maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/jwt.go

224 lines
6.4 KiB
Go
Raw Normal View History

Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
/*
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-09 20:39:42 +02:00
* MinIO Cloud Storage, (C) 2016, 2017 MinIO, Inc.
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"context"
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
"errors"
"fmt"
"net/http"
"time"
jwtgo "github.com/dgrijalva/jwt-go"
jwtreq "github.com/dgrijalva/jwt-go/request"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"github.com/minio/minio/cmd/logger"
move credentials as separate package (#5115)
2017-10-31 19:54:32 +01:00
"github.com/minio/minio/pkg/auth"
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
)
const (
jwtAlgorithm = "Bearer"
// Default JWT token for web handlers is one day.
defaultJWTExpiry = 24 * time.Hour
// Inter-node JWT token expiry is 100 years approx.
defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 21:46:37 +02:00
// URL JWT token expiry is one minute (might be exposed).
defaultURLJWTExpiry = time.Minute
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
)
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 21:51:43 +01:00
var (
errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")
errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing")
allow users to change password through browser (#7683) Allow IAM users to change the password using browser UI.
2019-05-29 22:18:46 +02:00
errIncorrectCreds = errors.New("Current access key or secret key is incorrect")
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
2017-02-07 21:51:43 +01:00
)
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
Fix browser login with multi users (#6644)
2018-10-17 03:44:58 +02:00
func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {
passedCredential, err := auth.CreateCredentials(accessKey, secretKey)
if err != nil {
return "", err
}
serverCred := globalServerConfig.GetCredential()
if serverCred.AccessKey != passedCredential.AccessKey {
var ok bool
serverCred, ok = globalIAMSys.GetUser(accessKey)
if !ok {
return "", errInvalidAccessKeyID
}
}
if !serverCred.Equal(passedCredential) {
return "", errAuthentication
}
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
ExpiresAt: UTCNow().Add(expiry).Unix(),
Subject: accessKey,
})
return jwt.SignedString([]byte(serverCred.SecretKey))
}
func authenticateJWTAdmin(accessKey, secretKey string, expiry time.Duration) (string, error) {
move credentials as separate package (#5115)
2017-10-31 19:54:32 +01:00
passedCredential, err := auth.CreateCredentials(accessKey, secretKey)
Simplify credential usage. (#3893)
2017-03-16 08:16:06 +01:00
if err != nil {
return "", err
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ```
2017-11-29 22:12:47 +01:00
serverCred := globalServerConfig.GetCredential()
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
Simplify credential usage. (#3893)
2017-03-16 08:16:06 +01:00
if serverCred.AccessKey != passedCredential.AccessKey {
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
return "", errInvalidAccessKeyID
}
Simplify credential usage. (#3893)
2017-03-16 08:16:06 +01:00
if !serverCred.Equal(passedCredential) {
return "", errAuthentication
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
Remove requirement for issued at JWT claims (#5364) Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed || utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237
2018-01-10 19:34:00 +01:00
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
ExpiresAt: UTCNow().Add(expiry).Unix(),
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-19 21:37:56 +02:00
Subject: accessKey,
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
})
Remove requirement for issued at JWT claims (#5364) Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed || utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237
2018-01-10 19:34:00 +01:00
return jwt.SignedString([]byte(serverCred.SecretKey))
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
func authenticateNode(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-17 03:44:58 +02:00
return authenticateJWTAdmin(accessKey, secretKey, defaultInterNodeJWTExpiry)
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
func authenticateWeb(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-17 03:44:58 +02:00
return authenticateJWTUsers(accessKey, secretKey, defaultJWTExpiry)
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 21:46:37 +02:00
func authenticateURL(accessKey, secretKey string) (string, error) {
Fix browser login with multi users (#6644)
2018-10-17 03:44:58 +02:00
return authenticateJWTUsers(accessKey, secretKey, defaultURLJWTExpiry)
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2017-07-24 21:46:37 +02:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
// Callback function used for parsing
func webTokenCallback(jwtToken *jwtgo.Token) (interface{}, error) {
if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
}
if err := jwtToken.Claims.Valid(); err != nil {
return nil, errAuthentication
}
if claims, ok := jwtToken.Claims.(*jwtgo.StandardClaims); ok {
if claims.Subject == globalServerConfig.GetCredential().AccessKey {
return []byte(globalServerConfig.GetCredential().SecretKey), nil
}
if globalIAMSys == nil {
return nil, errInvalidAccessKeyID
}
cred, ok := globalIAMSys.GetUser(claims.Subject)
if !ok {
return nil, errInvalidAccessKeyID
}
return []byte(cred.SecretKey), nil
Do not attempt to generate URLToken for anonymous downloads (#5078) This is a regression since last release - fixes #5076
2017-10-18 07:44:27 +02:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return nil, errAuthentication
}
func parseJWTWithClaims(tokenString string, claims jwtgo.Claims) (*jwtgo.Token, error) {
p := &jwtgo.Parser{
SkipClaimsValidation: true,
}
jwtToken, err := p.ParseWithClaims(tokenString, claims, webTokenCallback)
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
if err != nil {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
switch e := err.(type) {
case *jwtgo.ValidationError:
if e.Inner == nil {
return nil, errAuthentication
}
return nil, e.Inner
}
return nil, errAuthentication
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
return jwtToken, nil
}
func isAuthTokenValid(token string) bool {
_, _, err := webTokenAuthenticate(token)
return err == nil
}
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
func webTokenAuthenticate(token string) (standardClaims, bool, error) {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
var claims = jwtgo.StandardClaims{}
if token == "" {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, errNoAuthToken
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-19 21:37:56 +02:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
jwtToken, err := parseJWTWithClaims(token, &claims)
if err != nil {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, err
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
}
if !jwtToken.Valid {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, errAuthentication
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
}
owner := claims.Subject == globalServerConfig.GetCredential().AccessKey
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, owner, nil
}
// jwt standardClaims
type standardClaims struct {
jwtgo.StandardClaims
}
func (s standardClaims) Map() map[string]interface{} {
m := make(map[string]interface{})
m["sub"] = s.Subject
m["iss"] = s.Issuer
m["aud"] = s.Audience
m["jti"] = s.Id
return m
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 22:26:42 +01:00
// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
func webRequestAuthenticate(req *http.Request) (standardClaims, bool, error) {
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
var claims = jwtgo.StandardClaims{}
tokStr, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
if err != nil {
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 22:26:42 +01:00
if err == jwtreq.ErrNoTokenInRequest {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, errNoAuthToken
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 22:26:42 +01:00
}
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, err
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-19 21:37:56 +02:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
jwtToken, err := parseJWTWithClaims(tokStr, &claims)
if err != nil {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, err
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network.
2017-09-19 21:37:56 +02:00
}
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 22:26:42 +01:00
if !jwtToken.Valid {
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, false, errAuthentication
browser: Allow anonymous browsing of readable buckets. (#3515)
2017-01-11 22:26:42 +01:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 23:00:01 +02:00
owner := claims.Subject == globalServerConfig.GetCredential().AccessKey
Add support for {jwt:sub} substitutions for policies (#8393) Fixes #8345
2019-10-16 17:59:59 +02:00
return standardClaims{claims}, owner, nil
Have simpler JWT authentication. (#3501)
2016-12-27 17:28:10 +01:00
}
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 10:51:56 +02:00
func newAuthToken() string {
cred := globalServerConfig.GetCredential()
token, err := authenticateNode(cred.AccessKey, cred.SecretKey)
logger.CriticalIf(context.Background(), err)
return token
}
Reference in a new issue Copy permalink