root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/sts-handlers.go

794 lines
27 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-19 03:41:13 +08:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
package cmd
import (
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
"bytes"
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
"context"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
"crypto/x509"
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
"encoding/base64"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
"errors"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
"fmt"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
"net/http"
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
"strings"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
"time"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
"github.com/gorilla/mux"
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
"github.com/minio/madmin-go"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-02 05:59:40 +08:00
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config/identity/openid"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 12:16:42 +08:00
iampolicy "github.com/minio/pkg/iam/policy"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-29 06:17:01 +08:00
"github.com/minio/pkg/wildcard"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
)
const (
// STS API version.
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-14 07:22:14 +08:00
stsAPIVersion = "2011-06-15"
stsVersion = "Version"
stsAction = "Action"
stsPolicy = "Policy"
stsToken = "Token"
stsWebIdentityToken = "WebIdentityToken"
stsWebIdentityAccessToken = "WebIdentityAccessToken" // only valid if UserInfo is enabled.
stsDurationSeconds = "DurationSeconds"
stsLDAPUsername = "LDAPUsername"
stsLDAPPassword = "LDAPPassword"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// STS API action constants
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
clientGrants = "AssumeRoleWithClientGrants"
webIdentity = "AssumeRoleWithWebIdentity"
ldapIdentity = "AssumeRoleWithLDAPIdentity"
clientCertificate = "AssumeRoleWithCertificate"
assumeRole = "AssumeRole"
fix DoS vulnerability in the content SHA-256 processing (#8026) This commit fixes a DoS issue that is caused by an incorrect SHA-256 content verification during STS requests. Before that fix clients could write arbitrary many bytes to the server memory. This commit fixes this by limiting the request body size.
2019-08-06 01:06:40 +08:00
stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
// JWT claim keys
expClaim = "exp"
subClaim = "sub"
always validate JWT token audience (#12797) audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
2021-07-27 10:40:15 +08:00
audClaim = "aud"
fix: allow audience claim to be an array (#12810) Some incorrect setups might have multiple audiences where they are trying to use a single authentication endpoint for multiple services. Nevertheless OpenID spec allows it to make it even more confusin for no good reason. > It MUST contain the OAuth 2.0 client_id of the > Relying Party as an audience value. It MAY also > contain identifiers for other audiences. In the > general case, the aud value is an array of case > sensitive strings. In the common special case > when there is one audience, the aud value MAY > be a single case sensitive string. fixes #12809
2021-07-28 09:37:51 +08:00
azpClaim = "azp"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
issClaim = "iss"
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
Add service account type in IAM (#9029)
2020-03-18 01:36:13 +08:00
// JWT claim to check the parent user
parentClaim = "parent"
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// LDAP claim keys
fix: ldap:username variable substitution in policies
2021-07-12 09:38:52 +08:00
ldapUser = "ldapUser"
ldapUserN = "ldapUsername"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
)
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-10 02:17:21 +08:00
func parseOpenIDParentUser(parentUser string) (userID string, err error) {
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
if strings.HasPrefix(parentUser, "openid:") {
tokens := strings.SplitN(strings.TrimPrefix(parentUser, "openid:"), ":", 2)
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-10 02:17:21 +08:00
if len(tokens) == 2 {
return tokens[0], nil
}
}
return "", errSkipFile
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// stsAPIHandlers implements and provides http handlers for AWS STS API.
type stsAPIHandlers struct{}
// registerSTSRouter - registers AWS STS compatible APIs.
func registerSTSRouter(router *mux.Router) {
// Initialize STS.
sts := &stsAPIHandlers{}
// STS Router
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-07 03:08:58 +08:00
stsRouter := router.NewRoute().PathPrefix(SlashSeparator).Subrouter()
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// Assume roles with no JWT, handles AssumeRole.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
authOk := wildcard.MatchSimple(signV4Algorithm+"*", r.Header.Get(xhttp.Authorization))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-24 06:55:41 +08:00
return ctypeOk && authOk && noQueries
}).HandlerFunc(httpTraceAll(sts.AssumeRole))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// Assume roles with JWT handler, handles both ClientGrants and WebIdentity.
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-24 06:55:41 +08:00
return ctypeOk && noQueries
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
}).HandlerFunc(httpTraceAll(sts.AssumeRoleWithSSO))
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// AssumeRoleWithClientGrants
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithClientGrants)).
Queries(stsAction, clientGrants).
Queries(stsVersion, stsAPIVersion).
Queries(stsToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
// AssumeRoleWithWebIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithWebIdentity)).
Queries(stsAction, webIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsWebIdentityToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// AssumeRoleWithLDAPIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithLDAPIdentity)).
Queries(stsAction, ldapIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsLDAPUsername, "{LDAPUsername:.*}").
Queries(stsLDAPPassword, "{LDAPPassword:.*}")
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
// AssumeRoleWithCertificate
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithCertificate)).
Queries(stsAction, clientCertificate).
Queries(stsVersion, stsAPIVersion)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
switch getRequestAuthType(r) {
default:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, true, ErrSTSAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
case authTypeSigned:
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
fix: remove all unused code (#12360)
2021-05-25 00:28:19 +08:00
if s3Err != ErrNone {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, false, STSErrorCode(s3Err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
user, _, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
fix: remove all unused code (#12360)
2021-05-25 00:28:19 +08:00
if s3Err != ErrNone {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, false, STSErrorCode(s3Err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, true, ErrSTSAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
}
// Session tokens are not allowed in STS AssumeRole requests.
if getSessionToken(r) != "" {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, true, ErrSTSAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
return user, true, ErrSTSNone
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
func parseForm(r *http.Request) error {
if err := r.ParseForm(); err != nil {
return err
}
for k, v := range r.PostForm {
if _, ok := r.Form[k]; !ok {
r.Form[k] = v
}
}
return nil
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// AssumeRole - implementation of AWS STS API AssumeRole to get temporary
// credentials for regular users on Minio.
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole")
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if stsErr != ErrSTSNone {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-05 02:58:19 +08:00
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get(stsVersion), stsAPIVersion))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
action := r.Form.Get(stsAction)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
switch action {
case assumeRole:
default:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
ctx = newContext(r, w, action)
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-27 05:21:51 +08:00
defer logger.AuditLog(ctx, w, r, nil)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy shouldn't exceed 2048 characters"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version cannot be empty expecting '2012-10-17'"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
var err error
m := make(map[string]interface{})
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
m[expClaim], err = openid.GetDefaultExpiration(r.Form.Get(stsDurationSeconds))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Add IAM groups support (#7981) This change adds admin APIs and IAM subsystem APIs to: - add or remove members to a group (group addition and deletion is implicit on add and remove) - enable/disable a group - list and fetch group info
2019-08-03 05:25:00 +08:00
policies, err := globalIAMSys.PolicyDBGet(user.AccessKey, false)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
policyName := strings.Join(policies, ",")
Add IAM groups support (#7981) This change adds admin APIs and IAM subsystem APIs to: - add or remove members to a group (group addition and deletion is implicit on add and remove) - enable/disable a group - list and fetch group info
2019-08-03 05:25:00 +08:00
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// This policy is the policy associated with the user
// requesting for temporary credentials. The temporary
// credentials will inherit the same policy requirements.
sa: Allow empty policy to indicate parent user's policy is inherited (#9185)
2020-03-24 05:17:18 +08:00
m[iamPolicyClaimNameOpenID()] = policyName
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
if len(sessionPolicyStr) > 0 {
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
secret := globalActiveCred.SecretKey
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
cred.ParentUser = user.AccessKey
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
// Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
return
}
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-10 02:39:42 +08:00
// Notify all other MinIO peers to reload temp users
Reload a specific user or policy on peers (#7705) Fixes #7587
2019-06-07 08:46:22 +08:00
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
assumeRoleResponse := &AssumeRoleResponse{
Result: AssumeRoleResult{
Credentials: cred,
},
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
assumeRoleResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
writeSuccessResponseXML(w, encodeResponse(assumeRoleResponse))
}
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleSSOCommon")
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
action := r.Form.Get(stsAction)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
switch action {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
case ldapIdentity:
sts.AssumeRoleWithLDAPIdentity(w, r)
return
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case clientGrants, webIdentity:
default:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
return
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
ctx = newContext(r, w, action)
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-27 05:21:51 +08:00
defer logger.AuditLog(ctx, w, r, nil)
Audit log claims from token (#6847)
2018-11-22 12:03:24 +08:00
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-05 01:35:33 +08:00
if globalOpenIDValidators == nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errServerNotInitialized)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-05 01:35:33 +08:00
v, err := globalOpenIDValidators.Get("jwt")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
token := r.Form.Get(stsToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
if token == "" {
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
token = r.Form.Get(stsWebIdentityToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-14 07:22:14 +08:00
accessToken := r.Form.Get(stsWebIdentityAccessToken)
m, err := v.Validate(token, accessToken, r.Form.Get(stsDurationSeconds))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
if err != nil {
switch err {
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-02 06:07:20 +08:00
case openid.ErrTokenExpired:
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
switch action {
case clientGrants:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSClientGrantsExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case webIdentity:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSWebIdentityExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
return
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
case auth.ErrInvalidDuration:
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
return
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
}
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
fix: allow audience claim to be an array (#12810) Some incorrect setups might have multiple audiences where they are trying to use a single authentication endpoint for multiple services. Nevertheless OpenID spec allows it to make it even more confusin for no good reason. > It MUST contain the OAuth 2.0 client_id of the > Relying Party as an audience value. It MAY also > contain identifiers for other audiences. In the > general case, the aud value is an array of case > sensitive strings. In the common special case > when there is one audience, the aud value MAY > be a single case sensitive string. fixes #12809
2021-07-28 09:37:51 +08:00
// REQUIRED. Audience(s) that this ID Token is intended for.
// It MUST contain the OAuth 2.0 client_id of the Relying Party
// as an audience value. It MAY also contain identifiers for
// other audiences. In the general case, the aud value is an
// array of case sensitive strings. In the common special case
// when there is one audience, the aud value MAY be a single
// case sensitive
audValues, ok := iampolicy.GetValuesFromClaims(m, audClaim)
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
return
}
if !audValues.Contains(globalOpenIDConfig.ClientID) {
// if audience claims is missing, look for "azp" claims.
// OPTIONAL. Authorized party - the party to which the ID
// Token was issued. If present, it MUST contain the OAuth
// 2.0 Client ID of this party. This Claim is only needed
// when the ID Token has a single audience value and that
// audience is different than the authorized party. It MAY
// be included even when the authorized party is the same
// as the sole audience. The azp value is a case sensitive
// string containing a StringOrURI value
azpValues, ok := iampolicy.GetValuesFromClaims(m, azpClaim)
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
return
}
if !azpValues.Contains(globalOpenIDConfig.ClientID) {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID"))
return
}
always validate JWT token audience (#12797) audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
2021-07-27 10:40:15 +08:00
}
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
var subFromToken string
if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string)
}
if subFromToken == "" {
always validate JWT token audience (#12797) audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
2021-07-27 10:40:15 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
var issFromToken string
if v, ok := m[issClaim]; ok {
issFromToken, _ = v.(string)
}
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
var policyName string
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
fix: enhance openid claim missing error (#12608) The error implies an expected claim is missing even when the claim is present. Added an additional error message to clarify the problem.
2021-07-01 08:11:23 +08:00
policies := strings.Join(policySet.ToSlice(), ",")
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
if ok {
fix: enhance openid claim missing error (#12608) The error implies an expected claim is missing even when the claim is present. Added an additional error message to clarify the problem.
2021-07-01 08:11:23 +08:00
policyName = globalIAMSys.CurrentPolicies(policies)
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
}
fix: enhance openid claim missing error (#12608) The error implies an expected claim is missing even when the claim is present. Added an additional error message to clarify the problem.
2021-07-01 08:11:23 +08:00
if globalPolicyOPA == nil {
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return
} else if policyName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
return
}
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-20 06:34:01 +08:00
}
m[iamPolicyClaimNameOpenID()] = policyName
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-21 06:28:33 +08:00
return
}
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
secret := globalActiveCred.SecretKey
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-30 04:01:42 +08:00
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
// claim is only considered stable when subject and iss are used together
// this is to ensure that ParentUser doesn't change and we get to use
// parentUser as per the requirements for service accounts for OpenID
// based logins.
fix: allow STS credentials with dynamic policies (#12681) - ParentUser for OIDC auth changed to `openid:` instead of `jwt:` to avoid clashes with variable substitution - Do not pass in random parents into IsAllowed() policy evaluation as it can change the behavior of looking for correct policies underneath. fixes #12676 fixes #12680
2021-07-12 08:39:52 +08:00
cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
// Set the newly generated credentials.
Add policy claim support for JWT (#6660) This way temporary credentials can use canned policies on the server without configuring OPA.
2018-10-30 02:08:59 +08:00
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
return
}
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-10 02:39:42 +08:00
// Notify all other MinIO peers to reload temp users
Reload a specific user or policy on peers (#7705) Fixes #7587
2019-06-07 08:46:22 +08:00
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
Migrate all Peer communication to common Notification subsystem (#7031) Deprecate the use of Admin Peers concept and migrate all peer communication to Notification subsystem. This finally allows for a common subsystem for all peer notification in case of distributed server deployments.
2019-01-14 14:44:20 +08:00
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-05 05:48:12 +08:00
}
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
var encodedSuccessResponse []byte
switch action {
case clientGrants:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
clientGrantsResponse := &AssumeRoleWithClientGrantsResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Result: ClientGrantsResult{
Credentials: cred,
SubjectFromToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
clientGrantsResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
encodedSuccessResponse = encodeResponse(clientGrantsResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
case webIdentity:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
webIdentityResponse := &AssumeRoleWithWebIdentityResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
Result: WebIdentityResult{
Credentials: cred,
SubjectFromWebIdentityToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 13:34:32 +08:00
webIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-28 09:46:55 +08:00
encodedSuccessResponse = encodeResponse(webIdentityResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-10 05:00:01 +08:00
writeSuccessResponseXML(w, encodedSuccessResponse)
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
// AssumeRoleWithWebIdentity - implementation of AWS STS API supporting OAuth2.0
// users from web identity provider such as Facebook, Google, or any OpenID
// Connect-compatible identity provider.
//
// Eg:-
// $ curl https://minio:9000/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithWebIdentity(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
// $ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 14:02:32 +08:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-06 07:47:11 +08:00
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// AssumeRoleWithLDAPIdentity - implements user auth against LDAP server
func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-27 05:21:51 +08:00
defer logger.AuditLog(ctx, w, r, nil, stsLDAPPassword)
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 13:43:01 +08:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter,
fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
ldapUsername := r.Form.Get(stsLDAPUsername)
ldapPassword := r.Form.Get(stsLDAPPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
if ldapUsername == "" || ldapPassword == "" {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 13:07:55 +08:00
action := r.Form.Get(stsAction)
switch action {
case ldapIdentity:
default:
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 21:27:54 +08:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version needs to be specified in session policy"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
return
}
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
ldapUserDN, groupDistNames, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
if err != nil {
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 13:54:32 +08:00
err = fmt.Errorf("LDAP server error: %w", err)
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
// Check if this user or their groups have a policy applied.
Converge PolicyDBGet functions in IAM (#11891)
2021-03-25 15:38:15 +08:00
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
allow OPA fallback for STS requests (#12568) fixes #12547
2021-06-25 03:00:06 +08:00
if len(ldapPolicies) == 0 && globalPolicyOPA == nil {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-24 06:15:51 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
return
}
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-23 03:13:21 +08:00
expiryDur, err := globalLDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
m := map[string]interface{}{
fix: ldap:username variable substitution in policies
2021-07-12 09:38:52 +08:00
expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUser: ldapUserDN,
ldapUserN: ldapUsername,
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
}
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-24 06:21:16 +08:00
if len(sessionPolicyStr) > 0 {
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
secret := globalActiveCred.SecretKey
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 13:54:32 +08:00
cred.ParentUser = ldapUserDN
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-21 02:33:35 +08:00
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-11 08:52:49 +08:00
cred.Groups = groupDistNames
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-21 02:33:35 +08:00
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-29 03:49:56 +08:00
// Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-22 00:09:18 +08:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
return
}
// Notify all other MinIO peers to reload temp users
for _, nerr := range globalNotificationSys.LoadUser(cred.AccessKey, true) {
if nerr.Err != nil {
logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
logger.LogIf(ctx, nerr.Err)
}
}
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-07 07:36:31 +08:00
// Call hook for cluster-replication.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
},
}); err != nil {
writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
return
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-10 07:12:29 +08:00
ldapIdentityResponse := &AssumeRoleWithLDAPResponse{
Result: LDAPIdentityResult{
Credentials: cred,
},
}
ldapIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
encodedSuccessResponse := encodeResponse(ldapIdentityResponse)
writeSuccessResponseXML(w, encodedSuccessResponse)
}
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
// AssumeRoleWithCertificate implements user authentication with client certificates.
// It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy
// and returns temp. S3 credentials to the client.
//
// API endpoint: https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15
func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *http.Request) {
var ctx = newContext(r, w, "AssumeRoleWithCertificate")
if !globalSTSTLSConfig.Enabled {
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
return
}
// We have to establish a TLS connection and the
// client must provide exactly one client certificate.
// Otherwise, we don't have a certificate to verify or
// the policy lookup would ambigious.
if r.TLS == nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInsecureConnection, errors.New("No TLS connection attempt"))
return
}
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-18 00:37:01 +08:00
// A client may send a certificate chain such that we end up
// with multiple peer certificates. However, we can only accept
// a single client certificate. Otherwise, the certificate to
// policy mapping would be ambigious.
// However, we can filter all CA certificates and only check
// whether they client has sent exactly one (non-CA) leaf certificate.
var peerCertificates = make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
for _, cert := range r.TLS.PeerCertificates {
if cert.IsCA {
continue
}
peerCertificates = append(peerCertificates, cert)
}
r.TLS.PeerCertificates = peerCertificates
// Now, we have to check that the client has provided exactly one leaf
// certificate that we can map to a policy.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
if len(r.TLS.PeerCertificates) == 0 {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("No client certificate provided"))
return
}
if len(r.TLS.PeerCertificates) > 1 {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("More than one client certificate provided"))
return
}
var certificate = r.TLS.PeerCertificates[0]
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-18 00:37:01 +08:00
if !globalSTSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
_, err := certificate.Verify(x509.VerifyOptions{
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
Roots: globalRootCAs,
})
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidClientCertificate, err)
return
}
}
// We map the X.509 subject common name to the policy. So, a client
// with the common name "foo" will be associated with the policy "foo".
// Other mapping functions - e.g. public-key hash based mapping - are
// possible but not implemented.
//
// Group mapping is not possible with standard X.509 certificates.
if certificate.Subject.CommonName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("certificate subject CN cannot be empty"))
return
}
expiry, err := globalSTSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
return
}
// We set the expiry of the temp. credentials to the minimum of the
// configured expiry and the duration until the certificate itself
// expires.
// We must not issue credentials that out-live the certificate.
if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
expiry = validUntil
}
// Associate any service accounts to the certificate CN
parentUser := "tls:" + certificate.Subject.CommonName
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
fix: disallow invalid x-amz-security-token for root credentials (#13388) * fix: disallow invalid x-amz-security-token for root credentials fixes #13335 This was a regression added in #12947 when this part of the code was refactored to avoid privilege issues with service accounts with session policy. Bonus: - fix: AssumeRoleWithCertificate policy mapping and reload AssumeRoleWithCertificate was not mapping to correct policies even after successfully generating keys, since the claims associated with this API were never looked up properly. Ensure that policies are set appropriately. - GetUser() API was not loading policies correctly based on AccessKey based mapping which is true with OpenID and AssumeRoleWithCertificate API.
2021-10-10 13:00:23 +08:00
expClaim: time.Now().UTC().Add(expiry).Unix(),
parentClaim: parentUser,
subClaim: certificate.Subject.CommonName,
audClaim: certificate.Subject.Organization,
issClaim: certificate.Issuer.CommonName,
iamPolicyClaimNameOpenID(): certificate.Subject.CommonName,
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-08 10:03:48 +08:00
}, globalActiveCred.SecretKey)
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return
}
tmpCredentials.ParentUser = parentUser
err = globalIAMSys.SetTempUser(tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName)
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return
}
var response = new(AssumeRoleWithCertificateResponse)
response.Result.Credentials = tmpCredentials
response.Metadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
writeSuccessResponseXML(w, encodeResponse(response))
}