minio/cmd/ldap-ops.go

/*
 * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"crypto/tls"
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"
	"time"

	ldap "gopkg.in/ldap.v3"
)

const (
	defaultLDAPExpiry = time.Hour * 1
)

// ldapServerConfig contains server connectivity information.
type ldapServerConfig struct {
	IsEnabled bool `json:"enabled"`

	// E.g. "ldap.minio.io:636"
	ServerAddr string `json:"serverAddr"`

	// STS credentials expiry duration
	STSExpiryDuration string        `json:"stsExpiryDuration"`
	stsExpiryDuration time.Duration // contains converted value

	// Skips TLS verification (for testing, not
	// recommended in production).
	SkipTLSVerify bool `json:"skipTLSverify"`

	// Format string for usernames
	UsernameFormat string `json:"usernameFormat"`

	GroupSearchBaseDN  string `json:"groupSearchBaseDN"`
	GroupSearchFilter  string `json:"groupSearchFilter"`
	GroupNameAttribute string `json:"groupNameAttribute"`
}

func (l *ldapServerConfig) Connect() (ldapConn *ldap.Conn, err error) {
	if l == nil {
		// Happens when LDAP is not configured.
		return
	}
	if l.SkipTLSVerify {
		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true})
	} else {
		ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{})
	}
	return
}

// newLDAPConfigFromEnv loads configuration from the environment
func newLDAPConfigFromEnv() (l ldapServerConfig, err error) {
	if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok {
		l.IsEnabled = true
		l.ServerAddr = ldapServer

		if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" {
			l.SkipTLSVerify = true
		}

		if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" {
			expDur, err := time.ParseDuration(v)
			if err != nil {
				return l, errors.New("LDAP expiry time err:" + err.Error())
			}
			if expDur <= 0 {
				return l, errors.New("LDAP expiry time has to be positive")
			}
			l.STSExpiryDuration = v
			l.stsExpiryDuration = expDur
		} else {
			l.stsExpiryDuration = defaultLDAPExpiry
		}

		if v := os.Getenv("MINIO_IDENTITY_LDAP_USERNAME_FORMAT"); v != "" {
			subs := newSubstituter("username", "test")
			if _, err := subs.substitute(v); err != nil {
				return l, errors.New("Only username may be substituted in the username format")
			}
			l.UsernameFormat = v
		}

		grpSearchFilter := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER")
		grpSearchNameAttr := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE")
		grpSearchBaseDN := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN")

		// Either all group params must be set or none must be set.
		allNotSet := grpSearchFilter == "" && grpSearchNameAttr == "" && grpSearchBaseDN == ""
		allSet := grpSearchFilter != "" && grpSearchNameAttr != "" && grpSearchBaseDN != ""
		if !allNotSet && !allSet {
			return l, errors.New("All group related parameters must be set")
		}

		if allSet {
			subs := newSubstituter("username", "test", "usernamedn", "test2")
			if _, err := subs.substitute(grpSearchFilter); err != nil {
				return l, errors.New("Only username and usernamedn may be substituted in the group search filter string")
			}
			l.GroupSearchFilter = grpSearchFilter

			l.GroupNameAttribute = grpSearchNameAttr

			subs = newSubstituter("username", "test", "usernamedn", "test2")
			if _, err := subs.substitute(grpSearchBaseDN); err != nil {
				return l, errors.New("Only username and usernamedn may be substituted in the base DN string")
			}
			l.GroupSearchBaseDN = grpSearchBaseDN
		}
	}
	return
}

// substituter - This type is to allow restricted runtime
// substitutions of variables in LDAP configuration items during
// runtime.
type substituter struct {
	vals map[string]string
}

// newSubstituter - sets up the substituter for usage, for e.g.:
//
//  subber := newSubstituter("username", "john")
func newSubstituter(v ...string) substituter {
	if len(v)%2 != 0 {
		log.Fatal("Need an even number of arguments")
	}
	vals := make(map[string]string)
	for i := 0; i < len(v); i += 2 {
		vals[v[i]] = v[i+1]
	}
	return substituter{vals: vals}
}

// substitute - performs substitution on the given string `t`. Returns
// an error if there are any variables in the input that do not have
// values in the substituter. E.g.:
//
// subber.substitute("uid=${username},cn=users,dc=example,dc=com")
//
// returns "uid=john,cn=users,dc=example,dc=com"
//
// whereas:
//
// subber.substitute("uid=${usernamedn}")
//
// returns an error.
func (s *substituter) substitute(t string) (string, error) {
	for k, v := range s.vals {
		re := regexp.MustCompile(fmt.Sprintf(`\$\{%s\}`, k))
		t = re.ReplaceAllLiteralString(t, v)
	}
	// Check if all requested substitutions have been made.
	re := regexp.MustCompile(`\$\{.*\}`)
	if re.MatchString(t) {
		return "", errors.New("unsupported substitution requested")
	}
	return t, nil
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled. 2019-09-10 07:12:29 +08:00			`/*`
			`* MinIO Cloud Storage, (C) 2019 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"crypto/tls"`
			`"errors"`
			`"fmt"`
			`"log"`
			`"os"`
			`"regexp"`
			`"time"`

			`ldap "gopkg.in/ldap.v3"`
			`)`

			`const (`
			`defaultLDAPExpiry = time.Hour * 1`
			`)`

			`// ldapServerConfig contains server connectivity information.`
			`type ldapServerConfig struct {`
			IsEnabled bool `json:"enabled"`

			`// E.g. "ldap.minio.io:636"`
			ServerAddr string `json:"serverAddr"`

			`// STS credentials expiry duration`
			STSExpiryDuration string `json:"stsExpiryDuration"`
			`stsExpiryDuration time.Duration // contains converted value`

			`// Skips TLS verification (for testing, not`
			`// recommended in production).`
			SkipTLSVerify bool `json:"skipTLSverify"`

			`// Format string for usernames`
			UsernameFormat string `json:"usernameFormat"`

			GroupSearchBaseDN string `json:"groupSearchBaseDN"`
			GroupSearchFilter string `json:"groupSearchFilter"`
			GroupNameAttribute string `json:"groupNameAttribute"`
			`}`

			`func (l ldapServerConfig) Connect() (ldapConn ldap.Conn, err error) {`
			`if l == nil {`
			`// Happens when LDAP is not configured.`
			`return`
			`}`
			`if l.SkipTLSVerify {`
			`ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true})`
			`} else {`
			`ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{})`
			`}`
			`return`
			`}`

			`// newLDAPConfigFromEnv loads configuration from the environment`
			`func newLDAPConfigFromEnv() (l ldapServerConfig, err error) {`
			`if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok {`
			`l.IsEnabled = true`
			`l.ServerAddr = ldapServer`

			`if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" {`
			`l.SkipTLSVerify = true`
			`}`

			`if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" {`
			`expDur, err := time.ParseDuration(v)`
			`if err != nil {`
			`return l, errors.New("LDAP expiry time err:" + err.Error())`
			`}`
			`if expDur <= 0 {`
			`return l, errors.New("LDAP expiry time has to be positive")`
			`}`
			`l.STSExpiryDuration = v`
			`l.stsExpiryDuration = expDur`
			`} else {`
			`l.stsExpiryDuration = defaultLDAPExpiry`
			`}`

			`if v := os.Getenv("MINIO_IDENTITY_LDAP_USERNAME_FORMAT"); v != "" {`
			`subs := newSubstituter("username", "test")`
			`if _, err := subs.substitute(v); err != nil {`
			`return l, errors.New("Only username may be substituted in the username format")`
			`}`
			`l.UsernameFormat = v`
			`}`

			`grpSearchFilter := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER")`
			`grpSearchNameAttr := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE")`
			`grpSearchBaseDN := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN")`

			`// Either all group params must be set or none must be set.`
			`allNotSet := grpSearchFilter == "" && grpSearchNameAttr == "" && grpSearchBaseDN == ""`
			`allSet := grpSearchFilter != "" && grpSearchNameAttr != "" && grpSearchBaseDN != ""`
			`if !allNotSet && !allSet {`
			`return l, errors.New("All group related parameters must be set")`
			`}`

			`if allSet {`
			`subs := newSubstituter("username", "test", "usernamedn", "test2")`
			`if _, err := subs.substitute(grpSearchFilter); err != nil {`
			`return l, errors.New("Only username and usernamedn may be substituted in the group search filter string")`
			`}`
			`l.GroupSearchFilter = grpSearchFilter`

			`l.GroupNameAttribute = grpSearchNameAttr`

			`subs = newSubstituter("username", "test", "usernamedn", "test2")`
			`if _, err := subs.substitute(grpSearchBaseDN); err != nil {`
			`return l, errors.New("Only username and usernamedn may be substituted in the base DN string")`
			`}`
			`l.GroupSearchBaseDN = grpSearchBaseDN`
			`}`
			`}`
			`return`
			`}`

			`// substituter - This type is to allow restricted runtime`
			`// substitutions of variables in LDAP configuration items during`
			`// runtime.`
			`type substituter struct {`
			`vals map[string]string`
			`}`

			`// newSubstituter - sets up the substituter for usage, for e.g.:`
			`//`
			`// subber := newSubstituter("username", "john")`
			`func newSubstituter(v ...string) substituter {`
			`if len(v)%2 != 0 {`
			`log.Fatal("Need an even number of arguments")`
			`}`
			`vals := make(map[string]string)`
			`for i := 0; i < len(v); i += 2 {`
			`vals[v[i]] = v[i+1]`
			`}`
			`return substituter{vals: vals}`
			`}`

			// substitute - performs substitution on the given string `t`. Returns
			`// an error if there are any variables in the input that do not have`
			`// values in the substituter. E.g.:`
			`//`
			`// subber.substitute("uid=${username},cn=users,dc=example,dc=com")`
			`//`
			`// returns "uid=john,cn=users,dc=example,dc=com"`
			`//`
			`// whereas:`
			`//`
			`// subber.substitute("uid=${usernamedn}")`
			`//`
			`// returns an error.`
			`func (s *substituter) substitute(t string) (string, error) {`
			`for k, v := range s.vals {`
			re := regexp.MustCompile(fmt.Sprintf(`\$\{%s\}`, k))
			`t = re.ReplaceAllLiteralString(t, v)`
			`}`
			`// Check if all requested substitutions have been made.`
			re := regexp.MustCompile(`\$\{.*\}`)
			`if re.MatchString(t) {`
			`return "", errors.New("unsupported substitution requested")`
			`}`
			`return t, nil`
			`}`