minio/internal/config/identity/openid/help.go

// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package openid

import "github.com/minio/minio/internal/config"

// Help template for OpenID identity feature.
var (
	defaultHelpPostfix = func(key string) string {
		return config.DefaultHelpPostfix(DefaultKVS, key)
	}

	Help = config.HelpKVS{
		config.HelpKV{
			Key:         config.Enable,
			Description: "Enable or disable OpenID",
			Type:        "on|off",
			Optional:    true,
			Sensitive:   false,
		},
		config.HelpKV{
			Key:         DisplayName,
			Description: "Friendly display name for this Provider/App" + defaultHelpPostfix(DisplayName),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ConfigURL,
			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"` + defaultHelpPostfix(ConfigURL),
			Type:        "url",
		},
		config.HelpKV{
			Key:         ClientID,
			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"` + defaultHelpPostfix(ClientID),
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClientSecret,
			Description: `secret for the unique public identifier for apps` + defaultHelpPostfix(ClientSecret),
			Sensitive:   true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RolePolicy,
			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"` + defaultHelpPostfix(RolePolicy),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimName,
			Description: `JWT canned policy claim name` + defaultHelpPostfix(ClaimName),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         Scopes,
			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"` + defaultHelpPostfix(Scopes),
			Optional:    true,
			Type:        "csv",
		},
		config.HelpKV{
			Key:         Vendor,
			Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO` + defaultHelpPostfix(Vendor),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimUserinfo,
			Description: `Enable fetching claims from UserInfo Endpoint for authenticated user` + defaultHelpPostfix(ClaimUserinfo),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         KeyCloakRealm,
			Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default` + defaultHelpPostfix(KeyCloakRealm),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         KeyCloakAdminURL,
			Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/` + defaultHelpPostfix(KeyCloakAdminURL),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURIDynamic,
			Description: `Enable 'Host' header based dynamic redirect URI` + defaultHelpPostfix(RedirectURIDynamic),
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"` + defaultHelpPostfix(ClaimPrefix),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
	}
)
update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io> 2021-04-19 03:41:13 +08:00			`// Copyright (c) 2015-2021 MinIO, Inc.`
			`//`
			`// This file is part of MinIO Object Storage stack`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 13:59:13 +08:00
			`package openid`

rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg` 2021-06-02 05:59:40 +08:00			`import "github.com/minio/minio/internal/config"`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 13:59:13 +08:00
			`// Help template for OpenID identity feature.`
			`var (`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			`defaultHelpPostfix = func(key string) string {`
			`return config.DefaultHelpPostfix(DefaultKVS, key)`
			`}`

Add help with order of keys (#8535) 2019-11-20 05:48:13 +08:00			`Help = config.HelpKVS{`
Add "enable" to config help (#14866) Most help sections were missing "enable", which means it is filtered out with `mc admin config get --json`. Add it where missing. 2022-05-05 19:17:04 +08:00			`config.HelpKV{`
			`Key: config.Enable,`
			`Description: "Enable or disable OpenID",`
			`Type: "on\|off",`
			`Optional: true,`
			`Sensitive: false,`
			`},`
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element 2022-04-29 09:27:09 +08:00			`config.HelpKV{`
			`Key: DisplayName,`
			`Description: "Friendly display name for this Provider/App" + defaultHelpPostfix(DisplayName),`
			`Optional: true,`
			`Type: "string",`
			`},`
Add help with order of keys (#8535) 2019-11-20 05:48:13 +08:00			`config.HelpKV{`
			`Key: ConfigURL,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"` + defaultHelpPostfix(ConfigURL),
Add help with order of keys (#8535) 2019-11-20 05:48:13 +08:00			`Type: "url",`
			`},`
Add client_id support for OpenID (#8579) - One click OpenID authorization on Login page - Add client_id help, config keys etc Thanks to @egorkaru @ihostage for the original work and testing. 2019-11-30 13:37:42 +08:00			`config.HelpKV{`
			`Key: ClientID,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"` + defaultHelpPostfix(ClientID),
Add client_id support for OpenID (#8579) - One click OpenID authorization on Login page - Add client_id help, config keys etc Thanks to @egorkaru @ihostage for the original work and testing. 2019-11-30 13:37:42 +08:00			`Type: "string",`
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ``` 2021-06-18 11:27:04 +08:00			`},`
			`config.HelpKV{`
			`Key: ClientSecret,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `secret for the unique public identifier for apps` + defaultHelpPostfix(ClientSecret),
Add external IDP management Admin API for OpenID (#15152) 2022-07-06 09:18:04 +08:00			`Sensitive: true,`
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ``` 2021-06-18 11:27:04 +08:00			`Type: "string",`
Add client_id support for OpenID (#8579) - One click OpenID authorization on Login page - Add client_id help, config keys etc Thanks to @egorkaru @ihostage for the original work and testing. 2019-11-30 13:37:42 +08:00			`},`
Add custom policy claim name (#8764) In certain organizations policy claim names can be not just 'policy' but also things like 'roles', the value of this field might also be string or []string support this as well In this PR we are still not supporting multiple policies per STS account which will require a more comprehensive change. 2020-01-09 09:21:58 +08:00			`config.HelpKV{`
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element 2022-04-29 09:27:09 +08:00			`Key: RolePolicy,`
			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"` + defaultHelpPostfix(RolePolicy),
Add custom policy claim name (#8764) In certain organizations policy claim names can be not just 'policy' but also things like 'roles', the value of this field might also be string or []string support this as well In this PR we are still not supporting multiple policies per STS account which will require a more comprehensive change. 2020-01-09 09:21:58 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367 2021-09-14 07:22:14 +08:00			`config.HelpKV{`
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element 2022-04-29 09:27:09 +08:00			`Key: ClaimName,`
			Description: `JWT canned policy claim name` + defaultHelpPostfix(ClaimName),
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected. 2021-11-27 11:22:40 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
fix: support client customized scopes for OpenID (#9880) Fixes #9238 2020-06-23 03:08:50 +08:00			`config.HelpKV{`
			`Key: Scopes,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"` + defaultHelpPostfix(Scopes),
fix: support client customized scopes for OpenID (#9880) Fixes #9238 2020-06-23 03:08:50 +08:00			`Optional: true,`
			`Type: "csv",`
			`},`
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP. 2021-07-10 02:17:21 +08:00			`config.HelpKV{`
			`Key: Vendor,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO` + defaultHelpPostfix(Vendor),
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP. 2021-07-10 02:17:21 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element 2022-04-29 09:27:09 +08:00			`config.HelpKV{`
			`Key: ClaimUserinfo,`
			Description: `Enable fetching claims from UserInfo Endpoint for authenticated user` + defaultHelpPostfix(ClaimUserinfo),
			`Optional: true,`
			`Type: "on\|off",`
			`},`
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP. 2021-07-10 02:17:21 +08:00			`config.HelpKV{`
			`Key: KeyCloakRealm,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default` + defaultHelpPostfix(KeyCloakRealm),
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP. 2021-07-10 02:17:21 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
			`config.HelpKV{`
			`Key: KeyCloakAdminURL,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/` + defaultHelpPostfix(KeyCloakAdminURL),
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP. 2021-07-10 02:17:21 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2 2021-11-17 10:40:39 +08:00			`config.HelpKV{`
			`Key: RedirectURIDynamic,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `Enable 'Host' header based dynamic redirect URI` + defaultHelpPostfix(RedirectURIDynamic),
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2 2021-11-17 10:40:39 +08:00			`Optional: true,`
			`Type: "on\|off",`
			`},`
			`config.HelpKV{`
			`Key: ClaimPrefix,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"` + defaultHelpPostfix(ClaimPrefix),
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2 2021-11-17 10:40:39 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
			`config.HelpKV{`
			`Key: RedirectURI,`
standardize config help defaults (#14788) 2022-04-27 11:11:37 +08:00			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI),
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2 2021-11-17 10:40:39 +08:00			`Optional: true,`
			`Type: "string",`
			`},`
Add help with order of keys (#8535) 2019-11-20 05:48:13 +08:00			`config.HelpKV{`
			`Key: config.Comment,`
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review 2019-12-05 07:32:37 +08:00			`Description: config.DefaultComment,`
Add help with order of keys (#8535) 2019-11-20 05:48:13 +08:00			`Optional: true,`
			`Type: "sentence",`
			`},`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 13:59:13 +08:00			`}`
			`)`