fix: Add support for DurationSeconds in LDAP STS API (#12778)

2025-11-07 12:52:58 -05:00 · 2021-07-22 12:13:21 -07:00
parent 17a37241f0
commit a3079a7de2
3 changed files with 70 additions and 6 deletions
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -24,10 +24,12 @@ import (
 	"fmt"
 	"math/rand"
 	"net"
+	"strconv"
 	"strings"
 	"time"

 	ldap "github.com/go-ldap/ldap/v3"
+	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
 	"github.com/minio/pkg/env"
 )
@@ -36,6 +38,9 @@ const (
 	defaultLDAPExpiry = time.Hour * 1

 	dnDelimiter = ";"
+
+	minLDAPExpiry time.Duration = 15 * time.Minute
+	maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
 )

 // Config contains AD/LDAP server connectivity information.
@@ -416,8 +421,22 @@ func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
 }

 // GetExpiryDuration - return parsed expiry duration.
-func (l Config) GetExpiryDuration() time.Duration {
-	return l.stsExpiryDuration
+func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
+	if dsecs == "" {
+		return l.stsExpiryDuration, nil
+	}
+
+	d, err := strconv.Atoi(dsecs)
+	if err != nil {
+		return 0, auth.ErrInvalidDuration
+	}
+
+	dur := time.Duration(d) * time.Second
+
+	if dur < minLDAPExpiry || dur > maxLDAPExpiry {
+		return 0, auth.ErrInvalidDuration
+	}
+	return dur, nil
 }

 func (l Config) testConnection() error {
@@ -538,8 +557,11 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
 		if err != nil {
 			return l, errors.New("LDAP expiry time err:" + err.Error())
 		}
-		if expDur <= 0 {
-			return l, errors.New("LDAP expiry time has to be positive")
+		if expDur < minLDAPExpiry {
+			return l, fmt.Errorf("LDAP expiry time must be at least %s", minLDAPExpiry)
+		}
+		if expDur > maxLDAPExpiry {
+			return l, fmt.Errorf("LDAP expiry time may not exceed %s", maxLDAPExpiry)
 		}
 		l.STSExpiryDuration = v
 		l.stsExpiryDuration = expDur