minio/internal/config/identity/ldap/config.go

// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package ldap

import (
	"crypto/x509"
	"time"

	"github.com/minio/minio/internal/config"
	"github.com/minio/pkg/ldap"
)

const (
	defaultLDAPExpiry = time.Hour * 1

	minLDAPExpiry time.Duration = 15 * time.Minute
	maxLDAPExpiry time.Duration = 365 * 24 * time.Hour
)

// Config contains AD/LDAP server connectivity information.
type Config struct {
	LDAP ldap.Config

	stsExpiryDuration time.Duration // contains converted value
}

// Enabled returns if LDAP is enabled.
func (l *Config) Enabled() bool {
	return l.LDAP.Enabled
}

// Clone returns a cloned copy of LDAP config.
func (l *Config) Clone() Config {
	if l == nil {
		return Config{}
	}
	cfg := Config{
		LDAP:              l.LDAP.Clone(),
		stsExpiryDuration: l.stsExpiryDuration,
	}
	return cfg
}

// LDAP keys and envs.
const (
	ServerAddr         = "server_addr"
	LookupBindDN       = "lookup_bind_dn"
	LookupBindPassword = "lookup_bind_password"
	UserDNSearchBaseDN = "user_dn_search_base_dn"
	UserDNSearchFilter = "user_dn_search_filter"
	GroupSearchFilter  = "group_search_filter"
	GroupSearchBaseDN  = "group_search_base_dn"
	TLSSkipVerify      = "tls_skip_verify"
	ServerInsecure     = "server_insecure"
	ServerStartTLS     = "server_starttls"

	EnvServerAddr         = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
	EnvTLSSkipVerify      = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
	EnvServerInsecure     = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
	EnvServerStartTLS     = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
	EnvUsernameFormat     = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
	EnvUserDNSearchBaseDN = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN"
	EnvUserDNSearchFilter = "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"
	EnvGroupSearchFilter  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER"
	EnvGroupSearchBaseDN  = "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN"
	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
)

var removedKeys = []string{
	"sts_expiry",
	"username_format",
	"username_search_filter",
	"username_search_base_dn",
	"group_name_attribute",
}

// DefaultKVS - default config for LDAP config
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   ServerAddr,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchBaseDN,
			Value: "",
		},
		config.KV{
			Key:   UserDNSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchFilter,
			Value: "",
		},
		config.KV{
			Key:   GroupSearchBaseDN,
			Value: "",
		},
		config.KV{
			Key:   TLSSkipVerify,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   ServerInsecure,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   ServerStartTLS,
			Value: config.EnableOff,
		},
		config.KV{
			Key:   LookupBindDN,
			Value: "",
		},
		config.KV{
			Key:   LookupBindPassword,
			Value: "",
		},
	}
)

// Enabled returns if LDAP config is enabled.
func Enabled(kvs config.KVS) bool {
	return kvs.Get(ServerAddr) != ""
}

// Lookup - initializes LDAP config, overrides config, if any ENV values are set.
func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
	l = Config{}

	// Purge all removed keys first
	kvs := s[config.IdentityLDAPSubSys][config.Default]
	if len(kvs) > 0 {
		for _, k := range removedKeys {
			kvs.Delete(k)
		}
		s[config.IdentityLDAPSubSys][config.Default] = kvs
	}

	if err := s.CheckValidKeys(config.IdentityLDAPSubSys, removedKeys); err != nil {
		return l, err
	}

	getCfgVal := func(cfgParam string) string {
		// As parameters are already validated, we skip checking
		// if the config param was found.
		val, _ := s.ResolveConfigParam(config.IdentityLDAPSubSys, config.Default, cfgParam)
		return val
	}

	ldapServer := getCfgVal(ServerAddr)
	if ldapServer == "" {
		return l, nil
	}
	l.LDAP = ldap.Config{
		Enabled:    true,
		RootCAs:    rootCAs,
		ServerAddr: ldapServer,
	}
	l.stsExpiryDuration = defaultLDAPExpiry

	// LDAP connection configuration
	if v := getCfgVal(ServerInsecure); v != "" {
		l.LDAP.ServerInsecure, err = config.ParseBool(v)
		if err != nil {
			return l, err
		}
	}
	if v := getCfgVal(ServerStartTLS); v != "" {
		l.LDAP.ServerStartTLS, err = config.ParseBool(v)
		if err != nil {
			return l, err
		}
	}
	if v := getCfgVal(TLSSkipVerify); v != "" {
		l.LDAP.TLSSkipVerify, err = config.ParseBool(v)
		if err != nil {
			return l, err
		}
	}

	// Lookup bind user configuration
	l.LDAP.LookupBindDN = getCfgVal(LookupBindDN)
	l.LDAP.LookupBindPassword = getCfgVal(LookupBindPassword)

	// User DN search configuration
	l.LDAP.UserDNSearchFilter = getCfgVal(UserDNSearchFilter)
	l.LDAP.UserDNSearchBaseDistName = getCfgVal(UserDNSearchBaseDN)

	// Group search params configuration
	l.LDAP.GroupSearchFilter = getCfgVal(GroupSearchFilter)
	l.LDAP.GroupSearchBaseDistName = getCfgVal(GroupSearchBaseDN)

	// Validate and test configuration.
	valResult := l.LDAP.Validate()
	if !valResult.IsOk() {
		return l, valResult
	}

	return l, nil
}