MinIO/buildscripts/minio-iam-ldap-upgrade-import-test.sh

#!/bin/bash

# This script is used to test the migration of IAM content from old minio
# instance to new minio instance.
#
# To run it locally, start the LDAP server in github.com/minio/minio-iam-testing
# repo (e.g. make podman-run), and then run this script.
#
# This script assumes that LDAP server is at:
#
#   `localhost:389`
#
# if this is not the case, set the environment variable
# `_MINIO_LDAP_TEST_SERVER`.

OLD_VERSION=RELEASE.2024-03-26T22-10-45Z
OLD_BINARY_LINK=https://dl.min.io/server/minio/release/linux-amd64/archive/minio.${OLD_VERSION}

__init__() {
	if which curl &>/dev/null; then
		echo "curl is already installed"
	else
		echo "Installing curl:"
		sudo apt install curl -y
	fi

	export GOPATH=/tmp/gopath
	export PATH="${PATH}":"${GOPATH}"/bin

	if which mc &>/dev/null; then
		echo "mc is already installed"
	else
		echo "Installing mc:"
		go install github.com/minio/mc@latest
	fi

	if [ ! -x ./minio.${OLD_VERSION} ]; then
		echo "Downloading minio.${OLD_VERSION} binary"
		curl -o minio.${OLD_VERSION} ${OLD_BINARY_LINK}
		chmod +x minio.${OLD_VERSION}
	fi

	if [ -z "$_MINIO_LDAP_TEST_SERVER" ]; then
		export _MINIO_LDAP_TEST_SERVER=localhost:389
		echo "Using default LDAP endpoint: $_MINIO_LDAP_TEST_SERVER"
	fi

	rm -rf /tmp/data
}

create_iam_content_in_old_minio() {
	echo "Creating IAM content in old minio instance."

	MINIO_CI_CD=1 ./minio.${OLD_VERSION} server /tmp/data/{1...4} &
	sleep 5

	set -x
	mc alias set old-minio http://localhost:9000 minioadmin minioadmin
	mc ready old-minio
	mc idp ldap add old-minio \
		server_addr=localhost:389 \
		server_insecure=on \
		lookup_bind_dn=cn=admin,dc=min,dc=io \
		lookup_bind_password=admin \
		user_dn_search_base_dn=dc=min,dc=io \
		user_dn_search_filter="(uid=%s)" \
		group_search_base_dn=ou=swengg,dc=min,dc=io \
		group_search_filter="(&(objectclass=groupOfNames)(member=%d))"
	mc admin service restart old-minio

	mc idp ldap policy attach old-minio readwrite --user=UID=dillon,ou=people,ou=swengg,dc=min,dc=io
	mc idp ldap policy attach old-minio readwrite --group=CN=project.c,ou=groups,ou=swengg,dc=min,dc=io

	mc idp ldap policy entities old-minio

	mc admin cluster iam export old-minio
	set +x

	mc admin service stop old-minio
}

import_iam_content_in_new_minio() {
	echo "Importing IAM content in new minio instance."
	# Assume current minio binary exists.
	MINIO_CI_CD=1 ./minio server /tmp/data/{1...4} &
	sleep 5

	set -x
	mc alias set new-minio http://localhost:9000 minioadmin minioadmin
	echo "BEFORE IMPORT mappings:"
	mc ready new-minio
	mc idp ldap policy entities new-minio
	mc admin cluster iam import new-minio ./old-minio-iam-info.zip
	echo "AFTER IMPORT mappings:"
	mc idp ldap policy entities new-minio
	set +x

	# mc admin service stop new-minio
}

verify_iam_content_in_new_minio() {
	output=$(mc idp ldap policy entities new-minio --json)

	groups=$(echo "$output" | jq -r '.result.policyMappings[] | select(.policy == "readwrite") | .groups[]')
	if [ "$groups" != "cn=project.c,ou=groups,ou=swengg,dc=min,dc=io" ]; then
		echo "Failed to verify groups: $groups"
		exit 1
	fi

	users=$(echo "$output" | jq -r '.result.policyMappings[] | select(.policy == "readwrite") | .users[]')
	if [ "$users" != "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" ]; then
		echo "Failed to verify users: $users"
		exit 1
	fi

	mc admin service stop new-minio
}

main() {
	create_iam_content_in_old_minio

	import_iam_content_in_new_minio

	verify_iam_content_in_new_minio
}

(__init__ "$@" && main "$@")