31dff87903
Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup)
139 lines
4 KiB
Go
139 lines
4 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
jwtgo "github.com/dgrijalva/jwt-go"
|
|
jwtreq "github.com/dgrijalva/jwt-go/request"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
const (
|
|
jwtAlgorithm = "Bearer"
|
|
|
|
// Default JWT token for web handlers is one day.
|
|
defaultJWTExpiry = 24 * time.Hour
|
|
|
|
// Inter-node JWT token expiry is 100 years approx.
|
|
defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
|
|
)
|
|
|
|
var (
|
|
errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
|
|
errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")
|
|
|
|
errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
|
|
errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")
|
|
errAuthentication = errors.New("Authentication failed, check your access credentials")
|
|
errNoAuthToken = errors.New("JWT token missing")
|
|
)
|
|
|
|
func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
|
|
// Trim spaces.
|
|
accessKey = strings.TrimSpace(accessKey)
|
|
|
|
if !isAccessKeyValid(accessKey) {
|
|
return "", errInvalidAccessKeyLength
|
|
}
|
|
if !isSecretKeyValid(secretKey) {
|
|
return "", errInvalidSecretKeyLength
|
|
}
|
|
|
|
serverCred := serverConfig.GetCredential()
|
|
|
|
// Validate access key.
|
|
if accessKey != serverCred.AccessKey {
|
|
return "", errInvalidAccessKeyID
|
|
}
|
|
|
|
// Validate secret key.
|
|
// Using bcrypt to avoid timing attacks.
|
|
if serverCred.secretKeyHash != nil {
|
|
if bcrypt.CompareHashAndPassword(serverCred.secretKeyHash, []byte(secretKey)) != nil {
|
|
return "", errAuthentication
|
|
}
|
|
} else {
|
|
// Secret key hash not set then generate and validate.
|
|
if bcrypt.CompareHashAndPassword(mustGetHashedSecretKey(serverCred.SecretKey), []byte(secretKey)) != nil {
|
|
return "", errAuthentication
|
|
}
|
|
}
|
|
|
|
utcNow := time.Now().UTC()
|
|
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
|
|
"exp": utcNow.Add(expiry).Unix(),
|
|
"iat": utcNow.Unix(),
|
|
"sub": accessKey,
|
|
})
|
|
|
|
return token.SignedString([]byte(serverCred.SecretKey))
|
|
}
|
|
|
|
func authenticateNode(accessKey, secretKey string) (string, error) {
|
|
return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
|
|
}
|
|
|
|
func authenticateWeb(accessKey, secretKey string) (string, error) {
|
|
return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
|
|
}
|
|
|
|
func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
|
|
if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
|
|
return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
|
|
}
|
|
|
|
return []byte(serverConfig.GetCredential().SecretKey), nil
|
|
}
|
|
|
|
func isAuthTokenValid(tokenString string) bool {
|
|
jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)
|
|
if err != nil {
|
|
errorIf(err, "Unable to parse JWT token string")
|
|
return false
|
|
}
|
|
|
|
return jwtToken.Valid
|
|
}
|
|
|
|
func isHTTPRequestValid(req *http.Request) bool {
|
|
return webRequestAuthenticate(req) == nil
|
|
}
|
|
|
|
// Check if the request is authenticated.
|
|
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
|
|
// Returns errAuthentication for all other errors.
|
|
func webRequestAuthenticate(req *http.Request) error {
|
|
jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)
|
|
if err != nil {
|
|
if err == jwtreq.ErrNoTokenInRequest {
|
|
return errNoAuthToken
|
|
}
|
|
return errAuthentication
|
|
}
|
|
|
|
if !jwtToken.Valid {
|
|
return errAuthentication
|
|
}
|
|
return nil
|
|
}
|