Introduce STS client grants API and OPA policy integration (#6168)

This PR introduces two new features

- AWS STS compatible STS API named AssumeRoleWithClientGrants

```
POST /?Action=AssumeRoleWithClientGrants&Token=<jwt>
```

This API endpoint returns temporary access credentials, access
tokens signature types supported by this API

  - RSA keys
  - ECDSA keys

Fetches the required public key from the JWKS endpoints, provides
them as rsa or ecdsa public keys.

- External policy engine support, in this case OPA policy engine

- Credentials are stored on disks

pkg/madmin/config-commands.go

@@ -19,61 +19,16 @@ package madmin
 
 import (
 	"bytes"
-	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 
 	"github.com/minio/minio/pkg/quick"
-	"github.com/minio/sio"
-	"golang.org/x/crypto/argon2"
 )
 
-// EncryptServerConfigData - encrypts server config data.
-func EncryptServerConfigData(password string, data []byte) ([]byte, error) {
-	salt := make([]byte, 32)
-	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
-		return nil, err
-	}
-
-	// derive an encryption key from the master key and the nonce
-	var key [32]byte
-	copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
-
-	encrypted, err := sio.EncryptReader(bytes.NewReader(data), sio.Config{
-		Key: key[:]},
-	)
-	if err != nil {
-		return nil, err
-	}
-	edata, err := ioutil.ReadAll(encrypted)
-	return append(salt, edata...), err
-}
-
-// DecryptServerConfigData - decrypts server config data.
-func DecryptServerConfigData(password string, data io.Reader) ([]byte, error) {
-	salt := make([]byte, 32)
-	if _, err := io.ReadFull(data, salt); err != nil {
-		return nil, err
-	}
-	// derive an encryption key from the master key and the nonce
-	var key [32]byte
-	copy(key[:], argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32))
-
-	decrypted, err := sio.DecryptReader(data, sio.Config{
-		Key: key[:]},
-	)
-	if err != nil {
-		return nil, err
-	}
-	return ioutil.ReadAll(decrypted)
-}
-
 // GetConfig - returns the config.json of a minio setup, incoming data is encrypted.
 func (adm *AdminClient) GetConfig() ([]byte, error) {
 	// Execute GET on /minio/admin/v1/config to get config of a setup.
@@ -89,7 +44,7 @@ func (adm *AdminClient) GetConfig() ([]byte, error) {
 	}
 	defer closeResponse(resp)
 
-	return DecryptServerConfigData(adm.secretAccessKey, resp.Body)
+	return DecryptData(adm.secretAccessKey, resp.Body)
 }
 
 // GetConfigKeys - returns partial json or json value from config.json of a minio setup.
@@ -114,7 +69,7 @@ func (adm *AdminClient) GetConfigKeys(keys []string) ([]byte, error) {
 		return nil, httpRespToErrorResponse(resp)
 	}
 
-	return DecryptServerConfigData(adm.secretAccessKey, resp.Body)
+	return DecryptData(adm.secretAccessKey, resp.Body)
 }
 
 // SetConfig - set config supplied as config.json for the setup.
@@ -125,7 +80,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
 	configBuf := make([]byte, maxConfigJSONSize+1)
 	n, err := io.ReadFull(config, configBuf)
 	if err == nil {
-		return fmt.Errorf("too large file")
+		return bytes.ErrTooLarge
 	}
 	if err != io.ErrUnexpectedEOF {
 		return err
@@ -151,7 +106,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
 		return errors.New("Duplicate key in json file: " + err.Error())
 	}
 
-	econfigBytes, err := EncryptServerConfigData(adm.secretAccessKey, configBytes)
+	econfigBytes, err := EncryptData(adm.secretAccessKey, configBytes)
 	if err != nil {
 		return err
 	}
@@ -180,7 +135,7 @@ func (adm *AdminClient) SetConfig(config io.Reader) (err error) {
 func (adm *AdminClient) SetConfigKeys(params map[string]string) error {
 	queryVals := make(url.Values)
 	for k, v := range params {
-		encryptedVal, err := EncryptServerConfigData(adm.secretAccessKey, []byte(v))
+		encryptedVal, err := EncryptData(adm.secretAccessKey, []byte(v))
 		if err != nil {
 			return err
 		}