maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Rename iam/validator -> iam/openid and add tests (#8340)

Browse source 
Refactor as part of config migration
This commit is contained in:
Harshavardhana 2019-10-01 15:07:20 -07:00 committed by kannappanr
parent ff5bf51952
commit fb1374f2f7
12 changed files with 69 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
cmd/config-current.go
View file

@ -30,8 +30,8 @@ import (
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event"
"github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
xnet "github.com/minio/minio/pkg/net"
)
@ -571,7 +571,7 @@ func (s *serverConfig) loadToCachedConfigs() {
"Unable to populate public key from JWKS URL %s", s.OpenID.JWKS.URL)
}
globalIAMValidators = getAuthValidators(s)
globalIAMValidators = getOpenIDValidators(s)
if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" {
opaArgs := iampolicy.OpaArgs{
@ -638,15 +638,15 @@ func loadConfig(objAPI ObjectLayer) error {
return nil
}
// getAuthValidators - returns ValidatorList which contains
// getOpenIDValidators - returns ValidatorList which contains
// enabled providers in server config.
// A new authentication provider is added like below
// * Add a new provider in pkg/iam/validator package.
func getAuthValidators(config *serverConfig) *validator.Validators {
validators := validator.NewValidators()
// * Add a new provider in pkg/iam/openid package.
func getOpenIDValidators(config *serverConfig) *openid.Validators {
validators := openid.NewValidators()
if config.OpenID.JWKS.URL != nil {
validators.Add(validator.NewJWT(config.OpenID.JWKS))
validators.Add(openid.NewJWT(config.OpenID.JWKS))
}
return validators

4
cmd/config-migrate.go
View file

@ -29,8 +29,8 @@ import (
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event"
"github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
xnet "github.com/minio/minio/pkg/net"
"github.com/minio/minio/pkg/quick"
)
@ -2654,7 +2654,7 @@ func migrateV30ToV31MinioSys(objAPI ObjectLayer) error {
}
cfg.Version = "31"
cfg.OpenID.JWKS = validator.JWKSArgs{
cfg.OpenID.JWKS = openid.JWKSArgs{
URL: &xnet.URL{},
}
cfg.Policy.OPA = iampolicy.OpaArgs{

8
cmd/config-versions.go
View file

@ -22,8 +22,8 @@ import (
"github.com/minio/minio/cmd/crypto"
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/quick"
)
@ -817,7 +817,7 @@ type serverConfigV31 struct {
// OpenID configuration
OpenID struct {
// JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"`
JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"`
// External policy enforcements.
@ -872,7 +872,7 @@ type serverConfigV32 struct {
// OpenID configuration
OpenID struct {
// JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"`
JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"`
// External policy enforcements.
@ -916,7 +916,7 @@ type serverConfigV33 struct {
// OpenID configuration
OpenID struct {
// JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"`
JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"`
// External policy enforcements.

4
cmd/globals.go
View file

@ -33,8 +33,8 @@ import (
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/certs"
"github.com/minio/minio/pkg/dns"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/pubsub"
)
@ -269,7 +269,7 @@ var (
standardExcludeCompressContentTypes = []string{"video/*", "audio/*", "application/zip", "application/x-gzip", "application/x-zip-compressed", " application/x-compress", "application/x-spoon"}
// Authorization validators list.
globalIAMValidators *validator.Validators
globalIAMValidators *openid.Validators
// OPA policy system.
globalPolicyOPA *iampolicy.Opa

3
cmd/signature-v4-utils_test.go
View file

@ -17,9 +17,10 @@
package cmd
import (
"github.com/minio/minio/cmd/crypto"
"net/http"
"testing"
"github.com/minio/minio/cmd/crypto"
)
// TestSkipContentSha256Cksum - Test validate the logic which decides whether

8
cmd/sts-handlers.go
View file

@ -27,8 +27,8 @@ import (
xhttp "github.com/minio/minio/cmd/http"
"github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/wildcard"
ldap "gopkg.in/ldap.v3"
)
@ -181,7 +181,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
var err error
m := make(map[string]interface{})
m["exp"], err = validator.GetDefaultExpiration(r.Form.Get("DurationSeconds"))
m["exp"], err = openid.GetDefaultExpiration(r.Form.Get("DurationSeconds"))
if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
return
@ -282,7 +282,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
m, err := v.Validate(token, r.Form.Get("DurationSeconds"))
if err != nil {
switch err {
case validator.ErrTokenExpired:
case openid.ErrTokenExpired:
switch action {
case clientGrants:
writeSTSErrorResponse(ctx, w, ErrSTSClientGrantsExpiredToken, err)
@ -290,7 +290,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
writeSTSErrorResponse(ctx, w, ErrSTSWebIdentityExpiredToken, err)
}
return
case validator.ErrInvalidDuration:
case openid.ErrInvalidDuration:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
return
}

2
pkg/iam/validator/jwks.go → pkg/iam/openid/jwks.go
View file

@ -14,7 +14,7 @@
* limitations under the License.
*/
package validator
package openid
import (
"crypto"

2
pkg/iam/validator/jwks_test.go → pkg/iam/openid/jwks_test.go
View file

@ -14,7 +14,7 @@
* limitations under the License.
*/
package validator
package openid
import (
"bytes"

2
pkg/iam/validator/jwt.go → pkg/iam/openid/jwt.go
View file

@ -14,7 +14,7 @@
* limitations under the License.
*/
package validator
package openid
import (
"crypto"

2
pkg/iam/validator/jwt_test.go → pkg/iam/openid/jwt_test.go
View file

@ -14,7 +14,7 @@
* limitations under the License.
*/
package validator
package openid
import (
"crypto"

2
pkg/iam/validator/validators.go → pkg/iam/openid/validators.go
View file

@ -14,7 +14,7 @@
* limitations under the License.
*/
package validator
package openid
import (
"errors"

46
pkg/iam/validator/validators_test.go → pkg/iam/openid/validators_test.go
View file

@ -14,10 +14,14 @@
* limitations under the License.
*/
package validator
package openid
import (
"net/http"
"net/http/httptest"
"testing"
xnet "github.com/minio/minio/pkg/net"
)
type errorValidator struct{}
@ -31,7 +35,32 @@ func (e errorValidator) ID() ID {
}
func TestValidators(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
w.Write([]byte(`{
"keys" : [ {
"kty" : "RSA",
"kid" : "1438289820780",
"use" : "sig",
"alg" : "RS256",
"n" : "idWPro_QiAFOdMsJD163lcDIPogOwXogRo3Pct2MMyeE2GAGqV20Sc8QUbuLDfPl-7Hi9IfFOz--JY6QL5l92eV-GJXkTmidUEooZxIZSp3ghRxLCqlyHeF5LuuM5LPRFDeF4YWFQT_D2eNo_w95g6qYSeOwOwGIfaHa2RMPcQAiM6LX4ot-Z7Po9z0_3ztFa02m3xejEFr2rLRqhFl3FZJaNnwTUk6an6XYsunxMk3Ya3lRaKJReeXeFtfTpShgtPiAl7lIfLJH9h26h2OAlww531DpxHSm1gKXn6bjB0NTC55vJKft4wXoc_0xKZhnWmjQE8d9xE8e1Z3Ll1LYbw",
"e" : "AQAB"
}, {
"kty" : "RSA",
"kid" : "1438289856256",
"use" : "sig",
"alg" : "RS256",
"n" : "zo5cKcbFECeiH8eGx2D-DsFSpjSKbTVlXD6uL5JAy9rYIv7eYEP6vrKeX-x1z70yEdvgk9xbf9alc8siDfAz3rLCknqlqL7XGVAQL0ZP63UceDmD60LHOzMrx4eR6p49B3rxFfjvX2SWSV3-1H6XNyLk_ALbG6bGCFGuWBQzPJB4LMKCrOFq-6jtRKOKWBXYgkYkaYs5dG-3e2ULbq-y2RdgxYh464y_-MuxDQfvUgP787XKfcXP_XjJZvyuOEANjVyJYZSOyhHUlSGJapQ8ztHdF-swsnf7YkePJ2eR9fynWV2ZoMaXOdidgZtGTa4R1Z4BgH2C0hKJiqRy9fB7Gw",
"e" : "AQAB"
} ]
}
`))
w.(http.Flusher).Flush()
}))
defer ts.Close()
vrs := NewValidators()
if err := vrs.Add(&errorValidator{}); err != nil {
t.Fatal(err)
}
@ -58,7 +87,18 @@ func TestValidators(t *testing.T) {
t.Fatalf("Unexpected number of vids %v", vids)
}
if vids[0] != "err" {
t.Fatalf("Unexpected vid %v", vids[0])
u, err := xnet.ParseURL(ts.URL)
if err != nil {
t.Fatal(err)
}
if err = vrs.Add(NewJWT(JWKSArgs{
URL: u,
})); err != nil {
t.Fatal(err)
}
if _, err = vrs.Get("jwt"); err != nil {
t.Fatal(err)
}
}