Merge branch 'master' into scanner-v2

cmd/admin-cluster-iam-import.go

@@ -23,11 +23,13 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/klauspost/compress/zip"
 	"github.com/minio/cli"
+	json "github.com/minio/colorjson"
+	"github.com/minio/madmin-go/v3"
 	"github.com/minio/mc/pkg/probe"
-	"github.com/minio/pkg/v3/console"
 )
 
 var adminClusterIAMImportCmd = cli.Command{
@@ -54,6 +56,123 @@ EXAMPLES:
 `,
 }
 
+type iamImportInfo madmin.ImportIAMResult
+
+func (i iamImportInfo) JSON() string {
+	bs, e := json.MarshalIndent(madmin.ImportIAMResult(i), "", " ")
+	fatalIf(probe.NewError(e), "Unable to marshal into JSON.")
+	return string(bs)
+}
+
+func (i iamImportInfo) String() string {
+	var messages []string
+	info := madmin.ImportIAMResult(i)
+	messages = append(messages, processIAMEntities(info.Skipped, "Skipped")...)
+	messages = append(messages, processIAMEntities(info.Removed, "Removed")...)
+	messages = append(messages, processIAMEntities(info.Added, "Added")...)
+	messages = append(messages, processErrIAMEntities(info.Failed)...)
+	return strings.Join(messages, "\n")
+}
+
+func processIAMEntities(entities madmin.IAMEntities, action string) []string {
+	var messages []string
+	if len(entities.Policies) > 0 {
+		messages = append(messages, fmt.Sprintf("%s policies: %v", action, strings.Join(entities.Policies, ", ")))
+	}
+	if len(entities.Users) > 0 {
+		messages = append(messages, fmt.Sprintf("%s users: %v", action, strings.Join(entities.Users, ", ")))
+	}
+	if len(entities.Groups) > 0 {
+		messages = append(messages, fmt.Sprintf("%s groups: %v", action, strings.Join(entities.Groups, ", ")))
+	}
+	if len(entities.ServiceAccounts) > 0 {
+		messages = append(messages, fmt.Sprintf("%s service accounts: %v", action, strings.Join(entities.ServiceAccounts, ", ")))
+	}
+	var users []string
+	for _, pol := range entities.UserPolicies {
+		for name := range pol {
+			users = append(users, name)
+		}
+	}
+	if len(users) > 0 {
+		messages = append(messages, fmt.Sprintf("%s policies for users: %v", action, strings.Join(users, ", ")))
+	}
+	var groups []string
+	for _, pol := range entities.GroupPolicies {
+		for name := range pol {
+			groups = append(groups, name)
+		}
+	}
+	if len(groups) > 0 {
+		messages = append(messages, fmt.Sprintf("%s policies for groups: %v", action, strings.Join(groups, ", ")))
+	}
+	var stsarr []string
+	for _, pol := range entities.STSPolicies {
+		for name := range pol {
+			stsarr = append(stsarr, name)
+		}
+	}
+	if len(stsarr) > 0 {
+		messages = append(messages, fmt.Sprintf("%s policies for sts: %v", action, strings.Join(stsarr, ", ")))
+	}
+	return messages
+}
+
+func processErrIAMEntities(entities madmin.IAMErrEntities) []string {
+	var messages []string
+
+	var policies []string
+	for _, entry := range entities.Policies {
+		policies = append(policies, entry.Name)
+	}
+	if len(policies) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add policies: %v", strings.Join(policies, ", ")))
+	}
+	var users []string
+	for _, entry := range entities.Users {
+		users = append(users, entry.Name)
+	}
+	if len(users) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add users: %v", strings.Join(users, ", ")))
+	}
+	var groups []string
+	for _, entry := range entities.Groups {
+		groups = append(groups, entry.Name)
+	}
+	if len(groups) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add groups: %v", strings.Join(groups, ", ")))
+	}
+	var sas []string
+	for _, entry := range entities.ServiceAccounts {
+		sas = append(sas, entry.Name)
+	}
+	if len(sas) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add service accounts: %v", strings.Join(sas, ", ")))
+	}
+	var polusers []string
+	for _, pol := range entities.UserPolicies {
+		polusers = append(polusers, pol.Name)
+	}
+	if len(polusers) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add policies for users: %v", strings.Join(polusers, ", ")))
+	}
+	var polgroups []string
+	for _, pol := range entities.GroupPolicies {
+		polgroups = append(polgroups, pol.Name)
+	}
+	if len(polgroups) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add policies for groups: %v", strings.Join(polgroups, ", ")))
+	}
+	var polsts []string
+	for _, pol := range entities.STSPolicies {
+		polsts = append(polsts, pol.Name)
+	}
+	if len(polsts) > 0 {
+		messages = append(messages, fmt.Sprintf("Failed to add policies for sts: %v", strings.Join(polsts, ", ")))
+	}
+	return messages
+}
+
 func checkIAMImportSyntax(ctx *cli.Context) {
 	if len(ctx.Args()) != 2 {
 		showCommandHelpAndExit(ctx, 1) // last argument is exit code
@@ -95,11 +214,13 @@ func mainClusterIAMImport(ctx *cli.Context) error {
 		return nil
 	}
 
-	e = client.ImportIAM(context.Background(), f)
-	fatalIf(probe.NewError(e).Trace(aliasedURL), "Unable to import IAM info.")
-
-	if !globalJSON {
-		console.Infof("IAM info imported to %s from %s\n", aliasedURL, args.Get(1))
+	iamr, e := client.ImportIAMV2(context.Background(), f)
+	if e != nil {
+		e = client.ImportIAM(context.Background(), f)
+		fatalIf(probe.NewError(e).Trace(aliasedURL), "Unable to import IAM info.")
+	} else {
+		printMsg(iamImportInfo(iamr))
 	}
+
 	return nil
 }

cmd/auto-complete.go

@@ -388,6 +388,9 @@ var completeCmds = map[string]complete.Predictor{
 	"/idp/ldap/accesskey/remove":            aliasCompleter,
 	"/idp/ldap/accesskey/rm":                aliasCompleter,
 	"/idp/ldap/accesskey/info":              aliasCompleter,
+	"/idp/ldap/accesskey/edit":              aliasCompleter,
+	"/idp/ldap/accesskey/enable":            aliasCompleter,
+	"/idp/ldap/accesskey/disable":           aliasCompleter,
 
 	"/admin/policy/info":     aliasCompleter,
 	"/admin/policy/update":   aliasCompleter,

cmd/idp-ldap-accesskey-disable.go

@@ -0,0 +1,48 @@
+// Copyright (c) 2015-2024 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"github.com/minio/cli"
+)
+
+var idpLdapAccesskeyDisableCmd = cli.Command{
+	Name:         "disable",
+	Usage:        "disable an access key",
+	Action:       mainIDPLdapAccesskeyDisable,
+	Before:       setGlobalsFromContext,
+	Flags:        globalFlags,
+	OnUsageError: onUsageError,
+	CustomHelpTemplate: `NAME:
+	  {{.HelpName}} - {{.Usage}}
+
+USAGE:
+  {{.HelpName}} [FLAGS] [TARGET]
+
+FLAGS:
+  {{range .VisibleFlags}}{{.}}
+  {{end}}
+EXAMPLES:
+  1. Disable LDAP access key
+	 {{.Prompt}} {{.HelpName}} myminio myaccesskey
+`,
+}
+
+func mainIDPLdapAccesskeyDisable(ctx *cli.Context) error {
+	return enableDisableAccesskey(ctx, false)
+}

cmd/idp-ldap-accesskey-edit.go

@@ -0,0 +1,167 @@
+// Copyright (c) 2015-2024 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/minio/cli"
+	"github.com/minio/madmin-go/v3"
+	"github.com/minio/mc/pkg/probe"
+	"github.com/minio/pkg/v3/policy"
+)
+
+var idpLdapAccesskeyEditFlags = []cli.Flag{
+	cli.StringFlag{
+		Name:  "secret-key",
+		Usage: "set a secret key for the  account",
+	},
+	cli.StringFlag{
+		Name:  "policy",
+		Usage: "path to a JSON policy file",
+	},
+	cli.StringFlag{
+		Name:  "name",
+		Usage: "friendly name for the account",
+	},
+	cli.StringFlag{
+		Name:  "description",
+		Usage: "description for the account",
+	},
+	cli.StringFlag{
+		Name:  "expiry-duration",
+		Usage: "duration before the access key expires",
+	},
+	cli.StringFlag{
+		Name:  "expiry",
+		Usage: "expiry date for the access key",
+	},
+}
+
+var idpLdapAccesskeyEditCmd = cli.Command{
+	Name:         "edit",
+	Usage:        "edit existing access keys for LDAP",
+	Action:       mainIDPLdapAccesskeyEdit,
+	Before:       setGlobalsFromContext,
+	Flags:        append(idpLdapAccesskeyEditFlags, globalFlags...),
+	OnUsageError: onUsageError,
+	CustomHelpTemplate: `NAME:
+  {{.HelpName}} - {{.Usage}}
+
+USAGE:
+  {{.HelpName}} [FLAGS] [TARGET]
+
+FLAGS:
+  {{range .VisibleFlags}}{{.}}
+  {{end}}
+EXAMPLES:
+  1. Change the secret key for the access key "testkey"
+     {{.Prompt}} {{.HelpName}} myminio/ testkey --secret-key 'xxxxxxx'
+  2. Change the expiry duration for the access key "testkey"
+     {{.Prompt}} {{.HelpName}} myminio/ testkey ---expiry-duration 24h
+`,
+}
+
+func mainIDPLdapAccesskeyEdit(ctx *cli.Context) error {
+	if len(ctx.Args()) == 0 || len(ctx.Args()) > 2 {
+		showCommandHelpAndExit(ctx, 1) // last argument is exit code
+	}
+
+	args := ctx.Args()
+	aliasedURL := args.Get(0)
+	accessKey := args.Get(1)
+
+	opts := accessKeyEditOpts(ctx)
+	client, err := newAdminClient(aliasedURL)
+	fatalIf(err, "Unable to initialize admin connection.")
+
+	e := client.UpdateServiceAccount(globalContext, accessKey, opts)
+	fatalIf(probe.NewError(e), "Unable to edit service account.")
+
+	m := ldapAccesskeyMessage{
+		op:        "edit",
+		Status:    "success",
+		AccessKey: accessKey,
+	}
+	printMsg(m)
+
+	return nil
+}
+
+func accessKeyEditOpts(ctx *cli.Context) madmin.UpdateServiceAccountReq {
+	name := ctx.String("name")
+	expVal := ctx.String("expiry")
+	policyPath := ctx.String("policy")
+	secretKey := ctx.String("secret-key")
+	description := ctx.String("description")
+	expDurVal := ctx.Duration("expiry-duration")
+
+	if expVal != "" && expDurVal != 0 {
+		fatalIf(probe.NewError(errors.New("Only one of --expiry or --expiry-duration can be specified")), "invalid flags")
+	}
+
+	opts := madmin.UpdateServiceAccountReq{
+		NewName:        name,
+		NewSecretKey:   secretKey,
+		NewDescription: description,
+	}
+
+	if policyPath != "" {
+		// Validate the policy document and ensure it has at least one statement
+		policyBytes, e := os.ReadFile(policyPath)
+		fatalIf(probe.NewError(e), "unable to read the policy document")
+
+		p, e := policy.ParseConfig(bytes.NewReader(policyBytes))
+		fatalIf(probe.NewError(e), "unable to parse the policy document")
+
+		if p.IsEmpty() {
+			fatalIf(errInvalidArgument(), "empty policies are not allowed")
+		}
+
+		opts.NewPolicy = policyBytes
+	}
+
+	switch {
+	case expVal != "":
+		location, e := time.LoadLocation("Local")
+		fatalIf(probe.NewError(e), "unable to load local location. verify your local TZ=<val> settings")
+
+		var found bool
+		for _, format := range supportedTimeFormats {
+			t, e := time.ParseInLocation(format, expVal, location)
+			if e == nil {
+				found = true
+				opts.NewExpiration = &t
+				break
+			}
+		}
+
+		if !found {
+			fatalIf(probe.NewError(fmt.Errorf("invalid expiry date format '%s'", expVal)), "unable to parse the expiry argument")
+		}
+	case expDurVal != 0:
+		t := time.Now().Add(expDurVal)
+		opts.NewExpiration = &t
+	}
+
+	return opts
+}