From bb7fbcdc097eab852a3b72ab4fcc9f9260d64622 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Tue, 18 May 2021 15:19:20 -0700 Subject: [PATCH] fix: generating service accounts for group only LDAP accounts (#12318) fixes #12315 --- cmd/config-encrypted.go | 22 ++-------------------- cmd/config-encrypted_test.go | 10 +++++----- cmd/iam-etcd-store.go | 24 ++++++------------------ cmd/iam-object-store.go | 27 ++++++++------------------- cmd/iam.go | 10 ++++++++++ cmd/server-main.go | 2 ++ docs/sts/ldap.md | 2 +- 7 files changed, 34 insertions(+), 63 deletions(-) diff --git a/cmd/config-encrypted.go b/cmd/config-encrypted.go index 17274fbe1..d04b5fa91 100644 --- a/cmd/config-encrypted.go +++ b/cmd/config-encrypted.go @@ -28,7 +28,6 @@ import ( "github.com/minio/madmin-go" "github.com/minio/minio/cmd/config" "github.com/minio/minio/cmd/logger" - "github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/kms" etcd "go.etcd.io/etcd/clientv3" ) @@ -64,23 +63,6 @@ func checkBackendEncrypted(objAPI ObjectLayer) (bool, error) { return err == nil && bytes.Equal(data, backendEncryptedMigrationComplete), nil } -// decryptData - decrypts input data with more that one credentials, -func decryptData(edata []byte, creds ...auth.Credentials) ([]byte, error) { - var err error - var data []byte - for _, cred := range creds { - data, err = madmin.DecryptData(cred.String(), bytes.NewReader(edata)) - if err != nil { - if err == madmin.ErrMaliciousData { - continue - } - return nil, err - } - break - } - return data, err -} - func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client) error { encrypted, err := checkBackendEtcdEncrypted(ctx, client) if err != nil { @@ -115,7 +97,7 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client) } if !utf8.Valid(data) { - data, err = decryptData(data, globalActiveCred) + data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) if err != nil { return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err) } @@ -170,7 +152,7 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error { } if !utf8.Valid(data) { - data, err = decryptData(data, globalActiveCred) + data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) if err != nil { return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err) } diff --git a/cmd/config-encrypted_test.go b/cmd/config-encrypted_test.go index c7a281532..37e1ffe38 100644 --- a/cmd/config-encrypted_test.go +++ b/cmd/config-encrypted_test.go @@ -49,17 +49,17 @@ func TestDecryptData(t *testing.T) { tests := []struct { edata []byte - creds []auth.Credentials + cred auth.Credentials success bool }{ - {edata1, []auth.Credentials{cred1, cred2}, true}, - {edata2, []auth.Credentials{cred1, cred2}, true}, - {data, []auth.Credentials{cred1, cred2}, false}, + {edata1, cred1, true}, + {edata2, cred2, true}, + {data, cred1, false}, } for _, test := range tests { t.Run("", func(t *testing.T) { - ddata, err := decryptData(test.edata, test.creds...) + ddata, err := madmin.DecryptData(test.cred.String(), bytes.NewReader(test.edata)) if err != nil && test.success { t.Errorf("Expected success, saw failure %v", err) } diff --git a/cmd/iam-etcd-store.go b/cmd/iam-etcd-store.go index c32ce8b51..0671c43b7 100644 --- a/cmd/iam-etcd-store.go +++ b/cmd/iam-etcd-store.go @@ -18,7 +18,6 @@ package cmd import ( - "bytes" "context" "encoding/json" "errors" @@ -30,7 +29,6 @@ import ( jwtgo "github.com/dgrijalva/jwt-go" jsoniter "github.com/json-iterator/go" - "github.com/minio/madmin-go" "github.com/minio/minio-go/v7/pkg/set" "github.com/minio/minio/cmd/config" "github.com/minio/minio/cmd/logger" @@ -107,22 +105,12 @@ func (ies *IAMEtcdStore) saveIAMConfig(ctx context.Context, item interface{}, it func getIAMConfig(item interface{}, data []byte, itemPath string) error { var err error - if !utf8.Valid(data) { - if GlobalKMS != nil { - data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ - minioMetaBucket: path.Join(minioMetaBucket, itemPath), - }) - if err != nil { - data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) - if err != nil { - return err - } - } - } else { - data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) - if err != nil { - return err - } + if !utf8.Valid(data) && GlobalKMS != nil { + data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ + minioMetaBucket: path.Join(minioMetaBucket, itemPath), + }) + if err != nil { + return err } } var json = jsoniter.ConfigCompatibleWithStandardLibrary diff --git a/cmd/iam-object-store.go b/cmd/iam-object-store.go index 9fa3cbf1a..f087ee8f2 100644 --- a/cmd/iam-object-store.go +++ b/cmd/iam-object-store.go @@ -18,9 +18,7 @@ package cmd import ( - "bytes" "context" - "encoding/json" "errors" "path" "strings" @@ -29,7 +27,6 @@ import ( "unicode/utf8" jsoniter "github.com/json-iterator/go" - "github.com/minio/madmin-go" "github.com/minio/minio/cmd/config" "github.com/minio/minio/cmd/logger" "github.com/minio/minio/pkg/auth" @@ -171,6 +168,7 @@ func (iamOS *IAMObjectStore) migrateToV1(ctx context.Context) error { case errConfigNotFound: // Need to migrate to V1. default: + // if IAM format return err } } else { @@ -207,6 +205,7 @@ func (iamOS *IAMObjectStore) migrateBackendFormat(ctx context.Context) error { } func (iamOS *IAMObjectStore) saveIAMConfig(ctx context.Context, item interface{}, objPath string, opts ...options) error { + var json = jsoniter.ConfigCompatibleWithStandardLibrary data, err := json.Marshal(item) if err != nil { return err @@ -227,22 +226,12 @@ func (iamOS *IAMObjectStore) loadIAMConfig(ctx context.Context, item interface{} if err != nil { return err } - if !utf8.Valid(data) { - if GlobalKMS != nil { - data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ - minioMetaBucket: path.Join(minioMetaBucket, objPath), - }) - if err != nil { - data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) - if err != nil { - return err - } - } - } else { - data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data)) - if err != nil { - return err - } + if !utf8.Valid(data) && GlobalKMS != nil { + data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{ + minioMetaBucket: path.Join(minioMetaBucket, objPath), + }) + if err != nil { + return err } } var json = jsoniter.ConfigCompatibleWithStandardLibrary diff --git a/cmd/iam.go b/cmd/iam.go index cdd5ad8e4..6b451489e 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -1135,6 +1135,13 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro if err != nil { return auth.Credentials{}, err } + for _, group := range groups { + gpolicies, err := sys.policyDBGet(group, true) + if err != nil && err != errNoSuchGroup { + return auth.Credentials{}, err + } + policies = append(policies, gpolicies...) + } if len(policies) == 0 { return auth.Credentials{}, errNoSuchUser } @@ -1896,6 +1903,9 @@ func (sys *IAMSys) policyDBGet(name string, isGroup bool) (policies []string, er var parentName string u, ok := sys.iamUsersMap[name] if ok { + if !u.IsValid() { + return nil, nil + } parentName = u.ParentUser } diff --git a/cmd/server-main.go b/cmd/server-main.go index 20b966dbf..eaeefd41c 100644 --- a/cmd/server-main.go +++ b/cmd/server-main.go @@ -545,6 +545,8 @@ func serverMain(ctx *cli.Context) { if errors.Is(err, context.Canceled) { logger.FatalIf(err, "Server startup canceled upon user request") } + + logger.LogIf(GlobalContext, err) } if globalIsErasure { // to be done after config init diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md index b45c880fe..cf9a75f80 100644 --- a/docs/sts/ldap.md +++ b/docs/sts/ldap.md @@ -236,7 +236,7 @@ $ export MINIO_ROOT_PASSWORD=minio123 $ export MINIO_IDENTITY_LDAP_SERVER_ADDR='my.ldap-active-dir-server.com:636' $ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=%s,ou=Users,ou=BUS1,ou=LOB,dc=somedomain,dc=com;cn=%s,ou=Users,ou=BUS2,ou=LOB,dc=somedomain,dc=com' $ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local;dc=somedomain,dc=com' -$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=%s))' +$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=groupOfNames)(member=%d))' $ minio server ~/test ``` You can make sure it works appropriately using our [example program](https://raw.githubusercontent.com/minio/minio/master/docs/sts/ldap.go):