Mirror
/
MinIO
mirror of https://github.com/minio/minio.git
2
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12513 Commits
4 Branches
520 Tags
175 MiB
Tree: b9f0e8c712
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b9f0e8c712'
${ noResults }
MinIO/cmd/sftp-server_test.go

349 lines
9.7 KiB
Raw Normal View History

Add LDAP public key authentication to SFTP (#19833)
1 year ago
fix: SFTP auth bypass with no pub key in LDAP (#20986) If a user attempts to authenticate with a key but does not have an sshpubkey attribute in LDAP, the server allows the connection, which means the server trusted the key without reason. This is now fixed, and a test has been added for validation.
5 months ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
fix: SFTP auth bypass with no pub key in LDAP (#20986) If a user attempts to authenticate with a key but does not have an sshpubkey attribute in LDAP, the server allows the connection, which means the server trusted the key without reason. This is now fixed, and a test has been added for validation.
5 months ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
Update tests to use AttachPolicy(LDAP) instead of deprecated SetPolicy (#19972)
1 year ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
Update tests to use AttachPolicy(LDAP) instead of deprecated SetPolicy (#19972)
1 year ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
fix: SFTP auth bypass with no pub key in LDAP (#20986) If a user attempts to authenticate with a key but does not have an sshpubkey attribute in LDAP, the server allows the connection, which means the server trusted the key without reason. This is now fixed, and a test has been added for validation.
5 months ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
fix: SFTP auth bypass with no pub key in LDAP (#20986) If a user attempts to authenticate with a key but does not have an sshpubkey attribute in LDAP, the server allows the connection, which means the server trusted the key without reason. This is now fixed, and a test has been added for validation.
5 months ago
Add LDAP public key authentication to SFTP (#19833)
1 year ago
  1. // Copyright (c) 2015-2024 MinIO, Inc.
  2. //
  3. // This file is part of MinIO Object Storage stack
  4. //
  5. // This program is free software: you can redistribute it and/or modify
  6. // it under the terms of the GNU Affero General Public License as published by
  7. // the Free Software Foundation, either version 3 of the License, or
  8. // (at your option) any later version.
  9. //
  10. // This program is distributed in the hope that it will be useful
  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. // GNU Affero General Public License for more details.
  14. //
  15. // You should have received a copy of the GNU Affero General Public License
  16. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. package cmd
  20. import (
  21. "context"
  22. "errors"
  23. "fmt"
  24. "net"
  25. "os"
  26. "testing"
  28. "github.com/minio/madmin-go/v3"
  29. "golang.org/x/crypto/ssh"
  30. )
  32. type MockConnMeta struct {
  33. username string
  34. }
  36. func (m *MockConnMeta) User() string {
  37. return m.username
  38. }
  40. func (m *MockConnMeta) SessionID() []byte {
  41. return []byte{}
  42. }
  44. func (m *MockConnMeta) ClientVersion() []byte {
  45. return []byte{}
  46. }
  48. func (m *MockConnMeta) ServerVersion() []byte {
  49. return []byte{}
  50. }
  52. func (m *MockConnMeta) RemoteAddr() net.Addr {
  53. return nil
  54. }
  56. func (m *MockConnMeta) LocalAddr() net.Addr {
  57. return nil
  58. }
  60. func newSSHConnMock(username string) ssh.ConnMetadata {
  61. return &MockConnMeta{username: username}
  62. }
  64. func TestSFTPAuthentication(t *testing.T) {
  65. for i, testCase := range iamTestSuites {
  66. t.Run(
  67. fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),
  68. func(t *testing.T) {
  69. c := &check{t, testCase.serverType}
  70. suite := testCase
  72. suite.SetUpSuite(c)
  74. suite.SFTPServiceAccountLogin(c)
  75. suite.SFTPInvalidServiceAccountPassword(c)
  77. // LDAP tests
  78. ldapServer := os.Getenv(EnvTestLDAPServer)
  79. if ldapServer == "" {
  80. c.Skipf("Skipping LDAP test as no LDAP server is provided via %s", EnvTestLDAPServer)
  81. }
  83. suite.SetUpLDAP(c, ldapServer)
  85. suite.SFTPFailedAuthDueToMissingPolicy(c)
  86. suite.SFTPFailedAuthDueToInvalidUser(c)
  87. suite.SFTPFailedForcedServiceAccountAuthOnLDAPUser(c)
  88. suite.SFTPFailedAuthDueToInvalidPassword(c)
  90. suite.SFTPValidLDAPLoginWithPassword(c)
  92. suite.SFTPPublicKeyAuthentication(c)
  93. suite.SFTPFailedPublicKeyAuthenticationInvalidKey(c)
  94. suite.SFTPPublicKeyAuthNoPubKey(c)
  96. suite.TearDownSuite(c)
  97. },
  98. )
  99. }
  100. }
  102. func (s *TestSuiteIAM) SFTPFailedPublicKeyAuthenticationInvalidKey(c *check) {
  103. keyBytes, err := os.ReadFile("./testdata/invalid_test_key.pub")
  104. if err != nil {
  105. c.Fatalf("could not read test key file: %s", err)
  106. }
  108. testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
  109. if err != nil {
  110. c.Fatalf("could not parse test key file: %s", err)
  111. }
  113. newSSHCon := newSSHConnMock("dillon=ldap")
  114. _, err = sshPubKeyAuth(newSSHCon, testKey)
  115. if err == nil || !errors.Is(err, errAuthentication) {
  116. c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
  117. }
  119. newSSHCon = newSSHConnMock("dillon")
  120. _, err = sshPubKeyAuth(newSSHCon, testKey)
  121. if err == nil || !errors.Is(err, errNoSuchUser) {
  122. c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
  123. }
  124. }
  126. func (s *TestSuiteIAM) SFTPPublicKeyAuthentication(c *check) {
  127. keyBytes, err := os.ReadFile("./testdata/dillon_test_key.pub")
  128. if err != nil {
  129. c.Fatalf("could not read test key file: %s", err)
  130. }
  132. testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
  133. if err != nil {
  134. c.Fatalf("could not parse test key file: %s", err)
  135. }
  137. newSSHCon := newSSHConnMock("dillon=ldap")
  138. _, err = sshPubKeyAuth(newSSHCon, testKey)
  139. if err != nil {
  140. c.Fatalf("expected no error but got(%s)", err)
  141. }
  143. newSSHCon = newSSHConnMock("dillon")
  144. _, err = sshPubKeyAuth(newSSHCon, testKey)
  145. if err != nil {
  146. c.Fatalf("expected no error but got(%s)", err)
  147. }
  148. }
  150. // A user without an sshpubkey attribute in LDAP (here: fahim) should not be
  151. // able to authenticate.
  152. func (s *TestSuiteIAM) SFTPPublicKeyAuthNoPubKey(c *check) {
  153. keyBytes, err := os.ReadFile("./testdata/dillon_test_key.pub")
  154. if err != nil {
  155. c.Fatalf("could not read test key file: %s", err)
  156. }
  158. testKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)
  159. if err != nil {
  160. c.Fatalf("could not parse test key file: %s", err)
  161. }
  163. newSSHCon := newSSHConnMock("fahim=ldap")
  164. _, err = sshPubKeyAuth(newSSHCon, testKey)
  165. if err == nil {
  166. c.Fatalf("expected error but got none")
  167. }
  169. newSSHCon = newSSHConnMock("fahim")
  170. _, err = sshPubKeyAuth(newSSHCon, testKey)
  171. if err == nil {
  172. c.Fatalf("expected error but got none")
  173. }
  174. }
  176. func (s *TestSuiteIAM) SFTPFailedAuthDueToMissingPolicy(c *check) {
  177. newSSHCon := newSSHConnMock("dillon=ldap")
  178. _, err := sshPasswordAuth(newSSHCon, []byte("dillon"))
  179. if err == nil || !errors.Is(err, errSFTPUserHasNoPolicies) {
  180. c.Fatalf("expected err(%s) but got (%s)", errSFTPUserHasNoPolicies, err)
  181. }
  183. newSSHCon = newSSHConnMock("dillon")
  184. _, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
  185. if err == nil || !errors.Is(err, errNoSuchUser) {
  186. c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
  187. }
  188. }
  190. func (s *TestSuiteIAM) SFTPFailedAuthDueToInvalidUser(c *check) {
  191. newSSHCon := newSSHConnMock("dillon_error")
  192. _, err := sshPasswordAuth(newSSHCon, []byte("dillon_error"))
  193. if err == nil || !errors.Is(err, errNoSuchUser) {
  194. c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
  195. }
  196. }
  198. func (s *TestSuiteIAM) SFTPFailedForcedServiceAccountAuthOnLDAPUser(c *check) {
  199. newSSHCon := newSSHConnMock("dillon=svc")
  200. _, err := sshPasswordAuth(newSSHCon, []byte("dillon"))
  201. if err == nil || !errors.Is(err, errNoSuchUser) {
  202. c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
  203. }
  204. }
  206. func (s *TestSuiteIAM) SFTPFailedAuthDueToInvalidPassword(c *check) {
  207. newSSHCon := newSSHConnMock("dillon")
  208. _, err := sshPasswordAuth(newSSHCon, []byte("dillon_error"))
  209. if err == nil || !errors.Is(err, errNoSuchUser) {
  210. c.Fatalf("expected err(%s) but got (%s)", errNoSuchUser, err)
  211. }
  212. }
  214. func (s *TestSuiteIAM) SFTPInvalidServiceAccountPassword(c *check) {
  215. ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
  216. defer cancel()
  218. accessKey, secretKey := mustGenerateCredentials(c)
  219. err := s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
  220. if err != nil {
  221. c.Fatalf("Unable to set user: %v", err)
  222. }
  224. userReq := madmin.PolicyAssociationReq{
  225. Policies: []string{"readwrite"},
  226. User: accessKey,
  227. }
  228. if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
  229. c.Fatalf("Unable to attach policy: %v", err)
  230. }
  232. newSSHCon := newSSHConnMock(accessKey + "=svc")
  233. _, err = sshPasswordAuth(newSSHCon, []byte("invalid"))
  234. if err == nil || !errors.Is(err, errAuthentication) {
  235. c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
  236. }
  238. newSSHCon = newSSHConnMock(accessKey)
  239. _, err = sshPasswordAuth(newSSHCon, []byte("invalid"))
  240. if err == nil || !errors.Is(err, errAuthentication) {
  241. c.Fatalf("expected err(%s) but got (%s)", errAuthentication, err)
  242. }
  243. }
  245. func (s *TestSuiteIAM) SFTPServiceAccountLogin(c *check) {
  246. ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
  247. defer cancel()
  249. accessKey, secretKey := mustGenerateCredentials(c)
  250. err := s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
  251. if err != nil {
  252. c.Fatalf("Unable to set user: %v", err)
  253. }
  255. userReq := madmin.PolicyAssociationReq{
  256. Policies: []string{"readwrite"},
  257. User: accessKey,
  258. }
  259. if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil {
  260. c.Fatalf("Unable to attach policy: %v", err)
  261. }
  263. newSSHCon := newSSHConnMock(accessKey + "=svc")
  264. _, err = sshPasswordAuth(newSSHCon, []byte(secretKey))
  265. if err != nil {
  266. c.Fatalf("expected no error but got (%s)", err)
  267. }
  269. newSSHCon = newSSHConnMock(accessKey)
  270. _, err = sshPasswordAuth(newSSHCon, []byte(secretKey))
  271. if err != nil {
  272. c.Fatalf("expected no error but got (%s)", err)
  273. }
  274. }
  276. func (s *TestSuiteIAM) SFTPValidLDAPLoginWithPassword(c *check) {
  277. ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
  278. defer cancel()
  280. // we need to do this so that the user has a policy before authentication.
  281. // ldap user accounts without policies are denied access in sftp.
  282. policy := "mypolicy"
  283. policyBytes := []byte(`{
  284. "Version": "2012-10-17",
  285. "Statement": [
  286. {
  287. "Effect": "Allow",
  288. "Action": [
  289. "s3:PutObject",
  290. "s3:GetObject",
  291. "s3:ListBucket"
  292. ],
  293. "Resource": [
  294. "arn:aws:s3:::BUCKET/*"
  295. ]
  296. }
  297. ]
  298. }`)
  300. err := s.adm.AddCannedPolicy(ctx, policy, policyBytes)
  301. if err != nil {
  302. c.Fatalf("policy add error: %v", err)
  303. }
  305. {
  306. userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io"
  307. userReq := madmin.PolicyAssociationReq{
  308. Policies: []string{policy},
  309. User: userDN,
  310. }
  311. if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
  312. c.Fatalf("Unable to attach policy: %v", err)
  313. }
  315. newSSHCon := newSSHConnMock("dillon=ldap")
  316. _, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
  317. if err != nil {
  318. c.Fatal("Password authentication failed for user (dillon):", err)
  319. }
  321. newSSHCon = newSSHConnMock("dillon")
  322. _, err = sshPasswordAuth(newSSHCon, []byte("dillon"))
  323. if err != nil {
  324. c.Fatal("Password authentication failed for user (dillon):", err)
  325. }
  326. }
  327. {
  328. userDN := "uid=fahim,ou=people,ou=swengg,dc=min,dc=io"
  329. userReq := madmin.PolicyAssociationReq{
  330. Policies: []string{policy},
  331. User: userDN,
  332. }
  333. if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {
  334. c.Fatalf("Unable to attach policy: %v", err)
  335. }
  337. newSSHCon := newSSHConnMock("fahim=ldap")
  338. _, err = sshPasswordAuth(newSSHCon, []byte("fahim"))
  339. if err != nil {
  340. c.Fatal("Password authentication failed for user (fahim):", err)
  341. }
  343. newSSHCon = newSSHConnMock("fahim")
  344. _, err = sshPasswordAuth(newSSHCon, []byte("fahim"))
  345. if err != nil {
  346. c.Fatal("Password authentication failed for user (fahim):", err)
  347. }
  348. }
  349. }