Merge branch 'master' into persist-heal-mrf

minio · Apr 10, 2024 · adb9bef · adb9bef
2 parents d71a6b0 + a481825
commit adb9bef
Show file tree

Hide file tree

Showing 31 changed files with 550 additions and 292 deletions.
diff --git a/buildscripts/minio-upgrade.sh b/buildscripts/minio-upgrade.sh
@@ -55,6 +55,11 @@ __init__() {
 
  go install github.com/minio/mc@latest
 
+ ## this is needed because github actions don't have
+ ## docker-compose on all runners
+ go install github.com/docker/compose/v2/cmd@latest
+ mv -v /tmp/gopath/bin/cmd /tmp/gopath/bin/docker-compose
+
  TAG=minio/minio:dev make docker
 
  MINIO_VERSION=RELEASE.2019-12-19T22-52-26Z docker-compose \

diff --git a/cmd/admin-handlers-idp-ldap.go b/cmd/admin-handlers-idp-ldap.go
@@ -20,7 +20,6 @@ package cmd
 import (
  "encoding/json"
  "errors"
- "fmt"
  "io"
  "net/http"
  "strings"
@@ -104,6 +103,12 @@ func (a adminAPIHandlers) AttachDetachPolicyLDAP(w http.ResponseWriter, r *http.
  return
  }
 
+ // fail if ldap is not enabled
+ if !globalIAMSys.LDAPConfig.Enabled() {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminLDAPNotEnabled), r.URL)
+ return
+ }
+
  if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {
  // More than maxConfigSize bytes were available
  writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminConfigTooLarge), r.URL)
@@ -191,7 +196,7 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
 
  // fail if ldap is not enabled
  if !globalIAMSys.LDAPConfig.Enabled() {
- writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, errors.New("LDAP not enabled")), r.URL)
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminLDAPNotEnabled), r.URL)
  return
  }
 
@@ -258,13 +263,18 @@ func (a adminAPIHandlers) AddServiceAccountLDAP(w http.ResponseWriter, r *http.R
  // The target user may be supplied as a (short) username or a DN.
  // However, for now, we only support using the short username.
 
+ isDN := globalIAMSys.LDAPConfig.ParsesAsDN(targetUser)
  opts.claims[ldapUserN] = targetUser // simple username
  targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
  if err != nil {
  // if not found, check if DN
- if strings.Contains(err.Error(), "not found") && globalIAMSys.LDAPConfig.ParsesAsDN(targetUser) {
- // warn user that DNs are not allowed
- err = fmt.Errorf("Must use short username to add service account. %w", err)
+ if strings.Contains(err.Error(), "User DN not found for:") {
+ if isDN {
+ // warn user that DNs are not allowed
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminLDAPExpectedLoginName, err), r.URL)
+ } else {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminNoSuchUser, err), r.URL)
+ }
  }
  writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
  return

diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
@@ -1756,15 +1756,14 @@ func (a adminAPIHandlers) AttachDetachPolicyBuiltin(w http.ResponseWriter, r *ht
 }
 
 const (
- allPoliciesFile = "policies.json"
- allUsersFile = "users.json"
- allGroupsFile = "groups.json"
- allSvcAcctsFile = "svcaccts.json"
- userPolicyMappingsFile = "user_mappings.json"
- groupPolicyMappingsFile = "group_mappings.json"
- stsUserPolicyMappingsFile = "stsuser_mappings.json"
- stsGroupPolicyMappingsFile = "stsgroup_mappings.json"
- iamAssetsDir = "iam-assets"
+ allPoliciesFile = "policies.json"
+ allUsersFile = "users.json"
+ allGroupsFile = "groups.json"
+ allSvcAcctsFile = "svcaccts.json"
+ userPolicyMappingsFile = "user_mappings.json"
+ groupPolicyMappingsFile = "group_mappings.json"
+ stsUserPolicyMappingsFile = "stsuser_mappings.json"
+ iamAssetsDir = "iam-assets"
 )
 
 // ExportIAMHandler - exports all iam info as a zipped file
@@ -1813,7 +1812,6 @@ func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) {
  userPolicyMappingsFile,
  groupPolicyMappingsFile,
  stsUserPolicyMappingsFile,
- stsGroupPolicyMappingsFile,
  }
  for _, f := range iamFiles {
  iamFile := pathJoin(iamAssetsDir, f)
@@ -1985,22 +1983,6 @@ func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) {
  writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
  return
  }
- case stsGroupPolicyMappingsFile:
- groupPolicyMap := xsync.NewMapOf[string, MappedPolicy]()
- err := globalIAMSys.store.loadMappedPolicies(ctx, stsUser, true, groupPolicyMap)
- if err != nil {
- writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
- return
- }
- grpPolData, err := json.Marshal(mappedPoliciesToMap(groupPolicyMap))
- if err != nil {
- writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
- return
- }
- if err = rawDataFn(bytes.NewReader(grpPolData), iamFile, len(grpPolData)); err != nil {
- writeErrorResponse(ctx, w, exportError(ctx, err, iamFile, ""), r.URL)
- return
- }
  }
  }
 }
@@ -2391,35 +2373,6 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
  }
  }
  }
-
- // import sts group policy mappings
- {
- f, err := zr.Open(pathJoin(iamAssetsDir, stsGroupPolicyMappingsFile))
- switch {
- case errors.Is(err, os.ErrNotExist):
- case err != nil:
- writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsGroupPolicyMappingsFile, ""), r.URL)
- return
- default:
- defer f.Close()
- var grpPolicyMap map[string]MappedPolicy
- data, err := io.ReadAll(f)
- if err != nil {
- writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrInvalidRequest, err, stsGroupPolicyMappingsFile, ""), r.URL)
- return
- }
- if err = json.Unmarshal(data, &grpPolicyMap); err != nil {
- writeErrorResponseJSON(ctx, w, importErrorWithAPIErr(ctx, ErrAdminConfigBadJSON, err, stsGroupPolicyMappingsFile, ""), r.URL)
- return
- }
- for g, pm := range grpPolicyMap {
- if _, err := globalIAMSys.PolicyDBSet(ctx, g, pm.Policies, unknownIAMUserType, true); err != nil {
- writeErrorResponseJSON(ctx, w, importError(ctx, err, stsGroupPolicyMappingsFile, g), r.URL)
- return
- }
- }
- }
- }
 }
 
 func addExpirationToCondValues(exp *time.Time, condValues map[string][]string) {

diff --git a/cmd/api-errors.go b/cmd/api-errors.go
@@ -278,6 +278,7 @@ const (
  ErrMalformedJSON
  ErrAdminNoSuchUser
  ErrAdminNoSuchUserLDAPWarn
+ ErrAdminLDAPExpectedLoginName
  ErrAdminNoSuchGroup
  ErrAdminGroupNotEmpty
  ErrAdminGroupDisabled
@@ -300,6 +301,7 @@ const (
  ErrAdminConfigIDPCfgNameDoesNotExist
  ErrInsecureClientRequest
  ErrObjectTampered
+ ErrAdminLDAPNotEnabled
 
  // Site-Replication errors
  ErrSiteReplicationInvalidRequest
@@ -2079,7 +2081,16 @@ var errorCodes = errorCodeMap{
  Description: "Invalid attribute name specified.",
  HTTPStatusCode: http.StatusBadRequest,
  },
- // Add your error structure here.
+ ErrAdminLDAPNotEnabled: {
+ Code: "XMinioLDAPNotEnabled",
+ Description: "LDAP is not enabled. LDAP must be enabled to make LDAP requests.",
+ HTTPStatusCode: http.StatusNotImplemented,
+ },
+ ErrAdminLDAPExpectedLoginName: {
+ Code: "XMinioLDAPExpectedLoginName",
+ Description: "Expected LDAP short username but was given full DN.",
+ HTTPStatusCode: http.StatusBadRequest,
+ },
 }
 
 // toAPIErrorCode - Converts embedded errors. Convenience