Introduce STS client grants API and OPA policy integration (#6168)

This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2025-11-07 12:52:58 -05:00 · 2018-10-09 14:00:01 -07:00
parent 16a100b597
commit 54ae364def
76 changed files with 7249 additions and 713 deletions
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -84,57 +84,127 @@ func authenticateURL(accessKey, secretKey string) (string, error) {
 	return authenticateJWT(accessKey, secretKey, defaultURLJWTExpiry)
 }

-func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
+func stsTokenCallback(jwtToken *jwtgo.Token) (interface{}, error) {
 	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
 		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
 	}

-	return []byte(globalServerConfig.GetCredential().SecretKey), nil
+	if err := jwtToken.Claims.Valid(); err != nil {
+		return nil, errAuthentication
+	}
+	if claims, ok := jwtToken.Claims.(jwtgo.MapClaims); ok {
+		accessKey, ok := claims["accessKey"].(string)
+		if !ok {
+			return nil, errInvalidAccessKeyID
+		}
+		if accessKey == globalServerConfig.GetCredential().AccessKey {
+			return []byte(globalServerConfig.GetCredential().SecretKey), nil
+		}
+		if globalIAMSys == nil {
+			return nil, errInvalidAccessKeyID
+		}
+		_, ok = globalIAMSys.GetUser(accessKey)
+		if !ok {
+			return nil, errInvalidAccessKeyID
+		}
+		return []byte(globalServerConfig.GetCredential().SecretKey), nil
+	}
+	return nil, errAuthentication
 }

-func isAuthTokenValid(tokenString string) bool {
-	if tokenString == "" {
-		return false
+// Callback function used for parsing
+func webTokenCallback(jwtToken *jwtgo.Token) (interface{}, error) {
+	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
+		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
 	}
-	var claims jwtgo.StandardClaims
-	jwtToken, err := jwtgo.ParseWithClaims(tokenString, &claims, keyFuncCallback)
+
+	if err := jwtToken.Claims.Valid(); err != nil {
+		return nil, errAuthentication
+	}
+
+	if claims, ok := jwtToken.Claims.(*jwtgo.StandardClaims); ok {
+		if claims.Subject == globalServerConfig.GetCredential().AccessKey {
+			return []byte(globalServerConfig.GetCredential().SecretKey), nil
+		}
+		if globalIAMSys == nil {
+			return nil, errInvalidAccessKeyID
+		}
+		cred, ok := globalIAMSys.GetUser(claims.Subject)
+		if !ok {
+			return nil, errInvalidAccessKeyID
+		}
+		return []byte(cred.SecretKey), nil
+	}
+
+	return nil, errAuthentication
+}
+
+func parseJWTWithClaims(tokenString string, claims jwtgo.Claims) (*jwtgo.Token, error) {
+	p := &jwtgo.Parser{
+		SkipClaimsValidation: true,
+	}
+	jwtToken, err := p.ParseWithClaims(tokenString, claims, webTokenCallback)
 	if err != nil {
-		logger.LogIf(context.Background(), err)
-		return false
+		switch e := err.(type) {
+		case *jwtgo.ValidationError:
+			if e.Inner == nil {
+				return nil, errAuthentication
+			}
+			return nil, e.Inner
+		}
+		return nil, errAuthentication
 	}
-	if err = claims.Valid(); err != nil {
-		logger.LogIf(context.Background(), err)
-		return false
+	return jwtToken, nil
+}
+
+func isAuthTokenValid(token string) bool {
+	_, _, err := webTokenAuthenticate(token)
+	return err == nil
+}
+
+func webTokenAuthenticate(token string) (jwtgo.StandardClaims, bool, error) {
+	var claims = jwtgo.StandardClaims{}
+	if token == "" {
+		return claims, false, errNoAuthToken
 	}
-	return jwtToken.Valid && claims.Subject == globalServerConfig.GetCredential().AccessKey
+
+	jwtToken, err := parseJWTWithClaims(token, &claims)
+	if err != nil {
+		return claims, false, err
+	}
+	if !jwtToken.Valid {
+		return claims, false, errAuthentication
+	}
+	owner := claims.Subject == globalServerConfig.GetCredential().AccessKey
+	return claims, owner, nil
 }

 func isHTTPRequestValid(req *http.Request) bool {
-	return webRequestAuthenticate(req) == nil
+	_, _, err := webRequestAuthenticate(req)
+	return err == nil
 }

 // Check if the request is authenticated.
 // Returns nil if the request is authenticated. errNoAuthToken if token missing.
 // Returns errAuthentication for all other errors.
-func webRequestAuthenticate(req *http.Request) error {
-	var claims jwtgo.StandardClaims
-	jwtToken, err := jwtreq.ParseFromRequestWithClaims(req, jwtreq.AuthorizationHeaderExtractor, &claims, keyFuncCallback)
+func webRequestAuthenticate(req *http.Request) (jwtgo.StandardClaims, bool, error) {
+	var claims = jwtgo.StandardClaims{}
+	tokStr, err := jwtreq.AuthorizationHeaderExtractor.ExtractToken(req)
 	if err != nil {
 		if err == jwtreq.ErrNoTokenInRequest {
-			return errNoAuthToken
+			return claims, false, errNoAuthToken
 		}
-		return errAuthentication
+		return claims, false, err
 	}
-	if err = claims.Valid(); err != nil {
-		return errAuthentication
-	}
-	if claims.Subject != globalServerConfig.GetCredential().AccessKey {
-		return errInvalidAccessKeyID
+	jwtToken, err := parseJWTWithClaims(tokStr, &claims)
+	if err != nil {
+		return claims, false, err
 	}
 	if !jwtToken.Valid {
-		return errAuthentication
+		return claims, false, errAuthentication
 	}
-	return nil
+	owner := claims.Subject == globalServerConfig.GetCredential().AccessKey
+	return claims, owner, nil
 }

 func newAuthToken() string {