Add support for LDAP user and group in policy attachments (#446)

* feat: add support for LDAP user and group
aminueza · Apr 11, 2023 · ae4966e · ae4966e
1 parent e462c49
commit ae4966e
Show file tree

Hide file tree

Showing 9 changed files with 97 additions and 41 deletions.
diff --git a/docs/resources/iam_group_policy_attachment.md b/docs/resources/iam_group_policy_attachment.md
@@ -18,8 +18,8 @@ resource "minio_iam_group" "developer" {
 }
 
 resource "minio_iam_group_policy" "test_policy" {
-  name = "state-terraform-s3"
-  policy= <<EOF
+  name   = "state-terraform-s3"
+  policy = <<EOF
 {
   "Version":"2012-10-17",
   "Statement": [
@@ -36,20 +36,28 @@ EOF
 }
 
 resource "minio_iam_group_policy_attachment" "developer" {
-  group_name      = "${minio_iam_group.group.name}"
-  policy_name = "${minio_iam_policy.test_policy.id}"
+  group_name  = minio_iam_group.group.name
+  policy_name = minio_iam_policy.test_policy.id
 }
 
 output "minio_name" {
-  value = "${minio_iam_group_policy_attachment.developer.id}"
+  value = minio_iam_group_policy_attachment.developer.id
 }
 
 output "minio_users" {
-  value = "${minio_iam_group_policy_attachment.developer.group_name}"
+  value = minio_iam_group_policy_attachment.developer.group_name
 }
 
 output "minio_group" {
-  value = "${minio_iam_group_policy_attachment.developer.policy_name}"
+  value = minio_iam_group_policy_attachment.developer.policy_name
+}
+
+
+# Example using an LDAP Group instead of a static MinIO group
+
+resource "minio_iam_group_policy_attachment" "developer" {
+  user_name   = "OU=Unit,DC=example,DC=com"
+  policy_name = "${minio_iam_policy.test_policy.id}"
 }
 ```
 
@@ -58,11 +66,11 @@ output "minio_group" {
 
 ### Required
 
-- **group_name** (String)
-- **policy_name** (String)
+- `group_name` (String)
+- `policy_name` (String)
 
-### Optional
+### Read-Only
 
-- **id** (String) The ID of this resource.
+- `id` (String) The ID of this resource.
 
 
diff --git a/docs/resources/iam_user_policy_attachment.md b/docs/resources/iam_user_policy_attachment.md
@@ -18,8 +18,8 @@ resource "minio_iam_user" "test_user" {
 }
 
 resource "minio_iam_policy" "test_policy" {
-  name = "state-terraform-s3"
-  policy= <<EOF
+  name   = "state-terraform-s3"
+  policy = <<EOF
 {
   "Version":"2012-10-17",
   "Statement": [
@@ -36,20 +36,27 @@ EOF
 }
 
 resource "minio_iam_user_policy_attachment" "developer" {
-  user_name      = "${minio_iam_user.test_user.id}"
-  policy_name = "${minio_iam_policy.test_policy.id}"
+  user_name   = minio_iam_user.test_user.id
+  policy_name = minio_iam_policy.test_policy.id
 }
 
 output "minio_name" {
-  value = "${minio_iam_user_policy_attachment.developer.id}"
+  value = minio_iam_user_policy_attachment.developer.id
 }
 
 output "minio_users" {
-  value = "${minio_iam_user_policy_attachment.developer.user_name}"
+  value = minio_iam_user_policy_attachment.developer.user_name
 }
 
 output "minio_group" {
-  value = "${minio_iam_user_policy_attachment.developer.policy_name}"
+  value = minio_iam_user_policy_attachment.developer.policy_name
+}
+
+# Example using an LDAP User instead of a static MinIO group
+
+resource "minio_iam_user_policy_attachment" "developer" {
+  user_name   = "CN=My User,OU=Unit,DC=example,DC=com"
+  policy_name = minio_iam_policy.test_policy.id
 }
 ```
 
@@ -58,11 +65,11 @@ output "minio_group" {
 
 ### Required
 
-- **policy_name** (String)
-- **user_name** (String)
+- `policy_name` (String)
+- `user_name` (String)
 
-### Optional
+### Read-Only
 
-- **id** (String) The ID of this resource.
+- `id` (String) The ID of this resource.
 
 
diff --git a/examples/resources/minio_iam_group_policy_attachment/resource.tf b/examples/resources/minio_iam_group_policy_attachment/resource.tf
@@ -3,8 +3,8 @@ resource "minio_iam_group" "developer" {
 }
 
 resource "minio_iam_group_policy" "test_policy" {
-  name = "state-terraform-s3"
-  policy= <<EOF
+  name   = "state-terraform-s3"
+  policy = <<EOF
 {
   "Version":"2012-10-17",
   "Statement": [
@@ -21,18 +21,26 @@ EOF
 }
 
 resource "minio_iam_group_policy_attachment" "developer" {
-  group_name      = "${minio_iam_group.group.name}"
-  policy_name = "${minio_iam_policy.test_policy.id}"
+  group_name  = minio_iam_group.group.name
+  policy_name = minio_iam_policy.test_policy.id
 }
 
 output "minio_name" {
-  value = "${minio_iam_group_policy_attachment.developer.id}"
+  value = minio_iam_group_policy_attachment.developer.id
 }
 
 output "minio_users" {
-  value = "${minio_iam_group_policy_attachment.developer.group_name}"
+  value = minio_iam_group_policy_attachment.developer.group_name
 }
 
 output "minio_group" {
-  value = "${minio_iam_group_policy_attachment.developer.policy_name}"
+  value = minio_iam_group_policy_attachment.developer.policy_name
+}
+
+
+# Example using an LDAP Group instead of a static MinIO group
+
+resource "minio_iam_group_policy_attachment" "developer" {
+  user_name   = "OU=Unit,DC=example,DC=com"
+  policy_name = "${minio_iam_policy.test_policy.id}"
 }
diff --git a/examples/resources/minio_iam_user_policy_attachment/resource.tf b/examples/resources/minio_iam_user_policy_attachment/resource.tf
@@ -3,8 +3,8 @@ resource "minio_iam_user" "test_user" {
 }
 
 resource "minio_iam_policy" "test_policy" {
-  name = "state-terraform-s3"
-  policy= <<EOF
+  name   = "state-terraform-s3"
+  policy = <<EOF
 {
   "Version":"2012-10-17",
   "Statement": [
@@ -21,18 +21,25 @@ EOF
 }
 
 resource "minio_iam_user_policy_attachment" "developer" {
-  user_name      = "${minio_iam_user.test_user.id}"
-  policy_name = "${minio_iam_policy.test_policy.id}"
+  user_name   = minio_iam_user.test_user.id
+  policy_name = minio_iam_policy.test_policy.id
 }
 
 output "minio_name" {
-  value = "${minio_iam_user_policy_attachment.developer.id}"
+  value = minio_iam_user_policy_attachment.developer.id
 }
 
 output "minio_users" {
-  value = "${minio_iam_user_policy_attachment.developer.user_name}"
+  value = minio_iam_user_policy_attachment.developer.user_name
 }
 
 output "minio_group" {
-  value = "${minio_iam_user_policy_attachment.developer.policy_name}"
+  value = minio_iam_user_policy_attachment.developer.policy_name
+}
+
+# Example using an LDAP User instead of a static MinIO group
+
+resource "minio_iam_user_policy_attachment" "developer" {
+  user_name   = "CN=My User,OU=Unit,DC=example,DC=com"
+  policy_name = minio_iam_policy.test_policy.id
 }
diff --git a/minio/resource_minio_iam_group.go b/minio/resource_minio_iam_group.go
@@ -13,6 +13,11 @@ import (
 	"github.com/minio/madmin-go"
 )
 
+var (
+	LDAPGroupDistinguishedNamePattern = regexp.MustCompile(`^(?:((?:(?:CN|OU)=[^,]+,?)+),)+((?:DC=[^,]+,?)+)$`)
+	StaticGroupNamePattern            = regexp.MustCompile(`^[0-9A-Za-z=,.@\-_+]+$`)
+)
+
 func resourceMinioIAMGroup() *schema.Resource {
 	return &schema.Resource{
 		CreateContext: minioCreateGroup,
@@ -214,9 +219,9 @@ func deleteMinioGroup(ctx context.Context, iamGroupConfig *S3MinioIAMGroupConfig
 
 func validateMinioIamGroupName(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
-	if !regexp.MustCompile(`^[0-9A-Za-z=,.@\-_+]+$`).MatchString(value) {
+	if !StaticGroupNamePattern.MatchString(value) && !LDAPGroupDistinguishedNamePattern.MatchString(value) {
 		errors = append(errors, fmt.Errorf(
-			"only alphanumeric characters, hyphens, underscores, commas, periods, @ symbols, plus and equals signs allowed in %q: %q",
+			"only alphanumeric characters, hyphens, underscores, commas, periods, @ symbols, plus and equals signs allowed or a valid LDAP Distinguished Name (DN) in %q: %q",
 			k, value))
 	}
 	return

diff --git a/minio/resource_minio_iam_group_test.go b/minio/resource_minio_iam_group_test.go
@@ -40,6 +40,8 @@ func TestValidateMinioIamGroupName(t *testing.T) {
 		"test name",
 		"/slash-at-the-beginning",
 		"slash-at-the-end/",
+		"DC=gr u,DC=it",
+		"OU=Microsoft Exchange Security Groups",
 	}
 
 	for _, minioName := range minioInvalidNames {

diff --git a/minio/resource_minio_iam_user.go b/minio/resource_minio_iam_user.go
@@ -13,6 +13,11 @@ import (
 	"github.com/minio/madmin-go"
 )
 
+var (
+	LDAPUserDistinguishedNamePattern = regexp.MustCompile(`^(?:(CN=([^,]*)),)+(?:((?:(?:CN|OU)=[^,]+,?)+),)+((?:DC=[^,]+,?)+)$`)
+	StaticUserNamePattern            = regexp.MustCompile(`^[0-9A-Za-z=,.@\-_+]+$`)
+)
+
 func resourceMinioIAMUser() *schema.Resource {
 	return &schema.Resource{
 		CreateContext: minioCreateUser,
@@ -184,9 +189,9 @@ func minioDeleteUser(ctx context.Context, d *schema.ResourceData, meta interface
 
 func validateMinioIamUserName(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
-	if !regexp.MustCompile(`^[0-9A-Za-z=,.@\-_+]+$`).MatchString(value) {
+	if !StaticUserNamePattern.MatchString(value) && !LDAPUserDistinguishedNamePattern.MatchString(value) {
 		errors = append(errors, fmt.Errorf(
-			"only alphanumeric characters, hyphens, underscores, commas, periods, @ symbols, plus and equals signs allowed in %q: %q",
+			"only alphanumeric characters, hyphens, underscores, commas, periods, @ symbols, plus and equals signs allowed or a valid LDAP Distinguished Name (DN) in %q: %q",
 			k, value))
 	}
 	return

diff --git a/minio/resource_minio_iam_user_policy_attachment.go b/minio/resource_minio_iam_user_policy_attachment.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/minio/madmin-go"
 )
 
 func resourceMinioIAMUserPolicyAttachment() *schema.Resource {
@@ -55,10 +56,19 @@ func minioCreateUserPolicyAttachment(ctx context.Context, d *schema.ResourceData
 func minioReadUserPolicyAttachment(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	minioAdmin := meta.(*S3MinioClient).S3Admin
 	var userName = d.Get("user_name").(string)
+	var isLDAPUser = LDAPUserDistinguishedNamePattern.MatchString(userName)
+
+	log.Printf("[DEBUG] UserPolicyAttachment: is user '%s' an LDAP user? %t", userName, isLDAPUser)
 
 	userInfo, errUser := minioAdmin.GetUserInfo(ctx, userName)
 	if errUser != nil {
-		return NewResourceError("failed to load user Infos", userName, errUser)
+		errUserResponse, errUserIsResponse := errUser.(madmin.ErrorResponse)
+
+		log.Printf("[DEBUG] UserPolicyAttachment: got an error, errUserIsResponse=%t, errUserResponse.Code=%s", errUserIsResponse, errUserResponse.Code)
+
+		if !isLDAPUser || !errUserIsResponse || !strings.EqualFold(errUserResponse.Code, "XMinioAdminNoSuchUser") {
+			return NewResourceError("failed to load user Infos", userName, errUser)
+		}
 	}
 
 	if userInfo.PolicyName == "" {

diff --git a/minio/resource_minio_iam_user_test.go b/minio/resource_minio_iam_user_test.go
@@ -26,6 +26,8 @@ func TestValidateMinioIamUserName(t *testing.T) {
 		"test.123,user",
 		"testuser@minio",
 		"[email protected]",
+		"CN=Backup Operators,CN=Builtin,DC=gr-u,DC=it",
+		"CN=View-Only Organization Management,OU=Microsoft Exchange Security Groups,DC=gr-u,DC=it",
 	}
 
 	for _, minioName := range minioValidNames {
@@ -44,6 +46,8 @@ func TestValidateMinioIamUserName(t *testing.T) {
 		"test name",
 		"/slash-at-the-beginning",
 		"slash-at-the-end/",
+		"OU=Microsoft Exchange Security Groups,DC=gr-u,DC=it",
+		"OU=Microsoft Exchange Security Groups",
 	}
 
 	for _, minioName := range minioInvalidNames {