minio/cmd/jwt.go

/*
 * Minio Cloud Storage, (C) 2016 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"

	jwtgo "github.com/dgrijalva/jwt-go"
	jwtreq "github.com/dgrijalva/jwt-go/request"
	"golang.org/x/crypto/bcrypt"
)

const (
	jwtAlgorithm = "Bearer"

	// Default JWT token for web handlers is one day.
	defaultJWTExpiry = 24 * time.Hour

	// Inter-node JWT token expiry is 100 years approx.
	defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
)

var errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
var errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")

var errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
var errAuthentication = errors.New("Authentication failed, check your access credentials")

func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
	// Trim spaces.
	accessKey = strings.TrimSpace(accessKey)

	if !isAccessKeyValid(accessKey) {
		return "", errInvalidAccessKeyLength
	}
	if !isSecretKeyValid(secretKey) {
		return "", errInvalidSecretKeyLength
	}

	serverCred := serverConfig.GetCredential()

	// Validate access key.
	if accessKey != serverCred.AccessKey {
		return "", errInvalidAccessKeyID
	}

	// Validate secret key.
	// Using bcrypt to avoid timing attacks.
	hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(serverCred.SecretKey), bcrypt.DefaultCost)
	if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil {
		return "", errAuthentication
	}

	utcNow := time.Now().UTC()
	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
		"exp": utcNow.Add(expiry).Unix(),
		"iat": utcNow.Unix(),
		"sub": accessKey,
	})

	return token.SignedString([]byte(serverCred.SecretKey))
}

func authenticateNode(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
}

func authenticateWeb(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
}

func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
	}

	return []byte(serverConfig.GetCredential().SecretKey), nil
}

func isAuthTokenValid(tokenString string) bool {
	jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)
	if err != nil {
		errorIf(err, "Unable to parse JWT token string")
		return false
	}

	return jwtToken.Valid
}

func isHTTPRequestValid(req *http.Request) bool {
	jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)
	if err != nil {
		errorIf(err, "Unable to parse JWT token string")
		return false
	}

	return jwtToken.Valid
}
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`/*`
			`* Minio Cloud Storage, (C) 2016 Minio, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"strings"`
			`"time"`

			`jwtgo "github.com/dgrijalva/jwt-go"`
			`jwtreq "github.com/dgrijalva/jwt-go/request"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`const (`
			`jwtAlgorithm = "Bearer"`

			`// Default JWT token for web handlers is one day.`
			`defaultJWTExpiry = 24 * time.Hour`

			`// Inter-node JWT token expiry is 100 years approx.`
			`defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour`
			`)`

			`var errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")`
			`var errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")`

			`var errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")`
			`var errAuthentication = errors.New("Authentication failed, check your access credentials")`

			`func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {`
			`// Trim spaces.`
			`accessKey = strings.TrimSpace(accessKey)`

			`if !isAccessKeyValid(accessKey) {`
			`return "", errInvalidAccessKeyLength`
			`}`
			`if !isSecretKeyValid(secretKey) {`
			`return "", errInvalidSecretKeyLength`
			`}`

			`serverCred := serverConfig.GetCredential()`

			`// Validate access key.`
			`if accessKey != serverCred.AccessKey {`
			`return "", errInvalidAccessKeyID`
			`}`

			`// Validate secret key.`
			`// Using bcrypt to avoid timing attacks.`
			`hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(serverCred.SecretKey), bcrypt.DefaultCost)`
			`if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil {`
			`return "", errAuthentication`
			`}`

			`utcNow := time.Now().UTC()`
			`token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{`
			`"exp": utcNow.Add(expiry).Unix(),`
			`"iat": utcNow.Unix(),`
			`"sub": accessKey,`
			`})`

			`return token.SignedString([]byte(serverCred.SecretKey))`
			`}`

			`func authenticateNode(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)`
			`}`

			`func authenticateWeb(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)`
			`}`

			`func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {`
			`if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])`
			`}`

			`return []byte(serverConfig.GetCredential().SecretKey), nil`
			`}`

			`func isAuthTokenValid(tokenString string) bool {`
			`jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)`
			`if err != nil {`
			`errorIf(err, "Unable to parse JWT token string")`
			`return false`
			`}`

			`return jwtToken.Valid`
			`}`

			`func isHTTPRequestValid(req *http.Request) bool {`
			`jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)`
			`if err != nil {`
			`errorIf(err, "Unable to parse JWT token string")`
			`return false`
			`}`

			`return jwtToken.Valid`
			`}`