minio/cmd/credential.go

/*
 * Minio Cloud Storage, (C) 2015, 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"crypto/rand"
	"encoding/base64"
	"errors"

	"golang.org/x/crypto/bcrypt"
)

const (
	accessKeyMinLen       = 5
	accessKeyMaxLen       = 20
	secretKeyMinLen       = 8
	secretKeyMaxLenAmazon = 40
	alphaNumericTable     = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	alphaNumericTableLen  = byte(len(alphaNumericTable))
)

var (
	errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
	errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")
)
var secretKeyMaxLen = secretKeyMaxLenAmazon

// isAccessKeyValid - validate access key for right length.
func isAccessKeyValid(accessKey string) bool {
	return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen
}

// isSecretKeyValid - validate secret key for right length.
func isSecretKeyValid(secretKey string) bool {
	return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen
}

// credential container for access and secret keys.
type credential struct {
	AccessKey     string `json:"accessKey,omitempty"`
	SecretKey     string `json:"secretKey,omitempty"`
	secretKeyHash []byte
}

// IsValid - returns whether credential is valid or not.
func (cred credential) IsValid() bool {
	return isAccessKeyValid(cred.AccessKey) && isSecretKeyValid(cred.SecretKey)
}

// Equals - returns whether two credentials are equal or not.
func (cred credential) Equal(ccred credential) bool {
	if !ccred.IsValid() {
		return false
	}

	if cred.secretKeyHash == nil {
		secretKeyHash, err := bcrypt.GenerateFromPassword([]byte(cred.SecretKey), bcrypt.DefaultCost)
		if err != nil {
			errorIf(err, "Unable to generate hash of given password")
			return false
		}

		cred.secretKeyHash = secretKeyHash
	}

	return (cred.AccessKey == ccred.AccessKey &&
		bcrypt.CompareHashAndPassword(cred.secretKeyHash, []byte(ccred.SecretKey)) == nil)
}

func createCredential(accessKey, secretKey string) (cred credential, err error) {
	if !isAccessKeyValid(accessKey) {
		err = errInvalidAccessKeyLength
	} else if !isSecretKeyValid(secretKey) {
		err = errInvalidSecretKeyLength
	} else {
		var secretKeyHash []byte
		secretKeyHash, err = bcrypt.GenerateFromPassword([]byte(secretKey), bcrypt.DefaultCost)
		if err == nil {
			cred.AccessKey = accessKey
			cred.SecretKey = secretKey
			cred.secretKeyHash = secretKeyHash
		}
	}

	return cred, err
}

// Initialize a new credential object
func mustGetNewCredential() credential {
	// Generate access key.
	keyBytes := make([]byte, accessKeyMaxLen)
	_, err := rand.Read(keyBytes)
	fatalIf(err, "Unable to generate access key.")
	for i := 0; i < accessKeyMaxLen; i++ {
		keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]
	}
	accessKey := string(keyBytes)

	// Generate secret key.
	keyBytes = make([]byte, secretKeyMaxLen)
	_, err = rand.Read(keyBytes)
	fatalIf(err, "Unable to generate secret key.")
	secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])

	cred, err := createCredential(accessKey, secretKey)
	fatalIf(err, "Unable to generate new credential.")

	return cred
}
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`/*`
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`* Minio Cloud Storage, (C) 2015, 2016, 2017 Minio, Inc.`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
config: Check for duplicated entries in all scopes (#3872) Validate Minio config by checking if there is double json key in any scope level. The returned error contains the json path to the duplicated key. 2017-03-16 07:30:34 +08:00			`"errors"`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`"golang.org/x/crypto/bcrypt"`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`)`

			`const (`
Implement S3 Gateway to third party cloud storage providers. (#3756) Currently supported backend is Azure Blob Storage. ``` export MINIO_ACCESS_KEY=azureaccountname export MINIO_SECRET_KEY=azureaccountkey minio gateway azure ``` 2017-03-17 03:21:58 +08:00			`accessKeyMinLen = 5`
			`accessKeyMaxLen = 20`
			`secretKeyMinLen = 8`
			`secretKeyMaxLenAmazon = 40`
			`alphaNumericTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"`
			`alphaNumericTableLen = byte(len(alphaNumericTable))`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`)`

Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`var (`
			`errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")`
			`errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")`
			`)`
Implement S3 Gateway to third party cloud storage providers. (#3756) Currently supported backend is Azure Blob Storage. ``` export MINIO_ACCESS_KEY=azureaccountname export MINIO_SECRET_KEY=azureaccountkey minio gateway azure ``` 2017-03-17 03:21:58 +08:00			`var secretKeyMaxLen = secretKeyMaxLenAmazon`

Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`// isAccessKeyValid - validate access key for right length.`
			`func isAccessKeyValid(accessKey string) bool {`
			`return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen`
			`}`

			`// isSecretKeyValid - validate secret key for right length.`
			`func isSecretKeyValid(secretKey string) bool {`
			`return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen`
			`}`

			`// credential container for access and secret keys.`
			`type credential struct {`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			AccessKey string `json:"accessKey,omitempty"`
			SecretKey string `json:"secretKey,omitempty"`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`secretKeyHash []byte`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`}`

Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`// IsValid - returns whether credential is valid or not.`
			`func (cred credential) IsValid() bool {`
			`return isAccessKeyValid(cred.AccessKey) && isSecretKeyValid(cred.SecretKey)`
config: Check for duplicated entries in all scopes (#3872) Validate Minio config by checking if there is double json key in any scope level. The returned error contains the json path to the duplicated key. 2017-03-16 07:30:34 +08:00			`}`

Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`// Equals - returns whether two credentials are equal or not.`
			`func (cred credential) Equal(ccred credential) bool {`
			`if !ccred.IsValid() {`
			`return false`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`}`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`if cred.secretKeyHash == nil {`
			`secretKeyHash, err := bcrypt.GenerateFromPassword([]byte(cred.SecretKey), bcrypt.DefaultCost)`
			`if err != nil {`
			`errorIf(err, "Unable to generate hash of given password")`
			`return false`
			`}`

			`cred.secretKeyHash = secretKeyHash`
			`}`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`return (cred.AccessKey == ccred.AccessKey &&`
			`bcrypt.CompareHashAndPassword(cred.secretKeyHash, []byte(ccred.SecretKey)) == nil)`
Generate and use access/secret keys properly (#3498) 2016-12-27 02:21:23 +08:00			`}`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`func createCredential(accessKey, secretKey string) (cred credential, err error) {`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`if !isAccessKeyValid(accessKey) {`
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`err = errInvalidAccessKeyLength`
			`} else if !isSecretKeyValid(secretKey) {`
			`err = errInvalidSecretKeyLength`
			`} else {`
			`var secretKeyHash []byte`
			`secretKeyHash, err = bcrypt.GenerateFromPassword([]byte(secretKey), bcrypt.DefaultCost)`
			`if err == nil {`
			`cred.AccessKey = accessKey`
			`cred.SecretKey = secretKey`
			`cred.secretKeyHash = secretKeyHash`
			`}`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`}`

Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`return cred, err`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00			`}`

Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`// Initialize a new credential object`
			`func mustGetNewCredential() credential {`
			`// Generate access key.`
			`keyBytes := make([]byte, accessKeyMaxLen)`
Refactor logger (#3924) This patch fixes below * Previously fatalIf() never writes log other than first logging target. * quiet flag is not honored to show progress messages other than startup messages. * Removes console package usage for progress messages. 2017-03-24 07:36:00 +08:00			`_, err := rand.Read(keyBytes)`
			`fatalIf(err, "Unable to generate access key.")`
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`for i := 0; i < accessKeyMaxLen; i++ {`
			`keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]`
			`}`
			`accessKey := string(keyBytes)`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`// Generate secret key.`
			`keyBytes = make([]byte, secretKeyMaxLen)`
Refactor logger (#3924) This patch fixes below * Previously fatalIf() never writes log other than first logging target. * quiet flag is not honored to show progress messages other than startup messages. * Removes console package usage for progress messages. 2017-03-24 07:36:00 +08:00			`_, err = rand.Read(keyBytes)`
			`fatalIf(err, "Unable to generate secret key.")`
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`cred, err := createCredential(accessKey, secretKey)`
Refactor logger (#3924) This patch fixes below * Previously fatalIf() never writes log other than first logging target. * quiet flag is not honored to show progress messages other than startup messages. * Removes console package usage for progress messages. 2017-03-24 07:36:00 +08:00			`fatalIf(err, "Unable to generate new credential.")`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-08 04:51:43 +08:00
Simplify credential usage. (#3893) 2017-03-16 15:16:06 +08:00			`return cred`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`}`