root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/auth-handler.go

662 lines
22 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
signature: Rewrite signature handling and move it into a library.
2016-02-16 09:42:39 +08:00
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
2016-08-19 07:23:42 +08:00
package cmd
signature: Rewrite signature handling and move it into a library.
2016-02-16 09:42:39 +08:00
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
import (
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 08:08:15 +08:00
"bytes"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 06:04:40 +08:00
"context"
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
"crypto/subtle"
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-17 02:22:34 +08:00
"encoding/base64"
"encoding/hex"
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
2018-01-18 02:36:25 +08:00
"errors"
fix DoS vulnerability in request authentication (#5887) This commit fixes a DoS vulnerability in the request authentication. The root cause is an 'unlimited' read-into-RAM from the request body. Since this read happens before the request authentication is verified the vulnerability can be exploit without any access privileges. This commit limits the size of the request body to 3 MB. This is about the same size as AWS. The limit seems to be between 1.6 and 3.2 MB - depending on the AWS machine which is handling the request.
2018-05-05 02:16:14 +08:00
"io"
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 08:08:15 +08:00
"io/ioutil"
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
"net/http"
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
"net/url"
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
"strconv"
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
"strings"
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 14:19:36 +08:00
"sync/atomic"
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
"time"
Handle incoming proxy requests ip, scheme (#5591) This PR implements functions to get the right ip, scheme from the incoming proxied requests.
2018-03-03 07:23:04 +08:00
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/auth"
objectlock "github.com/minio/minio/internal/bucket/object/lock"
"github.com/minio/minio/internal/etag"
"github.com/minio/minio/internal/hash"
xhttp "github.com/minio/minio/internal/http"
xjwt "github.com/minio/minio/internal/jwt"
"github.com/minio/minio/internal/logger"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 12:16:42 +08:00
"github.com/minio/pkg/bucket/policy"
iampolicy "github.com/minio/pkg/iam/policy"
signature: Rewrite signature handling and move it into a library.
2016-02-16 09:42:39 +08:00
)
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
// Verify if request has JWT.
func isRequestJWT(r *http.Request) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
return strings.HasPrefix(r.Header.Get(xhttp.Authorization), jwtAlgorithm)
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
}
// Verify if request has AWS Signature Version '4'.
func isRequestSignatureV4(r *http.Request) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
return strings.HasPrefix(r.Header.Get(xhttp.Authorization), signV4Algorithm)
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
// Verify if request has AWS Signature Version '2'.
func isRequestSignatureV2(r *http.Request) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
return (!strings.HasPrefix(r.Header.Get(xhttp.Authorization), signV4Algorithm) &&
strings.HasPrefix(r.Header.Get(xhttp.Authorization), signV2Algorithm))
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
// Verify if request has AWS PreSign Version '4'.
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
func isRequestPresignedSignatureV4(r *http.Request) bool {
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
_, ok := r.Form[xhttp.AmzCredential]
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
return ok
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
// Verify request has AWS PreSign Version '2'.
func isRequestPresignedSignatureV2(r *http.Request) bool {
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
_, ok := r.Form[xhttp.AmzAccessKeyID]
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
return ok
}
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
// Verify if request has AWS Post policy Signature Version '4'.
func isRequestPostPolicySignatureV4(r *http.Request) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
return strings.Contains(r.Header.Get(xhttp.ContentType), "multipart/form-data") &&
Remove duplicate http constants (#5367)
2018-01-08 12:47:48 +08:00
r.Method == http.MethodPost
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
}
// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
func isRequestSignStreamingV4(r *http.Request) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
return r.Header.Get(xhttp.AmzContentSha256) == streamingContentSHA256 &&
Remove duplicate http constants (#5367)
2018-01-08 12:47:48 +08:00
r.Method == http.MethodPut
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
}
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
// Authorization type.
type authType int
// List of all supported auth types.
const (
authTypeUnknown authType = iota
authTypeAnonymous
authTypePresigned
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
authTypePresignedV2
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
authTypePostPolicy
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
authTypeStreamingSigned
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
authTypeSigned
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
authTypeSignedV2
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
authTypeJWT
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
authTypeSTS
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
)
// Get request authentication type.
func getRequestAuthType(r *http.Request) authType {
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if r.URL != nil {
var err error
r.Form, err = url.ParseQuery(r.URL.RawQuery)
if err != nil {
logger.LogIf(r.Context(), err)
return authTypeUnknown
}
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
if isRequestSignatureV2(r) {
return authTypeSignedV2
} else if isRequestPresignedSignatureV2(r) {
return authTypePresignedV2
} else if isRequestSignStreamingV4(r) {
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
return authTypeStreamingSigned
} else if isRequestSignatureV4(r) {
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
return authTypeSigned
} else if isRequestPresignedSignatureV4(r) {
return authTypePresigned
} else if isRequestJWT(r) {
return authTypeJWT
} else if isRequestPostPolicySignatureV4(r) {
return authTypePostPolicy
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
} else if _, ok := r.Form[xhttp.Action]; ok {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return authTypeSTS
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
} else if _, ok := r.Header[xhttp.Authorization]; !ok {
Check for STS Action first to allow browser requests (#6796)
2018-11-14 07:53:06 +08:00
return authTypeAnonymous
accessPolicy: Implement Put, Get, Delete access policy. This patch implements Get,Put,Delete bucket policies Supporting - http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html Currently supports following actions. "*": true, "s3:*": true, "s3:GetObject": true, "s3:ListBucket": true, "s3:PutObject": true, "s3:CreateBucket": true, "s3:GetBucketLocation": true, "s3:DeleteBucket": true, "s3:DeleteObject": true, "s3:AbortMultipartUpload": true, "s3:ListBucketMultipartUploads": true, "s3:ListMultipartUploadParts": true, following conditions for "StringEquals" and "StringNotEquals" "s3:prefix", "s3:max-keys"
2016-02-04 08:46:56 +08:00
}
return authTypeUnknown
}
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
func validateAdminSignature(ctx context.Context, r *http.Request, region string) (auth.Credentials, map[string]interface{}, bool, APIErrorCode) {
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
var cred auth.Credentials
var owner bool
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
2018-01-18 02:36:25 +08:00
s3Err := ErrAccessDenied
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
if _, ok := r.Header[xhttp.AmzContentSha256]; ok &&
allow admin API to support UNSIGNED-PAYLOAD (#13207) admin API requests do not support x-amz-content-sha256 set with UNSIGNED-PAYLOAD, keep this consistent and support it properly.
2021-09-15 04:55:24 +08:00
getRequestAuthType(r) == authTypeSigned {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// We only support admin credentials to access admin APIs.
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if s3Err != ErrNone {
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
return cred, nil, owner, s3Err
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
// we only support V4 (no presign) with auth body
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
s3Err = isReqAuthenticated(ctx, r, region, serviceS3)
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
2018-01-18 02:36:25 +08:00
}
if s3Err != ErrNone {
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 06:04:40 +08:00
reqInfo := (&logger.ReqInfo{}).AppendTags("requestHeaders", dumpRequest(r))
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-13 03:07:43 +08:00
ctx := logger.SetReqInfo(ctx, reqInfo)
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs.
2019-10-12 09:50:54 +08:00
logger.LogIf(ctx, errors.New(getAPIError(s3Err).Description), logger.Application)
fix: Add missing return in admin requests auth (#9422)
2020-04-23 04:42:01 +08:00
return cred, nil, owner, s3Err
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
2018-01-18 02:36:25 +08:00
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, cred.Claims, owner, ErrNone
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
}
Profiling does not required object layer to be initialized (#11133)
2020-12-19 03:51:15 +08:00
// checkAdminRequestAuth checks for authentication and authorization for the incoming
// request. It only accepts V2 and V4 requests. Presigned, JWT and anonymous requests
// are automatically rejected.
func checkAdminRequestAuth(ctx context.Context, r *http.Request, action iampolicy.AdminAction, region string) (auth.Credentials, APIErrorCode) {
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
cred, claims, owner, s3Err := validateAdminSignature(ctx, r, region)
if s3Err != ErrNone {
return cred, s3Err
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
fix: AccountInfo API for LDAP users (#11874) Also, ensure admin APIs auth additionally validates groups
2021-03-24 08:39:20 +08:00
Groups: cred.Groups,
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server
2019-11-19 18:03:18 +08:00
Action: iampolicy.Action(action),
ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
IsOwner: owner,
Claims: claims,
}) {
// Request is allowed return the appropriate access key.
return cred, ErrNone
}
return cred, ErrAccessDenied
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
2018-01-18 02:36:25 +08:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// Fetch the security token set by the client.
func getSessionToken(r *http.Request) (token string) {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
token = r.Header.Get(xhttp.AmzSecurityToken)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if token != "" {
return token
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
return r.Form.Get(xhttp.AmzSecurityToken)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
// Fetch claims in the security token returned by the client, doesn't return
// errors - upon errors the returned claims map will be empty.
func mustGetClaimsFromToken(r *http.Request) map[string]interface{} {
fix: missing user policy enforcement in PostPolicyHandler (#11682)
2021-03-04 00:47:08 +08:00
claims, _ := getClaimsFromToken(getSessionToken(r))
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
return claims
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
func getClaimsFromTokenWithSecret(token, secret string) (map[string]interface{}, error) {
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
// JWT token for x-amz-security-token is signed with admin
// secret key, temporary credentials become invalid if
// server admin credentials change. This is done to ensure
// that clients cannot decode the token using the temp
// secret keys and generate an entirely new claim by essentially
// hijacking the policies. We need to make sure that this is
// based an admin credential such that token cannot be decoded
// on the client side and is treated like an opaque value.
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
claims, err := auth.ExtractClaims(token, secret)
ldap: Create services accounts for LDAP and STS temp accounts (#11808)
2021-04-15 13:51:14 +08:00
if err != nil {
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
if subtle.ConstantTimeCompare([]byte(secret), []byte(globalActiveCred.SecretKey)) == 1 {
return nil, errAuthentication
}
claims, err = auth.ExtractClaims(token, globalActiveCred.SecretKey)
if err != nil {
return nil, errAuthentication
}
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
}
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
fix: regression in AssumeRole session policy handling (fixes #12756) (#12773)
2021-07-22 23:42:07 +08:00
// If OPA is set, return without any further checks.
if globalPolicyOPA != nil {
return claims.Map(), nil
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
fix: regression in AssumeRole session policy handling (fixes #12756) (#12773)
2021-07-22 23:42:07 +08:00
// Check if a session policy is set. If so, decode it here.
sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
if spok {
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
// Looks like subpolicy is set and is a string, if set then its
fix: regression in AssumeRole session policy handling (fixes #12756) (#12773)
2021-07-22 23:42:07 +08:00
// base64 encoded, decode it. Decoding fails reject such
// requests.
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
spBytes, err := base64.StdEncoding.DecodeString(sp)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
if err != nil {
// Base64 decoding fails, we should log to indicate
// something is malforming the request sent by client.
fix: missing user policy enforcement in PostPolicyHandler (#11682)
2021-03-04 00:47:08 +08:00
logger.LogIf(GlobalContext, err, logger.Application)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return nil, errAuthentication
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
claims.MapClaims[iampolicy.SessionPolicyName] = string(spBytes)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return claims.Map(), nil
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
// Fetch claims in the security token returned by the client.
func getClaimsFromToken(token string) (map[string]interface{}, error) {
return getClaimsFromTokenWithSecret(token, globalActiveCred.SecretKey)
}
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
// Fetch claims in the security token returned by the client and validate the token.
func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]interface{}, APIErrorCode) {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
token := getSessionToken(r)
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
if token != "" && cred.AccessKey == "" {
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
// x-amz-security-token is not allowed for anonymous access.
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
return nil, ErrNoAccessKey
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
if token == "" && cred.IsTemp() {
// Temporary credentials should always have x-amz-security-token
return nil, ErrInvalidToken
fix: deprecate requirement of session token for service accounts (#9320) This PR fixes couple of behaviors with service accounts - not need to have session token for service accounts - service accounts can be generated by any user for themselves implicitly, with a valid signature. - policy input for AddNewServiceAccount API is not fully typed allowing for validation before it is sent to the server. - also bring in additional context for admin API errors if any when replying back to client. - deprecate GetServiceAccount API as we do not need to reply back session tokens
2020-04-15 02:28:56 +08:00
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
if token != "" && !cred.IsTemp() {
// x-amz-security-token should not present for static credentials.
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
return nil, ErrInvalidToken
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
if cred.IsTemp() && subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 {
// validate token for temporary credentials only.
return nil, ErrInvalidToken
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
decouple service accounts from root credentials (#14534) changing root credentials makes service accounts in-operable, this PR changes the way sessionToken is generated for service accounts. It changes service account behavior to generate sessionToken claims from its own secret instead of using global root credential. Existing credentials will be supported by falling back to verify using root credential. fixes #14530
2022-03-15 00:09:22 +08:00
secret := globalActiveCred.SecretKey
if cred.IsServiceAccount() {
token = cred.SessionToken
secret = cred.SecretKey
}
if token != "" {
claims, err := getClaimsFromTokenWithSecret(token, secret)
if err != nil {
return nil, toAPIErrorCode(r.Context(), err)
}
return claims, ErrNone
}
claims := xjwt.NewMapClaims()
return claims.Map(), ErrNone
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-22 05:51:05 +08:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// Check request auth type verifies the incoming http request
// - validates the request signature
// - validates the policy action if anonymous tests bucket policies if any,
// for authenticated requests validates IAM policies.
// returns APIErrorCode if any to be replied to the client.
func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Action, bucketName, objectName string) (s3Err APIErrorCode) {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
_, _, s3Err = checkRequestAuthTypeCredential(ctx, r, action, bucketName, objectName)
With ListBuckets() access-list only buckets the user has access (#8037) This is a behavior change from AWS S3, but it is done with better judgment on our end to allow the listing of buckets only which user has access to. The advantage is this declutters the UI for users and only lists bucket which they have access to. Precursor for this feature to be applicable is a policy must have the following actions ``` s3:ListAllMyBuckets ``` and ``` s3:ListBucket ``` enabled in the policy.
2019-08-13 01:27:38 +08:00
return s3Err
}
// Check request auth type verifies the incoming http request
// - validates the request signature
// - validates the policy action if anonymous tests bucket policies if any,
// for authenticated requests validates IAM policies.
// returns APIErrorCode if any to be replied to the client.
// Additionally returns the accessKey used in the request, and if this request is by an admin.
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
func checkRequestAuthTypeCredential(ctx context.Context, r *http.Request, action policy.Action, bucketName, objectName string) (cred auth.Credentials, owner bool, s3Err APIErrorCode) {
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
switch getRequestAuthType(r) {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
case authTypeUnknown, authTypeStreamingSigned:
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrSignatureVersionNotSupported
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-22 05:51:05 +08:00
case authTypePresignedV2, authTypeSignedV2:
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if s3Err = isReqAuthenticatedV2(r); s3Err != ErrNone {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, s3Err
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
}
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
cred, owner, s3Err = getReqAccessKeyV2(r)
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-22 05:51:05 +08:00
case authTypeSigned, authTypePresigned:
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-26 05:06:25 +08:00
region := globalSite.Region
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
switch action {
case policy.GetBucketLocationAction, policy.ListAllMyBucketsAction:
region = ""
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if s3Err = isReqAuthenticated(ctx, r, region, serviceS3); s3Err != ErrNone {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, s3Err
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
if s3Err != ErrNone {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, s3Err
Cleanup and fixes (#3273) * newRequestID() (previously generateUploadID()) returns string than byte array. * Remove unclear comments and added appropriate comments. * SHA-256, MD5 Hash functions return Hex/Base64 encoded string than byte array. * Remove duplicate MD5 hasher functions. * Rename listObjectsValidateArgs() into validateListObjectsArgs() * Remove repeated auth check code in all bucket request handlers. * Remove abbreviated names in bucket-metadata * Avoid nested if in bucketPolicyMatchStatement() * Use ioutil.ReadFile() instead of os.Open() and ioutil.ReadAll() * Set crossDomainXML as constant.
2016-11-22 05:51:05 +08:00
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
// LocationConstraint is valid only for CreateBucketAction.
var locationConstraint string
if action == policy.CreateBucketAction {
// To extract region from XML in request body, get copy of request body.
fix DoS vulnerability in request authentication (#5887) This commit fixes a DoS vulnerability in the request authentication. The root cause is an 'unlimited' read-into-RAM from the request body. Since this read happens before the request authentication is verified the vulnerability can be exploit without any access privileges. This commit limits the size of the request body to 3 MB. This is about the same size as AWS. The limit seems to be between 1.6 and 3.2 MB - depending on the AWS machine which is handling the request.
2018-05-05 02:16:14 +08:00
payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize))
Virtual host style S3 requests (#5095)
2017-11-15 08:56:24 +08:00
if err != nil {
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs.
2019-10-12 09:50:54 +08:00
logger.LogIf(ctx, err, logger.Application)
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrMalformedXML
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
}
// Populate payload to extract location constraint.
r.Body = ioutil.NopCloser(bytes.NewReader(payload))
var s3Error APIErrorCode
locationConstraint, s3Error = parseLocationConstraint(r)
if s3Error != ErrNone {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, s3Error
Virtual host style S3 requests (#5095)
2017-11-15 08:56:24 +08:00
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
// Populate payload again to handle it in HTTP handler.
r.Body = ioutil.NopCloser(bytes.NewReader(payload))
}
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-05 01:13:34 +08:00
if cred.AccessKey != "" {
logger.GetReqInfo(ctx).AccessKey = cred.AccessKey
}
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
Bump default idleConnsPerHost to control conns in time_wait (#10653) This PR fixes a hang which occurs quite commonly at higher concurrency by allowing following changes - allowing lower connections in time_wait allows faster socket open's - lower idle connection timeout to ensure that we let kernel reclaim the time_wait connections quickly - increase somaxconn to 4096 instead of 2048 to allow larger tcp syn backlogs. fixes #10413
2020-10-13 05:19:46 +08:00
if action != policy.ListAllMyBucketsAction && cred.AccessKey == "" {
// Anonymous checks are not meant for ListBuckets action
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if globalPolicySys.IsAllowed(policy.Args{
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
AccountName: cred.AccessKey,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Action: action,
BucketName: bucketName,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 23:59:59 +08:00
ConditionValues: getConditionValues(r, locationConstraint, "", nil),
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
IsOwner: false,
ObjectName: objectName,
}) {
With ListBuckets() access-list only buckets the user has access (#8037) This is a behavior change from AWS S3, but it is done with better judgment on our end to allow the listing of buckets only which user has access to. The advantage is this declutters the UI for users and only lists bucket which they have access to. Precursor for this feature to be applicable is a policy must have the following actions ``` s3:ListAllMyBuckets ``` and ``` s3:ListBucket ``` enabled in the policy.
2019-08-13 01:27:38 +08:00
// Request is allowed return the appropriate access key.
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrNone
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
if action == policy.ListBucketVersionsAction {
// In AWS S3 s3:ListBucket permission is same as s3:ListBucketVersions permission
// verify as a fallback.
if globalPolicySys.IsAllowed(policy.Args{
AccountName: cred.AccessKey,
Action: policy.ListBucketAction,
BucketName: bucketName,
ConditionValues: getConditionValues(r, locationConstraint, "", nil),
IsOwner: false,
ObjectName: objectName,
}) {
// Request is allowed return the appropriate access key.
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrNone
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
}
}
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrAccessDenied
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if globalIAMSys.IsAllowed(iampolicy.Args{
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Action: iampolicy.Action(action),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
BucketName: bucketName,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
ConditionValues: getConditionValues(r, "", cred.AccessKey, cred.Claims),
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
ObjectName: objectName,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
IsOwner: owner,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
Claims: cred.Claims,
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
}) {
With ListBuckets() access-list only buckets the user has access (#8037) This is a behavior change from AWS S3, but it is done with better judgment on our end to allow the listing of buckets only which user has access to. The advantage is this declutters the UI for users and only lists bucket which they have access to. Precursor for this feature to be applicable is a policy must have the following actions ``` s3:ListAllMyBuckets ``` and ``` s3:ListBucket ``` enabled in the policy.
2019-08-13 01:27:38 +08:00
// Request is allowed return the appropriate access key.
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrNone
Enhance policy handling to support SSE and WORM (#5790) - remove old bucket policy handling - add new policy handling - add new policy handling unit tests This patch brings support to bucket policy to have more control not limiting to anonymous. Bucket owner controls to allow/deny any rest API. For example server side encryption can be controlled by allowing PUT/GET objects with encryptions including bucket owner.
2018-04-25 06:53:30 +08:00
}
Bump default idleConnsPerHost to control conns in time_wait (#10653) This PR fixes a hang which occurs quite commonly at higher concurrency by allowing following changes - allowing lower connections in time_wait allows faster socket open's - lower idle connection timeout to ensure that we let kernel reclaim the time_wait connections quickly - increase somaxconn to 4096 instead of 2048 to allow larger tcp syn backlogs. fixes #10413
2020-10-13 05:19:46 +08:00
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
if action == policy.ListBucketVersionsAction {
// In AWS S3 s3:ListBucket permission is same as s3:ListBucketVersions permission
// verify as a fallback.
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
fix: use the correct Action type for policy.Args and iampolicy.Args (#10650)
2020-10-13 06:18:22 +08:00
Action: iampolicy.ListBucketAction,
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
BucketName: bucketName,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
ConditionValues: getConditionValues(r, "", cred.AccessKey, cred.Claims),
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
ObjectName: objectName,
IsOwner: owner,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
Claims: cred.Claims,
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
}) {
// Request is allowed return the appropriate access key.
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrNone
add missing ListBucketVersions from policy actions (#10414)
2020-09-04 09:25:06 +08:00
}
}
fix: handle array policies in JWT claim (#10041) PR #10014 was not complete as only handled policy claims partially.
2020-07-15 01:26:47 +08:00
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
return cred, owner, ErrAccessDenied
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 08:08:15 +08:00
}
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
// Verify if request has valid AWS Signature Version '2'.
func isReqAuthenticatedV2(r *http.Request) (s3Error APIErrorCode) {
if isRequestSignatureV2(r) {
return doesSignV2Match(r)
}
return doesPresignV2SignatureMatch(r)
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
func reqSignatureV4Verify(r *http.Request, region string, stype serviceType) (s3Error APIErrorCode) {
sha256sum := getContentSha256Cksum(r, stype)
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
switch {
case isRequestSignatureV4(r):
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return doesSignatureMatch(sha256sum, r, region, stype)
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
case isRequestPresignedSignatureV4(r):
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return doesPresignedSignatureMatch(sha256sum, r, region, stype)
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
default:
return ErrAccessDenied
sha256: Verify sha256 along with md5sum, signature is verified on the request early. (#2813)
2016-10-03 06:51:49 +08:00
}
}
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
// Verify if request has valid AWS Signature Version '4'.
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
func isReqAuthenticated(ctx context.Context, r *http.Request, region string, stype serviceType) (s3Error APIErrorCode) {
if errCode := reqSignatureV4Verify(r, region, stype); errCode != ErrNone {
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
return errCode
}
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-17 02:22:34 +08:00
etag: add FromContentMD5 to parse content-md5 as ETag (#11688) This commit adds the `FromContentMD5` function to parse a client-provided content-md5 as ETag. Further, it also adds multipart ETag computation for future needs.
2021-03-04 04:58:28 +08:00
clientETag, err := etag.FromContentMD5(r.Header)
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs
2020-02-16 14:07:52 +08:00
if err != nil {
return ErrInvalidDigest
signature: Use a layered approach for signature verification. Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
2016-03-13 08:08:15 +08:00
}
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
// Extract either 'X-Amz-Content-Sha256' header or 'X-Amz-Content-Sha256' query parameter (if V4 presigned)
// Do not verify 'X-Amz-Content-Sha256' if skipSHA256.
etag: add FromContentMD5 to parse content-md5 as ETag (#11688) This commit adds the `FromContentMD5` function to parse a client-provided content-md5 as ETag. Further, it also adds multipart ETag computation for future needs.
2021-03-04 04:58:28 +08:00
var contentSHA256 []byte
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
if skipSHA256 := skipContentSha256Cksum(r); !skipSHA256 && isRequestPresignedSignatureV4(r) {
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if sha256Sum, ok := r.Form[xhttp.AmzContentSha256]; ok && len(sha256Sum) > 0 {
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
contentSHA256, err = hex.DecodeString(sha256Sum[0])
if err != nil {
return ErrContentSHA256Mismatch
}
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-17 02:22:34 +08:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
} else if _, ok := r.Header[xhttp.AmzContentSha256]; !skipSHA256 && ok {
contentSHA256, err = hex.DecodeString(r.Header.Get(xhttp.AmzContentSha256))
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
if err != nil || len(contentSHA256) == 0 {
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
2018-03-17 02:22:34 +08:00
return ErrContentSHA256Mismatch
}
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
}
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
// Verify 'Content-Md5' and/or 'X-Amz-Content-Sha256' if present.
// The verification happens implicit during reading.
etag: add FromContentMD5 to parse content-md5 as ETag (#11688) This commit adds the `FromContentMD5` function to parse a client-provided content-md5 as ETag. Further, it also adds multipart ETag computation for future needs.
2021-03-04 04:58:28 +08:00
reader, err := hash.NewReader(r.Body, -1, clientETag.String(), hex.EncodeToString(contentSHA256), -1)
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
if err != nil {
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
2018-11-13 03:07:43 +08:00
return toAPIErrorCode(ctx, err)
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
2018-05-19 02:27:25 +08:00
}
merge nested hash readers (#9582) The `ioutil.NopCloser(reader)` was hiding nested hash readers. We make it an `io.Closer` so it can be attached without wrapping and allows for nesting, by merging the requests.
2020-05-15 05:01:31 +08:00
r.Body = reader
signature-v4: Use sha256("") for calculating canonical request (#4064)
2017-04-11 00:58:08 +08:00
return ErrNone
signV4: Move pkg/signature to pkg/s3/signature4 Cleanup and move this to relevant path.
2016-02-22 09:57:05 +08:00
}
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
// List of all support S3 auth types.
minor cleanup - Reused contains() from utils.go at a couple of places - Cleanup in return statements and boolean checks
2016-08-16 22:57:14 +08:00
var supportedS3AuthTypes = map[authType]struct{}{
authTypeAnonymous: {},
authTypePresigned: {},
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
authTypePresignedV2: {},
minor cleanup - Reused contains() from utils.go at a couple of places - Cleanup in return statements and boolean checks
2016-08-16 22:57:14 +08:00
authTypeSigned: {},
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
2016-10-01 05:32:13 +08:00
authTypeSignedV2: {},
minor cleanup - Reused contains() from utils.go at a couple of places - Cleanup in return statements and boolean checks
2016-08-16 22:57:14 +08:00
authTypePostPolicy: {},
authTypeStreamingSigned: {},
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
}
// Validate if the authType is valid and supported.
func isSupportedS3AuthType(aType authType) bool {
minor cleanup - Reused contains() from utils.go at a couple of places - Cleanup in return statements and boolean checks
2016-08-16 22:57:14 +08:00
_, ok := supportedS3AuthTypes[aType]
return ok
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
2016-08-09 11:56:29 +08:00
}
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-05 01:54:22 +08:00
// setAuthHandler to validate authorization header for the incoming request.
func setAuthHandler(h http.Handler) http.Handler {
// handler for validating incoming authorization headers.
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
aType := getRequestAuthType(r)
reduce number of middleware handlers (#13546) - combine similar looking functionalities into single handlers, and remove unnecessary proxying of the requests at handler layer. - remove bucket forwarding handler as part of default setup add it only if bucket federation is enabled. Improvements observed for 1kiB object reads. ``` ------------------- Operation: GET Operations: 4538555 -> 4595804 * Average: +1.26% (+0.2 MiB/s) throughput, +1.26% (+190.2) obj/s * Fastest: +4.67% (+0.7 MiB/s) throughput, +4.67% (+739.8) obj/s * 50% Median: +1.15% (+0.2 MiB/s) throughput, +1.15% (+173.9) obj/s ```
2021-11-01 23:04:03 +08:00
if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned {
// Verify if date headers are set, if not reject the request
amzDate, errCode := parseAmzDateHeader(r)
if errCode != ErrNone {
// All our internal APIs are sensitive towards Date
// header, for all requests where Date header is not
// present we will reject such clients.
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(errCode), r.URL)
atomic.AddUint64(&globalHTTPStats.rejectedRequestsTime, 1)
return
}
// Verify if the request date header is shifted by less than globalMaxSkewTime parameter in the past
// or in the future, reject request otherwise.
curTime := UTCNow()
if curTime.Sub(amzDate) > globalMaxSkewTime || amzDate.Sub(curTime) > globalMaxSkewTime {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrRequestTimeTooSkewed), r.URL)
atomic.AddUint64(&globalHTTPStats.rejectedRequestsTime, 1)
return
}
}
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-21 02:32:01 +08:00
if isSupportedS3AuthType(aType) || aType == authTypeJWT || aType == authTypeSTS {
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-05 01:54:22 +08:00
h.ServeHTTP(w, r)
signature: Rewrite signature handling and move it into a library.
2016-02-16 09:42:39 +08:00
return
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 11:27:04 +08:00
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL)
fix: handle unsupported APIs more granularly (#11674)
2021-03-31 14:19:36 +08:00
atomic.AddUint64(&globalHTTPStats.rejectedRequestsAuth, 1)
handlers: Avoid initializing a struct in each handler call (#11217)
2021-01-05 01:54:22 +08:00
})
signature: Rewrite signature handling and move it into a library.
2016-02-16 09:42:39 +08:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, APIErrorCode) {
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
var cred auth.Credentials
var owner bool
var s3Err APIErrorCode
switch atype {
case authTypeUnknown, authTypeStreamingSigned:
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, owner, ErrSignatureVersionNotSupported
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
case authTypeSignedV2, authTypePresignedV2:
if s3Err = isReqAuthenticatedV2(r); s3Err != ErrNone {
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, owner, s3Err
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
}
cred, owner, s3Err = getReqAccessKeyV2(r)
case authTypePresigned, authTypeSigned:
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-26 05:06:25 +08:00
region := globalSite.Region
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
if s3Err = isReqAuthenticated(GlobalContext, r, region, serviceS3); s3Err != ErrNone {
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, owner, s3Err
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
}
cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
}
if s3Err != ErrNone {
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, owner, s3Err
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
}
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
return cred, owner, ErrNone
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
}
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
func isPutRetentionAllowed(bucketName, objectName string, retDays int, retDate time.Time, retMode objectlock.RetMode, byPassSet bool, r *http.Request, cred auth.Credentials, owner bool) (s3Err APIErrorCode) {
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
var retSet bool
if cred.AccessKey == "" {
return ErrAccessDenied
}
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
conditions := getConditionValues(r, "", cred.AccessKey, cred.Claims)
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
conditions["object-lock-mode"] = []string{string(retMode)}
conditions["object-lock-retain-until-date"] = []string{retDate.Format(time.RFC3339)}
if retDays > 0 {
conditions["object-lock-remaining-retention-days"] = []string{strconv.Itoa(retDays)}
}
if retMode == objectlock.RetGovernance && byPassSet {
byPassSet = globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
fix: use the correct Action type for policy.Args and iampolicy.Args (#10650)
2020-10-13 06:18:22 +08:00
Action: iampolicy.BypassGovernanceRetentionAction,
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
BucketName: bucketName,
ObjectName: objectName,
ConditionValues: conditions,
IsOwner: owner,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
Claims: cred.Claims,
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
})
}
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
fix: use the correct Action type for policy.Args and iampolicy.Args (#10650)
2020-10-13 06:18:22 +08:00
Action: iampolicy.PutObjectRetentionAction,
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
BucketName: bucketName,
ConditionValues: conditions,
ObjectName: objectName,
IsOwner: owner,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
Claims: cred.Claims,
fix: support object-remaining-retention-days policy condition (#9259) This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2020-04-07 04:44:16 +08:00
}) {
retSet = true
}
if byPassSet || retSet {
return ErrNone
}
return ErrAccessDenied
}
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-21 05:18:09 +08:00
// isPutActionAllowed - check if PUT operation is allowed on the resource, this
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// call verifies bucket policies and IAM policies, supports multi user
// checks etc.
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-05 01:13:34 +08:00
func isPutActionAllowed(ctx context.Context, atype authType, bucketName, objectName string, r *http.Request, action iampolicy.Action) (s3Err APIErrorCode) {
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
var cred auth.Credentials
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
var owner bool
switch atype {
case authTypeUnknown:
fix: allow listBuckets with listBuckets permission (#9253)
2020-04-03 03:35:22 +08:00
return ErrSignatureVersionNotSupported
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
case authTypeSignedV2, authTypePresignedV2:
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
cred, owner, s3Err = getReqAccessKeyV2(r)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
case authTypeStreamingSigned, authTypePresigned, authTypeSigned:
Add new `site` config sub-system intended to replace `region` (#13672) - New sub-system has "region" and "name" fields. - `region` subsystem is marked as deprecated, however still works, unless the new region parameter under `site` is set - in this case, the region subsystem is ignored. `region` subsystem is hidden from top-level help (i.e. from `mc admin config set myminio`), but appears when specifically requested (i.e. with `mc admin config set myminio region`). - MINIO_REGION, MINIO_REGION_NAME are supported as legacy environment variables for server region. - Adds MINIO_SITE_REGION as the current environment variable to configure the server region and MINIO_SITE_NAME for the site name.
2021-11-26 05:06:25 +08:00
region := globalSite.Region
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
if s3Err != ErrNone {
return s3Err
}
Context based AccessKey passing (#10615) A new field called AccessKey is added to the ReqInfo struct and populated. Because ReqInfo is added to the context, this allows the AccessKey to be accessed from 3rd-party code, such as a custom ObjectLayer. Co-authored-by: Harshavardhana <harsha@minio.io> Co-authored-by: Kaloyan Raev <kaloyan@storj.io>
2020-11-05 01:13:34 +08:00
if cred.AccessKey != "" {
logger.GetReqInfo(ctx).AccessKey = cred.AccessKey
}
fix: object lock behavior when default lock config is enabled (#9305)
2020-04-14 05:03:23 +08:00
// Do not check for PutObjectRetentionAction permission,
// if mode and retain until date are not set.
// Can happen when bucket has default lock config set
if action == iampolicy.PutObjectRetentionAction &&
r.Header.Get(xhttp.AmzObjectLockMode) == "" &&
r.Header.Get(xhttp.AmzObjectLockRetainUntilDate) == "" {
return ErrNone
}
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
if cred.AccessKey == "" {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if globalPolicySys.IsAllowed(policy.Args{
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Add numeric/date policy conditions (#9233) add new policy conditions - NumericEquals - NumericNotEquals - NumericLessThan - NumericLessThanEquals - NumericGreaterThan - NumericGreaterThanEquals - DateEquals - DateNotEquals - DateLessThan - DateLessThanEquals - DateGreaterThan - DateGreaterThanEquals
2020-04-01 15:04:25 +08:00
Action: policy.Action(action),
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
BucketName: bucketName,
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 23:59:59 +08:00
ConditionValues: getConditionValues(r, "", "", nil),
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
IsOwner: false,
ObjectName: objectName,
}) {
return ErrNone
}
return ErrAccessDenied
}
if globalIAMSys.IsAllowed(iampolicy.Args{
Parse and return proper errors with x-amz-security-token (#6766) This PR also simplifies the token and access key validation across our signature handling.
2018-11-07 22:40:03 +08:00
AccountName: cred.AccessKey,
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
Groups: cred.Groups,
Add object retention at the per object (#8528) level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2019-11-21 05:18:09 +08:00
Action: action,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
BucketName: bucketName,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
ConditionValues: getConditionValues(r, "", cred.AccessKey, cred.Claims),
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
ObjectName: objectName,
IsOwner: owner,
disallow sub-credentials based on root credentials to gain priviledges (#12947) This happens because of a change added where any sub-credential with parentUser == rootCredential i.e (MINIO_ROOT_USER) will always be an owner, you cannot generate credentials with lower session policy to restrict their access. This doesn't affect user service accounts created with regular users, LDAP or OpenID
2021-08-13 09:07:08 +08:00
Claims: cred.Claims,
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}) {
return ErrNone
}
return ErrAccessDenied
}