From 4b6585d249b2d7db7128ecfcde28c8004a00fff9 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 31 Aug 2020 23:56:22 -0700 Subject: [PATCH] support 'ldap:user' variable replacement properly (#10391) also update `ldap.go` examples with latest minio-go changes Fixes #10367 --- cmd/bucket-policy.go | 5 +-- cmd/sts-handlers.go | 3 +- docs/sts/ldap.go | 40 ++++++++++------------- docs/sts/list-objects-with-ldap-user.json | 14 ++++++++ 4 files changed, 36 insertions(+), 26 deletions(-) create mode 100644 docs/sts/list-objects-with-ldap-user.json diff --git a/cmd/bucket-policy.go b/cmd/bucket-policy.go index f00ec90c8..f359b8057 100644 --- a/cmd/bucket-policy.go +++ b/cmd/bucket-policy.go @@ -151,9 +151,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[ if ok { // Special case for AD/LDAP STS users if k == ldapUser { - args[ldapUserPolicyVariable] = []string{vStr} + args["user"] = []string{vStr} + } else { + args[k] = []string{vStr} } - args[k] = []string{vStr} } } diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go index fcdabaccb..152536e29 100644 --- a/cmd/sts-handlers.go +++ b/cmd/sts-handlers.go @@ -61,8 +61,7 @@ const ( parentClaim = "parent" // LDAP claim keys - ldapUser = "ldapUser" - ldapUserPolicyVariable = "ldap:user" + ldapUser = "ldapUser" ) // stsAPIHandlers implements and provides http handlers for AWS STS API. diff --git a/docs/sts/ldap.go b/docs/sts/ldap.go index 6fb593863..41a67bb84 100644 --- a/docs/sts/ldap.go +++ b/docs/sts/ldap.go @@ -18,12 +18,13 @@ package main import ( + "context" "flag" "fmt" "log" "net/url" - miniogo "github.com/minio/minio-go/v7" + "github.com/minio/minio-go/v7" cr "github.com/minio/minio-go/v7/pkg/credentials" ) 
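Review bot: The LDAP user is now stored under the bare key `"user"`, which shares a namespace with every other claim written by the new `else` branch: a token whose claims map carries a key literally named `user` writes the same `args["user"]` slot, and because `claims` is a Go map the value that wins depends on iteration order. The literal presumably matches `${ldap:user}` with its prefix stripped by the policy evaluator, but nothing in the hunk says so, and the constant that documented this mapping is deleted in the `cmd/sts-handlers.go` hunk of this same commit. The `else` also stops storing the raw `ldapUser` claim under its own key, which the old unconditional `args[k] = []string{vStr}` did, so any policy referencing that claim name would stop resolving. I would keep a named constant, `ldapUserPolicyVariable = "user" // variable name of ${ldap:user}, prefix stripped`, write `args[ldapUserPolicyVariable] = []string{vStr}` in the LDAP branch and keep `args[k] = []string{vStr}` unconditional as before. The enclosing function `getConditionValues` begins before this hunk.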
@@ -53,39 +54,34 @@ func main() { // LDAP STS API. // Initialize LDAP credentials - li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword) - if err != nil { - log.Fatalf("INIT Err: %v", err) - } + li, _ := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword) - // Generate temporary STS credentials - v, err := li.Get() - if err != nil { - log.Fatalf("GET Err: %v", err) - } - fmt.Printf("%#v\n", v) - - stsEndpointUrl, err := url.Parse(stsEndpoint) + stsEndpointURL, err := url.Parse(stsEndpoint) if err != nil { log.Fatalf("Err: %v", err) } - secure := false - if stsEndpointUrl.Scheme == "https" { - secure = true + opts := &minio.Options{ + Creds: li, + Secure: stsEndpointURL.Scheme == "https", } + fmt.Println(li.Get()) // Use generated credentials to authenticate with MinIO server - minioClient, err := miniogo.NewWithCredentials(stsEndpointUrl.Host, li, secure, "") + minioClient, err := minio.New(stsEndpointURL.Host, opts) if err != nil { log.Fatalln(err) } // Use minIO Client object normally like the regular client. - fmt.Println("Calling list buckets with temp creds:") - b, err := minioClient.ListBuckets() - if err != nil { - log.Fatalln(err) + fmt.Println("Calling list objects with temp creds: ") + objCh := minioClient.ListObjects(context.Background(), ldapUsername, minio.ListObjectsOptions{}) + for obj := range objCh { + if obj.Err != nil { + if err != nil { + log.Fatalln(err) + } + } + fmt.Println(obj) } - fmt.Println(b) } diff --git a/docs/sts/list-objects-with-ldap-user.json b/docs/sts/list-objects-with-ldap-user.json new file mode 100644 index 000000000..6a3de7a0e --- /dev/null +++ b/docs/sts/list-objects-with-ldap-user.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::${ldap:user}" + ] + } + ] +}
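Review bot: The error check inside the new `for obj := range objCh` loop tests `err`, the variable left over from `minio.New`, rather than `obj.Err`; `err` is already known to be nil at that point, so a listing failure is swallowed and the loop keeps printing. The new `li, _ := cr.NewLDAPIdentity(...)` also discards the error that the removed lines checked with `log.Fatalf("INIT Err: %v", err)`. `fmt.Println(li.Get())` prints the credential value, secret and session token included, together with any error from `Get()` instead of checking it; that is the same exposure the removed `fmt.Printf("%#v\n", v)` had, and an example should at least mark it with `// example only: prints temporary credentials to stdout`. The rewritten lines below restore both checks; `main` continues outside the hunk.
```go
li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
if err != nil {
	log.Fatalf("INIT Err: %v", err)
}
// … unchanged: endpoint parsing, client construction, ListObjects call …
for obj := range objCh {
	if obj.Err != nil {
		log.Fatalln(obj.Err)
	}
	fmt.Println(obj)
}
```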