minio/cmd/jwt_test.go

/*
 * Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"net/http"
	"os"
	"testing"

	"github.com/minio/minio/pkg/auth"
)

func testAuthenticate(authType string, t *testing.T) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)
	cred := auth.MustGetNewCredentials()
	serverConfig.SetCredential(cred)

	// Define test cases.
	testCases := []struct {
		accessKey   string
		secretKey   string
		expectedErr error
	}{
		// Access key (less than 5 chrs) too small.
		{"user", cred.SecretKey, auth.ErrInvalidAccessKeyLength},
		// Secret key (less than 8 chrs) too small.
		{cred.AccessKey, "pass", auth.ErrInvalidSecretKeyLength},
		// Authentication error.
		{"myuser", "mypassword", errInvalidAccessKeyID},
		// Authentication error.
		{cred.AccessKey, "mypassword", errAuthentication},
		// Success.
		{cred.AccessKey, cred.SecretKey, nil},
	}

	// Run tests.
	for _, testCase := range testCases {
		var err error
		if authType == "node" {
			_, err = authenticateNode(testCase.accessKey, testCase.secretKey)
		} else if authType == "web" {
			_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)
		} else if authType == "url" {
			_, err = authenticateURL(testCase.accessKey, testCase.secretKey)
		}

		if testCase.expectedErr != nil {
			if err == nil {
				t.Fatalf("%+v: expected: %s, got: <nil>", testCase, testCase.expectedErr)
			}
			if testCase.expectedErr.Error() != err.Error() {
				t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedErr, err)
			}
		} else if err != nil {
			t.Fatalf("%+v: expected: <nil>, got: %s", testCase, err)
		}
	}
}

func TestAuthenticateNode(t *testing.T) {
	testAuthenticate("node", t)
}

func TestAuthenticateWeb(t *testing.T) {
	testAuthenticate("web", t)
}

func TestAuthenticateURL(t *testing.T) {
	testAuthenticate("url", t)
}

// Tests web request authenticator.
func TestWebRequestAuthenticate(t *testing.T) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)

	creds := serverConfig.GetCredential()
	token, err := getTokenString(creds.AccessKey, creds.SecretKey)
	if err != nil {
		t.Fatalf("unable get token %s", err)
	}
	testCases := []struct {
		req         *http.Request
		expectedErr error
	}{
		// Set valid authorization header.
		{
			req: &http.Request{
				Header: http.Header{
					"Authorization": []string{token},
				},
			},
			expectedErr: nil,
		},
		// No authorization header.
		{
			req: &http.Request{
				Header: http.Header{},
			},
			expectedErr: errNoAuthToken,
		},
		// Invalid authorization token.
		{
			req: &http.Request{
				Header: http.Header{
					"Authorization": []string{"invalid-token"},
				},
			},
			expectedErr: errAuthentication,
		},
	}

	for i, testCase := range testCases {
		gotErr := webRequestAuthenticate(testCase.req)
		if testCase.expectedErr != gotErr {
			t.Errorf("Test %d, expected err %s, got %s", i+1, testCase.expectedErr, gotErr)
		}
	}
}

func BenchmarkAuthenticateNode(b *testing.B) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		b.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)

	creds := serverConfig.GetCredential()
	b.ResetTimer()
	b.ReportAllocs()
	for i := 0; i < b.N; i++ {
		authenticateNode(creds.AccessKey, creds.SecretKey)
	}
}

func BenchmarkAuthenticateWeb(b *testing.B) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		b.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)

	creds := serverConfig.GetCredential()
	b.ResetTimer()
	b.ReportAllocs()
	for i := 0; i < b.N; i++ {
		authenticateWeb(creds.AccessKey, creds.SecretKey)
	}
}
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`/*`
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues. 2017-01-19 04:24:34 +08:00			`* Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`import (`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-20 03:37:56 +08:00			`"net/http"`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`"os"`
			`"testing"`
move credentials as separate package (#5115) 2017-11-01 02:54:32 +08:00
			`"github.com/minio/minio/pkg/auth"`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`)`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00
			`func testAuthenticate(authType string, t *testing.T) {`
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues. 2017-01-19 04:24:34 +08:00			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`if err != nil {`
			`t.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`defer os.RemoveAll(testPath)`
move credentials as separate package (#5115) 2017-11-01 02:54:32 +08:00			`cred := auth.MustGetNewCredentials()`
Removes max limit requirement on accessKey and secretKey length (#4730) 2017-08-04 11:03:37 +08:00			`serverConfig.SetCredential(cred)`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00
			`// Define test cases.`
			`testCases := []struct {`
			`accessKey string`
			`secretKey string`
			`expectedErr error`
			`}{`
Removes max limit requirement on accessKey and secretKey length (#4730) 2017-08-04 11:03:37 +08:00			`// Access key (less than 5 chrs) too small.`
move credentials as separate package (#5115) 2017-11-01 02:54:32 +08:00			`{"user", cred.SecretKey, auth.ErrInvalidAccessKeyLength},`
Removes max limit requirement on accessKey and secretKey length (#4730) 2017-08-04 11:03:37 +08:00			`// Secret key (less than 8 chrs) too small.`
move credentials as separate package (#5115) 2017-11-01 02:54:32 +08:00			`{cred.AccessKey, "pass", auth.ErrInvalidSecretKeyLength},`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`// Authentication error.`
			`{"myuser", "mypassword", errInvalidAccessKeyID},`
			`// Authentication error.`
Removes max limit requirement on accessKey and secretKey length (#4730) 2017-08-04 11:03:37 +08:00			`{cred.AccessKey, "mypassword", errAuthentication},`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`// Success.`
Removes max limit requirement on accessKey and secretKey length (#4730) 2017-08-04 11:03:37 +08:00			`{cred.AccessKey, cred.SecretKey, nil},`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`}`

			`// Run tests.`
			`for _, testCase := range testCases {`
			`var err error`
			`if authType == "node" {`
			`_, err = authenticateNode(testCase.accessKey, testCase.secretKey)`
			`} else if authType == "web" {`
			`_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)`
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-25 03:46:37 +08:00			`} else if authType == "url" {`
			`_, err = authenticateURL(testCase.accessKey, testCase.secretKey)`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`}`

			`if testCase.expectedErr != nil {`
			`if err == nil {`
			`t.Fatalf("%+v: expected: %s, got: <nil>", testCase, testCase.expectedErr)`
			`}`
			`if testCase.expectedErr.Error() != err.Error() {`
			`t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedErr, err)`
			`}`
			`} else if err != nil {`
			`t.Fatalf("%+v: expected: <nil>, got: %s", testCase, err)`
			`}`
			`}`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`func TestAuthenticateNode(t *testing.T) {`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`testAuthenticate("node", t)`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`func TestAuthenticateWeb(t *testing.T) {`
Have simpler JWT authentication. (#3501) 2016-12-28 00:28:10 +08:00			`testAuthenticate("web", t)`
			`}`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-25 03:46:37 +08:00			`func TestAuthenticateURL(t *testing.T) {`
			`testAuthenticate("url", t)`
			`}`

[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-20 03:37:56 +08:00			`// Tests web request authenticator.`
			`func TestWebRequestAuthenticate(t *testing.T) {`
			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`t.Fatalf("unable initialize config file, %s", err)`
			`}`
			`defer os.RemoveAll(testPath)`

			`creds := serverConfig.GetCredential()`
			`token, err := getTokenString(creds.AccessKey, creds.SecretKey)`
			`if err != nil {`
			`t.Fatalf("unable get token %s", err)`
			`}`
			`testCases := []struct {`
			`req *http.Request`
			`expectedErr error`
			`}{`
			`// Set valid authorization header.`
			`{`
			`req: &http.Request{`
			`Header: http.Header{`
			`"Authorization": []string{token},`
			`},`
			`},`
			`expectedErr: nil,`
			`},`
			`// No authorization header.`
			`{`
			`req: &http.Request{`
			`Header: http.Header{},`
			`},`
			`expectedErr: errNoAuthToken,`
			`},`
			`// Invalid authorization token.`
			`{`
			`req: &http.Request{`
			`Header: http.Header{`
			`"Authorization": []string{"invalid-token"},`
			`},`
			`},`
			`expectedErr: errAuthentication,`
			`},`
			`}`

			`for i, testCase := range testCases {`
			`gotErr := webRequestAuthenticate(testCase.req)`
			`if testCase.expectedErr != gotErr {`
			`t.Errorf("Test %d, expected err %s, got %s", i+1, testCase.expectedErr, gotErr)`
			`}`
			`}`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00			`func BenchmarkAuthenticateNode(b *testing.B) {`
			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`b.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`defer os.RemoveAll(testPath)`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00
			`creds := serverConfig.GetCredential()`
			`b.ResetTimer()`
			`b.ReportAllocs()`
			`for i := 0; i < b.N; i++ {`
			`authenticateNode(creds.AccessKey, creds.SecretKey)`
			`}`
			`}`

			`func BenchmarkAuthenticateWeb(b *testing.B) {`
			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`b.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 2017-08-13 10:25:43 +08:00			`defer os.RemoveAll(testPath)`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-27 08:51:51 +08:00
			`creds := serverConfig.GetCredential()`
			`b.ResetTimer()`
			`b.ReportAllocs()`
			`for i := 0; i < b.N; i++ {`
			`authenticateWeb(creds.AccessKey, creds.SecretKey)`
			`}`
			`}`