minio/cmd/jwt.go

/*
 * Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"time"

	jwtgo "github.com/dgrijalva/jwt-go"
	jwtreq "github.com/dgrijalva/jwt-go/request"
	"github.com/minio/minio/cmd/logger"
	"github.com/minio/minio/pkg/auth"
)

const (
	jwtAlgorithm = "Bearer"

	// Default JWT token for web handlers is one day.
	defaultJWTExpiry = 24 * time.Hour

	// Inter-node JWT token expiry is 100 years approx.
	defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour

	// URL JWT token expiry is one minute (might be exposed).
	defaultURLJWTExpiry = time.Minute
)

var (
	errInvalidAccessKeyID   = errors.New("The access key ID you provided does not exist in our records")
	errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")
	errAuthentication       = errors.New("Authentication failed, check your access credentials")
	errNoAuthToken          = errors.New("JWT token missing")
)

func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
	passedCredential, err := auth.CreateCredentials(accessKey, secretKey)
	if err != nil {
		return "", err
	}

	serverCred := globalServerConfig.GetCredential()

	if serverCred.AccessKey != passedCredential.AccessKey {
		return "", errInvalidAccessKeyID
	}

	if !serverCred.Equal(passedCredential) {
		return "", errAuthentication
	}

	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{
		ExpiresAt: UTCNow().Add(expiry).Unix(),
		Subject:   accessKey,
	})
	return jwt.SignedString([]byte(serverCred.SecretKey))
}

func authenticateNode(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
}

func authenticateWeb(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
}

func authenticateURL(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultURLJWTExpiry)
}

func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
	}

	return []byte(globalServerConfig.GetCredential().SecretKey), nil
}

func isAuthTokenValid(tokenString string) bool {
	if tokenString == "" {
		return false
	}
	var claims jwtgo.StandardClaims
	jwtToken, err := jwtgo.ParseWithClaims(tokenString, &claims, keyFuncCallback)
	if err != nil {
		logger.LogIf(context.Background(), err)
		return false
	}
	if err = claims.Valid(); err != nil {
		logger.LogIf(context.Background(), err)
		return false
	}
	return jwtToken.Valid && claims.Subject == globalServerConfig.GetCredential().AccessKey
}

func isHTTPRequestValid(req *http.Request) bool {
	return webRequestAuthenticate(req) == nil
}

// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
func webRequestAuthenticate(req *http.Request) error {
	var claims jwtgo.StandardClaims
	jwtToken, err := jwtreq.ParseFromRequestWithClaims(req, jwtreq.AuthorizationHeaderExtractor, &claims, keyFuncCallback)
	if err != nil {
		if err == jwtreq.ErrNoTokenInRequest {
			return errNoAuthToken
		}
		return errAuthentication
	}
	if err = claims.Valid(); err != nil {
		return errAuthentication
	}
	if claims.Subject != globalServerConfig.GetCredential().AccessKey {
		return errInvalidAccessKeyID
	}
	if !jwtToken.Valid {
		return errAuthentication
	}
	return nil
}
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`/*`
Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`* Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf 2018-04-06 00:04:40 +02:00			`"context"`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`"errors"`
			`"fmt"`
			`"net/http"`
			`"time"`

			`jwtgo "github.com/dgrijalva/jwt-go"`
			`jwtreq "github.com/dgrijalva/jwt-go/request"`
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf 2018-04-06 00:04:40 +02:00			`"github.com/minio/minio/cmd/logger"`
move credentials as separate package (#5115) 2017-10-31 19:54:32 +01:00			`"github.com/minio/minio/pkg/auth"`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`)`

			`const (`
			`jwtAlgorithm = "Bearer"`

			`// Default JWT token for web handlers is one day.`
			`defaultJWTExpiry = 24 * time.Hour`

			`// Inter-node JWT token expiry is 100 years approx.`
			`defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour`
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-24 21:46:37 +02:00
			`// URL JWT token expiry is one minute (might be exposed).`
			`defaultURLJWTExpiry = time.Minute`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`)`

Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 21:51:43 +01:00			`var (`
			`errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")`
			`errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")`
			`errAuthentication = errors.New("Authentication failed, check your access credentials")`
			`errNoAuthToken = errors.New("JWT token missing")`
			`)`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00
			`func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {`
move credentials as separate package (#5115) 2017-10-31 19:54:32 +01:00			`passedCredential, err := auth.CreateCredentials(accessKey, secretKey)`
Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`if err != nil {`
			`return "", err`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ``` 2017-11-29 22:12:47 +01:00			`serverCred := globalServerConfig.GetCredential()`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00
Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`if serverCred.AccessKey != passedCredential.AccessKey {`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`return "", errInvalidAccessKeyID`
			`}`

Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`if !serverCred.Equal(passedCredential) {`
			`return "", errAuthentication`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

Remove requirement for issued at JWT claims (#5364) Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed \|\| utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237 2018-01-10 19:34:00 +01:00			`jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.StandardClaims{`
			`ExpiresAt: UTCNow().Add(expiry).Unix(),`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`Subject: accessKey,`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`})`
Remove requirement for issued at JWT claims (#5364) Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed \|\| utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237 2018-01-10 19:34:00 +01:00			`return jwt.SignedString([]byte(serverCred.SecretKey))`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

			`func authenticateNode(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)`
			`}`

			`func authenticateWeb(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)`
			`}`

jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-24 21:46:37 +02:00			`func authenticateURL(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultURLJWTExpiry)`
			`}`

Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {`
			`if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])`
			`}`

Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ``` 2017-11-29 22:12:47 +01:00			`return []byte(globalServerConfig.GetCredential().SecretKey), nil`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

			`func isAuthTokenValid(tokenString string) bool {`
Do not attempt to generate URLToken for anonymous downloads (#5078) This is a regression since last release - fixes #5076 2017-10-18 07:44:27 +02:00			`if tokenString == "" {`
			`return false`
			`}`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`var claims jwtgo.StandardClaims`
			`jwtToken, err := jwtgo.ParseWithClaims(tokenString, &claims, keyFuncCallback)`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`if err != nil {`
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf 2018-04-06 00:04:40 +02:00			`logger.LogIf(context.Background(), err)`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`return false`
			`}`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`if err = claims.Valid(); err != nil {`
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf 2018-04-06 00:04:40 +02:00			`logger.LogIf(context.Background(), err)`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`return false`
			`}`
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ``` 2017-11-29 22:12:47 +01:00			`return jwtToken.Valid && claims.Subject == globalServerConfig.GetCredential().AccessKey`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

			`func isHTTPRequestValid(req *http.Request) bool {`
Require content-length in POST & Upload requests (#3671) Avoid passing size = -1 to PutObject API by requiring content-length header in POST request (as AWS S3 does) and in Upload web handler. Post handler is modified to completely store multipart file to know its size before sending it to PutObject(). 2017-02-02 19:45:00 +01:00			`return webRequestAuthenticate(req) == nil`
browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`}`

			`// Check if the request is authenticated.`
			`// Returns nil if the request is authenticated. errNoAuthToken if token missing.`
			`// Returns errAuthentication for all other errors.`
Require content-length in POST & Upload requests (#3671) Avoid passing size = -1 to PutObject API by requiring content-length header in POST request (as AWS S3 does) and in Upload web handler. Post handler is modified to completely store multipart file to know its size before sending it to PutObject(). 2017-02-02 19:45:00 +01:00			`func webRequestAuthenticate(req *http.Request) error {`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`var claims jwtgo.StandardClaims`
			`jwtToken, err := jwtreq.ParseFromRequestWithClaims(req, jwtreq.AuthorizationHeaderExtractor, &claims, keyFuncCallback)`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`if err != nil {`
browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`if err == jwtreq.ErrNoTokenInRequest {`
			`return errNoAuthToken`
			`}`
			`return errAuthentication`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`if err = claims.Valid(); err != nil {`
Remove requirement for issued at JWT claims (#5364) Remove the requirement for IssuedAt claims from JWT for now, since we do not currently have a way to provide a leeway window for validating the claims. Expiry does the same checks as IssuedAt with an expiry window. We do not need it right now since we have clock skew check in our RPC layer to handle this correctly. rpc-common.go ``` func isRequestTimeAllowed(requestTime time.Time) bool { // Check whether request time is within acceptable skew time. utcNow := UTCNow() return !(requestTime.Sub(utcNow) > rpcSkewTimeAllowed \|\| utcNow.Sub(requestTime) > rpcSkewTimeAllowed) } ``` Once the PR upstream is merged https://github.com/dgrijalva/jwt-go/pull/139 We can bring in support for leeway later. Fixes #5237 2018-01-10 19:34:00 +01:00			`return errAuthentication`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`}`
Simplify the steps to make changes to config.json (#5186) This change introduces following simplified steps to follow during config migration. ``` // Steps to move from version N to version N+1 // 1. Add new struct serverConfigVN+1 in config-versions.go // 2. Set configCurrentVersion to "N+1" // 3. Set serverConfigCurrent to serverConfigVN+1 // 4. Add new migration function (ex. func migrateVNToVN+1()) in config-migrate.go // 5. Call migrateVNToVN+1() from migrateConfig() in config-migrate.go // 6. Make changes in config-current_test.go for any test change ``` 2017-11-29 22:12:47 +01:00			`if claims.Subject != globalServerConfig.GetCredential().AccessKey {`
[security] rpc: Do not transfer access/secret key. (#4857) This is an improvement upon existing implementation by avoiding transfer of access and secret keys over the network. This change only exchanges JWT tokens generated by an rpc client. Even if the JWT can be traced over the network on a non-TLS connection, this change makes sure that we never really expose the secret key over the network. 2017-09-19 21:37:56 +02:00			`return errInvalidAccessKeyID`
			`}`
browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`if !jwtToken.Valid {`
			`return errAuthentication`
			`}`
			`return nil`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`