root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/jwt.go

160 lines
4.8 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
package cmd
import (
"errors"
"net/http"
"time"
[deps]: update jwt-go dependency (#12544) jwt-go has been renamed to jwt and has a new home. See https://github.com/dgrijalva/jwt-go/issues/462
2021-06-24 23:41:04 +08:00
jwtgo "github.com/golang-jwt/jwt"
jwtreq "github.com/golang-jwt/jwt/request"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/auth"
xjwt "github.com/minio/minio/internal/jwt"
"github.com/minio/minio/internal/logger"
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-21 02:32:01 +08:00
iampolicy "github.com/minio/pkg/iam/policy"
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
)
const (
jwtAlgorithm = "Bearer"
// Default JWT token for web handlers is one day.
defaultJWTExpiry = 24 * time.Hour
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
// Inter-node JWT token expiry is 15 minutes.
defaultInterNodeJWTExpiry = 15 * time.Minute
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-25 03:46:37 +08:00
// URL JWT token expiry is one minute (might be exposed).
defaultURLJWTExpiry = time.Minute
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
)
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-08 04:51:43 +08:00
var (
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 11:27:04 +08:00
errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing")
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-08 04:51:43 +08:00
)
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {
passedCredential, err := auth.CreateCredentials(accessKey, secretKey)
if err != nil {
return "", err
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
expiresAt := UTCNow().Add(expiry)
return authenticateJWTUsersWithCredentials(passedCredential, expiresAt)
}
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
func authenticateJWTUsersWithCredentials(credentials auth.Credentials, expiresAt time.Time) (string, error) {
serverCred := globalActiveCred
if serverCred.AccessKey != credentials.AccessKey {
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
var ok bool
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
serverCred, ok = globalIAMSys.GetUser(credentials.AccessKey)
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
if !ok {
return "", errInvalidAccessKeyID
}
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
if !serverCred.Equal(credentials) {
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
return "", errAuthentication
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
claims := xjwt.NewMapClaims()
claims.SetExpiry(expiresAt)
claims.SetAccessKey(credentials.AccessKey)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
return jwt.SignedString([]byte(serverCred.SecretKey))
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
func authenticateNode(accessKey, secretKey, audience string) (string, error) {
claims := xjwt.NewStandardClaims()
claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
claims.SetAccessKey(accessKey)
claims.SetAudience(audience)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return jwt.SignedString([]byte(secretKey))
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
}
func authenticateWeb(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
return authenticateJWTUsers(accessKey, secretKey, defaultJWTExpiry)
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
}
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-25 03:46:37 +08:00
func authenticateURL(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-17 09:44:58 +08:00
return authenticateJWTUsers(accessKey, secretKey, defaultURLJWTExpiry)
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-25 03:46:37 +08:00
}
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-12 05:26:42 +08:00
// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) {
token, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
if err != nil {
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-12 05:26:42 +08:00
if err == jwtreq.ErrNoTokenInRequest {
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return nil, false, errNoAuthToken
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-12 05:26:42 +08:00
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return nil, false, err
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-20 03:37:56 +08:00
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
claims := xjwt.NewMapClaims()
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-21 02:32:01 +08:00
if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) {
if claims.AccessKey == globalActiveCred.AccessKey {
return []byte(globalActiveCred.SecretKey), nil
}
cred, ok := globalIAMSys.GetUser(claims.AccessKey)
if !ok {
return nil, errInvalidAccessKeyID
}
return []byte(cred.SecretKey), nil
}); err != nil {
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return claims, false, errAuthentication
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-12 05:26:42 +08:00
}
populate additional claims for prometheus endpoint (#13011) service accounts and STS provide additional claims for policy authorization which needs to be verified along with Prometheus issuer claim.
2021-08-21 02:32:01 +08:00
owner := true
if globalActiveCred.AccessKey != claims.AccessKey {
// Check if the access key is part of users credentials.
ucred, ok := globalIAMSys.GetUser(claims.AccessKey)
if !ok {
return nil, false, errInvalidAccessKeyID
}
// get embedded claims
eclaims, s3Err := checkClaimsFromToken(req, ucred)
if s3Err != ErrNone {
return nil, false, errAuthentication
}
for k, v := range eclaims {
claims.MapClaims[k] = v
}
// Now check if we have a sessionPolicy.
if _, ok = eclaims[iampolicy.SessionPolicyName]; ok {
owner = false
} else {
owner = globalActiveCred.AccessKey == ucred.ParentUser
}
}
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
return claims, owner, nil
Have simpler JWT authentication. (#3501)
2016-12-28 00:28:10 +08:00
}
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 16:51:56 +08:00
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
func newAuthToken(audience string) string {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
cred := globalActiveCred
jwt: Simplify JWT parsing (#8802) JWT parsing is simplified by using a custom claim data structure such as MapClaims{}, also writes a custom Unmarshaller for faster unmarshalling. - Avoid as much reflections as possible - Provide the right types for functions as much as possible - Avoid strings.Join, strings.Split to reduce allocations, rely on indexes directly.
2020-01-31 10:59:22 +08:00
token, err := authenticateNode(cred.AccessKey, cred.SecretKey, audience)
use GlobalContext whenever possible (#9280) This change is throughout the codebase to ensure that all codepaths honor GlobalContext
2020-04-10 00:30:02 +08:00
logger.CriticalIf(GlobalContext, err)
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 16:51:56 +08:00
return token
}