Add role ARN support for OIDC identity provider (#13651)

- Allows setting a role policy parameter when configuring OIDC provider

- When role policy is set, the server prints a role ARN usable in STS API requests

- The given role policy is applied to STS API requests when the roleARN parameter is provided.

- Service accounts for role policy are also possible and work as expected.

internal/arn/arn.go

@@ -0,0 +1,147 @@
+// Copyright (c) 2015-2021 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package arn
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// ARN structure:
+//
+// arn:partition:service:region:account-id:resource-type/resource-id
+//
+// In this implementation, account-id is empty.
+//
+// Reference: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+
+type arnPartition string
+
+const (
+	arnPartitionMinio arnPartition = "minio"
+)
+
+type arnService string
+
+const (
+	arnServiceIAM arnService = "iam"
+)
+
+type arnResourceType string
+
+const (
+	arnResourceTypeRole arnResourceType = "role"
+)
+
+// ARN - representation of resources based on AWS ARNs.
+type ARN struct {
+	Partition    arnPartition
+	Service      arnService
+	Region       string
+	ResourceType arnResourceType
+	ResourceID   string
+}
+
+var (
+	// Allows lower-case chars, numbers, '.', '-', '_' and '/'. Starts with
+	// a letter or digit. At least 1 character long.
+	validResourceIDRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_/\.-]*$`)
+)
+
+// NewIAMRoleARN - returns an ARN for a role in MinIO.
+func NewIAMRoleARN(resourceID, serverRegion string) (ARN, error) {
+	if !validResourceIDRegex.MatchString(resourceID) {
+		return ARN{}, fmt.Errorf("Invalid resource ID: %s", resourceID)
+	}
+	return ARN{
+		Partition:    arnPartitionMinio,
+		Service:      arnServiceIAM,
+		Region:       serverRegion,
+		ResourceType: arnResourceTypeRole,
+		ResourceID:   resourceID,
+	}, nil
+}
+
+// String - returns string representation of the ARN.
+func (arn ARN) String() string {
+	return strings.Join(
+		[]string{
+			"arn",
+			string(arn.Partition),
+			string(arn.Service),
+			arn.Region,
+			"", // account-id is always empty in this implementation
+			string(arn.ResourceType) + "/" + arn.ResourceID,
+		},
+		":",
+	)
+}
+
+// Parse - parses an ARN string into a type.
+func Parse(arnStr string) (arn ARN, err error) {
+	ps := strings.Split(arnStr, ":")
+	if len(ps) != 6 ||
+		ps[0] != "arn" {
+		err = fmt.Errorf("Invalid ARN string format")
+		return
+	}
+
+	if ps[1] != string(arnPartitionMinio) {
+		err = fmt.Errorf("Invalid ARN - bad partition field")
+		return
+	}
+
+	if ps[2] != string(arnServiceIAM) {
+		err = fmt.Errorf("Invalid ARN - bad service field")
+		return
+	}
+
+	// ps[3] is region and is not validated here. If the region is invalid,
+	// the ARN would not match any configured ARNs in the server.
+
+	if ps[4] != "" {
+		err = fmt.Errorf("Invalid ARN - unsupported account-id field")
+		return
+	}
+
+	res := strings.SplitN(ps[5], "/", 2)
+	if len(res) != 2 {
+		err = fmt.Errorf("Invalid ARN - resource does not contain a \"/\"")
+		return
+	}
+
+	if res[0] != string(arnResourceTypeRole) {
+		err = fmt.Errorf("Invalid ARN: resource type is invalid.")
+		return
+	}
+
+	if !validResourceIDRegex.MatchString(res[1]) {
+		err = fmt.Errorf("Invalid resource ID: %s", res[1])
+		return
+	}
+
+	arn = ARN{
+		Partition:    arnPartitionMinio,
+		Service:      arnServiceIAM,
+		Region:       ps[3],
+		ResourceType: arnResourceTypeRole,
+		ResourceID:   res[1],
+	}
+	return
+}

internal/config/identity/openid/help.go

@@ -50,6 +50,12 @@ var (
 			Optional:    true,
 			Type:        "on|off",
 		},
+		config.HelpKV{
+			Key:         RolePolicy,
+			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"`,
+			Optional:    true,
+			Type:        "string",
+		},
 		config.HelpKV{
 			Key:         Scopes,
 			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
@@ -98,5 +104,17 @@ var (
 			Optional:    true,
 			Type:        "sentence",
 		},
+		config.HelpKV{
+			Key:         ClaimPrefix,
+			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
+			Optional:    true,
+			Type:        "string",
+		},
+		config.HelpKV{
+			Key:         RedirectURI,
+			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
+			Optional:    true,
+			Type:        "string",
+		},
 	}
 )

internal/config/identity/openid/jwt.go

@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -30,6 +31,7 @@ import (
 	"time"
 
 	jwtgo "github.com/golang-jwt/jwt/v4"
+	"github.com/minio/minio/internal/arn"
 	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
 	"github.com/minio/minio/internal/config/identity/openid/provider"
@@ -56,7 +58,9 @@ type Config struct {
 	DiscoveryDoc       DiscoveryDoc
 	ClientID           string
 	ClientSecret       string
+	RolePolicy         string
 
+	roleArn     arn.ARN
 	provider    provider.Provider
 	publicKeys  map[string]crypto.PublicKey
 	transport   *http.Transport
@@ -167,6 +171,12 @@ func (r Config) ProviderEnabled() bool {
 	return r.Enabled && r.provider != nil
 }
 
+// GetRoleInfo - returns role ARN and policy if present, otherwise returns false
+// boolean.
+func (r Config) GetRoleInfo() (arn.ARN, string, bool) {
+	return r.roleArn, r.RolePolicy, r.RolePolicy != ""
+}
+
 // InitializeKeycloakProvider - initializes keycloak provider
 func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error {
 	var err error
@@ -366,6 +376,7 @@ const (
 	ClaimPrefix   = "claim_prefix"
 	ClientID      = "client_id"
 	ClientSecret  = "client_secret"
+	RolePolicy    = "role_policy"
 
 	Vendor             = "vendor"
 	Scopes             = "scopes"
@@ -383,6 +394,7 @@ const (
 	EnvIdentityOpenIDClaimName          = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
 	EnvIdentityOpenIDClaimUserInfo      = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
 	EnvIdentityOpenIDClaimPrefix        = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
+	EnvIdentityOpenIDRolePolicy         = "MINIO_IDENTITY_OPENID_ROLE_POLICY"
 	EnvIdentityOpenIDRedirectURI        = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
 	EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
 	EnvIdentityOpenIDScopes             = "MINIO_IDENTITY_OPENID_SCOPES"
@@ -458,6 +470,10 @@ var (
 			Key:   ClaimUserinfo,
 			Value: "",
 		},
+		config.KV{
+			Key:   RolePolicy,
+			Value: "",
+		},
 		config.KV{
 			Key:   ClaimPrefix,
 			Value: "",
@@ -483,7 +499,7 @@ func Enabled(kvs config.KVS) bool {
 }
 
 // LookupConfig lookup jwks from config, override with any ENVs.
-func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error) {
+func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error) {
 	// remove this since we have removed this already.
 	kvs.Delete(JwksURL)
 
@@ -501,16 +517,19 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
 		publicKeys:         make(map[string]crypto.PublicKey),
 		ClientID:           env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)),
 		ClientSecret:       env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)),
+		RolePolicy:         env.Get(EnvIdentityOpenIDRolePolicy, kvs.Get(RolePolicy)),
 		transport:          transport,
 		closeRespFn:        closeRespFn,
 	}
 
 	configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL))
+	var configURLDomain string
 	if configURL != "" {
 		c.URL, err = xnet.ParseHTTPURL(configURL)
 		if err != nil {
 			return c, err
 		}
+		configURLDomain, _, _ = net.SplitHostPort(c.URL.Host)
 		c.DiscoveryDoc, err = parseDiscoveryDoc(c.URL, transport, closeRespFn)
 		if err != nil {
 			return c, err
@@ -534,8 +553,38 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
 		c.DiscoveryDoc.ScopesSupported = scopes
 	}
 
-	if c.ClaimName == "" {
-		c.ClaimName = iampolicy.PolicyName
+	// Check if claim name is the non-default value and role policy is set.
+	if c.ClaimName != iampolicy.PolicyName && c.RolePolicy != "" {
+		// In the unlikely event that the user specifies
+		// `iampolicy.PolicyName` as the claim name explicitly and sets
+		// a role policy, this check is thwarted, but we will be using
+		// the role policy anyway.
+		return c, config.Errorf("Role Policy and Claim Name cannot both be set.")
+	}
+
+	if c.RolePolicy != "" {
+		// RolePolicy is valided by IAM System during its
+		// initialization.
+
+		// Generate role ARN as combination of provider domain and
+		// prefix of client ID.
+		domain := configURLDomain
+		if domain == "" {
+			// Attempt to parse the JWKs URI.
+			domain, _, _ = net.SplitHostPort(c.JWKS.URL.Host)
+			if domain == "" {
+				return c, config.Errorf("unable to generate a domain from the OpenID config.")
+			}
+		}
+		clientIDFragment := c.ClientID[:8]
+		if clientIDFragment == "" {
+			return c, config.Errorf("unable to get a non-empty clientID fragment from the OpenID config.")
+		}
+		resourceID := domain + "_" + clientIDFragment
+		c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
+		if err != nil {
+			return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)
+		}
 	}
 
 	jwksURL := c.DiscoveryDoc.JwksURI