minio/cmd/sts-handlers.go

/*
 * Minio Cloud Storage, (C) 2018 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"net/http"

	"github.com/gorilla/mux"
	"github.com/minio/minio/cmd/logger"
	"github.com/minio/minio/pkg/auth"
	"github.com/minio/minio/pkg/iam/validator"
)

const (
	// STS API version.
	stsAPIVersion = "2011-06-15"
)

// stsAPIHandlers implements and provides http handlers for AWS STS API.
type stsAPIHandlers struct{}

// registerSTSRouter - registers AWS STS compatible APIs.
func registerSTSRouter(router *mux.Router) {
	// Initialize STS.
	sts := &stsAPIHandlers{}

	// STS Router
	stsRouter := router.NewRoute().PathPrefix("/").Subrouter()

	// AssumeRoleWithClientGrants
	stsRouter.Methods("POST").HandlerFunc(httpTraceAll(sts.AssumeRoleWithClientGrants)).
		Queries("Action", "AssumeRoleWithClientGrants").
		Queries("Version", stsAPIVersion).
		Queries("Token", "{Token:.*}")

	// AssumeRoleWithWebIdentity
	stsRouter.Methods("POST").HandlerFunc(httpTraceAll(sts.AssumeRoleWithWebIdentity)).
		Queries("Action", "AssumeRoleWithWebIdentity").
		Queries("Version", stsAPIVersion).
		Queries("WebIdentityToken", "{Token:.*}")

}

// AssumeRoleWithWebIdentity - implementation of AWS STS API supporting OAuth2.0
// users from web identity provider such as Facebook, Google, or any OpenID
// Connect-compatible identity provider.
//
// Eg:-
//    $ curl https://minio:9000/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithWebIdentity(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "AssumeRoleWithWebIdentity")

	defer logger.AuditLog(w, r, "AssumeRoleWithWebIdentity", nil)

	if globalIAMValidators == nil {
		writeSTSErrorResponse(w, ErrSTSNotInitialized)
		return
	}

	// NOTE: this API only accepts JWT tokens.
	v, err := globalIAMValidators.Get("jwt")
	if err != nil {
		writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		return
	}

	vars := mux.Vars(r)
	m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
	if err != nil {
		switch err {
		case validator.ErrTokenExpired:
			writeSTSErrorResponse(w, ErrSTSWebIdentityExpiredToken)
		case validator.ErrInvalidDuration:
			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		default:
			logger.LogIf(ctx, err)
			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		}
		return
	}

	secret := globalServerConfig.GetCredential().SecretKey
	cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
	if err != nil {
		logger.LogIf(ctx, err)
		writeSTSErrorResponse(w, ErrSTSInternalError)
		return
	}

	// JWT has requested a custom claim with policy value set.
	// This is a Minio STS API specific value, this value should
	// be set and configured on your identity provider as part of
	// JWT custom claims.
	var policyName string
	if v, ok := m["policy"]; ok {
		policyName, _ = v.(string)
	}

	var subFromToken string
	if v, ok := m["sub"]; ok {
		subFromToken, _ = v.(string)
	}

	// Set the newly generated credentials.
	if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
		logger.LogIf(ctx, err)
		writeSTSErrorResponse(w, ErrSTSInternalError)
		return
	}

	// Notify all other Minio peers to reload temp users
	for _, nerr := range globalNotificationSys.LoadUsers() {
		if nerr.Err != nil {
			logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
			logger.LogIf(ctx, nerr.Err)
		}
	}

	encodedSuccessResponse := encodeResponse(&AssumeRoleWithWebIdentityResponse{
		Result: WebIdentityResult{
			Credentials:                 cred,
			SubjectFromWebIdentityToken: subFromToken,
		},
	})

	writeSuccessResponseXML(w, encodedSuccessResponse)
}

// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
//    $ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "AssumeRoleWithClientGrants")

	defer logger.AuditLog(w, r, "AssumeRoleWithClientGrants", nil)

	if globalIAMValidators == nil {
		writeSTSErrorResponse(w, ErrSTSNotInitialized)
		return
	}

	// NOTE: this API only accepts JWT tokens.
	v, err := globalIAMValidators.Get("jwt")
	if err != nil {
		writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		return
	}

	vars := mux.Vars(r)
	m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))
	if err != nil {
		switch err {
		case validator.ErrTokenExpired:
			writeSTSErrorResponse(w, ErrSTSClientGrantsExpiredToken)
		case validator.ErrInvalidDuration:
			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		default:
			logger.LogIf(ctx, err)
			writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)
		}
		return
	}

	secret := globalServerConfig.GetCredential().SecretKey
	cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
	if err != nil {
		logger.LogIf(ctx, err)
		writeSTSErrorResponse(w, ErrSTSInternalError)
		return
	}

	// JWT has requested a custom claim with policy value set.
	// This is a Minio STS API specific value, this value should
	// be set and configured on your identity provider as part of
	// JWT custom claims.
	var policyName string
	if v, ok := m["policy"]; ok {
		policyName, _ = v.(string)
	}

	var subFromToken string
	if v, ok := m["sub"]; ok {
		subFromToken, _ = v.(string)
	}

	// Set the newly generated credentials.
	if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
		logger.LogIf(ctx, err)
		writeSTSErrorResponse(w, ErrSTSInternalError)
		return
	}

	// Notify all other Minio peers to reload temp users
	for _, nerr := range globalNotificationSys.LoadUsers() {
		if nerr.Err != nil {
			logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())
			logger.LogIf(ctx, nerr.Err)
		}
	}

	encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{
		Result: ClientGrantsResult{
			Credentials:      cred,
			SubjectFromToken: subFromToken,
		},
	})

	writeSuccessResponseXML(w, encodedSuccessResponse)
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`/*`
			`* Minio Cloud Storage, (C) 2018 Minio, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"net/http"`

			`"github.com/gorilla/mux"`
			`"github.com/minio/minio/cmd/logger"`
			`"github.com/minio/minio/pkg/auth"`
			`"github.com/minio/minio/pkg/iam/validator"`
			`)`

			`const (`
			`// STS API version.`
			`stsAPIVersion = "2011-06-15"`
			`)`

			`// stsAPIHandlers implements and provides http handlers for AWS STS API.`
			`type stsAPIHandlers struct{}`

			`// registerSTSRouter - registers AWS STS compatible APIs.`
			`func registerSTSRouter(router *mux.Router) {`
			`// Initialize STS.`
			`sts := &stsAPIHandlers{}`

			`// STS Router`
			`stsRouter := router.NewRoute().PathPrefix("/").Subrouter()`

			`// AssumeRoleWithClientGrants`
			`stsRouter.Methods("POST").HandlerFunc(httpTraceAll(sts.AssumeRoleWithClientGrants)).`
			`Queries("Action", "AssumeRoleWithClientGrants").`
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`Queries("Version", stsAPIVersion).`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`Queries("Token", "{Token:.*}")`

Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`// AssumeRoleWithWebIdentity`
			`stsRouter.Methods("POST").HandlerFunc(httpTraceAll(sts.AssumeRoleWithWebIdentity)).`
			`Queries("Action", "AssumeRoleWithWebIdentity").`
			`Queries("Version", stsAPIVersion).`
			`Queries("WebIdentityToken", "{Token:.*}")`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00
			`}`

Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`// AssumeRoleWithWebIdentity - implementation of AWS STS API supporting OAuth2.0`
			`// users from web identity provider such as Facebook, Google, or any OpenID`
			`// Connect-compatible identity provider.`
			`//`
			`// Eg:-`
			`// $ curl https://minio:9000/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>`
			`func (sts stsAPIHandlers) AssumeRoleWithWebIdentity(w http.ResponseWriter, r http.Request) {`
			`ctx := newContext(r, w, "AssumeRoleWithWebIdentity")`

			`defer logger.AuditLog(w, r, "AssumeRoleWithWebIdentity", nil)`

			`if globalIAMValidators == nil {`
			`writeSTSErrorResponse(w, ErrSTSNotInitialized)`
			`return`
			`}`

			`// NOTE: this API only accepts JWT tokens.`
			`v, err := globalIAMValidators.Get("jwt")`
			`if err != nil {`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`return`
			`}`

			`vars := mux.Vars(r)`
			`m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))`
			`if err != nil {`
			`switch err {`
			`case validator.ErrTokenExpired:`
			`writeSTSErrorResponse(w, ErrSTSWebIdentityExpiredToken)`
			`case validator.ErrInvalidDuration:`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`default:`
			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`}`
			`return`
			`}`

			`secret := globalServerConfig.GetCredential().SecretKey`
			`cred, err := auth.GetNewCredentialsWithMetadata(m, secret)`
			`if err != nil {`
			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInternalError)`
			`return`
			`}`

			`// JWT has requested a custom claim with policy value set.`
			`// This is a Minio STS API specific value, this value should`
			`// be set and configured on your identity provider as part of`
			`// JWT custom claims.`
			`var policyName string`
			`if v, ok := m["policy"]; ok {`
			`policyName, _ = v.(string)`
			`}`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`var subFromToken string`
			`if v, ok := m["sub"]; ok {`
			`subFromToken, _ = v.(string)`
			`}`

			`// Set the newly generated credentials.`
			`if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {`
			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInternalError)`
			`return`
			`}`

			`// Notify all other Minio peers to reload temp users`
Migrate all Peer communication to common Notification subsystem (#7031) Deprecate the use of Admin Peers concept and migrate all peer communication to Notification subsystem. This finally allows for a common subsystem for all peer notification in case of distributed server deployments. 2019-01-14 07:44:20 +01:00			`for _, nerr := range globalNotificationSys.LoadUsers() {`
			`if nerr.Err != nil {`
			`logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())`
			`logger.LogIf(ctx, nerr.Err)`
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`}`
			`}`

			`encodedSuccessResponse := encodeResponse(&AssumeRoleWithWebIdentityResponse{`
			`Result: WebIdentityResult{`
			`Credentials: cred,`
			`SubjectFromWebIdentityToken: subFromToken,`
			`},`
			`})`

			`writeSuccessResponseXML(w, encodedSuccessResponse)`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`}`

			`// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting`
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`// OAuth2.0 client credential grants.`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`//`
			`// Eg:-`
			`// $ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>`
			`func (sts stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r http.Request) {`
			`ctx := newContext(r, w, "AssumeRoleWithClientGrants")`

Audit log claims from token (#6847) 2018-11-22 05:03:24 +01:00			`defer logger.AuditLog(w, r, "AssumeRoleWithClientGrants", nil)`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`if globalIAMValidators == nil {`
			`writeSTSErrorResponse(w, ErrSTSNotInitialized)`
			`return`
			`}`

			`// NOTE: this API only accepts JWT tokens.`
			`v, err := globalIAMValidators.Get("jwt")`
			`if err != nil {`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`return`
			`}`

			`vars := mux.Vars(r)`
			`m, err := v.Validate(vars["Token"], r.URL.Query().Get("DurationSeconds"))`
			`if err != nil {`
			`switch err {`
			`case validator.ErrTokenExpired:`
			`writeSTSErrorResponse(w, ErrSTSClientGrantsExpiredToken)`
			`case validator.ErrInvalidDuration:`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`default:`
			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInvalidParameterValue)`
			`}`
			`return`
			`}`

			`secret := globalServerConfig.GetCredential().SecretKey`
			`cred, err := auth.GetNewCredentialsWithMetadata(m, secret)`
			`if err != nil {`
			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInternalError)`
			`return`
			`}`

Add policy claim support for JWT (#6660) This way temporary credentials can use canned policies on the server without configuring OPA. 2018-10-29 19:08:59 +01:00			`// JWT has requested a custom claim with policy value set.`
			`// This is a Minio STS API specific value, this value should`
			`// be set and configured on your identity provider as part of`
			`// JWT custom claims.`
			`var policyName string`
			`if v, ok := m["policy"]; ok {`
			`policyName, _ = v.(string)`
			`}`

Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`var subFromToken string`
			`if v, ok := m["sub"]; ok {`
			`subFromToken, _ = v.(string)`
			`}`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`// Set the newly generated credentials.`
Add policy claim support for JWT (#6660) This way temporary credentials can use canned policies on the server without configuring OPA. 2018-10-29 19:08:59 +01:00			`if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`logger.LogIf(ctx, err)`
			`writeSTSErrorResponse(w, ErrSTSInternalError)`
			`return`
			`}`

Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`// Notify all other Minio peers to reload temp users`
Migrate all Peer communication to common Notification subsystem (#7031) Deprecate the use of Admin Peers concept and migrate all peer communication to Notification subsystem. This finally allows for a common subsystem for all peer notification in case of distributed server deployments. 2019-01-14 07:44:20 +01:00			`for _, nerr := range globalNotificationSys.LoadUsers() {`
			`if nerr.Err != nil {`
			`logger.GetReqInfo(ctx).SetTags("peerAddress", nerr.Host.String())`
			`logger.LogIf(ctx, nerr.Err)`
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`}`
			`}`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`encodedSuccessResponse := encodeResponse(&AssumeRoleWithClientGrantsResponse{`
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-04 22:48:12 +01:00			`Result: ClientGrantsResult{`
			`Credentials: cred,`
			`SubjectFromToken: subFromToken,`
			`},`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-09 23:00:01 +02:00			`})`

			`writeSuccessResponseXML(w, encodedSuccessResponse)`
			`}`