ldap: Create services accounts for LDAP and STS temp accounts (#11808)

pkg/auth/credentials.go

@@ -28,6 +28,7 @@ import (
 	"time"
 
 	jwtgo "github.com/dgrijalva/jwt-go"
+	"github.com/minio/minio/cmd/jwt"
 )
 
 const (
@@ -210,16 +211,33 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	for i := 0; i < accessKeyMaxLen; i++ {
 		keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen]
 	}
-	cred.AccessKey = string(keyBytes)
+	accessKey := string(keyBytes)
 
 	// Generate secret key.
 	keyBytes, err = readBytes(secretKeyMaxLen)
 	if err != nil {
 		return cred, err
 	}
-	cred.SecretKey = strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]),
+
+	secretKey := strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]),
 		"/", "+", -1)
 
+	return CreateNewCredentialsWithMetadata(accessKey, secretKey, m, tokenSecret)
+}
+
+// CreateNewCredentialsWithMetadata - creates new credentials using the specified access & secret keys
+// and generate a session token if a secret token is provided.
+func CreateNewCredentialsWithMetadata(accessKey, secretKey string, m map[string]interface{}, tokenSecret string) (cred Credentials, err error) {
+	if len(accessKey) < accessKeyMinLen || len(accessKey) > accessKeyMaxLen {
+		return Credentials{}, fmt.Errorf("access key length should be between %d and %d", accessKeyMinLen, accessKeyMaxLen)
+	}
+
+	if len(secretKey) < secretKeyMinLen || len(secretKey) > secretKeyMaxLen {
+		return Credentials{}, fmt.Errorf("secret key length should be between %d and %d", secretKeyMinLen, secretKeyMaxLen)
+	}
+
+	cred.AccessKey = accessKey
+	cred.SecretKey = secretKey
 	cred.Status = AccountOn
 
 	if tokenSecret == "" {
@@ -231,12 +249,9 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	if err != nil {
 		return cred, err
 	}
-
-	m["accessKey"] = cred.AccessKey
-	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
-
 	cred.Expiration = time.Unix(expiry, 0).UTC()
-	cred.SessionToken, err = jwt.SignedString([]byte(tokenSecret))
+
+	cred.SessionToken, err = JWTSignWithAccessKey(cred.AccessKey, m, tokenSecret)
 	if err != nil {
 		return cred, err
 	}
@@ -244,6 +259,31 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	return cred, nil
 }
 
+// JWTSignWithAccessKey - generates a session token.
+func JWTSignWithAccessKey(accessKey string, m map[string]interface{}, tokenSecret string) (string, error) {
+	m["accessKey"] = accessKey
+	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
+	return jwt.SignedString([]byte(tokenSecret))
+}
+
+// ExtractClaims extracts JWT claims from a security token using a secret key
+func ExtractClaims(token, secretKey string) (*jwt.MapClaims, error) {
+	if token == "" || secretKey == "" {
+		return nil, errors.New("invalid argument")
+	}
+
+	claims := jwt.NewMapClaims()
+	stsTokenCallback := func(claims *jwt.MapClaims) ([]byte, error) {
+		return []byte(secretKey), nil
+	}
+
+	if err := jwt.ParseWithClaims(token, claims, stsTokenCallback); err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
 // GetNewCredentials generates and returns new credential.
 func GetNewCredentials() (cred Credentials, err error) {
 	return GetNewCredentialsWithMetadata(map[string]interface{}{}, "")