Add new API endpoint to revoke STS tokens (#21072)

cmd/sts-handlers_test.go

@@ -46,6 +46,7 @@ func runAllIAMSTSTests(suite *TestSuiteIAM, c *check) {
 	suite.TestSTSWithTags(c)
 	suite.TestSTSServiceAccountsWithUsername(c)
 	suite.TestSTSWithGroupPolicy(c)
+	suite.TestSTSTokenRevoke(c)
 	suite.TearDownSuite(c)
 }
 
@@ -657,6 +658,129 @@ func (s *TestSuiteIAM) TestSTSForRoot(c *check) {
 	}
 }
 
+// TestSTSTokenRevoke - tests the token revoke API
+func (s *TestSuiteIAM) TestSTSTokenRevoke(c *check) {
+	ctx, cancel := context.WithTimeout(context.Background(), 100*testDefaultTimeout)
+	defer cancel()
+
+	bucket := getRandomBucketName()
+	err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
+	if err != nil {
+		c.Fatalf("bucket create error: %v", err)
+	}
+
+	// Create policy, user and associate policy
+	policy := "mypolicy"
+	policyBytes := []byte(fmt.Sprintf(`{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:PutObject",
+    "s3:GetObject",
+    "s3:ListBucket"
+   ],
+   "Resource": [
+    "arn:aws:s3:::%s/*"
+   ]
+  }
+ ]
+}`, bucket))
+	err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)
+	if err != nil {
+		c.Fatalf("policy add error: %v", err)
+	}
+
+	accessKey, secretKey := mustGenerateCredentials(c)
+	err = s.adm.SetUser(ctx, accessKey, secretKey, madmin.AccountEnabled)
+	if err != nil {
+		c.Fatalf("Unable to set user: %v", err)
+	}
+
+	_, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{
+		Policies: []string{policy},
+		User:     accessKey,
+	})
+	if err != nil {
+		c.Fatalf("Unable to attach policy: %v", err)
+	}
+
+	cases := []struct {
+		tokenType  string
+		fullRevoke bool
+		selfRevoke bool
+	}{
+		{"", true, false},        // Case 1
+		{"", true, true},         // Case 2
+		{"type-1", false, false}, // Case 3
+		{"type-2", false, true},  // Case 4
+		{"type-2", true, true},   // Case 5 - repeat type 2 to ensure previous revoke does not affect it.
+	}
+
+	for i, tc := range cases {
+		// Create STS user.
+		assumeRole := cr.STSAssumeRole{
+			Client:      s.TestSuiteCommon.client,
+			STSEndpoint: s.endPoint,
+			Options: cr.STSAssumeRoleOptions{
+				AccessKey:       accessKey,
+				SecretKey:       secretKey,
+				TokenRevokeType: tc.tokenType,
+			},
+		}
+
+		value, err := assumeRole.Retrieve()
+		if err != nil {
+			c.Fatalf("err calling assumeRole: %v", err)
+		}
+
+		minioClient, err := minio.New(s.endpoint, &minio.Options{
+			Creds:     cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+			Secure:    s.secure,
+			Transport: s.TestSuiteCommon.client.Transport,
+		})
+		if err != nil {
+			c.Fatalf("Error initializing client: %v", err)
+		}
+
+		// Validate that the client from sts creds can access the bucket.
+		c.mustListObjects(ctx, minioClient, bucket)
+
+		// Set up revocation
+		user := accessKey
+		tokenType := tc.tokenType
+		reqAdmClient := s.adm
+		if tc.fullRevoke {
+			tokenType = ""
+		}
+		if tc.selfRevoke {
+			user = ""
+			tokenType = ""
+			reqAdmClient, err = madmin.NewWithOptions(s.endpoint, &madmin.Options{
+				Creds:  cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
+				Secure: s.secure,
+			})
+			if err != nil {
+				c.Fatalf("Err creating user admin client: %v", err)
+			}
+			reqAdmClient.SetCustomTransport(s.TestSuiteCommon.client.Transport)
+		}
+
+		err = reqAdmClient.RevokeTokens(ctx, madmin.RevokeTokensReq{
+			User:            user,
+			TokenRevokeType: tokenType,
+			FullRevoke:      tc.fullRevoke,
+		})
+		if err != nil {
+			c.Fatalf("Case %d: unexpected error: %v", i+1, err)
+		}
+
+		// Validate that the client cannot access the bucket after revocation.
+		c.mustNotListObjects(ctx, minioClient, bucket)
+	}
+}
+
 // SetUpLDAP - expects to setup an LDAP test server using the test LDAP
 // container and canned data from https://github.com/minio/minio-ldap-testing
 func (s *TestSuiteIAM) SetUpLDAP(c *check, serverAddr string) {