From 7ca4ba77c4d876827692607f6c3b264c0cee1b5e Mon Sep 17 00:00:00 2001 From: Taran Pelkey Date: Fri, 28 Jun 2024 05:06:25 -0400 Subject: [PATCH] Update tests to use AttachPolicy(LDAP) instead of deprecated SetPolicy (#19972) --- Makefile | 4 +- cmd/admin-handlers-users-race_test.go | 9 +- cmd/admin-handlers-users_test.go | 74 ++++++++--- cmd/sftp-server_test.go | 27 ++-- cmd/sts-handlers_test.go | 181 ++++++++++++++++++-------- 5 files changed, 206 insertions(+), 89 deletions(-) diff --git a/Makefile b/Makefile index 4a2936f21..0fe9f47e8 100644 --- a/Makefile +++ b/Makefile @@ -86,9 +86,9 @@ test-race: verifiers build ## builds minio, runs linters, tests (race) test-iam: install-race ## verify IAM (external IDP, etcd backends) @echo "Running tests for IAM (external IDP, etcd backends)" - @MINIO_API_REQUESTS_MAX=10000 CGO_ENABLED=0 go test -tags kqueue,dev -v -run TestIAM* ./cmd + @MINIO_API_REQUESTS_MAX=10000 CGO_ENABLED=0 go test -timeout 15m -tags kqueue,dev -v -run TestIAM* ./cmd @echo "Running tests for IAM (external IDP, etcd backends) with -race" - @MINIO_API_REQUESTS_MAX=10000 GORACE=history_size=7 CGO_ENABLED=1 go test -race -tags kqueue,dev -v -run TestIAM* ./cmd + @MINIO_API_REQUESTS_MAX=10000 GORACE=history_size=7 CGO_ENABLED=1 go test -timeout 15m -race -tags kqueue,dev -v -run TestIAM* ./cmd test-iam-ldap-upgrade-import: install-race ## verify IAM (external LDAP IDP) @echo "Running upgrade tests for IAM (LDAP backend)" diff --git a/cmd/admin-handlers-users-race_test.go b/cmd/admin-handlers-users-race_test.go index 0e8ec10e1..b7308e476 100644 --- a/cmd/admin-handlers-users-race_test.go +++ b/cmd/admin-handlers-users-race_test.go 
@@ -120,9 +120,12 @@ func (s *TestSuiteIAM) TestDeleteUserRace(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + } + if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil { + c.Fatalf("Unable to attach policy: %v", err) } accessKeys[i] = accessKey diff --git a/cmd/admin-handlers-users_test.go b/cmd/admin-handlers-users_test.go index 3c6002733..f4082ce80 100644 --- a/cmd/admin-handlers-users_test.go +++ b/cmd/admin-handlers-users_test.go @@ -239,9 +239,12 @@ func (s *TestSuiteIAM) TestUserCreate(c *check) { c.Assert(v.Status, madmin.AccountEnabled) // 3. Associate policy and check that user can access - err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{"readwrite"}, + User: accessKey, + }) if err != nil { - c.Fatalf("unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } client := s.getUserClient(c, accessKey, secretKey, "") @@ -348,9 +351,12 @@ func (s *TestSuiteIAM) TestUserPolicyEscalationBug(c *check) { if err != nil { c.Fatalf("policy add error: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // 2.3 check user has access to bucket c.mustListObjects(ctx, uClient, bucket) 
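Review bot: The new fatal message in TestDeleteUserRace is capitalized (`Unable to attach policy`) while the same replacement in the admin-handlers-users_test.go hunks of this commit deliberately switches to lowercase `unable to attach policy`, so two strings the commit itself rewrote now disagree. The call shape also differs between files: this hunk builds a `userReq` and uses the `if _, err := ...; err != nil` form, whereas TestUserCreate and TestUserPolicyEscalationBug inline the literal and keep `_, err = ...` followed by a separate `if err != nil`. Picking one message case and one call shape across this hunk, the sftp-server_test.go hunks and the sts-handlers_test.go hunks would keep the suite greppable. The enclosing TestDeleteUserRace body starts and ends outside the hunk.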
@@ -470,9 +476,12 @@ func (s *TestSuiteIAM) TestAddServiceAccountPerms(c *check) { c.mustNotListObjects(ctx, uClient, "testbucket") // 3.2 associate policy to user - err = s.adm.SetPolicy(ctx, policy1, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy1}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } admClnt := s.getAdminClient(c, accessKey, secretKey, "") @@ -490,10 +499,22 @@ func (s *TestSuiteIAM) TestAddServiceAccountPerms(c *check) { c.Fatalf("policy was missing!") } - // 3.2 associate policy to user - err = s.adm.SetPolicy(ctx, policy2, accessKey, false) + // Detach policy1 to set up for policy2 + _, err = s.adm.DetachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy1}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to detach policy: %v", err) + } + + // 3.2 associate policy to user + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy2}, + User: accessKey, + }) + if err != nil { + c.Fatalf("unable to attach policy: %v", err) } // 3.3 check user can create service account implicitly. @@ -571,9 +592,12 @@ func (s *TestSuiteIAM) TestPolicyCreate(c *check) { c.mustNotListObjects(ctx, uClient, bucket) // 3.2 associate policy to user - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // 3.3 check user has access to bucket c.mustListObjects(ctx, uClient, bucket) 
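Review bot: In the second hunk of TestAddServiceAccountPerms the inserted DetachPolicy of policy1 is only checked for an error; its effect is never asserted, although the step just above re-reads the user info and fails with `policy was missing!` when the mapping is absent. AttachPolicy is additive where SetPolicy replaced the mapping, so repeating that user-info check after the detach (expecting policy1 gone) would pin down that only policy2 governs the 3.3 service-account steps rather than relying on the detach having taken effect. The step label `// 3.2 associate policy to user` now appears twice in the function; the second occurrence could read `// 3.2b associate policy2 to user`. The enclosing function continues outside the hunk.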
@@ -726,9 +750,12 @@ func (s *TestSuiteIAM) TestGroupAddRemove(c *check) { c.mustNotListObjects(ctx, uClient, bucket) // 3. Associate policy to group and check user got access. - err = s.adm.SetPolicy(ctx, policy, group, true) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + Group: group, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // 3.1 check user has access to bucket c.mustListObjects(ctx, uClient, bucket) @@ -871,9 +898,12 @@ func (s *TestSuiteIAM) TestServiceAccountOpsByUser(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // Create an madmin client with user creds @@ -952,9 +982,12 @@ func (s *TestSuiteIAM) TestServiceAccountDurationSecondsCondition(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // Create an madmin client with user creds @@ -1031,9 +1064,12 @@ func (s *TestSuiteIAM) TestServiceAccountOpsByAdmin(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("unable to attach policy: %v", err) } // 1. Create a service account for the user diff --git a/cmd/sftp-server_test.go b/cmd/sftp-server_test.go index 327a330fd..79f4a03d0 100644 
--- a/cmd/sftp-server_test.go +++ b/cmd/sftp-server_test.go @@ -194,9 +194,12 @@ func (s *TestSuiteIAM) SFTPInvalidServiceAccountPassword(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) - if err != nil { - c.Fatalf("unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{"readwrite"}, + User: accessKey, + } + if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil { + c.Fatalf("Unable to attach policy: %v", err) } newSSHCon := newSSHConnMock(accessKey + "=svc") @@ -222,9 +225,12 @@ func (s *TestSuiteIAM) SFTPServiceAccountLogin(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, "readwrite", accessKey, false) - if err != nil { - c.Fatalf("unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{"readwrite"}, + User: accessKey, + } + if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil { + c.Fatalf("Unable to attach policy: %v", err) } newSSHCon := newSSHConnMock(accessKey + "=svc") @@ -270,9 +276,12 @@ func (s *TestSuiteIAM) SFTPValidLDAPLoginWithPassword(c *check) { } userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy, userDN, false) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: userDN, + } + if _, err := s.adm.AttachPolicy(ctx, userReq); err != nil { + c.Fatalf("Unable to attach policy: %v", err) } newSSHCon := newSSHConnMock("dillon=ldap") diff --git a/cmd/sts-handlers_test.go b/cmd/sts-handlers_test.go index da79a8797..b56671d47 100644 --- a/cmd/sts-handlers_test.go +++ b/cmd/sts-handlers_test.go 
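Review bot: SFTPValidLDAPLoginWithPassword maps a policy to an LDAP DN (`uid=dillon,ou=people,ou=swengg,dc=min,dc=io`) through `s.adm.AttachPolicy`, whereas every other LDAP-DN mapping in this commit (the cmd/sts-handlers_test.go hunks) goes through `AttachPolicyLDAP`, the variant the commit title names. If this test runs against the LDAP-backed suite as its name suggests, the line should be `if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {`; if the non-LDAP endpoint is intended for a DN here, a one-line comment saying why would stop the next reader from "fixing" it. Unlike the STS LDAP tests, no DetachPolicyLDAP is added at the end of this function, so the mapping persists for later tests that share the same directory entries. The enclosing function continues outside the hunk.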
@@ -116,9 +116,12 @@ func (s *TestSuiteIAM) TestSTSServiceAccountsWithUsername(c *check) { c.Fatalf("policy add error: %v", err) } - err = s.adm.SetPolicy(ctx, policy, "dillon", false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: "dillon", + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("Unable to attach policy: %v", err) } assumeRole := cr.STSAssumeRole{ @@ -231,9 +234,12 @@ func (s *TestSuiteIAM) TestSTSWithDenyDeleteVersion(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("Unable to attach policy: %v", err) } // confirm that the user is able to access the bucket @@ -332,9 +338,12 @@ func (s *TestSuiteIAM) TestSTSWithTags(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("Unable to attach policy: %v", err) } // confirm that the user is able to access the bucket @@ -420,9 +429,12 @@ func (s *TestSuiteIAM) TestSTS(c *check) { c.Fatalf("Unable to set user: %v", err) } - err = s.adm.SetPolicy(ctx, policy, accessKey, false) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: accessKey, + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("Unable to attach policy: %v", err) } // confirm that the user is able to access the bucket 
@@ -515,9 +527,12 @@ func (s *TestSuiteIAM) TestSTSWithGroupPolicy(c *check) { c.Fatalf("unable to add user to group: %v", err) } - err = s.adm.SetPolicy(ctx, policy, "test-group", true) + _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy}, + Group: "test-group", + }) if err != nil { - c.Fatalf("Unable to set policy: %v", err) + c.Fatalf("Unable to attach policy: %v", err) } // confirm that the user is able to access the bucket - permission comes @@ -984,6 +999,7 @@ func (s *TestSuiteIAM) TestIAMExport(c *check, caseNum int, content iamTestConte } for userDN, policies := range content.ldapUserPolicyMappings { + // No need to detach, we are starting from a clean slate after exporting. _, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ Policies: policies, User: userDN, @@ -1194,14 +1210,21 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) { // Attempting to set a non-existent policy should fail. userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy+"x", userDN, false) + _, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ + Policies: []string{policy + "x"}, + User: userDN, + }) if err == nil { - c.Fatalf("should not be able to set non-existent policy") + c.Fatalf("should not be able to attach non-existent policy") } - err = s.adm.SetPolicy(ctx, policy, userDN, false) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: userDN, + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } value, err := ldapID.Retrieve() 
@@ -1240,10 +1263,8 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) { c.Fatalf("unexpected non-access-denied err: %v", err) } - // Remove the policy assignment on the user DN: - err = s.adm.SetPolicy(ctx, "", userDN, false) - if err != nil { - c.Fatalf("Unable to remove policy setting: %v", err) + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) } _, err = ldapID.Retrieve() @@ -1253,9 +1274,13 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) { // Set policy via group and validate policy assignment. groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy, groupDN, true) - if err != nil { - c.Fatalf("Unable to set group policy: %v", err) + groupReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + Group: groupDN, + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil { + c.Fatalf("Unable to attach group policy: %v", err) } value, err = ldapID.Retrieve() @@ -1278,6 +1303,10 @@ func (s *TestSuiteIAM) TestLDAPSTS(c *check) { // Validate that the client cannot remove any objects err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{}) c.Assert(err.Error(), "Access Denied.") + + if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil { + c.Fatalf("Unable to detach group policy: %v", err) + } } func (s *TestSuiteIAM) TestLDAPUnicodeVariationsLegacyAPI(c *check) { 
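Review bot: The trailing DetachPolicyLDAP added at the end of TestLDAPSTS (hunk `@@ -1278`) is never reached when an earlier `c.Fatalf` fires (for example `unexpected non-access-denied err` in the first hunk of this span), so a failing run leaves the projectb group mapping attached and can bleed into the later LDAP tests that reuse the same DNs. Registering the cleanup with `defer` right after the successful attach covers both paths, assuming `c.Fatalf` ends in testing.T.FailNow, whose Goexit still runs deferred calls; if ctx carries a `defer cancel()` as TestLDAPCyrillicUser does, the detach registered later runs first, while the context is still live. The mid-test detach of `userReq` is part of the scenario (Retrieve is expected to fail afterwards) and should stay where it is. The same end-of-function detaches added in TestLDAPUnicodeVariations, TestLDAPSTSServiceAccounts, TestLDAPSTSServiceAccountsWithUsername, TestLDAPSTSServiceAccountsWithGroups, TestLDAPCyrillicUser and TestLDAPAttributesLookup have the same gap.
```go
if _, err = s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil {
	c.Fatalf("Unable to attach group policy: %v", err)
}
// Deferred so the mapping is removed even when a later c.Fatalf aborts the test.
defer func() {
	if _, err := s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil {
		c.Fatalf("Unable to detach group policy: %v", err)
	}
}()
// … unchanged: ldapID.Retrieve() and the access checks; the trailing detach in @@ -1278 is dropped …
```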
@@ -1490,12 +1519,13 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) { // \uFE52 is the unicode dot SMALL FULL STOP used below: userDNWithUnicodeDot := "uid=svc﹒algorithm,OU=swengg,DC=min,DC=io" - _, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ + userReq := madmin.PolicyAssociationReq{ Policies: []string{policy}, User: userDNWithUnicodeDot, - }) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } value, err := ldapID.Retrieve() @@ -1534,12 +1564,9 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) { } // Remove the policy assignment on the user DN: - _, err = s.adm.DetachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ - Policies: []string{policy}, - User: userDNWithUnicodeDot, - }) - if err != nil { - c.Fatalf("Unable to remove policy setting: %v", err) + + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) } _, err = ldapID.Retrieve() @@ -1550,11 +1577,12 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) { // Set policy via group and validate policy assignment. actualGroupDN := mustNormalizeDN("cn=project.c,ou=groups,ou=swengg,dc=min,dc=io") groupDNWithUnicodeDot := "cn=project﹒c,ou=groups,ou=swengg,dc=min,dc=io" - _, err = s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ + groupReq := madmin.PolicyAssociationReq{ Policies: []string{policy}, Group: groupDNWithUnicodeDot, - }) - if err != nil { + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil { c.Fatalf("Unable to attach group policy: %v", err) } 
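Review bot: In the second hunk of TestLDAPUnicodeVariations the comment `// Remove the policy assignment on the user DN:` is now separated by an empty line from the `DetachPolicyLDAP` call it describes, because the rewrite inserted a blank line where the old request literal began. Either drop that blank line or move the comment down onto the call so the comment stays attached to the statement it explains. The enclosing function starts and ends outside the hunk.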
@@ -1594,6 +1622,10 @@ func (s *TestSuiteIAM) TestLDAPUnicodeVariations(c *check) { // Validate that the client cannot remove any objects err = minioClient.RemoveObject(ctx, bucket, "someobject", minio.RemoveObjectOptions{}) c.Assert(err.Error(), "Access Denied.") + + if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil { + c.Fatalf("Unable to detach group policy: %v", err) + } } func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) { @@ -1630,9 +1662,13 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) { } userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy, userDN, false) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: userDN, + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } ldapID := cr.LDAPIdentity{ @@ -1687,6 +1723,11 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) { // 6. Check that service account cannot be created for some other user. c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient) + + // Detach the policy from the user + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) + } } func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) { @@ -1707,12 +1748,12 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) { { "Effect": "Allow", "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:ListBucket" + "s3:PutObject", + "s3:GetObject", + "s3:ListBucket" ], "Resource": [ - "arn:aws:s3:::${ldap:username}/*" + "arn:aws:s3:::${ldap:username}/*" ] } ] 
@@ -1723,9 +1764,14 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) { } userDN := "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy, userDN, false) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + User: userDN, + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } ldapID := cr.LDAPIdentity{ @@ -1776,6 +1822,10 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithUsername(c *check) { // 3. Check S3 access for download c.mustDownload(ctx, svcClient, bucket) + + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) + } } // In this test, the parent users gets their permissions from a group, rather @@ -1814,9 +1864,13 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) { } groupDN := "cn=projecta,ou=groups,ou=swengg,dc=min,dc=io" - err = s.adm.SetPolicy(ctx, policy, groupDN, true) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + userReq := madmin.PolicyAssociationReq{ + Policies: []string{policy}, + Group: groupDN, + } + + if _, err = s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } ldapID := cr.LDAPIdentity{ 
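Review bot: In the last hunk of this span, TestLDAPSTSServiceAccountsWithGroups builds a `Group: groupDN` association but names it `userReq` and fails with `Unable to attach user policy`, while the sibling tests use `groupReq` and "group policy" for the same shape. Rename to `groupReq := madmin.PolicyAssociationReq{` and report `c.Fatalf("Unable to attach group policy: %v", err)`, and mirror that in the matching detach in the next span (`// Detach the user policy`). TestLDAPAttributesLookup in the following span has the same mismatch in the other direction: it uses `groupReq` but reports `Unable to attach user policy`. A group-mapping failure reported as a user-mapping problem sends whoever triages the IAM run down the wrong path.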
@@ -1871,18 +1925,24 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) { // 6. Check that service account cannot be created for some other user. c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient) + + // Detach the user policy + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) + } } func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) { ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() - _, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ + userReq := madmin.PolicyAssociationReq{ Policies: []string{"readwrite"}, User: "uid=Пользователь,ou=people,ou=swengg,dc=min,dc=io", - }) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + } + + if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } cases := []struct { @@ -1940,6 +2000,10 @@ func (s *TestSuiteIAM) TestLDAPCyrillicUser(c *check) { c.Fatalf("Test %d: unexpected dn claim: %s", i+1, dnClaim) } } + + if _, err = s.adm.DetachPolicyLDAP(ctx, userReq); err != nil { + c.Fatalf("Unable to detach user policy: %v", err) + } } func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) { @@ -1947,12 +2011,13 @@ func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) { defer cancel() groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io" - _, err := s.adm.AttachPolicyLDAP(ctx, madmin.PolicyAssociationReq{ + groupReq := madmin.PolicyAssociationReq{ Policies: []string{"readwrite"}, Group: groupDN, - }) - if err != nil { - c.Fatalf("Unable to set policy: %v", err) + } + + if _, err := s.adm.AttachPolicyLDAP(ctx, groupReq); err != nil { + c.Fatalf("Unable to attach user policy: %v", err) } cases := []struct { 
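Review bot: In TestLDAPCyrillicUser the attach is changed from `_, err := s.adm.AttachPolicyLDAP(...)` at function scope to `if _, err := s.adm.AttachPolicyLDAP(ctx, userReq); err != nil {`, which confines `err` to the if statement, yet the new trailing detach in the next hunk (`@@ -1940`) assigns with `if _, err = s.adm.DetachPolicyLDAP(ctx, userReq)`. That compiles only if a function-scope `err` is declared somewhere between the hunks, and in that case the cleanup silently reuses a variable from an unrelated statement; I cannot see the lines in between, so this is an inference. Writing the detach as `if _, err := s.adm.DetachPolicyLDAP(ctx, userReq); err != nil {` removes the dependency either way. TestLDAPAttributesLookup (last hunk of this span, with its detach in the following span) makes the identical `:=`-in-if change and has the same question.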
@@ -2025,6 +2090,10 @@ func (s *TestSuiteIAM) TestLDAPAttributesLookup(c *check) { c.Fatalf("Test %d: unexpected sshPublicKey type: %s", i+1, parts[0]) } } + + if _, err = s.adm.DetachPolicyLDAP(ctx, groupReq); err != nil { + c.Fatalf("Unable to detach group policy: %v", err) + } } func (s *TestSuiteIAM) TestOpenIDSTS(c *check) {