Fix updateGroupMembershipsForLDAP behavior with unicode (#20137)

Taran Pelkey 2024-07-23 19:10:03 -07:00 committed by GitHub
parent 0680af7414
commit b368d4cc13


@ -1442,11 +1442,13 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
// 1. Collect all LDAP users with active creds. // 1. Collect all LDAP users with active creds.
allCreds := sys.store.GetSTSAndServiceAccounts() allCreds := sys.store.GetSTSAndServiceAccounts()
// List of unique LDAP (parent) user DNs that have active creds // List of unique LDAP (parent) user DNs that have active creds
var parentUsers []string var parentUserActualDNList []string
// Map of LDAP user to list of active credential objects // Map of LDAP user (internal representation) to list of active credential objects
parentUserToCredsMap := make(map[string][]auth.Credentials) parentUserToCredsMap := make(map[string][]auth.Credentials)
// DN to ldap username mapping for each LDAP user // DN to ldap username mapping for each LDAP user
parentUserToLDAPUsernameMap := make(map[string]string) actualDNToLDAPUsernameMap := make(map[string]string)
// External (actual) LDAP DN to internal normalized representation
actualDNToParentUserMap := make(map[string]string)
for _, cred := range allCreds { for _, cred := range allCreds {
// Expired credentials don't need parent user updates. // Expired credentials don't need parent user updates.
if cred.IsExpired() { if cred.IsExpired() {
@ -1489,25 +1491,28 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
continue continue
} }
ldapUsername, ok := jwtClaims.Lookup(ldapUserN) ldapUsername, okUserN := jwtClaims.Lookup(ldapUserN)
if !ok { ldapActualDN, okDN := jwtClaims.Lookup(ldapActualUser)
if !okUserN || !okDN {
// skip this cred - we dont have the // skip this cred - we dont have the
// username info needed // username info needed
continue continue
} }
// Collect each new cred.ParentUser into parentUsers // Collect each new cred.ParentUser into parentUsers
parentUsers = append(parentUsers, cred.ParentUser) parentUserActualDNList = append(parentUserActualDNList, ldapActualDN)
// Update the ldapUsernameMap // Update the ldapUsernameMap
parentUserToLDAPUsernameMap[cred.ParentUser] = ldapUsername actualDNToLDAPUsernameMap[ldapActualDN] = ldapUsername
// Update the actualDNToParentUserMap
actualDNToParentUserMap[ldapActualDN] = cred.ParentUser
} }
parentUserToCredsMap[cred.ParentUser] = append(parentUserToCredsMap[cred.ParentUser], cred) parentUserToCredsMap[cred.ParentUser] = append(parentUserToCredsMap[cred.ParentUser], cred)
} }
// 2. Query LDAP server for groups of the LDAP users collected. // 2. Query LDAP server for groups of the LDAP users collected.
updatedGroups, err := sys.LDAPConfig.LookupGroupMemberships(parentUsers, parentUserToLDAPUsernameMap) updatedGroups, err := sys.LDAPConfig.LookupGroupMemberships(parentUserActualDNList, actualDNToLDAPUsernameMap)
if err != nil { if err != nil {
// Log and return on error - perhaps it'll work the next time. // Log and return on error - perhaps it'll work the next time.
iamLogIf(GlobalContext, err) iamLogIf(GlobalContext, err)
@ -1515,8 +1520,9 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
} }
// 3. Update creds for those users whose groups are changed // 3. Update creds for those users whose groups are changed
for _, parentUser := range parentUsers { for _, parentActualDN := range parentUserActualDNList {
currGroupsSet := updatedGroups[parentUser] currGroupsSet := updatedGroups[parentActualDN]
parentUser := actualDNToParentUserMap[parentActualDN]
currGroups := currGroupsSet.ToSlice() currGroups := currGroupsSet.ToSlice()
for _, cred := range parentUserToCredsMap[parentUser] { for _, cred := range parentUserToCredsMap[parentUser] {
gSet := set.CreateStringSet(cred.Groups...) gSet := set.CreateStringSet(cred.Groups...)
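Review bot: In the second hunk a credential whose session claims lack `ldapActualUser` is now dropped from the refresh entirely, so if any existing STS or service-account credentials were issued before that claim was recorded in the token, their cached `Groups` are never reconciled with LDAP until they expire — stale group-based policy is precisely the condition this sweep exists to clear. I cannot tell from the hunk whether the claim is guaranteed present on every non-expired credential; if it is not, a fallback to the previous lookup key, `if !okDN { ldapActualDN = cred.ParentUser }`, or at least an `iamLogIf`-style log of the skip, would keep such credentials from silently falling out of the sweep. The comments `// Collect each new cred.ParentUser into parentUsers` and `// Update the ldapUsernameMap` still describe the old variables and should read `// Collect each new actual DN into parentUserActualDNList` and `// Update the actualDNToLDAPUsernameMap`. updateGroupMembershipsForLDAP starts before the first hunk and continues past the last one.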