minio/cmd/credential.go

/*
 * Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"os"

	"github.com/minio/mc/pkg/console"

	"golang.org/x/crypto/bcrypt"
)

const (
	accessKeyMinLen = 5
	accessKeyMaxLen = 20
	secretKeyMinLen = 8
	secretKeyMaxLen = 40

	alphaNumericTable    = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	alphaNumericTableLen = byte(len(alphaNumericTable))
)

func mustGetAccessKey() string {
	keyBytes := make([]byte, accessKeyMaxLen)
	if _, err := rand.Read(keyBytes); err != nil {
		console.Fatalf("Unable to generate access key. Err: %s.\n", err)
	}

	for i := 0; i < accessKeyMaxLen; i++ {
		keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]
	}

	return string(keyBytes)
}

func mustGetSecretKey() string {
	keyBytes := make([]byte, secretKeyMaxLen)
	if _, err := rand.Read(keyBytes); err != nil {
		console.Fatalf("Unable to generate secret key. Err: %s.\n", err)
	}

	return string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])
}

// isAccessKeyValid - validate access key for right length.
func isAccessKeyValid(accessKey string) bool {
	return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen
}

// isSecretKeyValid - validate secret key for right length.
func isSecretKeyValid(secretKey string) bool {
	return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen
}

// credential container for access and secret keys.
type credential struct {
	AccessKey     string `json:"accessKey,omitempty"`
	SecretKey     string `json:"secretKey,omitempty"`
	secretKeyHash []byte
}

func (c *credential) Validate() error {
	if !isAccessKeyValid(c.AccessKey) {
		return errors.New("Invalid access key")
	}
	if !isSecretKeyValid(c.SecretKey) {
		return errors.New("Invalid secret key")
	}
	return nil
}

// Generate a bcrypt hashed key for input secret key.
func mustGetHashedSecretKey(secretKey string) []byte {
	hashedSecretKey, err := bcrypt.GenerateFromPassword([]byte(secretKey), bcrypt.DefaultCost)
	if err != nil {
		console.Fatalf("Unable to generate secret hash for secret key. Err: %s.\n", err)
	}
	return hashedSecretKey
}

// Initialize a new credential object
func newCredential() credential {
	return newCredentialWithKeys(mustGetAccessKey(), mustGetSecretKey())
}

func newCredentialWithKeys(accessKey, secretKey string) credential {
	secretHash := mustGetHashedSecretKey(secretKey)
	return credential{accessKey, secretKey, secretHash}
}

// Validate incoming auth keys.
func validateAuthKeys(accessKey, secretKey string) error {
	// Validate the env values before proceeding.
	if !isAccessKeyValid(accessKey) {
		return errInvalidAccessKeyLength
	}
	if !isSecretKeyValid(secretKey) {
		return errInvalidSecretKeyLength
	}
	return nil
}

// Variant of getCredentialFromEnv but upon error fails right here.
func mustGetCredentialFromEnv() credential {
	creds, err := getCredentialFromEnv()
	if err != nil {
		console.Fatalf("Unable to load credentials from environment. Err: %s.\n", err)
	}
	return creds
}

// Converts accessKey and secretKeys into credential object which
// contains bcrypt secret key hash for future validation.
func getCredentialFromEnv() (credential, error) {
	// Fetch access keys from environment variables and update the config.
	accessKey := os.Getenv("MINIO_ACCESS_KEY")
	secretKey := os.Getenv("MINIO_SECRET_KEY")

	// Envs are set globally.
	globalIsEnvCreds = accessKey != "" && secretKey != ""

	if globalIsEnvCreds {
		// Validate the env values before proceeding.
		if err := validateAuthKeys(accessKey, secretKey); err != nil {
			return credential{}, err
		}

		// Return credential object.
		return newCredentialWithKeys(accessKey, secretKey), nil
	}

	return credential{}, nil
}
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`/*`
			`* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
config: Check for duplicated entries in all scopes (#3872) Validate Minio config by checking if there is double json key in any scope level. The returned error contains the json path to the duplicated key. 2017-03-15 19:30:34 -04:00			`"errors"`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`"os"`

			`"github.com/minio/mc/pkg/console"`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00
			`"golang.org/x/crypto/bcrypt"`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`)`

			`const (`
			`accessKeyMinLen = 5`
			`accessKeyMaxLen = 20`
			`secretKeyMinLen = 8`
			`secretKeyMaxLen = 40`

			`alphaNumericTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"`
			`alphaNumericTableLen = byte(len(alphaNumericTable))`
			`)`

			`func mustGetAccessKey() string {`
			`keyBytes := make([]byte, accessKeyMaxLen)`
			`if _, err := rand.Read(keyBytes); err != nil {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`console.Fatalf("Unable to generate access key. Err: %s.\n", err)`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`}`

			`for i := 0; i < accessKeyMaxLen; i++ {`
			`keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]`
			`}`

			`return string(keyBytes)`
			`}`

			`func mustGetSecretKey() string {`
			`keyBytes := make([]byte, secretKeyMaxLen)`
			`if _, err := rand.Read(keyBytes); err != nil {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`console.Fatalf("Unable to generate secret key. Err: %s.\n", err)`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`}`

			`return string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])`
			`}`

			`// isAccessKeyValid - validate access key for right length.`
			`func isAccessKeyValid(accessKey string) bool {`
			`return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen`
			`}`

			`// isSecretKeyValid - validate secret key for right length.`
			`func isSecretKeyValid(secretKey string) bool {`
			`return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen`
			`}`

			`// credential container for access and secret keys.`
			`type credential struct {`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00			AccessKey string `json:"accessKey,omitempty"`
			SecretKey string `json:"secretKey,omitempty"`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`secretKeyHash []byte`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00			`}`

config: Check for duplicated entries in all scopes (#3872) Validate Minio config by checking if there is double json key in any scope level. The returned error contains the json path to the duplicated key. 2017-03-15 19:30:34 -04:00			`func (c *credential) Validate() error {`
			`if !isAccessKeyValid(c.AccessKey) {`
			`return errors.New("Invalid access key")`
			`}`
			`if !isSecretKeyValid(c.SecretKey) {`
			`return errors.New("Invalid secret key")`
			`}`
			`return nil`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00			`// Generate a bcrypt hashed key for input secret key.`
			`func mustGetHashedSecretKey(secretKey string) []byte {`
			`hashedSecretKey, err := bcrypt.GenerateFromPassword([]byte(secretKey), bcrypt.DefaultCost)`
			`if err != nil {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`console.Fatalf("Unable to generate secret hash for secret key. Err: %s.\n", err)`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00			`}`
			`return hashedSecretKey`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`}`

Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`// Initialize a new credential object`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`func newCredential() credential {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`return newCredentialWithKeys(mustGetAccessKey(), mustGetSecretKey())`
			`}`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`func newCredentialWithKeys(accessKey, secretKey string) credential {`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 2017-01-26 19:51:51 -05:00			`secretHash := mustGetHashedSecretKey(secretKey)`
			`return credential{accessKey, secretKey, secretHash}`
Generate and use access/secret keys properly (#3498) 2016-12-26 13:21:23 -05:00			`}`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`// Validate incoming auth keys.`
			`func validateAuthKeys(accessKey, secretKey string) error {`
			`// Validate the env values before proceeding.`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00			`if !isAccessKeyValid(accessKey) {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`return errInvalidAccessKeyLength`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00			`}`
			`if !isSecretKeyValid(secretKey) {`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`return errInvalidSecretKeyLength`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00			`}`
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`return nil`
			`}`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00
Honor envs properly for access and secret key. (#3703) Also changes the behavior of `secretKeyHash` which is not necessary to be sent over the network, each node has its own secretKeyHash to validate. Fixes #3696 Partial(fix) #3700 (More changes needed with some code cleanup) 2017-02-07 15:51:43 -05:00			`// Variant of getCredentialFromEnv but upon error fails right here.`
			`func mustGetCredentialFromEnv() credential {`
			`creds, err := getCredentialFromEnv()`
			`if err != nil {`
			`console.Fatalf("Unable to load credentials from environment. Err: %s.\n", err)`
			`}`
			`return creds`
			`}`

			`// Converts accessKey and secretKeys into credential object which`
			`// contains bcrypt secret key hash for future validation.`
			`func getCredentialFromEnv() (credential, error) {`
			`// Fetch access keys from environment variables and update the config.`
			`accessKey := os.Getenv("MINIO_ACCESS_KEY")`
			`secretKey := os.Getenv("MINIO_SECRET_KEY")`

			`// Envs are set globally.`
			`globalIsEnvCreds = accessKey != "" && secretKey != ""`

			`if globalIsEnvCreds {`
			`// Validate the env values before proceeding.`
			`if err := validateAuthKeys(accessKey, secretKey); err != nil {`
			`return credential{}, err`
			`}`

			`// Return credential object.`
			`return newCredentialWithKeys(accessKey, secretKey), nil`
			`}`

			`return credential{}, nil`
Have simpler JWT authentication. (#3501) 2016-12-27 11:28:10 -05:00			`}`