mirror of https://github.com/minio/minio.git synced 2025-01-19 02:33:16 -05:00
Aditya Manthramurthy 5f78691fcf
ldap: Add user DN attributes list config param ()
This change uses the updated ldap library in minio/pkg (bumped
up to v3). A new config parameter is added for LDAP configuration to
specify extra user attributes to load from the LDAP server and to store
them as additional claims for the user.

A test is added in sts_handlers.go that shows how to access the LDAP
attributes as a claim.

This is in preparation for adding SSH pubkey authentication to MinIO's SFTP
integration.
2024-05-24 16:05:23 -07:00


// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package config
import (
"bufio"
"fmt"
"io"
"regexp"
"sort"
"strings"
"sync"
"github.com/minio/madmin-go/v3"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/internal/auth"
"github.com/minio/pkg/v3/env"
)
// ErrorConfig is the type-set constraint naming the concrete config error
// types that Error is able to construct.
type ErrorConfig interface {
	ErrConfigGeneric | ErrConfigNotFound
}

// ErrConfigGeneric is the general-purpose config error. It carries nothing
// but a formatted message.
type ErrConfigGeneric struct {
	msg string
}

// setMsg stores the message. It has a pointer receiver so that Error can fill
// in a value it has just allocated.
func (e *ErrConfigGeneric) setMsg(text string) {
	e.msg = text
}

// Error implements the error interface by returning the stored message.
func (e ErrConfigGeneric) Error() string {
	return e.msg
}

// ErrConfigNotFound reports that a config parameter (or sub-system target)
// does not exist. It embeds ErrConfigGeneric and so shares its message
// handling.
type ErrConfigNotFound struct {
	ErrConfigGeneric
}

// Error formats a message and returns it as the error type chosen through the
// type parameter T. PT only exists so that the pointer-receiver method setMsg
// can be called on a *T; callers normally leave it to be inferred.
func Error[T ErrorConfig, PT interface {
	*T
	setMsg(string)
}](format string, vals ...any) T {
	var out T
	PT(&out).setMsg(fmt.Sprintf(format, vals...))
	return out
}

// Errorf formats a message and returns it as an ErrConfigGeneric.
func Errorf(format string, vals ...any) ErrConfigGeneric {
	return Error[ErrConfigGeneric](format, vals...)
}
// Default keys and well-known parameter names shared by the config
// sub-systems. Names assigned from madmin are aliases of the constants
// defined in the madmin-go package.
const (
	// Default is the name of the default target of a sub-system; it is also
	// used as the word delimiter when environment variable names are built
	// (see getEnvVarName).
	Default = madmin.Default
	Enable = madmin.EnableKey
	Comment = madmin.CommentKey
	EnvSeparator = "="
	// Enable values
	EnableOn = madmin.EnableOn
	EnableOff = madmin.EnableOff
	RegionKey = "region"
	NameKey = "name"
	// RegionName is the key of the legacy region sub-system. It holds the
	// same string as NameKey.
	RegionName = "name"
	// AccessKey and SecretKey are the keys used by DefaultCredentialKVS.
	AccessKey = "access_key"
	SecretKey = "secret_key"
	License = "license" // Deprecated Dec 2021
	APIKey = "api_key"
	Proxy = "proxy"
)
// Top level config constants. Each one aliases the sub-system name defined in
// madmin-go.
const (
	PolicyOPASubSys = madmin.PolicyOPASubSys
	PolicyPluginSubSys = madmin.PolicyPluginSubSys
	IdentityOpenIDSubSys = madmin.IdentityOpenIDSubSys
	IdentityLDAPSubSys = madmin.IdentityLDAPSubSys
	IdentityTLSSubSys = madmin.IdentityTLSSubSys
	IdentityPluginSubSys = madmin.IdentityPluginSubSys
	CacheSubSys = madmin.CacheSubSys
	SiteSubSys = madmin.SiteSubSys
	RegionSubSys = madmin.RegionSubSys
	EtcdSubSys = madmin.EtcdSubSys
	StorageClassSubSys = madmin.StorageClassSubSys
	APISubSys = madmin.APISubSys
	CompressionSubSys = madmin.CompressionSubSys
	LoggerWebhookSubSys = madmin.LoggerWebhookSubSys
	AuditWebhookSubSys = madmin.AuditWebhookSubSys
	AuditKafkaSubSys = madmin.AuditKafkaSubSys
	HealSubSys = madmin.HealSubSys
	ScannerSubSys = madmin.ScannerSubSys
	// CrawlerSubSys is the previous name of ScannerSubSys (see renamedSubsys).
	CrawlerSubSys = madmin.CrawlerSubSys
	SubnetSubSys = madmin.SubnetSubSys
	CallhomeSubSys = madmin.CallhomeSubSys
	DriveSubSys = madmin.DriveSubSys
	BatchSubSys = madmin.BatchSubSys
	BrowserSubSys = madmin.BrowserSubSys
	ILMSubSys = madmin.ILMSubsys
	// Add new constants here (similar to above) if you add new fields to config.
)
// Notification config constants. The same names are collected in
// NotifySubSystems.
const (
	NotifyKafkaSubSys = madmin.NotifyKafkaSubSys
	NotifyMQTTSubSys = madmin.NotifyMQTTSubSys
	NotifyMySQLSubSys = madmin.NotifyMySQLSubSys
	NotifyNATSSubSys = madmin.NotifyNATSSubSys
	NotifyNSQSubSys = madmin.NotifyNSQSubSys
	NotifyESSubSys = madmin.NotifyESSubSys
	NotifyAMQPSubSys = madmin.NotifyAMQPSubSys
	NotifyPostgresSubSys = madmin.NotifyPostgresSubSys
	NotifyRedisSubSys = madmin.NotifyRedisSubSys
	NotifyWebhookSubSys = madmin.NotifyWebhookSubSys
	// Add new constants here (similar to above) if you add new fields to config.
)
// Lambda config constants. The same names are collected in LambdaSubSystems.
const (
	LambdaWebhookSubSys = madmin.LambdaWebhookSubSys
)
// NotifySubSystems - all notification sub-systems
var NotifySubSystems = set.CreateStringSet(
	NotifyKafkaSubSys,
	NotifyMQTTSubSys,
	NotifyMySQLSubSys,
	NotifyNATSSubSys,
	NotifyNSQSubSys,
	NotifyESSubSys,
	NotifyAMQPSubSys,
	NotifyPostgresSubSys,
	NotifyRedisSubSys,
	NotifyWebhookSubSys,
)
// LambdaSubSystems - all lambda sub-systems
var LambdaSubSystems = set.CreateStringSet(
	LambdaWebhookSubSys,
)
// LoggerSubSystems - all sub-systems related to logger
var LoggerSubSystems = set.CreateStringSet(
	LoggerWebhookSubSys,
	AuditWebhookSubSys,
	AuditKafkaSubSys,
)
// SubSystems - all supported sub-systems. This is the set defined by
// madmin-go; GetSubSys rejects any sub-system name that is not a member, and
// New creates one entry per member.
var SubSystems = madmin.SubSystems
// SubSystemsDynamic - all sub-systems that have dynamic config. SetKVS
// reports membership in this set through its `dynamic` result.
// NOTE(review): presumably "dynamic" means the change applies without a
// server restart - confirm against the callers of SetKVS/ReadConfig.
var SubSystemsDynamic = set.CreateStringSet(
	APISubSys,
	CompressionSubSys,
	ScannerSubSys,
	HealSubSys,
	SubnetSubSys,
	CallhomeSubSys,
	DriveSubSys,
	LoggerWebhookSubSys,
	AuditWebhookSubSys,
	AuditKafkaSubSys,
	StorageClassSubSys,
	CacheSubSys,
	ILMSubSys,
	BatchSubSys,
	BrowserSubSys,
)
// SubSystemsSingleTargets - subsystems which only support single target.
// GetSubSys rejects a "subsys:target" input for these, and
// GetAvailableTargets returns only the default target for them.
var SubSystemsSingleTargets = set.CreateStringSet(
	SiteSubSys,
	RegionSubSys,
	EtcdSubSys,
	CacheSubSys,
	APISubSys,
	StorageClassSubSys,
	CompressionSubSys,
	PolicyOPASubSys,
	PolicyPluginSubSys,
	IdentityLDAPSubSys,
	IdentityTLSSubSys,
	IdentityPluginSubSys,
	HealSubSys,
	ScannerSubSys,
	SubnetSubSys,
	CallhomeSubSys,
	DriveSubSys,
	ILMSubSys,
	BatchSubSys,
	BrowserSubSys,
)
// Constant separators. All of them alias the values defined in madmin-go.
const (
	// SubSystemSeparator splits "subsys" from "target" (see GetSubSys).
	SubSystemSeparator = madmin.SubSystemSeparator
	// KvSeparator joins a key and its value (see KV.String and kvFields).
	KvSeparator = madmin.KvSeparator
	// KvSpaceSeparator splits the sub-system token from the key/value list.
	KvSpaceSeparator = madmin.KvSpaceSeparator
	// KvComment marks lines that DelFrom, ParseConfigTargetID and ReadConfig
	// skip.
	KvComment = madmin.KvComment
	KvNewline = madmin.KvNewline
	KvDoubleQuote = madmin.KvDoubleQuote
	KvSingleQuote = madmin.KvSingleQuote
	// Env prefix used for all envs in MinIO
	EnvPrefix = madmin.EnvPrefix
	EnvWordDelimiter = madmin.EnvWordDelimiter
)
// DefaultKVS holds the default key/values of every sub-system, keyed by
// sub-system name. It is a plain package-level map with no locking.
var DefaultKVS = map[string]KVS{}

// RegisterDefaultKVS copies every entry of kvsMap into DefaultKVS, replacing
// entries that already exist under the same sub-system name. Because
// DefaultKVS is not synchronised, call this during `init()` (preferably
// once), before anything reads the map concurrently.
func RegisterDefaultKVS(kvsMap map[string]KVS) {
	for name := range kvsMap {
		DefaultKVS[name] = kvsMap[name]
	}
}
// HelpSubSysMap holds the help entries of every sub-system, keyed by
// sub-system name. The special empty key ("") carries one help entry per
// sub-system. Redaction code in this file consults these entries to decide
// which keys are sensitive or secret, so a key without a help entry is never
// redacted. The map is not synchronised.
var HelpSubSysMap = map[string]HelpKVS{}

// RegisterHelpSubSys copies every entry of helpKVSMap into HelpSubSysMap,
// replacing entries that already exist under the same name. Call it during
// `init()` (preferably once), since the map has no locking.
func RegisterHelpSubSys(helpKVSMap map[string]HelpKVS) {
	for name := range helpKVSMap {
		HelpSubSysMap[name] = helpKVSMap[name]
	}
}
// HelpDeprecatedSubSysMap holds the help entry of each deprecated sub-system
// that may be removed in the future. The map is not synchronised.
var HelpDeprecatedSubSysMap = map[string]HelpKV{}

// RegisterHelpDeprecatedSubSys copies every entry of helpDeprecatedKVMap into
// HelpDeprecatedSubSysMap, replacing existing entries with the same key. It
// should be called only once, at init.
func RegisterHelpDeprecatedSubSys(helpDeprecatedKVMap map[string]HelpKV) {
	for name := range helpDeprecatedKVMap {
		HelpDeprecatedSubSysMap[name] = helpDeprecatedKVMap[name]
	}
}
// KV is a single configuration key with its value.
type KV struct {
	Key   string `json:"key"`
	Value string `json:"value"`
	// HiddenIfEmpty is excluded from the JSON encoding.
	HiddenIfEmpty bool `json:"-"`
}

// String renders the pair as key, KvSeparator, value. The value is wrapped in
// KvDoubleQuote when madmin.HasSpace reports that it contains a space.
//
// The value is written verbatim: quote characters inside it are not escaped,
// and secrets are not masked. Do not log or return the result for keys that
// may hold credentials.
func (kv KV) String() string {
	quote := ""
	if madmin.HasSpace(kv.Value) {
		quote = KvDoubleQuote
	}
	return kv.Key + KvSeparator + quote + kv.Value + quote
}
// KVS is an ordered list of key/value pairs together with the helper methods
// that operate on it. Keys are looked up by linear search; the first match
// wins.
type KVS []KV

// Empty reports whether the list holds no entries (a nil KVS is empty).
func (kvs KVS) Empty() bool {
	return len(kvs) == 0
}
// Clone returns a copy of the list backed by its own array, so that Set and
// Delete on the copy cannot alter the original. The result is never nil.
func (kvs KVS) Clone() KVS {
	dup := make(KVS, len(kvs))
	copy(dup, kvs)
	return dup
}
// GetWithDefault returns the value stored for key. When the key is missing or
// its value is empty, the value from defaultKVS is returned instead.
func (kvs KVS) GetWithDefault(key string, defaultKVS KVS) string {
	if own := kvs.Get(key); own != "" {
		return own
	}
	return defaultKVS.Get(key)
}
// Keys returns the keys of the list in order. The comment key
// (madmin.CommentKey) is appended at the end when the list does not already
// contain it, so the result always includes it.
func (kvs KVS) Keys() []string {
	names := make([]string, 0, len(kvs)+1)
	hasComment := false
	for _, kv := range kvs {
		names = append(names, kv.Key)
		hasComment = hasComment || kv.Key == madmin.CommentKey
	}
	if !hasComment {
		names = append(names, madmin.CommentKey)
	}
	return names
}
// String renders every pair with KV.String, each one followed by
// KvSpaceSeparator (so a non-empty result ends with the separator).
//
// Values are included unmasked. Error messages in this file embed the result
// (see CheckValidKeys), so a secret entered under a misspelled key will show
// up in that message.
func (kvs KVS) String() string {
	var out strings.Builder
	for idx := range kvs {
		out.WriteString(kvs[idx].String())
		out.WriteString(KvSpaceSeparator)
	}
	return out.String()
}
// Merge builds the per-target KVS map for a sub-system from the on-disk
// configuration and the environment.
//
// Every environment variable returned by env.List(envname) contributes a
// target name (the variable name with the "envname + Default" prefix removed;
// the bare envname maps to the Default target), and that target is seeded
// with defaultKVS. Entries from cfgKVS are then copied over, replacing a
// seeded entry of the same target. The function therefore only makes sure
// that targets known solely through the environment are present; resolving
// the actual environment values is left to the caller.
func Merge(cfgKVS map[string]KVS, envname string, defaultKVS KVS) map[string]KVS {
	merged := make(map[string]KVS)
	prefix := envname + Default
	for _, name := range env.List(envname) {
		target := strings.TrimPrefix(name, prefix)
		if target == envname {
			target = Default
		}
		merged[target] = defaultKVS
	}
	for target, kvs := range cfgKVS {
		merged[target] = kvs
	}
	return merged
}
// Set stores value under key. If the key already exists, its first
// occurrence is replaced in place; otherwise a new pair is appended.
//
// The stored pair is a fresh KV holding only Key and Value, so a previously
// set HiddenIfEmpty flag is cleared on replacement.
func (kvs *KVS) Set(key, value string) {
	entry := KV{
		Key:   key,
		Value: value,
	}
	list := *kvs
	for idx := range list {
		if list[idx].Key == key {
			list[idx] = entry
			return
		}
	}
	*kvs = append(list, entry)
}
// Get returns the value stored for key, or the empty string when the key is
// absent. Use Lookup to tell an absent key from an empty value.
func (kvs KVS) Get(key string) string {
	// Lookup already yields "" for a missing key.
	val, _ := kvs.Lookup(key)
	return val
}
// Delete removes the first pair whose key matches; it does nothing when the
// key is absent.
//
// The remaining elements are shifted inside the existing backing array, so
// any other slice sharing that array sees the shift too. Clone first when the
// list is shared.
func (kvs *KVS) Delete(key string) {
	list := *kvs
	for idx := range list {
		if list[idx].Key != key {
			continue
		}
		*kvs = append(list[:idx], list[idx+1:]...)
		return
	}
}
// LookupKV returns the first pair stored under key and true, or a zero KV and
// false when the key is absent.
func (kvs KVS) LookupKV(key string) (KV, bool) {
	for idx := range kvs {
		if kvs[idx].Key == key {
			return kvs[idx], true
		}
	}
	return KV{}, false
}
// Lookup returns the value of the first pair stored under key and true, or
// "" and false when the key is absent.
func (kvs KVS) Lookup(key string) (string, bool) {
	// A miss yields the zero KV, whose Value is already "".
	entry, found := kvs.LookupKV(key)
	return entry.Value, found
}
// Config is the MinIO server configuration: sub-system name -> target name ->
// key/values.
type Config map[string]map[string]KVS

// DelFrom reads r line by line and passes every line to DelKVS. Empty lines
// and lines starting with KvComment are skipped.
//
// Processing stops at the first failing line; deletions made by earlier lines
// stay applied. Lines are read with a default bufio.Scanner, so a line longer
// than the scanner's token limit ends the read with the scanner's error.
func (c Config) DelFrom(r io.Reader) error {
	lines := bufio.NewScanner(r)
	for lines.Scan() {
		line := lines.Text()
		skip := line == "" || strings.HasPrefix(line, KvComment)
		if skip {
			continue
		}
		err := c.DelKVS(line)
		if err != nil {
			return err
		}
	}
	return lines.Err()
}
// ContextKeyString is a string type for context keys. Using a dedicated type
// keeps these keys distinct from plain string keys set by other packages.
type ContextKeyString string
// ContextKeyForTargetFromConfig - key for context for target from config
const ContextKeyForTargetFromConfig = ContextKeyString("ContextKeyForTargetFromConfig")
// ParseConfigTargetID reads config lines from r and returns the set of target
// names they refer to, as reported by GetSubSys (a line without an explicit
// target yields the Default target). Empty lines and lines starting with
// KvComment are skipped.
//
// The first line GetSubSys rejects aborts the parse: the result is then nil
// together with that error. A scanner error is returned the same way.
func ParseConfigTargetID(r io.Reader) (ids map[string]bool, err error) {
	found := make(map[string]bool)
	lines := bufio.NewScanner(r)
	for lines.Scan() {
		line := lines.Text()
		if line == "" || strings.HasPrefix(line, KvComment) {
			continue
		}
		_, _, target, parseErr := GetSubSys(line)
		if parseErr != nil {
			return nil, parseErr
		}
		found[target] = true
	}
	if scanErr := lines.Err(); scanErr != nil {
		return nil, scanErr
	}
	return found, nil
}
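// ReadConfig reads config lines from r and applies each one to c through
// SetKVS, using DefaultKVS for defaults. Empty lines and lines starting with
// KvComment are skipped.
//
// dynOnly is true only if every applied line belonged to a sub-system that
// SetKVS reported as dynamic; it is false whenever an error is returned.
//
// Lines are applied one at a time. If a later line fails, the changes made by
// earlier lines remain in c, so callers that need all-or-nothing behaviour
// should run ReadConfig on a Clone and swap it in on success. Input is read
// with a default bufio.Scanner, so an over-long line ends the read with the
// scanner's error.
func (c Config) ReadConfig(r io.Reader) (dynOnly bool, err error) {
	dynOnly = true
	scanner := bufio.NewScanner(r)
	for scanner.Scan() {
		// Skip any empty lines, or comment like characters
		text := scanner.Text()
		if text == "" || strings.HasPrefix(text, KvComment) {
			continue
		}
		dynamic, err := c.SetKVS(text, DefaultKVS)
		if err != nil {
			return false, err
		}
		dynOnly = dynOnly && dynamic
	}
	if err := scanner.Err(); err != nil {
		return false, err
	}
	return dynOnly, nil
}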
// RedactSensitiveInfo returns a clone of the configuration in which every
// non-empty value of a sensitive key is replaced by "*redacted*". The
// receiver itself is left untouched.
//
// A key counts as sensitive only when the help entry registered for its
// sub-system in HelpSubSysMap has Sensitive set. Keys with no help entry, and
// sub-systems absent from HelpSubSysMap, are copied through unchanged. The
// Secret flag used by ResolveConfigParam and getTargetKVS is not consulted
// here, so make sure secret keys are also marked Sensitive if this output is
// exposed.
func (c Config) RedactSensitiveInfo() Config {
	redacted := c.Clone()
	for subSys, targets := range redacted {
		for _, hkv := range HelpSubSysMap[subSys] {
			if !hkv.Sensitive {
				continue
			}
			for tgt, kvs := range targets {
				for idx := range kvs {
					if kvs[idx].Key != hkv.Key || len(kvs[idx].Value) == 0 {
						continue
					}
					kvs[idx].Value = "*redacted*"
				}
				targets[tgt] = kvs
			}
		}
	}
	return redacted
}
// Default KV configs for credentials, site and the legacy region sub-system.
var (
	// DefaultCredentialKVS seeds the access and secret key from the defaults
	// exported by internal/auth.
	// NOTE(review): presumably those are fixed, publicly known values - a
	// deployment that still resolves to them runs with known credentials, so
	// confirm that callers require an override before serving traffic.
	DefaultCredentialKVS = KVS{
		KV{
			Key: AccessKey,
			Value: auth.DefaultAccessKey,
		},
		KV{
			Key: SecretKey,
			Value: auth.DefaultSecretKey,
		},
	}
	// DefaultSiteKVS - site name and region both default to empty.
	DefaultSiteKVS = KVS{
		KV{
			Key: NameKey,
			Value: "",
		},
		KV{
			Key: RegionKey,
			Value: "",
		},
	}
	// DefaultRegionKVS - defaults of the legacy region sub-system, which
	// LookupSite falls back to when no region is set elsewhere.
	DefaultRegionKVS = KVS{
		KV{
			Key: RegionName,
			Value: "",
		},
	}
)
// siteLK guards the fields of Site. It is one package-level lock shared by
// every Site value.
var siteLK sync.RWMutex

// Site holds the site name and region.
type Site struct {
	name   string
	region string
}

// Update replaces the name and region of s with those of n while holding the
// write lock.
func (s *Site) Update(n Site) {
	siteLK.Lock()
	defer siteLK.Unlock()
	s.name, s.region = n.name, n.region
}

// Name returns the currently configured site name.
func (s *Site) Name() string {
	siteLK.RLock()
	current := s.name
	siteLK.RUnlock()
	return current
}

// Region returns the currently configured site region.
func (s *Site) Region() string {
	siteLK.RLock()
	current := s.region
	siteLK.RUnlock()
	return current
}
// validRegionRegex - allows ASCII letters, digits, '-' and '_', starts with a
// letter. At least 2 characters long. The pattern is anchored at both ends,
// so the whole value must match. NOTE(review): '-' is listed twice in the
// character class; the second occurrence is redundant.
var validRegionRegex = regexp.MustCompile("^[a-zA-Z][a-zA-Z0-9-_-]+$")
// validSiteNameRegex - allows lowercase letters, digits and '-', starts with
// letter. At least 2 characters long. Anchored at both ends.
var validSiteNameRegex = regexp.MustCompile("^[a-z][a-z0-9-]+$")
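// LookupSite resolves the site name and region. siteKV is the stored
// configuration of the site sub-system and regionKV that of the legacy region
// sub-system.
//
// The region is taken from the first non-empty source, in this order:
//
//  1. the EnvRegion environment variable,
//  2. the EnvRegionName environment variable,
//  3. the EnvSiteRegion environment variable, falling back to the region key
//     of siteKV,
//  4. the legacy region sub-system (regionKV).
//
// The name is taken from EnvSiteName, falling back to the name key of siteKV.
// Non-empty values must match validRegionRegex / validSiteNameRegex; both may
// also be left empty.
//
// An error is returned when siteKV holds unknown keys, when the legacy region
// configuration is consulted and holds unknown keys, or when the region or
// name fails validation. On a name validation error the returned Site may
// already carry the region.
func LookupSite(siteKV KVS, regionKV KVS) (s Site, err error) {
	if err = CheckValidKeys(SiteSubSys, siteKV, DefaultSiteKVS); err != nil {
		return s, err
	}
	region := env.Get(EnvRegion, "")
	if region == "" {
		// The result of this lookup used to be discarded, which made the
		// EnvRegionName variable a no-op.
		region = env.Get(EnvRegionName, "")
	}
	if region == "" {
		region = env.Get(EnvSiteRegion, siteKV.Get(RegionKey))
	}
	if region == "" {
		// No region config found in the site-subsystem. So lookup the legacy
		// region sub-system.
		if err = CheckValidKeys(RegionSubSys, regionKV, DefaultRegionKVS); err != nil {
			// An invalid key was found in the region sub-system.
			// Since the region sub-system cannot be (re)set as it
			// is legacy, we return an error to tell the user to
			// reset the region via the new command.
			err = Errorf("could not load region from legacy configuration as it was invalid - use 'mc admin config set myminio site region=myregion name=myname' to set a region and name (%v)", err)
			return s, err
		}
		region = regionKV.Get(RegionName)
	}
	if region != "" {
		if !validRegionRegex.MatchString(region) {
			err = Errorf(
				"region '%s' is invalid, expected simple characters such as [us-east-1, myregion...]",
				region)
			return s, err
		}
		s.region = region
	}
	name := env.Get(EnvSiteName, siteKV.Get(NameKey))
	if name != "" {
		if !validSiteNameRegex.MatchString(name) {
			err = Errorf(
				"site name '%s' is invalid, expected simple characters such as [cal-rack0, myname...]",
				name)
			return s, err
		}
		s.name = name
	}
	return s, err
}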
// CheckValidKeys verifies that kv holds only keys known to the sub-system. A
// key is accepted when it is the comment key, when it is listed in
// deprecatedKeys, or when it is present in validKVS. Any other key makes the
// call fail with an error naming all offending pairs.
//
// NOTE(review): the error text is built with KVS.String and so contains the
// values of the rejected pairs as well as their keys. A secret supplied under
// a misspelled key therefore ends up in the message - consider where this
// error is logged or returned.
func CheckValidKeys(subSys string, kv KVS, validKVS KVS, deprecatedKeys ...string) error {
	isDeprecated := func(key string) bool {
		for _, old := range deprecatedKeys {
			if old == key {
				return true
			}
		}
		return false
	}

	var unknown KVS
	for _, entry := range kv {
		// The comment key is optional and valid for every sub-system.
		if entry.Key == Comment || isDeprecated(entry.Key) {
			continue
		}
		if _, known := validKVS.Lookup(entry.Key); !known {
			unknown = append(unknown, entry)
		}
	}
	if len(unknown) == 0 {
		return nil
	}
	return Errorf(
		"found invalid keys (%s) for '%s' sub-system, use 'mc admin config reset myminio %s' to fix invalid keys", unknown.String(), subSys, subSys)
}
// LookupWorm reports whether WORM is enabled. The setting is read from the
// EnvWorm environment variable only, defaults to EnableOff, and is parsed
// with ParseBool (whose error is returned as is).
func LookupWorm() (bool, error) {
	setting := env.Get(EnvWorm, EnableOff)
	return ParseBool(setting)
}
// Carries all the renamed sub-systems from their
// previously known names. Config.Merge uses it to move settings stored under
// an old name to the new one.
var renamedSubsys = map[string]string{
	CrawlerSubSys: ScannerSubSys,
	// Add future sub-system renames
}
const ( // deprecated keys
	apiReplicationWorkers = "replication_workers"
	apiReplicationFailedWorkers = "replication_failed_workers"
)
// map of subsystem to deleted keys. Config.Merge drops these keys from the
// stored configuration of the sub-system.
var deletedSubSysKeys = map[string][]string{
	APISubSys: {apiReplicationWorkers, apiReplicationFailedWorkers},
	// Add future sub-system deleted keys
}
// Merge - merges a new config with all the
// missing values for default configs,
// returns a config.
//
// The result starts as New() (every known sub-system with its default
// target). Each stored sub-system/target of c is then completed with the
// default keys it lacks, moved to its new name if the sub-system was renamed,
// stripped of deleted keys, and written into the result. Sub-systems that are
// neither known nor renamed are dropped.
//
// NOTE(review): ckvs is the slice stored in c, not a copy. Set may append
// into its spare capacity and Delete shifts elements in place, so c's backing
// arrays can be modified by this call - confirm callers do not rely on c
// afterwards, or Clone first.
func (c Config) Merge() Config {
	cp := New()
	for subSys, tgtKV := range c {
		for tgt := range tgtKV {
			ckvs := c[subSys][tgt]
			// Fill in default keys missing from the stored target.
			for _, kv := range cp[subSys][Default] {
				_, ok := c[subSys][tgt].Lookup(kv.Key)
				if !ok {
					ckvs.Set(kv.Key, kv.Value)
				}
			}
			if _, ok := cp[subSys]; !ok {
				rnSubSys, ok := renamedSubsys[subSys]
				if !ok {
					// A config subsystem was removed or server was downgraded.
					continue
				}
				// Copy over settings from previous sub-system
				// to newly renamed sub-system
				for _, kv := range cp[rnSubSys][Default] {
					_, ok := c[subSys][tgt].Lookup(kv.Key)
					if !ok {
						ckvs.Set(kv.Key, kv.Value)
					}
				}
				// NOTE(review): this overwrites the outer loop variable, so
				// any further target of the same tgtKV is read from
				// c[rnSubSys] instead of the old name. Only matters if a
				// renamed sub-system holds more than one target - confirm.
				subSys = rnSubSys
			}
			// Delete deprecated keys for subsystem if any
			if keys, ok := deletedSubSysKeys[subSys]; ok {
				for _, key := range keys {
					ckvs.Delete(key)
				}
			}
			cp[subSys][tgt] = ckvs
		}
	}
	return cp
}
// New returns a server config holding one entry per member of SubSystems,
// each with only the Default target set to DefaultKVS of that sub-system.
//
// The default KVS is stored as is (not cloned), so it shares its backing
// array with the entry in DefaultKVS.
func New() Config {
	cfg := Config{}
	for _, subSys := range SubSystems.ToSlice() {
		cfg[subSys] = map[string]KVS{
			Default: DefaultKVS[subSys],
		}
	}
	return cfg
}
// Target signifies an individual target: SubSystem is the sub-system name,
// with the separator and target name attached for non-default targets (as
// built by GetKVS), and KVS holds its key/values.
type Target struct {
	SubSystem string
	KVS KVS
}
// Targets sub-system targets
type Targets []Target
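// GetKVS returns the key/values selected by s, completed with the defaults
// from defaultKVS for keys the stored configuration lacks.
//
// s must be a single token, either "subsys:target" or "subsys". In the first
// form the sub-system must be known and the target must exist; one Target is
// returned. In the second form s is treated as a prefix: every sub-system
// listed in the help map (HelpSubSysMap[""] followed by the deprecated ones)
// whose name starts with it contributes all of its targets, or its defaults
// when it has no default target stored.
//
// Values are returned as stored; nothing is redacted here, so callers that
// expose the result must mask secrets themselves.
//
// An error is returned for empty or whitespace-only input, for more than one
// token, for an unknown sub-system, and for an empty or unknown target.
func (c Config) GetKVS(s string, defaultKVS map[string]KVS) (Targets, error) {
	if len(s) == 0 {
		return nil, Errorf("input cannot be empty")
	}
	inputs := strings.Fields(s)
	// strings.Fields yields no tokens for whitespace-only input; without this
	// guard the inputs[0] access below panics.
	if len(inputs) == 0 {
		return nil, Errorf("input cannot be empty")
	}
	if len(inputs) > 1 {
		return nil, Errorf("invalid number of arguments %s", s)
	}
	subSystemValue := strings.SplitN(inputs[0], SubSystemSeparator, 2)
	if len(subSystemValue) == 0 {
		return nil, Errorf("invalid number of arguments %s", s)
	}
	found := SubSystems.Contains(subSystemValue[0])
	if !found {
		// Check for sub-prefix only if the input value is only a
		// single value, this rejects invalid inputs if any.
		found = !SubSystems.FuncMatch(strings.HasPrefix, subSystemValue[0]).IsEmpty() && len(subSystemValue) == 1
	}
	if !found {
		return nil, Errorf("unknown sub-system %s", s)
	}
	targets := Targets{}
	subSysPrefix := subSystemValue[0]
	if len(subSystemValue) == 2 {
		if len(subSystemValue[1]) == 0 {
			return nil, Errorf("sub-system target '%s' cannot be empty", s)
		}
		kvs, ok := c[subSysPrefix][subSystemValue[1]]
		if !ok {
			return nil, Errorf("sub-system target '%s' doesn't exist", s)
		}
		for _, kv := range defaultKVS[subSysPrefix] {
			_, ok = kvs.Lookup(kv.Key)
			if !ok {
				kvs.Set(kv.Key, kv.Value)
			}
		}
		targets = append(targets, Target{
			SubSystem: inputs[0],
			KVS:       kvs,
		})
		return targets, nil
	}
	// Use help for sub-system to preserve the order. Add deprecated
	// keys at the end (in some order).
	kvsOrder := append([]HelpKV{}, HelpSubSysMap[""]...)
	for _, v := range HelpDeprecatedSubSysMap {
		kvsOrder = append(kvsOrder, v)
	}
	for _, hkv := range kvsOrder {
		if !strings.HasPrefix(hkv.Key, subSysPrefix) {
			continue
		}
		if c[hkv.Key][Default].Empty() {
			targets = append(targets, Target{
				SubSystem: hkv.Key,
				KVS:       defaultKVS[hkv.Key],
			})
		}
		for k, kvs := range c[hkv.Key] {
			for _, dkv := range defaultKVS[hkv.Key] {
				_, ok := kvs.Lookup(dkv.Key)
				if !ok {
					kvs.Set(dkv.Key, dkv.Value)
				}
			}
			if k != Default {
				targets = append(targets, Target{
					SubSystem: hkv.Key + SubSystemSeparator + k,
					KVS:       kvs,
				})
			} else {
				targets = append(targets, Target{
					SubSystem: hkv.Key,
					KVS:       kvs,
				})
			}
		}
	}
	return targets, nil
}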
// DelKVS deletes configuration described by s, which has the form
// "subsys[:target]" optionally followed by a space-separated list of keys.
//
// Without keys the whole target is removed from its sub-system. With keys,
// each listed key is reset to its value in DefaultKVS when it has one and
// removed otherwise; the change is made on a clone and stored only after
// every key has been processed, so a failing key leaves the target as it was.
//
// When GetSubSys rejects s because the sub-system is unknown and no keys were
// given, the sub-system is removed from c anyway and nil is returned. An
// ErrConfigNotFound is returned when the target, or one of the keys, does not
// exist.
func (c Config) DelKVS(s string) error {
	subSys, inputs, tgt, err := GetSubSys(s)
	if err != nil {
		// Unknown sub-system found try to remove it anyways.
		if len(inputs) == 1 && !SubSystems.Contains(subSys) {
			delete(c, subSys)
			return nil
		}
		return err
	}

	stored, exists := c[subSys][tgt]
	if !exists {
		return Error[ErrConfigNotFound]("sub-system %s:%s already deleted or does not exist", subSys, tgt)
	}

	// No key list: drop the whole target.
	if len(inputs) != 2 {
		delete(c[subSys], tgt)
		return nil
	}

	working := stored.Clone()
	defaults := DefaultKVS[subSys]
	for _, key := range strings.Fields(inputs[1]) {
		if _, present := working.Lookup(key); !present {
			return Error[ErrConfigNotFound]("key %s doesn't exist", key)
		}
		if defVal, hasDefault := defaults.Lookup(key); hasDefault {
			working.Set(key, defVal)
		} else {
			working.Delete(key)
		}
	}
	c[subSys][tgt] = working
	return nil
}
// Clone returns a deep copy of the configuration. The copy starts from New(),
// so every known sub-system is present; each sub-system of c then replaces
// the corresponding entry with fresh maps and freshly allocated KVS slices.
// Changes to the copy do not affect c.
func (c Config) Clone() Config {
	dup := New()
	for subSys, targets := range c {
		copied := make(map[string]KVS)
		for tgt, kvs := range targets {
			copied[tgt] = append(KVS(nil), kvs...)
		}
		dup[subSys] = copied
	}
	return dup
}
// GetSubSys splits a config string of the form "subsys[:target] [k=v ...]".
//
// It returns the sub-system name, the input cut at the first
// KvSpaceSeparator (one or two elements), and the target name, which is
// Default when none is given. subSys and inputs are filled in even when an
// error is returned, which DelKVS relies on.
//
// An error is returned for empty input, for a sub-system that is not in
// SubSystems, and for an explicit target on a single-target sub-system. The
// target itself is not validated here; "subsys:" yields an empty target.
func GetSubSys(s string) (subSys string, inputs []string, tgt string, e error) {
	tgt = Default
	if s == "" {
		return subSys, inputs, tgt, Errorf("input arguments cannot be empty")
	}
	inputs = strings.SplitN(s, KvSpaceSeparator, 2)

	var (
		target    string
		hasTarget bool
	)
	subSys, target, hasTarget = strings.Cut(inputs[0], SubSystemSeparator)

	switch {
	case !SubSystems.Contains(subSys):
		return subSys, inputs, tgt, Errorf("unknown sub-system %s", s)
	case hasTarget && SubSystemsSingleTargets.Contains(subSys):
		return subSys, inputs, tgt, Errorf("sub-system '%s' only supports single target", subSys)
	case hasTarget:
		tgt = target
	}
	return subSys, inputs, tgt, nil
}
// kvFields splits an input such as "k1=v1 k2=v2" into ["k1=v1", "k2=v2"].
//
// For each entry of keys it finds the first occurrence of "key" followed by
// KvSeparator in input; the input is then cut at those positions, in
// ascending order, and each piece is trimmed of surrounding space. Keys that
// do not occur are ignored, and an empty keys list yields an empty slice.
// Text before the first recognised key is dropped.
//
// The search is a plain substring match with no notion of token boundaries
// or quoting. A key name that appears inside a value, or that is the tail of
// a longer key, produces a cut point as well - keep that in mind when values
// come from less trusted input.
func kvFields(input string, keys []string) []string {
	starts := make([]int, 0, len(keys))
	for _, key := range keys {
		if pos := strings.Index(input, key+KvSeparator); pos != -1 {
			starts = append(starts, pos)
		}
	}
	sort.Ints(starts)

	fields := make([]string, 0, len(starts))
	for n, begin := range starts {
		end := len(input)
		if n+1 < len(starts) {
			end = starts[n+1]
		}
		fields = append(fields, strings.TrimSpace(input[begin:end]))
	}
	return fields
}
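// SetKVS applies one config line of the form "subsys[:target] k1=v1 k2=v2"
// to c.
//
// The key/value list is tokenised with kvFields using the keys of
// defaultKVS[subSys]; each value passes through madmin.SanitizeValue. If the
// sub-system has an enable key and the line does not set it, it is set to
// EnableOn. The new values are laid over the stored target (or over the
// defaults when the target does not exist yet), and the result is checked
// against the help entries of the sub-system: while the target is enabled,
// every key not marked Optional must have a non-empty value.
//
// c is written only after all checks pass, so a rejected line leaves the
// target unchanged. dynamic reports whether subSys is in SubSystemsDynamic;
// it is false whenever an error is returned.
//
// NOTE(review): the final assignment writes into c[subSys]; that map must
// exist, which holds for configs created with New() - confirm for others.
func (c Config) SetKVS(s string, defaultKVS map[string]KVS) (dynamic bool, err error) {
	subSys, inputs, tgt, err := GetSubSys(s)
	if err != nil {
		return false, err
	}
	// GetSubSys returns a single element when s holds only the sub-system
	// token; without this guard the inputs[1] access below panics.
	if len(inputs) < 2 {
		return false, Errorf("sub-system '%s' cannot have empty keys", subSys)
	}
	dynamic = SubSystemsDynamic.Contains(subSys)
	fields := kvFields(inputs[1], defaultKVS[subSys].Keys())
	if len(fields) == 0 {
		return false, Errorf("sub-system '%s' cannot have empty keys", subSys)
	}
	kvs := KVS{}
	var prevK string
	for _, v := range fields {
		kv := strings.SplitN(v, KvSeparator, 2)
		if len(kv) == 0 {
			continue
		}
		if len(kv) == 1 && prevK != "" {
			// A field without separator continues the previous value.
			value := strings.Join([]string{
				kvs.Get(prevK),
				madmin.SanitizeValue(kv[0]),
			}, KvSpaceSeparator)
			kvs.Set(prevK, value)
			continue
		}
		if len(kv) == 2 {
			prevK = kv[0]
			kvs.Set(prevK, madmin.SanitizeValue(kv[1]))
			continue
		}
		return false, Errorf("key '%s', cannot have empty value", kv[0])
	}
	_, ok := kvs.Lookup(Enable)
	// Check if state is required
	_, enableRequired := defaultKVS[subSys].Lookup(Enable)
	if !ok && enableRequired {
		// implicit state "on" if not specified.
		kvs.Set(Enable, EnableOn)
	}
	var currKVS KVS
	ck, ok := c[subSys][tgt]
	if !ok {
		currKVS = defaultKVS[subSys].Clone()
	} else {
		currKVS = ck.Clone()
		for _, kv := range defaultKVS[subSys] {
			if _, ok = currKVS.Lookup(kv.Key); !ok {
				currKVS.Set(kv.Key, kv.Value)
			}
		}
	}
	for _, kv := range kvs {
		if kv.Key == Comment {
			// Skip comment and add it later.
			continue
		}
		currKVS.Set(kv.Key, kv.Value)
	}
	v, ok := kvs.Lookup(Comment)
	if ok {
		currKVS.Set(Comment, v)
	}
	// When the enable key is not required the sub-system is implicitly on.
	// currKVS no longer changes, so this is computed once for all keys.
	enabled := true
	if enableRequired {
		enabled = currKVS.Get(Enable) == EnableOn
	}
	for _, hkv := range HelpSubSysMap[subSys] {
		v, _ := currKVS.Lookup(hkv.Key)
		if v == "" && !hkv.Optional && enabled {
			// Return error only if the
			// key is enabled, for state=off
			// let it be empty.
			return false, Errorf(
				"'%s' is not optional for '%s' sub-system, please check '%s' documentation",
				hkv.Key, subSys, subSys)
		}
	}
	c[subSys][tgt] = currKVS
	return dynamic, nil
}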
// CheckValidKeys validates the configuration of subSys in both the
// environment and the config store.
//
// Environment: every variable returned by env.List for the sub-system prefix
// must be the variable of a valid key on the default target or, for
// multi-target sub-systems, start with such a name followed by the delimiter
// and a non-empty target. The target part is only matched by prefix; its
// content is not checked. Remaining variables are reported by name.
//
// Config store: every key stored for any target must be a default key or the
// comment key, and must not be listed in deprecatedKeys.
//
// NOTE(review): the config-store error is built with KVS.String and so
// includes the values of the rejected pairs, not just their keys.
func (c Config) CheckValidKeys(subSys string, deprecatedKeys []string) error {
	defaults, known := DefaultKVS[subSys]
	if !known {
		return Errorf("Subsystem %s does not exist", subSys)
	}

	// Valid keys are the default keys plus the `comment` key.
	validKeys := make([]string, 0, len(defaults)+1)
	for _, kv := range defaults {
		validKeys = append(validKeys, kv.Key)
	}
	validKeys = append(validKeys, Comment)

	// Start from all env vars of the sub-system and strike out the valid
	// ones; whatever is left is unknown.
	envPrefix := fmt.Sprintf("%s%s", EnvPrefix, strings.ToUpper(subSys))
	candidates := set.CreateStringSet(env.List(envPrefix)...)
	for _, key := range validKeys {
		candidates.Remove(getEnvVarName(subSys, Default, key))
	}

	if !SubSystemsSingleTargets.Contains(subSys) {
		// Multi-target sub-systems also accept "<name>_<target>".
		for _, envVar := range candidates.ToSlice() {
			for _, key := range validKeys {
				targetPrefix := getEnvVarName(subSys, Default, key) + Default
				if len(envVar) > len(targetPrefix) && strings.HasPrefix(envVar, targetPrefix) {
					candidates.Remove(envVar)
				}
			}
		}
	}
	if len(candidates) > 0 {
		return Errorf("The following environment variables are unknown: %s",
			strings.Join(candidates.ToSlice(), ", "))
	}

	allowed := set.CreateStringSet(validKeys...).Difference(set.CreateStringSet(deprecatedKeys...))
	for tgt, kvs := range c[subSys] {
		var invalid KVS
		for _, kv := range kvs {
			if !allowed.Contains(kv.Key) {
				invalid = append(invalid, kv)
			}
		}
		if len(invalid) == 0 {
			continue
		}
		return Errorf(
			"found invalid keys (%s) for '%s:%s' sub-system, use 'mc admin config reset myminio %s:%s' to fix invalid keys",
			invalid.String(), subSys, tgt, subSys, tgt)
	}
	return nil
}
// GetAvailableTargets returns the targets configured for subSys, enabled or
// not. Targets come from the config store and from environment variables.
// The default target (`_`) is always present and always first; the others
// follow in ascending order. Single-target sub-systems yield only the default
// target. An error is returned when subSys has no entry in DefaultKVS.
//
// A target name taken from the environment is whatever follows the parameter
// prefix in the variable name; it is not validated here.
func (c Config) GetAvailableTargets(subSys string) ([]string, error) {
	if SubSystemsSingleTargets.Contains(subSys) {
		return []string{Default}, nil
	}
	defaults, known := DefaultKVS[subSys]
	if !known {
		return nil, Errorf("Subsystem %s does not exist", subSys)
	}

	// Targets present in the config store.
	seen := set.NewStringSet()
	for tgt := range c[subSys] {
		seen.Add(tgt)
	}

	// Targets present in the environment. prefixOf maps an env var name to
	// the parameter prefix it was matched with; when one parameter prefix
	// extends another, the longer one is kept.
	prefixOf := map[string]string{}
	for _, kv := range defaults {
		prefix := getEnvVarName(subSys, Default, kv.Key) + Default
		for _, envVar := range env.List(prefix) {
			if strings.TrimPrefix(envVar, prefix) == "" {
				continue
			}
			prev, matched := prefixOf[envVar]
			if !matched || strings.HasPrefix(prefix, prev) {
				prefixOf[envVar] = prefix
			}
		}
	}
	for envVar, prefix := range prefixOf {
		seen.Add(strings.TrimPrefix(envVar, prefix))
	}

	// Put the default target first, the rest sorted after it.
	seen.Remove(Default)
	rest := seen.ToSlice()
	sort.Strings(rest)
	return append([]string{Default}, rest...), nil
}
// getEnvVarName builds the environment variable name of a parameter:
// EnvPrefix, the upper-cased sub-system, the Default delimiter and the
// upper-cased parameter. For a non-default target the delimiter and the
// target are appended; the target is used verbatim, without upper-casing.
func getEnvVarName(subSys, target, param string) string {
	name := EnvPrefix + strings.ToUpper(subSys) + Default + strings.ToUpper(param)
	if target != Default {
		name += Default + target
	}
	return name
}
// resolvableSubsystems lists the sub-systems that ResolveConfigParam and
// GetResolvedConfigParams support.
var resolvableSubsystems = set.CreateStringSet(IdentityOpenIDSubSys, IdentityLDAPSubSys, PolicyPluginSubSys)
// ValueSource represents the source of a config parameter value.
type ValueSource uint8
// Constants for ValueSource
const (
	ValueSourceAbsent ValueSource = iota // this is an error case
	ValueSourceDef // the default value
	ValueSourceCfg // the config store
	ValueSourceEnv // an environment variable
)
// ResolveConfigParam returns the effective value of a configuration parameter,
// within a subsystem and subsystem target. The effective value is, in order of
// decreasing precedence:
//
// 1. the value of the corresponding environment variable if set,
// 2. the value of the parameter in the config store if set,
// 3. the default value,
//
// This function only works for a subset of sub-systems, others return
// `ValueSourceAbsent`. FIXME: some parameters have custom environment
// variables for which support needs to be added.
//
// `ValueSourceAbsent` is also returned when the sub-system has no defaults
// registered or when cfgParam is not one of its keys (the comment key is
// always accepted). An empty target means the default target. An environment
// variable set to the empty string counts as not set.
//
// When redactSecrets is true, the returned value is empty if the configuration
// parameter is a secret, and the returned isRedacted flag is set. The returned
// source still tells where the secret was found. Whether a parameter is a
// secret is decided by the Secret flag of its help entry in HelpSubSysMap.
func (c Config) ResolveConfigParam(subSys, target, cfgParam string, redactSecrets bool,
) (value string, cs ValueSource, isRedacted bool) {
	// cs = ValueSourceAbsent initially as it is iota by default.
	// Only the sub-systems in resolvableSubsystems are supported.
	if !resolvableSubsystems.Contains(subSys) {
		return
	}
	// Check if config param requested is valid.
	defKVS, ok := DefaultKVS[subSys]
	if !ok {
		return
	}
	defValue, isFound := defKVS.Lookup(cfgParam)
	// Comments usually are absent from `defKVS`, so we handle it specially.
	if !isFound && cfgParam == Comment {
		defValue, isFound = "", true
	}
	if !isFound {
		return
	}
	if target == "" {
		target = Default
	}
	if redactSecrets {
		// If the configuration parameter is a secret, make sure to redact it when
		// we return.
		helpKV, _ := HelpSubSysMap[subSys].Lookup(cfgParam)
		if helpKV.Secret {
			// The deferred function overwrites the named results on every
			// return path below, whichever source supplied the value.
			defer func() {
				value = ""
				isRedacted = true
			}()
		}
	}
	envVar := getEnvVarName(subSys, target, cfgParam)
	// Lookup Env var.
	value = env.Get(envVar, "")
	if value != "" {
		cs = ValueSourceEnv
		return
	}
	// Lookup config store.
	if subSysStore, ok := c[subSys]; ok {
		if kvs, ok2 := subSysStore[target]; ok2 {
			var ok3 bool
			value, ok3 = kvs.Lookup(cfgParam)
			if ok3 {
				cs = ValueSourceCfg
				return
			}
		}
	}
	// Return the default value.
	value = defValue
	cs = ValueSourceDef
	return
}
// KVSrc represents a configuration parameter key and value along with the
// source of the value.
type KVSrc struct {
	Key string
	Value string
	// Src tells whether Value is the default, from the config store or from
	// the environment.
	Src ValueSource
}
// GetResolvedConfigParams resolves every default key of subSys for the given
// target through ResolveConfigParam and returns the values with their
// sources. A value equal to the default is always reported as
// ValueSourceDef, wherever it was found.
//
// With redactSecrets set, parameters that ResolveConfigParam marks as
// redacted are left out of the result entirely. The comment key is added last
// when it does not resolve to its default; comments are never redacted.
//
// An error is returned when subSys is not one of the resolvable sub-systems
// or has no defaults registered.
func (c Config) GetResolvedConfigParams(subSys, target string, redactSecrets bool) ([]KVSrc, error) {
	if !resolvableSubsystems.Contains(subSys) {
		return nil, Errorf("unsupported subsystem: %s", subSys)
	}
	defaults, known := DefaultKVS[subSys]
	if !known {
		return nil, Errorf("unknown subsystem: %s", subSys)
	}

	resolved := make([]KVSrc, 0, len(defaults)+1)
	for _, def := range defaults {
		val, src, redacted := c.ResolveConfigParam(subSys, target, def.Key, redactSecrets)
		if redactSecrets && redacted {
			// Redacted secrets are not part of the output.
			continue
		}
		if val == def.Value {
			src = ValueSourceDef
		}
		resolved = append(resolved, KVSrc{Key: def.Key, Value: val, Src: src})
	}

	comment, commentSrc, _ := c.ResolveConfigParam(subSys, target, Comment, redactSecrets)
	if commentSrc == ValueSourceDef {
		return resolved, nil
	}
	return append(resolved, KVSrc{Key: Comment, Value: comment, Src: commentSrc}), nil
}
// getTargetKVS returns the stored configuration KVs for the given subsystem
// and target, or nil when the subsystem has no entry in the config. When
// `redactSecrets` is set, every KV whose help entry marks it as a secret and
// whose value is non-empty is dropped from the result; secrets with an empty
// value are still listed.
func (c Config) getTargetKVS(subSys, target string, redactSecrets bool) KVS {
	subSysStore, found := c[subSys]
	if !found {
		return nil
	}

	stored := subSysStore[target]
	// Per the original note, the help lookup is expected to succeed because
	// this function is only called with valid subSys values.
	helpKVS := HelpSubSysMap[subSys]

	out := make([]KV, 0, len(stored))
	for _, kv := range stored {
		help, _ := helpKVS.Lookup(kv.Key)
		if !redactSecrets || !help.Secret || kv.Value == "" {
			out = append(out, kv)
			continue
		}
		// A populated secret is omitted outright; no placeholder value is
		// emitted in its place.
	}
	return out
}
// getTargetEnvs collects the environment variables that are set (non-empty)
// for the given subsystem and target, keyed by config parameter name. Only
// the keys in defKVS are probed. When redactSecrets is set, variables backing
// a parameter marked as secret are omitted from the map.
func (c Config) getTargetEnvs(subSys, target string, defKVS KVS, redactSecrets bool) map[string]EnvPair {
	helpKVS := HelpSubSysMap[subSys]
	pairs := make(map[string]EnvPair)

	for _, def := range defKVS {
		name := getEnvVarName(subSys, target, def.Key)
		val := env.Get(name, "")
		if val == "" {
			// An empty result is treated as "not set".
			continue
		}
		if help, _ := helpKVS.Lookup(def.Key); help.Secret && redactSecrets {
			// Secrets are skipped, not masked.
			continue
		}
		pairs[def.Key] = EnvPair{Name: name, Value: val}
	}
	return pairs
}
// EnvPair couples an environment variable name with its value.
type EnvPair struct {
	Name  string // environment variable name
	Value string // the variable's value
}
// SubsysInfo holds config info for one target of a subsystem: its default
// keys, the stored configuration and the environment variables that are set.
// When built by GetSubsysInfo with redactSecrets, Config and EnvMap carry no
// populated secrets.
type SubsysInfo struct {
	SubSys string
	Target string

	// Defaults lists the default KVs of the subsystem.
	Defaults KVS
	// Config holds the KVs stored for this target.
	Config KVS

	// EnvMap maps a config parameter name to its EnvPair.
	EnvMap map[string]EnvPair
}
// GetSubsysInfo returns one `SubsysInfo` per available target of the subsystem
// when target is empty, and a single `SubsysInfo` for the named target
// otherwise. To request the default target only, target must be set to
// `Default`. An unknown subsystem or a target that is not available yields an
// error. redactSecrets is passed through to the helpers that gather the stored
// and environment values.
func (c Config) GetSubsysInfo(subSys, target string, redactSecrets bool) ([]SubsysInfo, error) {
	// The subsystem must have a table of defaults to be reported on.
	baseDefaults, known := DefaultKVS[subSys]
	if !known {
		return nil, Errorf("unknown subsystem: %s", subSys)
	}

	targets, err := c.GetAvailableTargets(subSys)
	if err != nil {
		return nil, err
	}

	// Narrow the list to the requested target, which must be available.
	if target != "" {
		exists := false
		for i := 0; i < len(targets) && !exists; i++ {
			exists = targets[i] == target
		}
		if !exists {
			return nil, Errorf("there is no target `%s` for subsystem `%s`", target, subSys)
		}
		targets = []string{target}
	}

	// `Comment` is optional, can be set for every sub-system and is not part
	// of the `DefaultKVS` values. Appending it to a private copy of the
	// defaults lets a comment set through the environment be picked up
	// without touching the shared defaults.
	defaults := make([]KV, 0, len(baseDefaults)+1)
	defaults = append(defaults, baseDefaults...)
	defaults = append(defaults, KV{Key: Comment})

	infos := make([]SubsysInfo, 0, len(targets))
	for _, name := range targets {
		stored := c.getTargetKVS(subSys, name, redactSecrets)
		envs := c.getTargetEnvs(subSys, name, defaults, redactSecrets)
		infos = append(infos, SubsysInfo{
			SubSys:   subSys,
			Target:   name,
			Defaults: defaults, // the same slice is shared by every entry
			Config:   stored,
			EnvMap:   envs,
		})
	}
	return infos, nil
}
// AddEnvString appends one comment line per set environment variable to the
// given string builder, in the order of the default keys. Names and values
// are written verbatim, so the output contains whatever EnvMap holds; secrets
// are absent only if EnvMap was built with redaction enabled.
func (cs *SubsysInfo) AddEnvString(b *strings.Builder) {
	for _, def := range cs.Defaults {
		pair, ok := cs.EnvMap[def.Key]
		if !ok {
			continue
		}
		line := [...]string{
			KvComment, KvSpaceSeparator,
			pair.Name, EnvSeparator, pair.Value,
			KvNewline,
		}
		for _, part := range line {
			b.WriteString(part)
		}
	}
}
// WriteTo writes the string representation of the configuration to the given
// builder: first the environment variable comment lines from AddEnvString,
// then a single line with the subsystem (and target, unless it is the default
// one) followed by its key-value pairs. When off is true, that line is
// prefixed with the comment marker. Keys without a default entry, empty values
// whose default is flagged HiddenIfEmpty, and an enable key that is on are not
// printed.
func (cs *SubsysInfo) WriteTo(b *strings.Builder, off bool) {
	cs.AddEnvString(b)

	if off {
		b.WriteString(KvComment + KvSpaceSeparator)
	}

	// Subsystem name, with the target appended for non-default targets.
	header := cs.SubSys
	if cs.Target != Default {
		header += SubSystemSeparator + cs.Target
	}
	b.WriteString(header + KvSpaceSeparator)

	for _, kv := range cs.Config {
		def, known := cs.Defaults.LookupKV(kv.Key)
		switch {
		case !known:
			// Not a key of this subsystem's defaults.
		case def.HiddenIfEmpty && kv.Value == "":
			// Ignore empty and deprecated values.
		case kv.Key == Enable && kv.Value == EnableOn:
			// No need to print the state when it is on.
		default:
			b.WriteString(kv.String())
			b.WriteString(KvSpaceSeparator)
		}
	}
	b.WriteString(KvNewline)
}