Add new API endpoint to revoke STS tokens (#21072)

2025-04-05 20:30:32 -04:00 · 2025-03-31 14:51:24 -04:00 · 2025-03-31 14:51:24 -04:00 · 53d40e41bc
commit 53d40e41bc
parent e88d494775
11 changed files with 555 additions and 205 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -1990,6 +1990,84 @@ func (a adminAPIHandlers) AttachDetachPolicyBuiltin(w http.ResponseWriter, r *ht
 	writeSuccessResponseJSON(w, encryptedData)
 }

+// RevokeTokens - POST /minio/admin/v3/revoke-tokens/{userProvider}
+func (a adminAPIHandlers) RevokeTokens(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	// Get current object layer instance.
+	objectAPI := newObjectLayerFn()
+	if objectAPI == nil || globalNotificationSys == nil {
+		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
+		return
+	}
+
+	cred, owner, s3Err := validateAdminSignature(ctx, r, "")
+	if s3Err != ErrNone {
+		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
+		return
+	}
+
+	userProvider := mux.Vars(r)["userProvider"]
+
+	user := r.Form.Get("user")
+	tokenRevokeType := r.Form.Get("tokenRevokeType")
+	fullRevoke := r.Form.Get("fullRevoke") == "true"
+	isTokenSelfRevoke := user == ""
+	if !isTokenSelfRevoke {
+		var err error
+		user, err = getUserWithProvider(ctx, userProvider, user, false)
+		if err != nil {
+			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+			return
+		}
+	}
+
+	if (user != "" && tokenRevokeType == "" && !fullRevoke) || (tokenRevokeType != "" && fullRevoke) {
+		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
+		return
+	}
+
+	adminPrivilege := globalIAMSys.IsAllowed(policy.Args{
+		AccountName:     cred.AccessKey,
+		Groups:          cred.Groups,
+		Action:          policy.RemoveServiceAccountAdminAction,
+		ConditionValues: getConditionValues(r, "", cred),
+		IsOwner:         owner,
+		Claims:          cred.Claims,
+	})
+
+	if !adminPrivilege || isTokenSelfRevoke {
+		parentUser := cred.AccessKey
+		if cred.ParentUser != "" {
+			parentUser = cred.ParentUser
+		}
+		if !isTokenSelfRevoke && user != parentUser {
+			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
+			return
+		}
+		user = parentUser
+	}
+
+	// Infer token revoke type from the request if requestor is STS.
+	if isTokenSelfRevoke && tokenRevokeType == "" && !fullRevoke {
+		if cred.IsTemp() {
+			tokenRevokeType, _ = cred.Claims[tokenRevokeTypeClaim].(string)
+		}
+		if tokenRevokeType == "" {
+			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNoTokenRevokeType), r.URL)
+			return
+		}
+	}
+
+	err := globalIAMSys.RevokeTokens(ctx, user, tokenRevokeType)
+	if err != nil {
+		writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+		return
+	}
+
+	writeSuccessNoContent(w)
+}
+
 const (
 	allPoliciesFile           = "policies.json"
 	allUsersFile              = "users.json"
--- a/cmd/admin-router.go
+++ b/cmd/admin-router.go
@ -424,6 +424,9 @@ func registerAdminRouter(router *mux.Router, enableConfigOps bool) {
 		// -- Health API --
 		adminRouter.Methods(http.MethodGet).Path(adminVersion + "/healthinfo").
 			HandlerFunc(adminMiddleware(adminAPI.HealthInfoHandler))
+
+		// STS Revocation
+		adminRouter.Methods(http.MethodPost).Path(adminVersion + "/revoke-tokens/{userProvider}").HandlerFunc(adminMiddleware(adminAPI.RevokeTokens))
 	}

 	// If none of the routes match add default error handler routes
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@ -214,6 +214,7 @@ const (
 	ErrPolicyNotAttached
 	ErrExcessData
 	ErrPolicyInvalidName
+	ErrNoTokenRevokeType
 	// Add new error codes here.

 	// SSE-S3/SSE-KMS related API errors
@ -1264,6 +1265,11 @@ var errorCodes = errorCodeMap{
 		Description:    "The security token included in the request is invalid",
 		HTTPStatusCode: http.StatusForbidden,
 	},
+	ErrNoTokenRevokeType: {
+		Code:           "InvalidArgument",
+		Description:    "No token revoke type specified and one could not be inferred from the request",
+		HTTPStatusCode: http.StatusBadRequest,
+	},

 	// S3 extensions.
 	ErrContentSHA256Mismatch: {
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@ -2032,6 +2032,50 @@ func (store *IAMStoreSys) SetTempUser(ctx context.Context, accessKey string, cre
 	return u.UpdatedAt, nil
 }

+// RevokeTokens - revokes all temporary credentials, or those with matching type,
+// associated with the parent user.
+func (store *IAMStoreSys) RevokeTokens(ctx context.Context, parentUser string, tokenRevokeType string) error {
+	if parentUser == "" {
+		return errInvalidArgument
+	}
+
+	cache := store.lock()
+	defer store.unlock()
+
+	secret, err := getTokenSigningKey()
+	if err != nil {
+		return err
+	}
+
+	var revoked bool
+	for _, ui := range cache.iamSTSAccountsMap {
+		if ui.Credentials.ParentUser != parentUser {
+			continue
+		}
+		if tokenRevokeType != "" {
+			claims, err := getClaimsFromTokenWithSecret(ui.Credentials.SessionToken, secret)
+			if err != nil {
+				continue // skip if token is invalid
+			}
+			// skip if token type is given and does not match
+			if v, _ := claims.Lookup(tokenRevokeTypeClaim); v != tokenRevokeType {
+				continue
+			}
+		}
+		if err := store.deleteUserIdentity(ctx, ui.Credentials.AccessKey, stsUser); err != nil {
+			return err
+		}
+		delete(cache.iamSTSAccountsMap, ui.Credentials.AccessKey)
+		revoked = true
+	}
+
+	if revoked {
+		cache.updatedAt = time.Now()
+	}
+
+	return nil
+}
+
 // DeleteUsers - given a set of users or access keys, deletes them along with
 // any derived credentials (STS or service accounts) and any associated policy
 // mappings.
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -662,6 +662,16 @@ func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p policy.Po
 	return updatedAt, nil
 }

+// RevokeTokens - revokes all STS tokens, or those of specified type, for a user
+// If `tokenRevokeType` is empty, all tokens are revoked.
+func (sys *IAMSys) RevokeTokens(ctx context.Context, accessKey, tokenRevokeType string) error {
+	if !sys.Initialized() {
+		return errServerNotInitialized
+	}
+
+	return sys.store.RevokeTokens(ctx, accessKey, tokenRevokeType)
+}
+
 // DeleteUser - delete user (only for long-term users not STS users).
 func (sys *IAMSys) DeleteUser(ctx context.Context, accessKey string, notifyPeers bool) error {
 	if !sys.Initialized() {
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -55,6 +55,7 @@ const (
 	stsDurationSeconds        = "DurationSeconds"
 	stsLDAPUsername           = "LDAPUsername"
 	stsLDAPPassword           = "LDAPPassword"
+	stsRevokeTokenType        = "TokenRevokeType"

 	// STS API action constants
 	clientGrants        = "AssumeRoleWithClientGrants"
@ -85,6 +86,9 @@ const (
 	// Role Claim key
 	roleArnClaim = "roleArn"

+	// STS revoke type claim key
+	tokenRevokeTypeClaim = "tokenRevokeType"
+
 	// maximum supported STS session policy size
 	maxSTSSessionPolicySize = 2048
 )
@ -307,6 +311,11 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	claims[expClaim] = UTCNow().Add(duration).Unix()
 	claims[parentClaim] = user.AccessKey

+	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
+	if tokenRevokeType != "" {
+		claims[tokenRevokeTypeClaim] = tokenRevokeType
+	}
+
 	// Validate that user.AccessKey's policies can be retrieved - it may not
 	// be in case the user is disabled.
 	if _, err = globalIAMSys.PolicyDBGet(user.AccessKey, user.Groups...); err != nil {
@ -471,6 +480,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 		claims[iamPolicyClaimNameOpenID()] = policyName
 	}

+	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
+	if tokenRevokeType != "" {
+		claims[tokenRevokeTypeClaim] = tokenRevokeType
+	}
+
 	if err := claims.populateSessionPolicy(r.Form); err != nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
 		return
@ -691,6 +705,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	for attrib, value := range lookupResult.Attributes {
 		claims[ldapAttribPrefix+attrib] = value
 	}
+	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
+	if tokenRevokeType != "" {
+		claims[tokenRevokeTypeClaim] = tokenRevokeType
+	}

 	secret, err := getTokenSigningKey()
 	if err != nil {
@ -887,6 +905,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 	claims[audClaim] = certificate.Subject.Organization
 	claims[issClaim] = certificate.Issuer.CommonName
 	claims[parentClaim] = parentUser
+	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
+	if tokenRevokeType != "" {
+		claims[tokenRevokeTypeClaim] = tokenRevokeType
+	}
+
 	secretKey, err := getTokenSigningKey()
 	if err != nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err)
@ -1012,6 +1035,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 	claims[subClaim] = parentUser
 	claims[roleArnClaim] = roleArn.String()
 	claims[parentClaim] = parentUser
+	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
+	if tokenRevokeType != "" {
+		claims[tokenRevokeTypeClaim] = tokenRevokeType
+	}

 	// Add all other claims from the plugin **without** replacing any
 	// existing claims.
--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@ -46,6 +46,7 @@ func runAllIAMSTSTests(suite *TestSuiteIAM, c *check) {
 	suite.TestSTSWithTags(c)
 	suite.TestSTSServiceAccountsWithUsername(c)
 	suite.TestSTSWithGroupPolicy(c)
+	suite.TestSTSTokenRevoke(c)
 	suite.TearDownSuite(c)
 }

@ -657,6 +658,129 @@ func (s *TestSuiteIAM) TestSTSForRoot(c *check) {
 	}
 }

+// TestSTSTokenRevoke - tests the token revoke API
+func (s *TestSuiteIAM) TestSTSTokenRevoke(c *check) {
+	ctx, cancel := context.WithTimeout(context.Background(), 100*testDefaultTimeout)
+	defer cancel()
+
+	bucket := getRandomBucketName()
+	err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
+	if err != nil {
+		c.Fatalf("bucket create error: %v", err)
+	}
+
+	// Create policy, user and associate policy
+	policy := "mypolicy"
+	policyBytes := []byte(fmt.Sprintf(`{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:PutObject",
+    "s3:GetObject",
+    "s3:ListBucket"
+   ],
+   "Resource": [
+    "arn:aws:s3:::%s/*"
+   ]
+  }
+ ]
+}`, bucket))
+	err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)
+	if err != nil {
+		c.Fatalf("policy add error: %v", err)
+	}
+
+	accessKey, secretKey := mustGenerateCredentials(c)
+	err = s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
+	if err != nil {
+		c.Fatalf("Unable to set user: %v", err)
+	}
+
+	_, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
+		Policies: []string{policy},
+		User:     accessKey,
+	})
+	if err != nil {
+		c.Fatalf("Unable to attach policy: %v", err)
+	}
+
+	cases := []struct {
+		tokenType  string
+		fullRevoke bool
+		selfRevoke bool
+	}{
+		{"", true, false},        // Case 1
+		{"", true, true},         // Case 2
+		{"type-1", false, false}, // Case 3
+		{"type-2", false, true},  // Case 4
+		{"type-2", true, true},   // Case 5 - repeat type 2 to ensure previous revoke does not affect it.
+	}
+
+	for i, tc := range cases {
+		// Create STS user.
+		assumeRole := cr.STSAssumeRole{
+			Client:      s.TestSuiteCommon.client,
+			STSEndpoint: s.endPoint,
+			Options: cr.STSAssumeRoleOptions{
+				AccessKey:       accessKey,
+				SecretKey:       secretKey,
+				TokenRevokeType: tc.tokenType,
+			},
+		}
+
+		value, err := assumeRole.Retrieve()
+		if err != nil {
+			c.Fatalf("err calling assumeRole: %v", err)
+		}
+
+		minioClient, err := minio.New(s.endpoint, &minio.Options{
+			Creds:     cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+			Secure:    s.secure,
+			Transport: s.TestSuiteCommon.client.Transport,
+		})
+		if err != nil {
+			c.Fatalf("Error initializing client: %v", err)
+		}
+
+		// Validate that the client from sts creds can access the bucket.
+		c.mustListObjects(ctx, minioClient, bucket)
+
+		// Set up revocation
+		user := accessKey
+		tokenType := tc.tokenType
+		reqAdmClient := s.adm
+		if tc.fullRevoke {
+			tokenType = ""
+		}
+		if tc.selfRevoke {
+			user = ""
+			tokenType = ""
+			reqAdmClient, err = madmin.NewWithOptions(s.endpoint, &madmin.Options{
+				Creds:  cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+				Secure: s.secure,
+			})
+			if err != nil {
+				c.Fatalf("Err creating user admin client: %v", err)
+			}
+			reqAdmClient.SetCustomTransport(s.TestSuiteCommon.client.Transport)
+		}
+
+		err = reqAdmClient.RevokeTokens(ctx, madmin.RevokeTokensReq{
+			User:            user,
+			TokenRevokeType: tokenType,
+			FullRevoke:      tc.fullRevoke,
+		})
+		if err != nil {
+			c.Fatalf("Case %d: unexpected error: %v", i+1, err)
+		}
+
+		// Validate that the client cannot access the bucket after revocation.
+		c.mustNotListObjects(ctx, minioClient, bucket)
+	}
+}
+
 // SetUpLDAP - expects to setup an LDAP test server using the test LDAP
 // container and canned data from https://github.com/minio/minio-ldap-testing
 func (s *TestSuiteIAM) SetUpLDAP(c *check, serverAddr string) {
--- a/cmd/user-provider-utils.go
+++ b/cmd/user-provider-utils.go
@ -0,0 +1,57 @@
+// Copyright (c) 2015-2023 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"context"
+
+	"github.com/minio/madmin-go/v3"
+)
+
+// getUserWithProvider - returns the appropriate internal username based on the user provider.
+// if validate is true, an error is returned if the user does not exist.
+func getUserWithProvider(ctx context.Context, userProvider, user string, validate bool) (string, error) {
+	switch userProvider {
+	case madmin.BuiltinProvider:
+		if validate {
+			if _, ok := globalIAMSys.GetUser(ctx, user); !ok {
+				return "", errNoSuchUser
+			}
+		}
+		return user, nil
+	case madmin.LDAPProvider:
+		if globalIAMSys.GetUsersSysType() != LDAPUsersSysType {
+			return "", errIAMActionNotAllowed
+		}
+		res, err := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(user)
+		if res == nil {
+			err = errNoSuchUser
+		}
+		if err != nil {
+			if validate {
+				return "", err
+			}
+			if !globalIAMSys.LDAPConfig.ParsesAsDN(user) {
+				return "", errNoSuchUser
+			}
+		}
+		return res.NormDN, nil
+	default:
+		return "", errIAMActionNotAllowed
+	}
+}
--- a/go.mod
+++ b/go.mod
@ -51,8 +51,8 @@ require (
 	github.com/minio/highwayhash v1.0.3
 	github.com/minio/kms-go/kes v0.3.1
 	github.com/minio/kms-go/kms v0.4.0
-	github.com/minio/madmin-go/v3 v3.0.97
-	github.com/minio/minio-go/v7 v7.0.88
+	github.com/minio/madmin-go/v3 v3.0.102
+	github.com/minio/minio-go/v7 v7.0.89
 	github.com/minio/mux v1.9.2
 	github.com/minio/pkg/v3 v3.1.0
 	github.com/minio/selfupdate v0.6.0
--- a/go.sum
+++ b/go.sum
@ -436,15 +436,15 @@ github.com/minio/kms-go/kes v0.3.1 h1:K3sPFAvFbJx33XlCTUBnQo8JRmSZyDvT6T2/MQ2iC3
 github.com/minio/kms-go/kes v0.3.1/go.mod h1:Q9Ct0KUAuN9dH0hSVa0eva45Jg99cahbZpPxeqR9rOQ=
 github.com/minio/kms-go/kms v0.4.0 h1:cLPZceEp+05xHotVBaeFJrgL7JcXM4lBy6PU0idkE7I=
 github.com/minio/kms-go/kms v0.4.0/go.mod h1:q12CehiIy2qgBnDKq6Q7wmPi2PHSyRVug5DKp0HAVeE=
-github.com/minio/madmin-go/v3 v3.0.97 h1:P7XO+ofPexkXy9akxG9Xoif1zIkbmWKeKtG3AquVzEY=
-github.com/minio/madmin-go/v3 v3.0.97/go.mod h1:pMLdj9OtN0CANNs5tdm6opvOlDFfj0WhbztboZAjRWE=
+github.com/minio/madmin-go/v3 v3.0.102 h1:bqy15D6d9uQOh/3B/sLfzRtWSJgZeuKnAI5VRDhvRQw=
+github.com/minio/madmin-go/v3 v3.0.102/go.mod h1:pMLdj9OtN0CANNs5tdm6opvOlDFfj0WhbztboZAjRWE=
 github.com/minio/mc v0.0.0-20250312172924-c1d5d4cbb4ca h1:Zeu+Gbsw/yoqJofAFaU3zbIVr51j9LULUrQqKFLQnGA=
 github.com/minio/mc v0.0.0-20250312172924-c1d5d4cbb4ca/go.mod h1:h5UQZ+5Qfq6XV81E4iZSgStPZ6Hy+gMuHMkLkjq4Gys=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
 github.com/minio/minio-go/v6 v6.0.46/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
-github.com/minio/minio-go/v7 v7.0.88 h1:v8MoIJjwYxOkehp+eiLIuvXk87P2raUtoU5klrAAshs=
-github.com/minio/minio-go/v7 v7.0.88/go.mod h1:33+O8h0tO7pCeCWwBVa07RhVVfB/3vS4kEX7rwYKmIg=
+github.com/minio/minio-go/v7 v7.0.89 h1:hx4xV5wwTUfyv8LarhJAwNecnXpoTsj9v3f3q/ZkiJU=
+github.com/minio/minio-go/v7 v7.0.89/go.mod h1:2rFnGAp02p7Dddo1Fq4S2wYOfpF0MUTSeLTRC90I204=
 github.com/minio/mux v1.9.2 h1:dQchne49BUBgOlxIHjx5wVe1gl5VXF2sxd4YCXkikTw=
 github.com/minio/mux v1.9.2/go.mod h1:OuHAsZsux+e562bcO2P3Zv/P0LMo6fPQ310SmoyG7mQ=
 github.com/minio/pkg/v3 v3.1.0 h1:RoR1TMXV5y4LvKPkaB1WoeuM6CO7A+I55xYb1tzrvLQ=