Introduce STS client grants API and OPA policy integration (#6168)

This PR introduces two new features

- AWS STS compatible STS API named AssumeRoleWithClientGrants

```
POST /?Action=AssumeRoleWithClientGrants&Token=<jwt>
```

This API endpoint returns temporary access credentials, access
tokens signature types supported by this API

  - RSA keys
  - ECDSA keys

Fetches the required public key from the JWKS endpoints, provides
them as rsa or ecdsa public keys.

- External policy engine support, in this case OPA policy engine

- Credentials are stored on disks

pkg/iam/validator/jwks.go

@@ -0,0 +1,137 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+)
+
+// JWKS - https://tools.ietf.org/html/rfc7517
+type JWKS struct {
+	Keys []*JWKS `json:"keys,omitempty"`
+
+	Kty string `json:"kty"`
+	Use string `json:"use,omitempty"`
+	Kid string `json:"kid,omitempty"`
+	Alg string `json:"alg,omitempty"`
+
+	Crv string `json:"crv,omitempty"`
+	X   string `json:"x,omitempty"`
+	Y   string `json:"y,omitempty"`
+	D   string `json:"d,omitempty"`
+	N   string `json:"n,omitempty"`
+	E   string `json:"e,omitempty"`
+	K   string `json:"k,omitempty"`
+}
+
+func safeDecode(str string) ([]byte, error) {
+	lenMod4 := len(str) % 4
+	if lenMod4 > 0 {
+		str = str + strings.Repeat("=", 4-lenMod4)
+	}
+
+	return base64.URLEncoding.DecodeString(str)
+}
+
+var (
+	errMalformedJWKRSAKey = errors.New("malformed JWK RSA key")
+	errMalformedJWKECKey  = errors.New("malformed JWK EC key")
+)
+
+// DecodePublicKey - decodes JSON Web Key (JWK) as public key
+func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error) {
+	switch key.Kty {
+	case "RSA":
+		if key.N == "" || key.E == "" {
+			return nil, errMalformedJWKRSAKey
+		}
+
+		// decode exponent
+		data, err := safeDecode(key.E)
+		if err != nil {
+			return nil, errMalformedJWKRSAKey
+		}
+
+		if len(data) < 4 {
+			ndata := make([]byte, 4)
+			copy(ndata[4-len(data):], data)
+			data = ndata
+		}
+
+		pubKey := &rsa.PublicKey{
+			N: &big.Int{},
+			E: int(binary.BigEndian.Uint32(data[:])),
+		}
+
+		data, err = safeDecode(key.N)
+		if err != nil {
+			return nil, errMalformedJWKRSAKey
+		}
+		pubKey.N.SetBytes(data)
+
+		return pubKey, nil
+	case "EC":
+		if key.Crv == "" || key.X == "" || key.Y == "" {
+			return nil, errMalformedJWKECKey
+		}
+
+		var curve elliptic.Curve
+		switch key.Crv {
+		case "P-224":
+			curve = elliptic.P224()
+		case "P-256":
+			curve = elliptic.P256()
+		case "P-384":
+			curve = elliptic.P384()
+		case "P-521":
+			curve = elliptic.P521()
+		default:
+			return nil, fmt.Errorf("Unknown curve type: %s", key.Crv)
+		}
+
+		pubKey := &ecdsa.PublicKey{
+			Curve: curve,
+			X:     &big.Int{},
+			Y:     &big.Int{},
+		}
+
+		data, err := safeDecode(key.X)
+		if err != nil {
+			return nil, errMalformedJWKECKey
+		}
+		pubKey.X.SetBytes(data)
+
+		data, err = safeDecode(key.Y)
+		if err != nil {
+			return nil, errMalformedJWKECKey
+		}
+		pubKey.Y.SetBytes(data)
+
+		return pubKey, nil
+	default:
+		return nil, fmt.Errorf("Unknown JWK key type %s", key.Kty)
+	}
+}

pkg/iam/validator/jwks_test.go

@@ -0,0 +1,103 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/json"
+	"testing"
+)
+
+// A.1 - Example public keys
+func TestPublicKey(t *testing.T) {
+	const jsonkey = `{"keys":
+       [
+         {"kty":"EC",
+          "crv":"P-256",
+          "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
+          "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
+          "use":"enc",
+          "kid":"1"},
+
+         {"kty":"RSA",
+          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+          "e":"AQAB",
+          "alg":"RS256",
+          "kid":"2011-04-29"}
+       ]
+     }`
+
+	var jk JWKS
+	if err := json.Unmarshal([]byte(jsonkey), &jk); err != nil {
+		t.Fatal("Unmarshal: ", err)
+	} else if len(jk.Keys) != 2 {
+		t.Fatalf("Expected 2 keys, got %d", len(jk.Keys))
+	}
+
+	keys := make([]crypto.PublicKey, len(jk.Keys))
+	for ii, jks := range jk.Keys {
+		var err error
+		keys[ii], err = jks.DecodePublicKey()
+		if err != nil {
+			t.Fatalf("Failed to decode key %d: %v", ii, err)
+		}
+	}
+
+	if key0, ok := keys[0].(*ecdsa.PublicKey); !ok {
+		t.Fatalf("Expected ECDSA key[0], got %T", keys[0])
+	} else if key1, ok := keys[1].(*rsa.PublicKey); !ok {
+		t.Fatalf("Expected RSA key[1], got %T", keys[1])
+	} else if key0.Curve != elliptic.P256() {
+		t.Fatal("Key[0] is not using P-256 curve")
+	} else if !bytes.Equal(key0.X.Bytes(), []byte{0x30, 0xa0, 0x42, 0x4c, 0xd2,
+		0x1c, 0x29, 0x44, 0x83, 0x8a, 0x2d, 0x75, 0xc9, 0x2b, 0x37, 0xe7, 0x6e, 0xa2,
+		0xd, 0x9f, 0x0, 0x89, 0x3a, 0x3b, 0x4e, 0xee, 0x8a, 0x3c, 0xa, 0xaf, 0xec, 0x3e}) {
+		t.Fatalf("Bad key[0].X, got %v", key0.X.Bytes())
+	} else if !bytes.Equal(key0.Y.Bytes(), []byte{0xe0, 0x4b, 0x65, 0xe9, 0x24,
+		0x56, 0xd9, 0x88, 0x8b, 0x52, 0xb3, 0x79, 0xbd, 0xfb, 0xd5, 0x1e, 0xe8,
+		0x69, 0xef, 0x1f, 0xf, 0xc6, 0x5b, 0x66, 0x59, 0x69, 0x5b, 0x6c, 0xce,
+		0x8, 0x17, 0x23}) {
+		t.Fatalf("Bad key[0].Y, got %v", key0.Y.Bytes())
+	} else if key1.E != 0x10001 {
+		t.Fatalf("Bad key[1].E: %d", key1.E)
+	} else if !bytes.Equal(key1.N.Bytes(), []byte{0xd2, 0xfc, 0x7b, 0x6a, 0xa, 0x1e,
+		0x6c, 0x67, 0x10, 0x4a, 0xeb, 0x8f, 0x88, 0xb2, 0x57, 0x66, 0x9b, 0x4d, 0xf6,
+		0x79, 0xdd, 0xad, 0x9, 0x9b, 0x5c, 0x4a, 0x6c, 0xd9, 0xa8, 0x80, 0x15, 0xb5,
+		0xa1, 0x33, 0xbf, 0xb, 0x85, 0x6c, 0x78, 0x71, 0xb6, 0xdf, 0x0, 0xb, 0x55,
+		0x4f, 0xce, 0xb3, 0xc2, 0xed, 0x51, 0x2b, 0xb6, 0x8f, 0x14, 0x5c, 0x6e, 0x84,
+		0x34, 0x75, 0x2f, 0xab, 0x52, 0xa1, 0xcf, 0xc1, 0x24, 0x40, 0x8f, 0x79, 0xb5,
+		0x8a, 0x45, 0x78, 0xc1, 0x64, 0x28, 0x85, 0x57, 0x89, 0xf7, 0xa2, 0x49, 0xe3,
+		0x84, 0xcb, 0x2d, 0x9f, 0xae, 0x2d, 0x67, 0xfd, 0x96, 0xfb, 0x92, 0x6c, 0x19,
+		0x8e, 0x7, 0x73, 0x99, 0xfd, 0xc8, 0x15, 0xc0, 0xaf, 0x9, 0x7d, 0xde, 0x5a,
+		0xad, 0xef, 0xf4, 0x4d, 0xe7, 0xe, 0x82, 0x7f, 0x48, 0x78, 0x43, 0x24, 0x39,
+		0xbf, 0xee, 0xb9, 0x60, 0x68, 0xd0, 0x47, 0x4f, 0xc5, 0xd, 0x6d, 0x90, 0xbf,
+		0x3a, 0x98, 0xdf, 0xaf, 0x10, 0x40, 0xc8, 0x9c, 0x2, 0xd6, 0x92, 0xab, 0x3b,
+		0x3c, 0x28, 0x96, 0x60, 0x9d, 0x86, 0xfd, 0x73, 0xb7, 0x74, 0xce, 0x7, 0x40,
+		0x64, 0x7c, 0xee, 0xea, 0xa3, 0x10, 0xbd, 0x12, 0xf9, 0x85, 0xa8, 0xeb, 0x9f,
+		0x59, 0xfd, 0xd4, 0x26, 0xce, 0xa5, 0xb2, 0x12, 0xf, 0x4f, 0x2a, 0x34, 0xbc,
+		0xab, 0x76, 0x4b, 0x7e, 0x6c, 0x54, 0xd6, 0x84, 0x2, 0x38, 0xbc, 0xc4, 0x5, 0x87,
+		0xa5, 0x9e, 0x66, 0xed, 0x1f, 0x33, 0x89, 0x45, 0x77, 0x63, 0x5c, 0x47, 0xa,
+		0xf7, 0x5c, 0xf9, 0x2c, 0x20, 0xd1, 0xda, 0x43, 0xe1, 0xbf, 0xc4, 0x19, 0xe2,
+		0x22, 0xa6, 0xf0, 0xd0, 0xbb, 0x35, 0x8c, 0x5e, 0x38, 0xf9, 0xcb, 0x5, 0xa, 0xea,
+		0xfe, 0x90, 0x48, 0x14, 0xf1, 0xac, 0x1a, 0xa4, 0x9c, 0xca, 0x9e, 0xa0, 0xca, 0x83}) {
+		t.Fatalf("Bad key[1].N, got %v", key1.N.Bytes())
+	}
+}

pkg/iam/validator/jwt.go

@@ -0,0 +1,228 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"crypto"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	xnet "github.com/minio/minio/pkg/net"
+)
+
+// JWKSArgs - RSA authentication target arguments
+type JWKSArgs struct {
+	URL       *xnet.URL `json:"url"`
+	publicKey crypto.PublicKey
+}
+
+// Validate JWT authentication target arguments
+func (r *JWKSArgs) Validate() error {
+	return nil
+}
+
+// PopulatePublicKey - populates a new publickey from the JWKS URL.
+func (r *JWKSArgs) PopulatePublicKey() error {
+	insecureClient := &http.Client{Transport: newCustomHTTPTransport(true)}
+	client := &http.Client{Transport: newCustomHTTPTransport(false)}
+	resp, err := client.Get(r.URL.String())
+	if err != nil {
+		resp, err = insecureClient.Get(r.URL.String())
+		if err != nil {
+			return err
+		}
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(resp.Status)
+	}
+
+	var jwk JWKS
+	if err = json.NewDecoder(resp.Body).Decode(&jwk); err != nil {
+		return err
+	}
+
+	r.publicKey, err = jwk.Keys[0].DecodePublicKey()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// UnmarshalJSON - decodes JSON data.
+func (r *JWKSArgs) UnmarshalJSON(data []byte) error {
+	// subtype to avoid recursive call to UnmarshalJSON()
+	type subJWKSArgs JWKSArgs
+	var sr subJWKSArgs
+
+	// IAM related envs.
+	if jwksURL, ok := os.LookupEnv("MINIO_IAM_JWKS_URL"); ok {
+		u, err := xnet.ParseURL(jwksURL)
+		if err != nil {
+			return err
+		}
+		sr.URL = u
+	} else {
+		if err := json.Unmarshal(data, &sr); err != nil {
+			return err
+		}
+	}
+
+	ar := JWKSArgs(sr)
+	if ar.URL == nil || ar.URL.String() == "" {
+		*r = ar
+		return nil
+	}
+	if err := ar.Validate(); err != nil {
+		return err
+	}
+
+	if err := ar.PopulatePublicKey(); err != nil {
+		return err
+	}
+
+	*r = ar
+	return nil
+}
+
+// JWT - rs client grants provider details.
+type JWT struct {
+	args JWKSArgs
+}
+
+func expToInt64(expI interface{}) (expAt int64, err error) {
+	switch exp := expI.(type) {
+	case float64:
+		expAt = int64(exp)
+	case int64:
+		expAt = exp
+	case json.Number:
+		expAt, err = exp.Int64()
+		if err != nil {
+			return 0, err
+		}
+	default:
+		return 0, errors.New("invalid expiry value")
+	}
+	return expAt, nil
+}
+
+func getDefaultExpiration(dsecs string) (time.Duration, error) {
+	defaultExpiryDuration := time.Duration(60) * time.Minute // Defaults to 1hr.
+	if dsecs != "" {
+		expirySecs, err := strconv.ParseInt(dsecs, 10, 64)
+		if err != nil {
+			return 0, err
+		}
+		// The duration, in seconds, of the role session.
+		// The value can range from 900 seconds (15 minutes)
+		// to 12 hours.
+		if expirySecs < 900 || expirySecs > 43200 {
+			return 0, errors.New("out of range value for duration in seconds")
+		}
+
+		defaultExpiryDuration = time.Duration(expirySecs) * time.Second
+	}
+	return defaultExpiryDuration, nil
+}
+
+// newCustomHTTPTransport returns a new http configuration
+// used while communicating with the cloud backends.
+// This sets the value for MaxIdleConnsPerHost from 2 (go default)
+// to 100.
+func newCustomHTTPTransport(insecure bool) *http.Transport {
+	return &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).DialContext,
+		MaxIdleConns:          1024,
+		MaxIdleConnsPerHost:   1024,
+		IdleConnTimeout:       30 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: insecure},
+		DisableCompression:    true,
+	}
+}
+
+// Validate - validates the access token.
+func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error) {
+	keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
+		if _, ok := jwtToken.Method.(*jwtgo.SigningMethodRSA); !ok {
+			if _, ok = jwtToken.Method.(*jwtgo.SigningMethodECDSA); ok {
+				return p.args.publicKey, nil
+			}
+			return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
+		}
+		return p.args.publicKey, nil
+	}
+
+	var claims jwtgo.MapClaims
+	jwtToken, err := jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
+	if err != nil {
+		return nil, err
+	}
+
+	if !jwtToken.Valid {
+		return nil, fmt.Errorf("Invalid token: %v", token)
+	}
+
+	expAt, err := expToInt64(claims["exp"])
+	if err != nil {
+		return nil, err
+	}
+
+	defaultExpiryDuration, err := getDefaultExpiration(dsecs)
+	if err != nil {
+		return nil, err
+	}
+
+	if time.Unix(expAt, 0).UTC().Sub(time.Now().UTC()) < defaultExpiryDuration {
+		defaultExpiryDuration = time.Unix(expAt, 0).UTC().Sub(time.Now().UTC())
+	}
+
+	expiry := time.Now().UTC().Add(defaultExpiryDuration).Unix()
+	if expAt < expiry {
+		claims["exp"] = strconv.FormatInt(expAt, 64)
+	}
+
+	return claims, nil
+
+}
+
+// ID returns the provider name and authentication type.
+func (p *JWT) ID() ID {
+	return "jwt"
+}
+
+// NewJWT - initialize new jwt authenticator.
+func NewJWT(args JWKSArgs) *JWT {
+	return &JWT{
+		args: args,
+	}
+}

pkg/iam/validator/jwt_test.go

@@ -0,0 +1,120 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"crypto"
+	"encoding/json"
+	"net/url"
+	"testing"
+	"time"
+
+	xnet "github.com/minio/minio/pkg/net"
+)
+
+func TestJWT(t *testing.T) {
+	const jsonkey = `{"keys":
+       [
+         {"kty":"RSA",
+          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+          "e":"AQAB",
+          "alg":"RS256",
+          "kid":"2011-04-29"}
+       ]
+     }`
+
+	var jk JWKS
+	if err := json.Unmarshal([]byte(jsonkey), &jk); err != nil {
+		t.Fatal("Unmarshal: ", err)
+	} else if len(jk.Keys) != 1 {
+		t.Fatalf("Expected 1 keys, got %d", len(jk.Keys))
+	}
+
+	keys := make([]crypto.PublicKey, len(jk.Keys))
+	for ii, jks := range jk.Keys {
+		var err error
+		keys[ii], err = jks.DecodePublicKey()
+		if err != nil {
+			t.Fatalf("Failed to decode key %d: %v", ii, err)
+		}
+	}
+
+	u1, err := xnet.ParseURL("http://localhost:8443")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	jwt := NewJWT(JWKSArgs{
+		URL:       u1,
+		publicKey: keys[0],
+	})
+	if jwt.ID() != "jwt" {
+		t.Fatalf("Uexpected id %s for the validator", jwt.ID())
+	}
+
+	u, err := url.Parse("http://localhost:8443/?Token=invalid")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := jwt.Validate(u.Query().Get("Token"), ""); err == nil {
+		t.Fatal(err)
+	}
+}
+
+func TestDefaultExpiryDuration(t *testing.T) {
+	testCases := []struct {
+		reqURL    string
+		duration  time.Duration
+		expectErr bool
+	}{
+		{
+			reqURL:   "http://localhost:8443/?Token=xxxxx",
+			duration: time.Duration(60) * time.Minute,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=9s",
+			expectErr: true,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=43201",
+			expectErr: true,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=800",
+			expectErr: true,
+		},
+		{
+			reqURL:   "http://localhost:8443/?DurationSeconds=901",
+			duration: time.Duration(901) * time.Second,
+		},
+	}
+
+	for i, testCase := range testCases {
+		u, err := url.Parse(testCase.reqURL)
+		if err != nil {
+			t.Fatal(err)
+		}
+		d, err := getDefaultExpiration(u.Query().Get("DurationSeconds"))
+		gotErr := (err != nil)
+		if testCase.expectErr != gotErr {
+			t.Errorf("Test %d: Expected %v, got %v with error %s", i+1, testCase.expectErr, gotErr, err)
+		}
+		if d != testCase.duration {
+			t.Errorf("Test %d: Expected duration %d, got %d", i+1, testCase.duration, d)
+		}
+	}
+}

pkg/iam/validator/validators.go

@@ -0,0 +1,92 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+)
+
+// ID - holds identification name authentication validator target.
+type ID string
+
+// Validator interface describes basic implementation
+// requirements of various authentication providers.
+type Validator interface {
+	// Validate is a custom validator function for this provider,
+	// each validation is authenticationType or provider specific.
+	Validate(token string, duration string) (map[string]interface{}, error)
+
+	// ID returns provider name of this provider.
+	ID() ID
+}
+
+// ErrTokenExpired - error token expired
+var (
+	ErrTokenExpired    = errors.New("token expired")
+	ErrInvalidDuration = errors.New("duration higher than token expiry")
+)
+
+// Validators - holds list of providers indexed by provider id.
+type Validators struct {
+	sync.RWMutex
+	providers map[ID]Validator
+}
+
+// Add - adds unique provider to provider list.
+func (list *Validators) Add(provider Validator) error {
+	list.Lock()
+	defer list.Unlock()
+
+	if _, ok := list.providers[provider.ID()]; ok {
+		return fmt.Errorf("provider %v already exists", provider.ID())
+	}
+
+	list.providers[provider.ID()] = provider
+	return nil
+}
+
+// List - returns available provider IDs.
+func (list *Validators) List() []ID {
+	list.RLock()
+	defer list.RUnlock()
+
+	keys := []ID{}
+	for k := range list.providers {
+		keys = append(keys, k)
+	}
+
+	return keys
+}
+
+// Get - returns the provider for the given providerID, if not found
+// returns an error.
+func (list *Validators) Get(id ID) (p Validator, err error) {
+	list.RLock()
+	defer list.RUnlock()
+	var ok bool
+	if p, ok = list.providers[id]; !ok {
+		return nil, fmt.Errorf("provider %v doesn't exist", id)
+	}
+	return p, nil
+}
+
+// NewValidators - creates Validators.
+func NewValidators() *Validators {
+	return &Validators{providers: make(map[ID]Validator)}
+}

pkg/iam/validator/validators_test.go

@@ -0,0 +1,64 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package validator
+
+import (
+	"testing"
+)
+
+type errorValidator struct{}
+
+func (e errorValidator) Validate(token, dsecs string) (map[string]interface{}, error) {
+	return nil, ErrTokenExpired
+}
+
+func (e errorValidator) ID() ID {
+	return "err"
+}
+
+func TestValidators(t *testing.T) {
+	vrs := NewValidators()
+	if err := vrs.Add(&errorValidator{}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := vrs.Add(&errorValidator{}); err == nil {
+		t.Fatal("Unexpected should return error for double inserts")
+	}
+
+	if _, err := vrs.Get("unknown"); err == nil {
+		t.Fatal("Unexpected should return error for unknown validators")
+	}
+
+	v, err := vrs.Get("err")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err = v.Validate("", ""); err != ErrTokenExpired {
+		t.Fatalf("Expected error %s, got %s", ErrTokenExpired, err)
+	}
+
+	vids := vrs.List()
+	if len(vids) == 0 || len(vids) > 1 {
+		t.Fatalf("Unexpected number of vids %v", vids)
+	}
+
+	if vids[0] != "err" {
+		t.Fatalf("Unexpected vid %v", vids[0])
+	}
+}