minio/docs/sts/client-grants.go

// +build ignore

/*
 * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"

	minio "github.com/minio/minio-go/v6"
	"github.com/minio/minio-go/v6/pkg/credentials"
)

// JWTToken - parses the output from IDP access token.
type JWTToken struct {
	AccessToken string `json:"access_token"`
	Expiry      int    `json:"expires_in"`
}

var (
	stsEndpoint  string
	idpEndpoint  string
	clientID     string
	clientSecret string
)

func init() {
	flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
	flag.StringVar(&idpEndpoint, "idp-ep", "https://localhost:9443/oauth2/token", "IDP endpoint")
	flag.StringVar(&clientID, "cid", "", "Client ID")
	flag.StringVar(&clientSecret, "csec", "", "Client secret")
}

func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
	data := url.Values{}
	data.Set("grant_type", "client_credentials")
	req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(data.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	t := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
		},
	}
	hclient := http.Client{
		Transport: t,
	}
	resp, err := hclient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s", resp.Status)
	}

	var idpToken JWTToken
	if err = json.NewDecoder(resp.Body).Decode(&idpToken); err != nil {
		return nil, err
	}

	return &credentials.ClientGrantsToken{Token: idpToken.AccessToken, Expiry: idpToken.Expiry}, nil
}

func main() {
	flag.Parse()
	if clientID == "" || clientSecret == "" {
		flag.PrintDefaults()
		return
	}

	sts, err := credentials.NewSTSClientGrants(stsEndpoint, getTokenExpiry)
	if err != nil {
		log.Fatal(err)
	}

	// Uncomment this to use MinIO API operations by initializing minio
	// client with obtained credentials.

	opts := &minio.Options{
		Creds:        sts,
		BucketLookup: minio.BucketLookupAuto,
	}

	u, err := url.Parse(stsEndpoint)
	if err != nil {
		log.Fatal(err)
	}

	clnt, err := minio.NewWithOptions(u.Host, opts)
	if err != nil {
		log.Fatal(err)
	}

	d := bytes.NewReader([]byte("Hello, World"))
	n, err := clnt.PutObject("my-bucketname", "my-objectname", d, d.Size(), minio.PutObjectOptions{})
	if err != nil {
		log.Fatalln(err)
	}

	log.Println("Uploaded", "my-objectname", " of size: ", n, "Successfully.")
}
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`// +build ignore`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`/*`
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-09 20:39:42 +02:00			`* MinIO Cloud Storage, (C) 2018 MinIO, Inc.`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package main`

			`import (`
			`"bytes"`
			`"crypto/tls"`
			`"encoding/json"`
			`"flag"`
			`"fmt"`
			`"log"`
			`"net/http"`
			`"net/url"`
			`"strings"`

Update go mod with sem versions of our libraries (#7687) 2019-05-30 01:35:12 +02:00			`minio "github.com/minio/minio-go/v6"`
			`"github.com/minio/minio-go/v6/pkg/credentials"`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`)`

			`// JWTToken - parses the output from IDP access token.`
			`type JWTToken struct {`
			AccessToken string `json:"access_token"`
			Expiry int `json:"expires_in"`
			`}`

			`var (`
			`stsEndpoint string`
			`idpEndpoint string`
			`clientID string`
			`clientSecret string`
			`)`

			`func init() {`
			`flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")`
			`flag.StringVar(&idpEndpoint, "idp-ep", "https://localhost:9443/oauth2/token", "IDP endpoint")`
			`flag.StringVar(&clientID, "cid", "", "Client ID")`
			`flag.StringVar(&clientSecret, "csec", "", "Client secret")`
			`}`

Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`func getTokenExpiry() (*credentials.ClientGrantsToken, error) {`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`data := url.Values{}`
			`data.Set("grant_type", "client_credentials")`
			`req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(data.Encode()))`
			`if err != nil {`
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`return nil, err`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`
			`req.Header.Set("Content-Type", "application/x-www-form-urlencoded")`
			`req.SetBasicAuth(clientID, clientSecret)`
			`t := &http.Transport{`
			`TLSClientConfig: &tls.Config{`
			`InsecureSkipVerify: true,`
			`},`
			`}`
			`hclient := http.Client{`
			`Transport: t,`
			`}`
			`resp, err := hclient.Do(req)`
			`if err != nil {`
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`return nil, err`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`
			`defer resp.Body.Close()`
			`if resp.StatusCode != http.StatusOK {`
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`return nil, fmt.Errorf("%s", resp.Status)`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`

			`var idpToken JWTToken`
			`if err = json.NewDecoder(resp.Body).Decode(&idpToken); err != nil {`
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`return nil, err`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`

Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`return &credentials.ClientGrantsToken{Token: idpToken.AccessToken, Expiry: idpToken.Expiry}, nil`
			`}`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`func main() {`
			`flag.Parse()`
			`if clientID == "" \|\| clientSecret == "" {`
			`flag.PrintDefaults()`
			`return`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`

Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`sts, err := credentials.NewSTSClientGrants(stsEndpoint, getTokenExpiry)`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`if err != nil {`
			`log.Fatal(err)`
			`}`

Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity 2019-09-24 00:21:16 +02:00			`// Uncomment this to use MinIO API operations by initializing minio`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`// client with obtained credentials.`

			`opts := &minio.Options{`
Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`Creds: sts,`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`BucketLookup: minio.BucketLookupAuto,`
			`}`

Vendorize all recent changes to minio-go (#7135) - Default support for S3 dualstack endpoints (IPv6 support) - Support granular policy conditionals in List operations - Support proxy cookies for stickiness 2019-01-23 14:52:09 +01:00			`u, err := url.Parse(stsEndpoint)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`clnt, err := minio.NewWithOptions(u.Host, opts)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`d := bytes.NewReader([]byte("Hello, World"))`
			`n, err := clnt.PutObject("my-bucketname", "my-objectname", d, d.Size(), minio.PutObjectOptions{})`
			`if err != nil {`
			`log.Fatalln(err)`
			`}`

			`log.Println("Uploaded", "my-objectname", " of size: ", n, "Successfully.")`
			`}`