MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/sts-handlers.go

818 lines
28 KiB
Go
Raw Normal View History

fix: correct parentUser lookup for OIDC auto expiration (#14154) fixes #14026 This is a regression from #13884
2022-01-22 19:36:11 -05:00
/// Copyright (c) 2015-2021 MinIO, Inc.
update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
package cmd
import (
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
"bytes"
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
"context"
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
"crypto/sha256"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
"crypto/x509"
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
"encoding/base64"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-29 16:01:42 -04:00
"errors"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
"fmt"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
"net/http"
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
"strings"
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
"time"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
"github.com/gorilla/mux"
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
"github.com/minio/madmin-go"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config/identity/openid"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 00:16:42 -04:00
iampolicy "github.com/minio/pkg/iam/policy"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-28 18:17:01 -04:00
"github.com/minio/pkg/wildcard"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
)
const (
// STS API version.
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
stsAPIVersion = "2011-06-15"
stsVersion = "Version"
stsAction = "Action"
stsPolicy = "Policy"
stsToken = "Token"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
stsRoleArn = "RoleArn"
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
stsWebIdentityToken = "WebIdentityToken"
stsWebIdentityAccessToken = "WebIdentityAccessToken" // only valid if UserInfo is enabled.
stsDurationSeconds = "DurationSeconds"
stsLDAPUsername = "LDAPUsername"
stsLDAPPassword = "LDAPPassword"
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
// STS API action constants
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
clientGrants = "AssumeRoleWithClientGrants"
webIdentity = "AssumeRoleWithWebIdentity"
ldapIdentity = "AssumeRoleWithLDAPIdentity"
clientCertificate = "AssumeRoleWithCertificate"
assumeRole = "AssumeRole"
fix DoS vulnerability in the content SHA-256 processing (#8026) This commit fixes a DoS issue that is caused by an incorrect SHA-256 content verification during STS requests. Before that fix clients could write arbitrary many bytes to the server memory. This commit fixes this by limiting the request body size.
2019-08-05 13:06:40 -04:00
stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
// JWT claim keys
expClaim = "exp"
subClaim = "sub"
always validate JWT token audience (#12797) audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
2021-07-26 22:40:15 -04:00
audClaim = "aud"
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-29 16:01:42 -04:00
issClaim = "iss"
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
Add service account type in IAM (#9029)
2020-03-17 13:36:13 -04:00
// JWT claim to check the parent user
parentClaim = "parent"
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
// LDAP claim keys
fix: ldap:username variable substitution in policies
2021-07-11 21:38:52 -04:00
ldapUser = "ldapUser"
ldapUserN = "ldapUsername"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
// Role Claim key
roleArnClaim = "roleArn"
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
)
// stsAPIHandlers implements and provides http handlers for AWS STS API.
type stsAPIHandlers struct{}
// registerSTSRouter - registers AWS STS compatible APIs.
func registerSTSRouter(router *mux.Router) {
// Initialize STS.
sts := &stsAPIHandlers{}
// STS Router
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-06 15:08:58 -04:00
stsRouter := router.NewRoute().PathPrefix(SlashSeparator).Subrouter()
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
// Assume roles with no JWT, handles AssumeRole.
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
authOk := wildcard.MatchSimple(signV4Algorithm+"*", r.Header.Get(xhttp.Authorization))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-23 18:55:41 -04:00
return ctypeOk && authOk && noQueries
}).HandlerFunc(httpTraceAll(sts.AssumeRole))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
// Assume roles with JWT handler, handles both ClientGrants and WebIdentity.
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
stsRouter.Methods(http.MethodPost).MatcherFunc(func(r *http.Request, rm *mux.RouteMatch) bool {
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
ctypeOk := wildcard.MatchSimple("application/x-www-form-urlencoded*", r.Header.Get(xhttp.ContentType))
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
noQueries := len(r.URL.RawQuery) == 0
Fix STS AssumeRole route conflict with MultipartUpload (#7574) Since AssumeRole API was introduced we have a wrong route match which results in certain clients failing to upload objects using multipart because, multipart POST conflicts with STS POST AssumeRole API. Write a proper matcher function which verifies the route more appropriately such that both can co-exist.
2019-04-23 18:55:41 -04:00
return ctypeOk && noQueries
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 02:02:32 -04:00
}).HandlerFunc(httpTraceAll(sts.AssumeRoleWithSSO))
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// AssumeRoleWithClientGrants
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithClientGrants)).
Queries(stsAction, clientGrants).
Queries(stsVersion, stsAPIVersion).
Queries(stsToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
// AssumeRoleWithWebIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithWebIdentity)).
Queries(stsAction, webIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsWebIdentityToken, "{Token:.*}")
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
// AssumeRoleWithLDAPIdentity
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithLDAPIdentity)).
Queries(stsAction, ldapIdentity).
Queries(stsVersion, stsAPIVersion).
Queries(stsLDAPUsername, "{LDAPUsername:.*}").
Queries(stsLDAPPassword, "{LDAPPassword:.*}")
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
// AssumeRoleWithCertificate
stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithCertificate)).
Queries(stsAction, clientCertificate).
Queries(stsVersion, stsAPIVersion)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
if !isRequestSignatureV4(r) {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
return user, true, ErrSTSAccessDenied
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-04 14:58:19 -04:00
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-04 14:58:19 -04:00
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
user, _, s3Err = getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
}
// Session tokens are not allowed in STS AssumeRole requests.
if getSessionToken(r) != "" {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
return user, true, ErrSTSAccessDenied
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
}
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
return user, true, ErrSTSNone
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
}
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
func parseForm(r *http.Request) error {
if err := r.ParseForm(); err != nil {
return err
}
for k, v := range r.PostForm {
if _, ok := r.Form[k]; !ok {
r.Form[k] = v
}
}
return nil
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
// AssumeRole - implementation of AWS STS API AssumeRole to get temporary
// credentials for regular users on Minio.
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole")
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
// Check auth here (otherwise r.Form will have unexpected values from
// the call to `parseForm` below), but return failure only after we are
// able to validate that it is a valid STS request, so that we are able
// to send an appropriate audit log.
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
fix: allow root credentials to generate STS, service accounts (#12210)
2021-05-04 14:58:19 -04:00
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get(stsVersion), stsAPIVersion))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
action := r.Form.Get(stsAction)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
switch action {
case assumeRole:
default:
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
ctx = newContext(r, w, action)
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, nil)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
Ensure that AssumeRole calls are sent to Audit log (#14202) When authentication fails MinIO was not sending out an Audit log event for this STS call
2022-01-27 19:17:11 -05:00
// Validate the authentication result here so that failures will be
// audit-logged.
if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy shouldn't exceed 2048 characters"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version cannot be empty expecting '2012-10-17'"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
}
move to jwt-go v4 with correct releases (#13586)
2021-11-05 15:20:08 -04:00
duration, err := openid.GetDefaultExpiration(r.Form.Get(stsDurationSeconds))
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
move to jwt-go v4 with correct releases (#13586)
2021-11-05 15:20:08 -04:00
m := map[string]interface{}{
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
expClaim: UTCNow().Add(duration).Unix(),
parentClaim: user.AccessKey,
move to jwt-go v4 with correct releases (#13586)
2021-11-05 15:20:08 -04:00
}
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
// Validate that user.AccessKey's policies can be retrieved - it may not
// be in case the user is disabled.
_, err = globalIAMSys.PolicyDBGet(user.AccessKey, false)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
if len(sessionPolicyStr) > 0 {
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
secret := globalActiveCred.SecretKey
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
// Set the parent of the temporary access key, so that it's access
// policy is inherited from `user.AccessKey`.
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
cred.ParentUser = user.AccessKey
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
// Set the newly generated credentials.
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
// Call hook for site replication.
if cred.ParentUser != globalActiveCred.AccessKey {
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
},
}); err != nil {
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-20 22:09:11 -04:00
logger.LogIf(ctx, err)
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
}
}
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
assumeRoleResponse := &AssumeRoleResponse{
Result: AssumeRoleResult{
Credentials: cred,
},
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
assumeRoleResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
writeSuccessResponseXML(w, encodeResponse(assumeRoleResponse))
}
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 02:02:32 -04:00
func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleSSOCommon")
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
action := r.Form.Get(stsAction)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
switch action {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 02:02:32 -04:00
case ldapIdentity:
sts.AssumeRoleWithLDAPIdentity(w, r)
return
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
case clientGrants, webIdentity:
default:
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
return
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
ctx = newContext(r, w, action)
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, nil)
Audit log claims from token (#6847)
2018-11-21 23:03:24 -05:00
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
token := r.Form.Get(stsToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
if token == "" {
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
token = r.Form.Get(stsWebIdentityToken)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
accessToken := r.Form.Get(stsWebIdentityAccessToken)
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-28 21:27:09 -04:00
roleArn := openid.DummyRoleARN
if globalIAMSys.HasRolePolicy() {
var err error
roleArnStr := r.Form.Get(stsRoleArn)
roleArn, _, err = globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("Error processing %s parameter: %v", stsRoleArn, err))
return
}
}
// Validate JWT; check clientID in claims matches the one associated with the roleArn
m, err := globalOpenIDConfig.Validate(roleArn, token, accessToken, r.Form.Get(stsDurationSeconds))
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
if err != nil {
switch err {
Rename iam/validator -> iam/openid and add tests (#8340) Refactor as part of config migration
2019-10-01 18:07:20 -04:00
case openid.ErrTokenExpired:
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
switch action {
case clientGrants:
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSClientGrantsExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
case webIdentity:
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSWebIdentityExpiredToken, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
}
return
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
case auth.ErrInvalidDuration:
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
return
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
}
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
return
}
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-19 18:34:01 -04:00
var policyName string
If role policy is configured, require that role ARN be set in STS (#13814)
2021-12-02 18:43:39 -05:00
if globalIAMSys.HasRolePolicy() {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
// If roleArn is used, we set it as a claim, and use the
// associated policy when credentials are used.
Add support for multiple OpenID providers with role policies (#14223) - When using multiple providers, claim-based providers are not allowed. All providers must use role policies. - Update markdown config to allow `details` HTML element
2022-04-28 21:27:09 -04:00
m[roleArnClaim] = roleArn.String()
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
} else {
If role policy is configured, require that role ARN be set in STS (#13814)
2021-12-02 18:43:39 -05:00
// If no role policy is configured, then we use claims from the
// JWT. This is a MinIO STS API specific value, this value
// should be set and configured on your identity provider as
// part of JWT custom claims.
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
policies := strings.Join(policySet.ToSlice(), ",")
if ok {
policyName = globalIAMSys.CurrentPolicies(policies)
}
Add support for Access Management Plugin (#14875) - This change renames the OPA integration as Access Management Plugin - there is nothing specific to OPA in the integration, it is just a webhook. - OPA configuration is automatically migrated to Access Management Plugin and OPA specific configuration is marked as deprecated. - OPA doc is updated and moved.
2022-05-10 20:14:55 -04:00
if globalAuthZPlugin == nil {
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return
} else if policyName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
return
}
}
m[iamPolicyClaimNameOpenID()] = policyName
allow claims to be optional in STS (#10078) not all claims need to be present for the JWT claim, let the policies not exist and only apply which are present when generating the credentials once credentials are generated then those policies should exist, otherwise the request will fail.
2020-07-19 18:34:01 -04:00
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version"))
Add support for session policies in STS APIs (#7747) This PR adds support for adding session policies for further restrictions on STS credentials, useful in situations when applications want to generate creds for multiple interested parties with different set of policy restrictions. This session policy is not mandatory, but optional. Fixes #7732
2019-06-20 18:28:33 -04:00
return
}
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
secret := globalActiveCred.SecretKey
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
return
}
support service accounts for OpenID connect properly (#12178) OpenID connect generated service accounts do not work properly after console logout, since the parentUser state is lost - instead use sub+iss claims for parentUser, according to OIDC spec both the claims provide the necessary stability across logins etc.
2021-04-29 16:01:42 -04:00
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
// claim is only considered stable when subject and iss are used together
// this is to ensure that ParentUser doesn't change and we get to use
// parentUser as per the requirements for service accounts for OpenID
// based logins.
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
var subFromToken string
if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string)
}
if subFromToken == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
var issFromToken string
if v, ok := m[issClaim]; ok {
issFromToken, _ = v.(string)
}
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
// Since issFromToken can have `/` characters (it is typically the
// provider URL), we hash and encode it to base64 here. This is needed
// because there will be a policy mapping stored on drives whose
// filename is this parentUser: therefore, it needs to have only valid
// filename characters and needs to have bounded length.
{
h := sha256.New()
h.Write([]byte("openid:" + subFromToken + ":" + issFromToken))
bs := h.Sum(nil)
cred.ParentUser = base64.RawURLEncoding.EncodeToString(bs)
}
Add support for AssumeRoleWithWebIdentity (#6985)
2019-01-04 16:48:12 -05:00
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
// Set the newly generated credentials.
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
// Call hook for site replication.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
ParentUser: cred.ParentUser,
ParentPolicyMapping: policyName,
},
}); err != nil {
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-20 22:09:11 -04:00
logger.LogIf(ctx, err)
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
var encodedSuccessResponse []byte
switch action {
case clientGrants:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
clientGrantsResponse := &AssumeRoleWithClientGrantsResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
Result: ClientGrantsResult{
Credentials: cred,
SubjectFromToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
clientGrantsResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
encodedSuccessResponse = encodeResponse(clientGrantsResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
case webIdentity:
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
webIdentityResponse := &AssumeRoleWithWebIdentityResponse{
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
Result: WebIdentityResult{
Credentials: cred,
SubjectFromWebIdentityToken: subFromToken,
},
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
}
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations
2019-07-03 01:34:32 -04:00
webIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
2019-02-27 20:46:55 -05:00
encodedSuccessResponse = encodeResponse(webIdentityResponse)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2018-10-09 17:00:01 -04:00
writeSuccessResponseXML(w, encodedSuccessResponse)
}
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
// AssumeRoleWithWebIdentity - implementation of AWS STS API supporting OAuth2.0
// users from web identity provider such as Facebook, Google, or any OpenID
// Connect-compatible identity provider.
//
// Eg:-
// $ curl https://minio:9000/?Action=AssumeRoleWithWebIdentity&WebIdentityToken=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithWebIdentity(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 02:02:32 -04:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
}
// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
// $ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
fix: allow LDAP identity to support form body POST (#10468) similar to other STS APIs
2020-09-12 02:02:32 -04:00
sts.AssumeRoleWithSSO(w, r)
Added support for reading body in STS API (#7188) STS API supports both URL query params and reading from a body.
2019-02-05 18:47:11 -05:00
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
// AssumeRoleWithLDAPIdentity - implements user auth against LDAP server
func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")
audit: per object send pool number, set number and servers per operation (#11233)
2021-01-26 16:21:51 -05:00
defer logger.AuditLog(ctx, w, r, nil, stsLDAPPassword)
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 01:07:55 -04:00
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
// Parse the incoming form data.
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
2021-08-08 01:43:01 -04:00
if err := parseForm(r); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
if r.Form.Get(stsVersion) != stsAPIVersion {
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 01:07:55 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter,
fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
ldapUsername := r.Form.Get(stsLDAPUsername)
ldapPassword := r.Form.Get(stsLDAPPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
if ldapUsername == "" || ldapPassword == "" {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
fix remove LDAPPassword from audit logs (#9773) the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2020-06-05 01:07:55 -04:00
action := r.Form.Get(stsAction)
switch action {
case ldapIdentity:
default:
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
return
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
sessionPolicyStr := r.Form.Get(stsPolicy)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
return
}
if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
return
}
// Version in policy must not be empty
if sessionPolicy.Version == "" {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version needs to be specified in session policy"))
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
return
}
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
ldapUserDN, groupDistNames, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
if err != nil {
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
err = fmt.Errorf("LDAP server error: %w", err)
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
// Check if this user or their groups have a policy applied.
Converge PolicyDBGet functions in IAM (#11891)
2021-03-25 03:38:15 -04:00
ldapPolicies, _ := globalIAMSys.PolicyDBGet(ldapUserDN, false, groupDistNames...)
Add support for Access Management Plugin (#14875) - This change renames the OPA integration as Access Management Plugin - there is nothing specific to OPA in the integration, it is just a webhook. - OPA configuration is automatically migrated to Access Management Plugin and OPA specific configuration is marked as deprecated. - OPA doc is updated and moved.
2022-05-10 20:14:55 -04:00
if len(ldapPolicies) == 0 && globalAuthZPlugin == nil {
fix: LDAP groups handling and group mapping (#11855) comprehensively handle group mapping for LDAP users across IAM sub-subsytem.
2021-03-23 18:15:51 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("expecting a policy to be set for user `%s` or one of their groups: `%s` - rejecting this request",
ldapUserDN, strings.Join(groupDistNames, "`,`")))
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
return
}
fix: Add support for DurationSeconds in LDAP STS API (#12778)
2021-07-22 15:13:21 -04:00
expiryDur, err := globalLDAPConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
m := map[string]interface{}{
fix: ldap:username variable substitution in policies
2021-07-11 21:38:52 -04:00
expClaim: UTCNow().Add(expiryDur).Unix(),
ldapUser: ldapUserDN,
ldapUserN: ldapUsername,
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
}
Fix LDAP responseXML to be named appropriately (#8285) This PR additionally also adds support for missing - Session policy support for AD/LDAP - Add API request/response parameters detail - Update example to take ldap username, password input from the command line - Fixes session policy handling for ClientGrants and WebIdentity
2019-09-23 18:21:16 -04:00
if len(sessionPolicyStr) > 0 {
m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
secret := globalActiveCred.SecretKey
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
// Set the parent of the temporary access key, this is useful
// in obtaining service accounts by this cred.
Fix support for multiple LDAP user formats (#11276) Fixes support for using multiple base DNs for user search in the LDAP directory allowing users from different subtrees in the LDAP hierarchy to request credentials. - The username in the produced credentials is now the full DN of the LDAP user to disambiguate users in different base DNs.
2021-01-18 00:54:32 -05:00
cred.ParentUser = ldapUserDN
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-20 14:33:35 -04:00
// Set this value to LDAP groups, LDAP user can be part
// of large number of groups
Return group DN instead of group name in LDAP STS (#11501) - Additionally, check if the user or their groups has a policy attached during the STS call. - Remove the group name attribute configuration value.
2021-02-10 19:52:49 -05:00
cred.Groups = groupDistNames
fix: remove LDAP groups claim and store them on server (#9637) Groups information shall be now stored as part of the credential data structure, this is a more idiomatic way to support large LDAP groups. Avoids the complication of setups where LDAP groups can be in the range of 150+ which may lead to excess HTTP header size > 8KiB, to reduce such an occurrence we shall save the group information on the server as part of the credential data structure. Bonus change support multiple mapped policies, across all types of users.
2020-05-20 14:33:35 -04:00
fix: add service account support for AssumeRole/LDAPIdentity creds (#9451) allow generating service accounts for temporary credentials which have a designated parent, currently OpenID is not yet supported. added checks to ensure that service account cannot generate further service accounts for itself, service accounts can never be a parent to any credential.
2020-04-28 15:49:56 -04:00
// Set the newly generated credentials, policyName is empty on purpose
// LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping.
add thread context in surrounding function into IAM functions (#13658)
2021-11-15 17:14:22 -05:00
if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
fixes misleading assume role error msgs (#9642)
2020-05-21 12:09:18 -04:00
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
// Call hook for site replication.
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
SessionToken: cred.SessionToken,
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
ParentUser: cred.ParentUser,
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
},
}); err != nil {
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-20 22:09:11 -04:00
logger.LogIf(ctx, err)
Add new site replication feature (#13311) This change allows a set of MinIO sites (clusters) to be configured for mutual replication of all buckets (including bucket policies, tags, object-lock configuration and bucket encryption), IAM policies, LDAP service accounts and LDAP STS accounts.
2021-10-06 19:36:31 -04:00
}
LDAP STS API (#8091) Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.
2019-09-09 19:12:29 -04:00
ldapIdentityResponse := &AssumeRoleWithLDAPResponse{
Result: LDAPIdentityResult{
Credentials: cred,
},
}
ldapIdentityResponse.ResponseMetadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
encodedSuccessResponse := encodeResponse(ldapIdentityResponse)
writeSuccessResponseXML(w, encodedSuccessResponse)
}
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
// AssumeRoleWithCertificate implements user authentication with client certificates.
// It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy
// and returns temp. S3 credentials to the client.
//
// API endpoint: https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15
func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *http.Request) {
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
ctx := newContext(r, w, "AssumeRoleWithCertificate")
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
if !globalSTSTLSConfig.Enabled {
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
return
}
// We have to establish a TLS connection and the
// client must provide exactly one client certificate.
// Otherwise, we don't have a certificate to verify or
// the policy lookup would ambigious.
if r.TLS == nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInsecureConnection, errors.New("No TLS connection attempt"))
return
}
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-17 12:37:01 -04:00
// A client may send a certificate chain such that we end up
// with multiple peer certificates. However, we can only accept
// a single client certificate. Otherwise, the certificate to
// policy mapping would be ambigious.
// However, we can filter all CA certificates and only check
// whether they client has sent exactly one (non-CA) leaf certificate.
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-17 12:37:01 -04:00
for _, cert := range r.TLS.PeerCertificates {
if cert.IsCA {
continue
}
peerCertificates = append(peerCertificates, cert)
}
r.TLS.PeerCertificates = peerCertificates
// Now, we have to check that the client has provided exactly one leaf
// certificate that we can map to a policy.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
if len(r.TLS.PeerCertificates) == 0 {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("No client certificate provided"))
return
}
if len(r.TLS.PeerCertificates) > 1 {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("More than one client certificate provided"))
return
}
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
certificate := r.TLS.PeerCertificates[0]
sts: allow clients to send certificate chain (#13235) This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-17 12:37:01 -04:00
if !globalSTSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
_, err := certificate.Verify(x509.VerifyOptions{
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
Roots: globalRootCAs,
})
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidClientCertificate, err)
return
}
sts: always verify the key usage of client certificates (#13583) This commit makes the MinIO server behavior more consistent w.r.t. key usage verification. When MinIO verifies the client certificates it also checks that the client certificate is valid of client authentication (or any (i.e. wildcard) usage). However, the MinIO server used to not verify the client key usage when client certificate verification was disabled. Now, the MinIO server verifies the client key usage even when client certificate verification has been disabled. This makes the MinIO behavior more consistent from a client's perspective. Now, a client certificate has to be valid for client authentication in all cases. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-11-05 05:16:26 -04:00
} else {
// Technically, there is no security argument for verifying the key usage
// when we don't verify that the certificate has been issued by a trusted CA.
// Any client can create a certificate with arbitrary key usage settings.
//
// However, this check ensures that a certificate with an invalid key usage
// gets rejected even when we skip certificate verification. This helps
// clients detect malformed certificates during testing instead of e.g.
// a self-signed certificate that works while a comparable certificate
// issued by a trusted CA fails due to the MinIO server being less strict
// w.r.t. key usage verification.
//
// Basically, MinIO is more consistent (from a client perspective) when
// we verify the key usage all the time.
var validKeyUsage bool
for _, usage := range certificate.ExtKeyUsage {
if usage == x509.ExtKeyUsageAny || usage == x509.ExtKeyUsageClientAuth {
validKeyUsage = true
break
}
}
if !validKeyUsage {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("certificate is not valid for client authentication"))
return
}
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
}
// We map the X.509 subject common name to the policy. So, a client
// with the common name "foo" will be associated with the policy "foo".
// Other mapping functions - e.g. public-key hash based mapping - are
// possible but not implemented.
//
// Group mapping is not possible with standard X.509 certificates.
if certificate.Subject.CommonName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("certificate subject CN cannot be empty"))
return
}
expiry, err := globalSTSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
return
}
// We set the expiry of the temp. credentials to the minimum of the
// configured expiry and the duration until the certificate itself
// expires.
// We must not issue credentials that out-live the certificate.
if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
expiry = validUntil
}
// Associate any service accounts to the certificate CN
parentUser := "tls:" + certificate.Subject.CommonName
tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
Map policy to parent for STS (#13884) When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2021-12-17 03:46:30 -05:00
expClaim: UTCNow().Add(expiry).Unix(),
parentClaim: parentUser,
subClaim: certificate.Subject.CommonName,
audClaim: certificate.Subject.Organization,
issClaim: certificate.Issuer.CommonName,
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
}, globalActiveCred.SecretKey)
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return
}
tmpCredentials.ParentUser = parentUser
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
policyName := certificate.Subject.CommonName
err = globalIAMSys.SetTempUser(ctx, tmpCredentials.AccessKey, tmpCredentials, policyName)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
if err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
// Call hook for site replication.
if err := globalSiteReplicationSys.IAMChangeHook(ctx, madmin.SRIAMItem{
Type: madmin.SRIAMItemSTSAcc,
STSCredential: &madmin.SRSTSCredential{
AccessKey: tmpCredentials.AccessKey,
SecretKey: tmpCredentials.SecretKey,
SessionToken: tmpCredentials.SessionToken,
ParentUser: tmpCredentials.ParentUser,
ParentPolicyMapping: policyName,
},
}); err != nil {
Relax site replication syncing of service accounts (#14955) Synchronous replication of service/sts accounts can be relaxed as site replication healing should catch up when peer clusters are back online.
2022-05-20 22:09:11 -04:00
logger.LogIf(ctx, err)
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
}
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
response := new(AssumeRoleWithCertificateResponse)
sts: add support for certificate-based authentication (#12748) This commit adds a new STS API for X.509 certificate authentication. A client can make an HTTP POST request over a TLS connection and MinIO will verify the provided client certificate, map it to an S3 policy and return temp. S3 credentials to the client. So, this STS API allows clients to authenticate with X.509 certificates over TLS and obtain temp. S3 credentials. For more details and examples refer to the docs/sts/tls.md documentation. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2021-09-07 22:03:48 -04:00
response.Result.Credentials = tmpCredentials
response.Metadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
writeSuccessResponseXML(w, encodeResponse(response))
}