2021-04-18 15:41:13 -04:00
|
|
|
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
|
|
//
|
|
|
|
// This file is part of MinIO Object Storage stack
|
|
|
|
//
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2016-12-27 11:28:10 -05:00
|
|
|
|
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
|
|
|
"net/http"
|
|
|
|
"time"
|
|
|
|
|
2021-11-05 15:20:08 -04:00
|
|
|
jwtgo "github.com/golang-jwt/jwt/v4"
|
|
|
|
jwtreq "github.com/golang-jwt/jwt/v4/request"
|
2021-06-01 17:59:40 -04:00
|
|
|
"github.com/minio/minio/internal/auth"
|
|
|
|
xjwt "github.com/minio/minio/internal/jwt"
|
2024-05-24 19:05:23 -04:00
|
|
|
"github.com/minio/pkg/v3/policy"
|
2016-12-27 11:28:10 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
jwtAlgorithm = "Bearer"
|
|
|
|
|
|
|
|
// Default JWT token for web handlers is one day.
|
|
|
|
defaultJWTExpiry = 24 * time.Hour
|
|
|
|
|
2024-07-22 03:04:48 -04:00
|
|
|
// Inter-node JWT token expiry is 100 years approx.
|
|
|
|
defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
|
2016-12-27 11:28:10 -05:00
|
|
|
)
|
|
|
|
|
2017-02-07 15:51:43 -05:00
|
|
|
var (
|
2021-06-17 23:27:04 -04:00
|
|
|
errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
|
2023-04-28 15:24:14 -04:00
|
|
|
errAccessKeyDisabled = errors.New("The access key you provided is disabled")
|
2021-06-17 23:27:04 -04:00
|
|
|
errAuthentication = errors.New("Authentication failed, check your access credentials")
|
|
|
|
errNoAuthToken = errors.New("JWT token missing")
|
2024-02-16 13:48:30 -05:00
|
|
|
errSkewedAuthTime = errors.New("Skewed authentication date/time")
|
2023-07-14 21:34:55 -04:00
|
|
|
errMalformedAuth = errors.New("Malformed authentication input")
|
2017-02-07 15:51:43 -05:00
|
|
|
)
|
2016-12-27 11:28:10 -05:00
|
|
|
|
2024-07-22 03:04:48 -04:00
|
|
|
func authenticateNode(accessKey, secretKey string) (string, error) {
|
2020-01-30 21:59:22 -05:00
|
|
|
claims := xjwt.NewStandardClaims()
|
|
|
|
claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
|
|
|
|
claims.SetAccessKey(accessKey)
|
2019-10-23 01:59:13 -04:00
|
|
|
|
|
|
|
jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
|
2020-01-30 21:59:22 -05:00
|
|
|
return jwt.SignedString([]byte(secretKey))
|
2016-12-27 11:28:10 -05:00
|
|
|
}
|
|
|
|
|
2017-01-11 16:26:42 -05:00
|
|
|
// Check if the request is authenticated.
|
|
|
|
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
|
|
|
|
// Returns errAuthentication for all other errors.
|
2022-03-14 12:09:22 -04:00
|
|
|
func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, bool, error) {
|
2020-01-30 21:59:22 -05:00
|
|
|
token, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
|
2016-12-27 11:28:10 -05:00
|
|
|
if err != nil {
|
2017-01-11 16:26:42 -05:00
|
|
|
if err == jwtreq.ErrNoTokenInRequest {
|
2022-01-27 00:53:36 -05:00
|
|
|
return nil, nil, false, errNoAuthToken
|
2017-01-11 16:26:42 -05:00
|
|
|
}
|
2022-01-27 00:53:36 -05:00
|
|
|
return nil, nil, false, err
|
2017-09-19 15:37:56 -04:00
|
|
|
}
|
2020-01-30 21:59:22 -05:00
|
|
|
claims := xjwt.NewMapClaims()
|
2021-08-20 14:32:01 -04:00
|
|
|
if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) {
|
2023-04-28 15:24:14 -04:00
|
|
|
if claims.AccessKey != globalActiveCred.AccessKey {
|
|
|
|
u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
|
|
|
|
if !ok {
|
|
|
|
// Credentials will be invalid but for disabled
|
|
|
|
// return a different error in such a scenario.
|
|
|
|
if u.Credentials.Status == auth.AccountOff {
|
|
|
|
return nil, errAccessKeyDisabled
|
|
|
|
}
|
|
|
|
return nil, errInvalidAccessKeyID
|
|
|
|
}
|
|
|
|
cred := u.Credentials
|
2024-02-19 10:34:10 -05:00
|
|
|
// Expired credentials return error.
|
|
|
|
if cred.IsTemp() && cred.IsExpired() {
|
|
|
|
return nil, errInvalidAccessKeyID
|
|
|
|
}
|
2023-04-28 15:24:14 -04:00
|
|
|
return []byte(cred.SecretKey), nil
|
|
|
|
} // this means claims.AccessKey == rootAccessKey
|
|
|
|
if !globalAPIConfig.permitRootAccess() {
|
|
|
|
// if root access is disabled, fail this request.
|
|
|
|
return nil, errAccessKeyDisabled
|
2021-08-20 14:32:01 -04:00
|
|
|
}
|
2023-04-28 15:24:14 -04:00
|
|
|
return []byte(globalActiveCred.SecretKey), nil
|
2021-08-20 14:32:01 -04:00
|
|
|
}); err != nil {
|
2022-01-27 00:53:36 -05:00
|
|
|
return claims, nil, false, errAuthentication
|
2017-01-11 16:26:42 -05:00
|
|
|
}
|
2021-08-20 14:32:01 -04:00
|
|
|
owner := true
|
2022-01-27 00:53:36 -05:00
|
|
|
var groups []string
|
2021-08-20 14:32:01 -04:00
|
|
|
if globalActiveCred.AccessKey != claims.AccessKey {
|
|
|
|
// Check if the access key is part of users credentials.
|
2022-07-01 16:19:13 -04:00
|
|
|
u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
|
2021-08-20 14:32:01 -04:00
|
|
|
if !ok {
|
2022-01-27 00:53:36 -05:00
|
|
|
return nil, nil, false, errInvalidAccessKeyID
|
2021-08-20 14:32:01 -04:00
|
|
|
}
|
2022-07-01 16:19:13 -04:00
|
|
|
ucred := u.Credentials
|
2021-08-20 14:32:01 -04:00
|
|
|
// get embedded claims
|
|
|
|
eclaims, s3Err := checkClaimsFromToken(req, ucred)
|
|
|
|
if s3Err != ErrNone {
|
2022-01-27 00:53:36 -05:00
|
|
|
return nil, nil, false, errAuthentication
|
2021-08-20 14:32:01 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
for k, v := range eclaims {
|
|
|
|
claims.MapClaims[k] = v
|
|
|
|
}
|
|
|
|
|
2023-04-28 15:24:14 -04:00
|
|
|
// if root access is disabled, disable all its service accounts and temporary credentials.
|
|
|
|
if ucred.ParentUser == globalActiveCred.AccessKey && !globalAPIConfig.permitRootAccess() {
|
|
|
|
return nil, nil, false, errAccessKeyDisabled
|
|
|
|
}
|
|
|
|
|
2021-08-20 14:32:01 -04:00
|
|
|
// Now check if we have a sessionPolicy.
|
2023-09-14 17:50:16 -04:00
|
|
|
if _, ok = eclaims[policy.SessionPolicyName]; ok {
|
2021-08-20 14:32:01 -04:00
|
|
|
owner = false
|
|
|
|
} else {
|
|
|
|
owner = globalActiveCred.AccessKey == ucred.ParentUser
|
|
|
|
}
|
2022-01-27 00:53:36 -05:00
|
|
|
|
|
|
|
groups = ucred.Groups
|
2021-08-20 14:32:01 -04:00
|
|
|
}
|
|
|
|
|
2022-01-27 00:53:36 -05:00
|
|
|
return claims, groups, owner, nil
|
2016-12-27 11:28:10 -05:00
|
|
|
}
|
2018-06-06 04:51:56 -04:00
|
|
|
|
2024-07-22 03:04:48 -04:00
|
|
|
// newCachedAuthToken returns the cached token.
|
|
|
|
func newCachedAuthToken() func() string {
|
|
|
|
return func() string {
|
|
|
|
return globalNodeAuthToken
|
2021-11-23 12:51:53 -05:00
|
|
|
}
|
2018-06-06 04:51:56 -04:00
|
|
|
}
|