fix: generating service accounts for group only LDAP accounts (#12318)

fixes #12315
This commit is contained in:
Harshavardhana 2021-05-18 15:19:20 -07:00 committed by GitHub
parent 82c53ac260
commit bb7fbcdc09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 34 additions and 63 deletions

View File

@ -28,7 +28,6 @@ import (
"github.com/minio/madmin-go"
"github.com/minio/minio/cmd/config"
"github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/kms"
etcd "go.etcd.io/etcd/clientv3"
)
@ -64,23 +63,6 @@ func checkBackendEncrypted(objAPI ObjectLayer) (bool, error) {
return err == nil && bytes.Equal(data, backendEncryptedMigrationComplete), nil
}
// decryptData - decrypts input data with more that one credentials,
func decryptData(edata []byte, creds ...auth.Credentials) ([]byte, error) {
var err error
var data []byte
for _, cred := range creds {
data, err = madmin.DecryptData(cred.String(), bytes.NewReader(edata))
if err != nil {
if err == madmin.ErrMaliciousData {
continue
}
return nil, err
}
break
}
return data, err
}
func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client) error {
encrypted, err := checkBackendEtcdEncrypted(ctx, client)
if err != nil {
@ -115,7 +97,7 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
}
if !utf8.Valid(data) {
data, err = decryptData(data, globalActiveCred)
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err)
}
@ -170,7 +152,7 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
}
if !utf8.Valid(data) {
data, err = decryptData(data, globalActiveCred)
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err)
}

View File

@ -49,17 +49,17 @@ func TestDecryptData(t *testing.T) {
tests := []struct {
edata []byte
creds []auth.Credentials
cred auth.Credentials
success bool
}{
{edata1, []auth.Credentials{cred1, cred2}, true},
{edata2, []auth.Credentials{cred1, cred2}, true},
{data, []auth.Credentials{cred1, cred2}, false},
{edata1, cred1, true},
{edata2, cred2, true},
{data, cred1, false},
}
for _, test := range tests {
t.Run("", func(t *testing.T) {
ddata, err := decryptData(test.edata, test.creds...)
ddata, err := madmin.DecryptData(test.cred.String(), bytes.NewReader(test.edata))
if err != nil && test.success {
t.Errorf("Expected success, saw failure %v", err)
}

View File

@ -18,7 +18,6 @@
package cmd
import (
"bytes"
"context"
"encoding/json"
"errors"
@ -30,7 +29,6 @@ import (
jwtgo "github.com/dgrijalva/jwt-go"
jsoniter "github.com/json-iterator/go"
"github.com/minio/madmin-go"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/cmd/config"
"github.com/minio/minio/cmd/logger"
@ -107,22 +105,12 @@ func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, it
func getIAMConfig(item interface{}, data []byte, itemPath string) error {
var err error
if !utf8.Valid(data) {
if GlobalKMS != nil {
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, itemPath),
})
if err != nil {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return err
}
}
} else {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return err
}
if !utf8.Valid(data) && GlobalKMS != nil {
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, itemPath),
})
if err != nil {
return err
}
}
var json = jsoniter.ConfigCompatibleWithStandardLibrary

View File

@ -18,9 +18,7 @@
package cmd
import (
"bytes"
"context"
"encoding/json"
"errors"
"path"
"strings"
@ -29,7 +27,6 @@ import (
"unicode/utf8"
jsoniter "github.com/json-iterator/go"
"github.com/minio/madmin-go"
"github.com/minio/minio/cmd/config"
"github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth"
@ -171,6 +168,7 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error {
case errConfigNotFound:
// Need to migrate to V1.
default:
// if IAM format
return err
}
} else {
@ -207,6 +205,7 @@ func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error {
}
func (iamOS *IAMObjectStore) saveIAMConfig(ctx context.Context, item interface{}, objPath string, opts ...options) error {
var json = jsoniter.ConfigCompatibleWithStandardLibrary
data, err := json.Marshal(item)
if err != nil {
return err
@ -227,22 +226,12 @@ func (iamOS *IAMObjectStore) loadIAMConfig(ctx context.Context, item interface{}
if err != nil {
return err
}
if !utf8.Valid(data) {
if GlobalKMS != nil {
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, objPath),
})
if err != nil {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return err
}
}
} else {
data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
if err != nil {
return err
}
if !utf8.Valid(data) && GlobalKMS != nil {
data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
minioMetaBucket: path.Join(minioMetaBucket, objPath),
})
if err != nil {
return err
}
}
var json = jsoniter.ConfigCompatibleWithStandardLibrary

View File

@ -1135,6 +1135,13 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
if err != nil {
return auth.Credentials{}, err
}
for _, group := range groups {
gpolicies, err := sys.policyDBGet(group, true)
if err != nil && err != errNoSuchGroup {
return auth.Credentials{}, err
}
policies = append(policies, gpolicies...)
}
if len(policies) == 0 {
return auth.Credentials{}, errNoSuchUser
}
@ -1896,6 +1903,9 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er
var parentName string
u, ok := sys.iamUsersMap[name]
if ok {
if !u.IsValid() {
return nil, nil
}
parentName = u.ParentUser
}

View File

@ -545,6 +545,8 @@ func serverMain(ctx *cli.Context) {
if errors.Is(err, context.Canceled) {
logger.FatalIf(err, "Server startup canceled upon user request")
}
logger.LogIf(GlobalContext, err)
}
if globalIsErasure { // to be done after config init

View File

@ -236,7 +236,7 @@ $ export MINIO_ROOT_PASSWORD=minio123
$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636'
$ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=%s,ou=Users,ou=BUS1,ou=LOB,dc=somedomain,dc=com;cn=%s,ou=Users,ou=BUS2,ou=LOB,dc=somedomain,dc=com'
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local;dc=somedomain,dc=com'
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=%s))'
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=groupOfNames)(member=%d))'
$ minio server ~/test
```
You can make sure it works appropriately using our [example program](https://raw.githubusercontent.com/minio/minio/master/docs/sts/ldap.go):