Allow LDAP DNs with slashes to be loaded from object store (#20541)

2025-11-07 12:52:58 -05:00 · 2024-10-10 19:40:37 -04:00
parent e0aceca1b7
commit d4157b819c
3 changed files with 159 additions and 5 deletions
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -740,6 +740,7 @@ func TestIAMWithLDAPServerSuite(t *testing.T) {
 				suite.TestLDAPSTSServiceAccountsWithGroups(c)
 				suite.TestLDAPAttributesLookup(c)
 				suite.TestLDAPCyrillicUser(c)
+				suite.TestLDAPSlashDN(c)
 				suite.TearDownSuite(c)
 			},
 		)
@@ -770,6 +771,7 @@ func TestIAMWithLDAPNonNormalizedBaseDNConfigServerSuite(t *testing.T) {
 				suite.TestLDAPSTSServiceAccounts(c)
 				suite.TestLDAPSTSServiceAccountsWithUsername(c)
 				suite.TestLDAPSTSServiceAccountsWithGroups(c)
+				suite.TestLDAPSlashDN(c)
 				suite.TearDownSuite(c)
 			},
 		)
@@ -2008,6 +2010,93 @@ func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) {
 	}
 }

+func (s *TestSuiteIAM) TestLDAPSlashDN(c *check) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	policyReq := madmin.PolicyAssociationReq{
+		Policies: []string{"readwrite"},
+	}
+
+	cases := []struct {
+		username string
+		dn       string
+		group    string
+	}{
+		{
+			username: "slashuser",
+			dn:       "uid=slash/user,ou=people,ou=swengg,dc=min,dc=io",
+		},
+		{
+			username: "dillon",
+			dn:       "uid=dillon,ou=people,ou=swengg,dc=min,dc=io",
+			group:    "cn=project/d,ou=groups,ou=swengg,dc=min,dc=io",
+		},
+	}
+
+	conn, err := globalIAMSys.LDAPConfig.LDAP.Connect()
+	if err != nil {
+		c.Fatalf("LDAP connect failed: %v", err)
+	}
+	defer conn.Close()
+
+	for i, testCase := range cases {
+		if testCase.group != "" {
+			policyReq.Group = testCase.group
+			policyReq.User = ""
+		} else {
+			policyReq.User = testCase.dn
+			policyReq.Group = ""
+		}
+
+		if _, err := s.adm.AttachPolicyLDAP(ctx, policyReq); err != nil {
+			c.Fatalf("Unable to attach  policy: %v", err)
+		}
+
+		ldapID := cr.LDAPIdentity{
+			Client:       s.TestSuiteCommon.client,
+			STSEndpoint:  s.endPoint,
+			LDAPUsername: testCase.username,
+			LDAPPassword: testCase.username,
+		}
+
+		value, err := ldapID.Retrieve()
+		if err != nil {
+			c.Fatalf("Expected to generate STS creds, got err: %#v", err)
+		}
+
+		// Retrieve the STS account's credential object.
+		u, ok := globalIAMSys.GetUser(ctx, value.AccessKeyID)
+		if !ok {
+			c.Fatalf("Expected to find user %s", value.AccessKeyID)
+		}
+
+		if u.Credentials.AccessKey != value.AccessKeyID {
+			c.Fatalf("Expected access key %s, got %s", value.AccessKeyID, u.Credentials.AccessKey)
+		}
+
+		// Retrieve the credential's claims.
+		secret, err := getTokenSigningKey()
+		if err != nil {
+			c.Fatalf("Error getting token signing key: %v", err)
+		}
+		claims, err := getClaimsFromTokenWithSecret(value.SessionToken, secret)
+		if err != nil {
+			c.Fatalf("Error getting claims from token: %v", err)
+		}
+
+		// Validate claims.
+		dnClaim := claims.MapClaims[ldapActualUser].(string)
+		if dnClaim != testCase.dn {
+			c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim)
+		}
+
+		if _, err = s.adm.DetachPolicyLDAP(ctx, policyReq); err != nil {
+			c.Fatalf("Unable to detach user policy: %v", err)
+		}
+	}
+}
+
 func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()