minio/cmd/jwt.go

/*
 * Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"errors"
	"fmt"
	"net/http"
	"time"

	jwtgo "github.com/dgrijalva/jwt-go"
	jwtreq "github.com/dgrijalva/jwt-go/request"
)

const (
	jwtAlgorithm = "Bearer"

	// Default JWT token for web handlers is one day.
	defaultJWTExpiry = 24 * time.Hour

	// Inter-node JWT token expiry is 100 years approx.
	defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour

	// URL JWT token expiry is one minute (might be exposed).
	defaultURLJWTExpiry = time.Minute
)

var (
	errInvalidAccessKeyID   = errors.New("The access key ID you provided does not exist in our records")
	errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")
	errAuthentication       = errors.New("Authentication failed, check your access credentials")
	errNoAuthToken          = errors.New("JWT token missing")
)

func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
	passedCredential, err := createCredential(accessKey, secretKey)
	if err != nil {
		return "", err
	}

	serverCred := serverConfig.GetCredential()

	if serverCred.AccessKey != passedCredential.AccessKey {
		return "", errInvalidAccessKeyID
	}

	if !serverCred.Equal(passedCredential) {
		return "", errAuthentication
	}

	utcNow := UTCNow()
	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
		"exp": utcNow.Add(expiry).Unix(),
		"iat": utcNow.Unix(),
		"sub": accessKey,
	})

	return token.SignedString([]byte(serverCred.SecretKey))
}

func authenticateNode(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
}

func authenticateWeb(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
}

func authenticateURL(accessKey, secretKey string) (string, error) {
	return authenticateJWT(accessKey, secretKey, defaultURLJWTExpiry)
}

func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
	}

	return []byte(serverConfig.GetCredential().SecretKey), nil
}

func isAuthTokenValid(tokenString string) bool {
	jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)
	if err != nil {
		errorIf(err, "Unable to parse JWT token string")
		return false
	}

	return jwtToken.Valid
}

func isHTTPRequestValid(req *http.Request) bool {
	return webRequestAuthenticate(req) == nil
}

// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
func webRequestAuthenticate(req *http.Request) error {
	jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)
	if err != nil {
		if err == jwtreq.ErrNoTokenInRequest {
			return errNoAuthToken
		}
		return errAuthentication
	}

	if !jwtToken.Valid {
		return errAuthentication
	}
	return nil
}
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`/*`
Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`* Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"time"`

			`jwtgo "github.com/dgrijalva/jwt-go"`
			`jwtreq "github.com/dgrijalva/jwt-go/request"`
			`)`

			`const (`
			`jwtAlgorithm = "Bearer"`

			`// Default JWT token for web handlers is one day.`
			`defaultJWTExpiry = 24 * time.Hour`

			`// Inter-node JWT token expiry is 100 years approx.`
			`defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour`
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-24 21:46:37 +02:00
			`// URL JWT token expiry is one minute (might be exposed).`
			`defaultURLJWTExpiry = time.Minute`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`)`

Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 21:51:43 +01:00			`var (`
			`errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")`
			`errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")`
			`errAuthentication = errors.New("Authentication failed, check your access credentials")`
			`errNoAuthToken = errors.New("JWT token missing")`
			`)`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00
			`func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {`
Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`passedCredential, err := createCredential(accessKey, secretKey)`
			`if err != nil {`
			`return "", err`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

			`serverCred := serverConfig.GetCredential()`

Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`if serverCred.AccessKey != passedCredential.AccessKey {`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`return "", errInvalidAccessKeyID`
			`}`

Simplify credential usage. (#3893) 2017-03-16 08:16:06 +01:00			`if !serverCred.Equal(passedCredential) {`
			`return "", errAuthentication`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

Add UTCNow() function. (#3931) This patch adds UTCNow() function which returns current UTC time. This is equivalent of UTCNow() == time.Now().UTC() 2017-03-18 19:28:41 +01:00			`utcNow := UTCNow()`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{`
			`"exp": utcNow.Add(expiry).Unix(),`
			`"iat": utcNow.Unix(),`
			`"sub": accessKey,`
			`})`

			`return token.SignedString([]byte(serverCred.SecretKey))`
			`}`

			`func authenticateNode(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)`
			`}`

			`func authenticateWeb(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)`
			`}`

jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 2017-07-24 21:46:37 +02:00			`func authenticateURL(accessKey, secretKey string) (string, error) {`
			`return authenticateJWT(accessKey, secretKey, defaultURLJWTExpiry)`
			`}`

Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {`
			`if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])`
			`}`

			`return []byte(serverConfig.GetCredential().SecretKey), nil`
			`}`

			`func isAuthTokenValid(tokenString string) bool {`
			`jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)`
			`if err != nil {`
			`errorIf(err, "Unable to parse JWT token string")`
			`return false`
			`}`

			`return jwtToken.Valid`
			`}`

			`func isHTTPRequestValid(req *http.Request) bool {`
Require content-length in POST & Upload requests (#3671) Avoid passing size = -1 to PutObject API by requiring content-length header in POST request (as AWS S3 does) and in Upload web handler. Post handler is modified to completely store multipart file to know its size before sending it to PutObject(). 2017-02-02 19:45:00 +01:00			`return webRequestAuthenticate(req) == nil`
browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`}`

			`// Check if the request is authenticated.`
			`// Returns nil if the request is authenticated. errNoAuthToken if token missing.`
			`// Returns errAuthentication for all other errors.`
Require content-length in POST & Upload requests (#3671) Avoid passing size = -1 to PutObject API by requiring content-length header in POST request (as AWS S3 does) and in Upload web handler. Post handler is modified to completely store multipart file to know its size before sending it to PutObject(). 2017-02-02 19:45:00 +01:00			`func webRequestAuthenticate(req *http.Request) error {`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)`
			`if err != nil {`
browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`if err == jwtreq.ErrNoTokenInRequest {`
			`return errNoAuthToken`
			`}`
			`return errAuthentication`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`

browser: Allow anonymous browsing of readable buckets. (#3515) 2017-01-11 22:26:42 +01:00			`if !jwtToken.Valid {`
			`return errAuthentication`
			`}`
			`return nil`
Have simpler JWT authentication. (#3501) 2016-12-27 17:28:10 +01:00			`}`