support 'ldap:user' variable replacement properly (#10391)

also update `ldap.go` examples with latest minio-go changes Fixes #10367
2024-09-15 22:20:34 +00:00 · 2020-08-31 23:56:22 -07:00 · 2020-08-31 23:56:22 -07:00 · 4b6585d249
parent 9ffad7fceb
commit 4b6585d249
4 changed files with 36 additions and 26 deletions
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@ -151,9 +151,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 		if ok {
 			// Special case for AD/LDAP STS users
 			if k == ldapUser {
-				args[ldapUserPolicyVariable] = []string{vStr}
+				args["user"] = []string{vStr}
+			} else {
+				args[k] = []string{vStr}
 			}
-			args[k] = []string{vStr}
 		}
 	}

--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -61,8 +61,7 @@ const (
 	parentClaim = "parent"

 	// LDAP claim keys
-	ldapUser               = "ldapUser"
-	ldapUserPolicyVariable = "ldap:user"
+	ldapUser = "ldapUser"
 )

 // stsAPIHandlers implements and provides http handlers for AWS STS API.
--- a/docs/sts/ldap.go
+++ b/docs/sts/ldap.go
@ -18,12 +18,13 @@
 package main

 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
 	"net/url"

-	miniogo "github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7"
 	cr "github.com/minio/minio-go/v7/pkg/credentials"
 )

@ -53,39 +54,34 @@ func main() {
 	// LDAP STS API.

 	// Initialize LDAP credentials
-	li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
-	if err != nil {
-		log.Fatalf("INIT Err: %v", err)
-	}
+	li, _ := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)

-	// Generate temporary STS credentials
-	v, err := li.Get()
-	if err != nil {
-		log.Fatalf("GET Err: %v", err)
-	}
-	fmt.Printf("%#v\n", v)
-
-	stsEndpointUrl, err := url.Parse(stsEndpoint)
+	stsEndpointURL, err := url.Parse(stsEndpoint)
 	if err != nil {
 		log.Fatalf("Err: %v", err)
 	}

-	secure := false
-	if stsEndpointUrl.Scheme == "https" {
-		secure = true
+	opts := &minio.Options{
+		Creds:  li,
+		Secure: stsEndpointURL.Scheme == "https",
 	}

+	fmt.Println(li.Get())
 	// Use generated credentials to authenticate with MinIO server
-	minioClient, err := miniogo.NewWithCredentials(stsEndpointUrl.Host, li, secure, "")
+	minioClient, err := minio.New(stsEndpointURL.Host, opts)
 	if err != nil {
 		log.Fatalln(err)
 	}

 	// Use minIO Client object normally like the regular client.
-	fmt.Println("Calling list buckets with temp creds:")
-	b, err := minioClient.ListBuckets()
-	if err != nil {
-		log.Fatalln(err)
+	fmt.Println("Calling list objects with temp creds: ")
+	objCh := minioClient.ListObjects(context.Background(), ldapUsername, minio.ListObjectsOptions{})
+	for obj := range objCh {
+		if obj.Err != nil {
+			if err != nil {
+				log.Fatalln(err)
+			}
+		}
+		fmt.Println(obj)
 	}
-	fmt.Println(b)
 }
--- a/docs/sts/list-objects-with-ldap-user.json
+++ b/docs/sts/list-objects-with-ldap-user.json
@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${ldap:user}"
+      ]
+    }
+  ]
+}