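//go:build ignore
// +build ignore

// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

// Command ldap is a small example client for the MinIO LDAP STS API. It
// exchanges an AD/LDAP username and password for temporary credentials via
// minio-go's credentials package and then either prints those credentials
// (-d) or uses them to list the objects of one bucket.
package main

import (
	"context"
	"flag"
	"fmt"
	"log"
	"net/url"
	"os"
	"time"

	"github.com/minio/minio-go/v7"
	cr "github.com/minio/minio-go/v7/pkg/credentials"
)

var (
	// LDAP integrated Minio endpoint
	stsEndpoint string

	// LDAP credentials
	ldapUsername string
	ldapPassword string

	// Display credentials flag
	displayCreds bool

	// Credential expiry duration
	expiryDuration time.Duration

	// Bucket to list
	bucketToList string

	// Session policy file
	sessionPolicyFile string
)

func init() {
	flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
	flag.StringVar(&ldapUsername, "u", "", "AD/LDAP Username")
	// NOTE: a password passed on the command line is visible to other local
	// users through the process list and usually ends up in shell history.
	// That is acceptable for this demo; a real client should obtain the
	// secret from a file, an environment variable or an interactive prompt.
	flag.StringVar(&ldapPassword, "p", "", "AD/LDAP Password")
	flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
	flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")
	flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to ldap username)")
	flag.StringVar(&sessionPolicyFile, "s", "", "File containing session policy to apply to the STS request")
}

func main() {
	flag.Parse()
	if ldapUsername == "" || ldapPassword == "" {
		// Missing required input is a usage error: say so on stderr and exit
		// non-zero so a calling script cannot mistake it for success.
		fmt.Fprintln(os.Stderr, "both -u (username) and -p (password) are required")
		flag.PrintDefaults()
		os.Exit(2)
	}
	if expiryDuration < 0 {
		log.Fatalf("Invalid expiry duration %v: must not be negative", expiryDuration)
	}

	// The credentials package in minio-go provides an interface to call the
	// LDAP STS API.

	// Initialize LDAP credentials
	var ldapOpts []cr.LDAPIdentityOpt
	if sessionPolicyFile != "" {
		// os.ReadFile opens, reads and closes the file in one step; the
		// previous os.Open + io.ReadAll never closed the handle.
		policy, err := os.ReadFile(sessionPolicyFile)
		if err != nil {
			log.Fatalf("Unable to read session policy file %q: %v", sessionPolicyFile, err)
		}
		ldapOpts = append(ldapOpts, cr.LDAPIdentityPolicyOpt(string(policy)))
	}
	if expiryDuration != 0 {
		ldapOpts = append(ldapOpts, cr.LDAPIdentityExpiryOpt(expiryDuration))
	}

	stsEndpointURL, err := url.Parse(stsEndpoint)
	if err != nil {
		log.Fatalf("Error parsing sts endpoint: %v", err)
	}
	if stsEndpointURL.Host == "" {
		// url.Parse accepts almost anything; without a host part the client
		// below would be built against an empty address.
		log.Fatalf("Invalid sts endpoint %q: expected scheme://host[:port]", stsEndpoint)
	}

	li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword, ldapOpts...)
	if err != nil {
		log.Fatalf("Error initializing LDAP Identity: %v", err)
	}

	// TLS is used only when the endpoint scheme is https. With a plain http
	// endpoint the LDAP password and the returned temporary credentials cross
	// the network in cleartext, so anything other than a local test server
	// should be reached over https.
	opts := &minio.Options{
		Creds:  li,
		Secure: stsEndpointURL.Scheme == "https",
	}

	v, err := li.Get()
	if err != nil {
		log.Fatalf("Error retrieving STS credentials: %v", err)
	}

	if displayCreds {
		// The secret key and session token are printed in the clear; this
		// mode is meant for manual use, not for capturing into logs.
		fmt.Println("Only displaying credentials:")
		fmt.Println("AccessKeyID:", v.AccessKeyID)
		fmt.Println("SecretAccessKey:", v.SecretAccessKey)
		fmt.Println("SessionToken:", v.SessionToken)
		return
	}

	// Use generated credentials to authenticate with MinIO server
	minioClient, err := minio.New(stsEndpointURL.Host, opts)
	if err != nil {
		// The original format string had no verb, so the error was dropped.
		log.Fatalf("Error initializing client: %v", err)
	}

	// Use minIO Client object normally like the regular client.
	if bucketToList == "" {
		bucketToList = ldapUsername
	}
	fmt.Printf("Calling list objects on bucket named `%s` with temp creds:\n===\n", bucketToList)
	objCh := minioClient.ListObjects(context.Background(), bucketToList, minio.ListObjectsOptions{})
	for obj := range objCh {
		if obj.Err != nil {
			log.Fatalf("Listing error: %v", obj.Err)
		}
		fmt.Printf("Key: %s\nSize: %d\nLast Modified: %s\n===\n", obj.Key, obj.Size, obj.LastModified)
	}
}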