP groups, LDAP user can be part
-			// of large number of groups
-			cred.Groups = targetGroups
-
-			// Set the newly generated credentials, policyName is empty on purpose
-			// LDAP policies are applied automatically using their ldapUser, ldapGroups
-			// mapping.
-			updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
-			if err != nil {
-				return nil, err
-			}
-
-			// Call hook for site replication.
-			replLogIf(context.Background(), globalSiteReplicationSys.IAMChangeHook(context.Background(), madmin.SRIAMItem{
-				Type: madmin.SRIAMItemSTSAcc,
-				STSCredential: &madmin.SRSTSCredential{
-					AccessKey:    cred.AccessKey,
-					SecretKey:    cred.SecretKey,
-					SessionToken: cred.SessionToken,
-					ParentUser:   cred.ParentUser,
-				},
-				UpdatedAt: updatedAt,
-			}))
-
-			mcreds = credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken)
-		} else {
-			mcreds = credentials.NewStaticV4(sa.Credentials.AccessKey, sa.Credentials.SecretKey, "")
-		}
-
-		return minio.New(f.endpoint, &minio.Options{
-			Creds:     mcreds,
-			Secure:    globalIsTLS,
-			Transport: globalRemoteFTPClientTransport,
-		})
-	}
-
-	// ok == true - at this point
-
-	if ui.Credentials.IsTemp() {
-		// Temporary credentials are not allowed.
-		return nil, errAuthentication
-	}
-
+	mcreds := credentials.NewStaticV4(
+		f.permissions.CriticalOptions["AccessKey"],
+		f.permissions.CriticalOptions["SecretKey"],
+		f.permissions.CriticalOptions["SessionToken"],
+	)
 	return minio.New(f.endpoint, &minio.Options{
-		Creds:     credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""),
+		Creds:     mcreds,
 		Secure:    globalIsTLS,
 		Transport: globalRemoteFTPClientTransport,
 	})
 }
 
 func (f *sftpDriver) AccessKey() string {
-	if _, ok := f.permissions.CriticalOptions["accessKey"]; !ok {
-		return f.permissions.CriticalOptions[ldapUserN]
-	}
-	return f.permissions.CriticalOptions["accessKey"]
+	return f.permissions.CriticalOptions["AccessKey"]
 }
 
 func (f *sftpDriver) Fileread(r *sftp.Request) (ra io.ReaderAt, err error) {