creds: Secretkey should be generated upto 40 characters in length. (#4471)

Current code allowed it wrongly to generate secret key upto 100
we should only use 100 as a value to validate but for generating
it should be 40.

Fixes #4470

cmd/credential.go

@@ -25,19 +25,35 @@ import (
 )
 
 const (
+	// Minimum length for Minio access key.
 	accessKeyMinLen = 5
+
+	// Maximum length for Minio access key.
 	accessKeyMaxLen = 20
+
+	// Minimum length for Minio secret key for both server and gateway mode.
 	secretKeyMinLen = 8
-	secretKeyMaxLenAmazon = 100
+
+	// Maximum secret key length for Minio, this
+	// is used when autogenerating new credentials.
+	secretKeyMaxLenMinio = 40
+
+	// Maximum secret key length allowed from client side
+	// caters for both server and gateway mode.
+	secretKeyMaxLen = 100
+
+	// Alpha numeric table used for generating access keys.
 	alphaNumericTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+	// Total length of the alpha numeric table.
 	alphaNumericTableLen = byte(len(alphaNumericTable))
 )
 
+// Common errors generated for access and secret key validation.
 var (
 	errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
 	errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 100 characters in length")
 )
-var secretKeyMaxLen = secretKeyMaxLenAmazon
 
 // isAccessKeyValid - validate access key for right length.
 func isAccessKeyValid(accessKey string) bool {
@@ -111,10 +127,10 @@ func mustGetNewCredential() credential {
 	accessKey := string(keyBytes)
 
 	// Generate secret key.
-	keyBytes = make([]byte, secretKeyMaxLen)
+	keyBytes = make([]byte, secretKeyMaxLenMinio)
 	_, err = rand.Read(keyBytes)
 	fatalIf(err, "Unable to generate secret key.")
-	secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])
+	secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLenMinio])
 
 	cred, err := createCredential(accessKey, secretKey)
 	fatalIf(err, "Unable to generate new credential.")

cmd/credential_test.go

@@ -23,6 +23,9 @@ func TestMustGetNewCredential(t *testing.T) {
 	if !cred.IsValid() {
 		t.Fatalf("Failed to get new valid credential")
 	}
+	if len(cred.SecretKey) != secretKeyMaxLenMinio {
+		t.Fatalf("Invalid length %d of the secretKey credential generated, expected %d", len(cred.SecretKey), secretKeyMaxLenMinio)
+	}
 }
 
 func TestCreateCredential(t *testing.T) {

cmd/gateway-main.go

@@ -19,11 +19,12 @@ package cmd
 import (
 	"errors"
 	"fmt"
-	"github.com/gorilla/mux"
-	"github.com/minio/cli"
 	"net/url"
 	"os"
 	"strings"
+
+	"github.com/gorilla/mux"
+	"github.com/minio/cli"
 )
 
 var gatewayTemplate = `NAME:

cmd/server_test.go

@@ -93,13 +93,6 @@ func (s *TestSuiteCommon) TearDownSuite(c *C) {
 	s.testServer.Stop()
 }
 
-func (s *TestSuiteCommon) TestAuth(c *C) {
-	cred := mustGetNewCredential()
-
-	c.Assert(len(cred.AccessKey), Equals, accessKeyMaxLen)
-	c.Assert(len(cred.SecretKey), Equals, secretKeyMaxLen)
-}
-
 func (s *TestSuiteCommon) TestBucketSQSNotificationWebHook(c *C) {
 	// Sample bucket notification.
 	bucketNotificationBuf := `<NotificationConfiguration><QueueConfiguration><Event>s3:ObjectCreated:Put</Event><Filter><S3Key><FilterRule><Name>prefix</Name><Value>images/</Value></FilterRule></S3Key></Filter><Id>1</Id><Queue>arn:minio:sqs:us-east-1:444455556666:webhook</Queue></QueueConfiguration></NotificationConfiguration>`