From 7777d3b43aef04bc8c778c32c5b53b8df7fb5a76 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Sun, 26 Feb 2023 23:37:00 -0800
Subject: [PATCH] Remove globalSTSTLSConfig (#16709)

---
 cmd/admin-handlers-config-kv.go | 2 +-
 cmd/config-current.go | 9 ---------
 cmd/globals.go | 3 ---
 cmd/iam.go | 18 ++++++++++++++++--
 cmd/sts-handlers.go | 6 +++---
 5 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go
index 0525c634b..640f8df05 100644
--- a/cmd/admin-handlers-config-kv.go
+++ b/cmd/admin-handlers-config-kv.go
@@ -501,7 +501,7 @@ func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Reques
 case config.IdentityLDAPSubSys:
 off = !xldap.Enabled(item.Config)
 case config.IdentityTLSSubSys:
- off = !globalSTSTLSConfig.Enabled
+ off = !globalIAMSys.STSTLSConfig.Enabled
 case config.IdentityPluginSubSys:
 off = !idplugin.Enabled(item.Config)
 }
diff --git a/cmd/config-current.go b/cmd/config-current.go
index 1c6e2d0b5..c14c6d4b1 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -493,15 +493,6 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
 logger.Fatal(errors.New("no KMS configured"), "MINIO_KMS_AUTO_ENCRYPTION requires a valid KMS configuration")
 }
- globalSTSTLSConfig, err = xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
- if err != nil {
- logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
- }
-
- if globalSTSTLSConfig.InsecureSkipVerify {
- logger.LogIf(ctx, fmt.Errorf("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify))
- }
-
 transport := NewHTTPTransport()
 bootstrapTrace("lookup the event notification targets")
diff --git a/cmd/globals.go b/cmd/globals.go
index 8986d93f6..70420d264 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
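Review bot: GetConfigHandler now reads `globalIAMSys.STSTLSConfig.Enabled`, a field populated by IAMSys.Init rather than by lookupConfigs, so if this handler can be reached before Init has run, or after an Init whose xtls.Lookup failed and was only logged, the identity_tls subsystem is reported as off regardless of what is stored in the config. It is worth confirming that the admin router is not served until Init has completed, or recording the dependency next to the case: `// STSTLSConfig is assigned by IAMSys.Init; until then Enabled is false.` GetConfigHandler's body starts and ends outside the hunk.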
@@ -43,7 +43,6 @@ import (
 "github.com/minio/minio/internal/config/compress"
 "github.com/minio/minio/internal/config/dns"
 idplugin "github.com/minio/minio/internal/config/identity/plugin"
- xtls "github.com/minio/minio/internal/config/identity/tls"
 polplugin "github.com/minio/minio/internal/config/policy/plugin"
 "github.com/minio/minio/internal/config/storageclass"
 "github.com/minio/minio/internal/config/subnet"
@@ -199,8 +198,6 @@ var (
 globalStorageClass storageclass.Config
- globalSTSTLSConfig xtls.Config
-
 globalAuthNPlugin *idplugin.AuthNPlugin
 // CA root certificates, a nil value means system certs pool will be used
diff --git a/cmd/iam.go b/cmd/iam.go
index ccb3e7dbe..cb965501d 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -42,6 +42,7 @@ import (
 xldap "github.com/minio/minio/internal/config/identity/ldap"
 "github.com/minio/minio/internal/config/identity/openid"
 idplugin "github.com/minio/minio/internal/config/identity/plugin"
+ xtls "github.com/minio/minio/internal/config/identity/tls"
 "github.com/minio/minio/internal/config/policy/opa"
 polplugin "github.com/minio/minio/internal/config/policy/plugin"
 xhttp "github.com/minio/minio/internal/http"
@@ -87,8 +88,10 @@ type IAMSys struct {
 sync.Mutex
 iamRefreshInterval time.Duration
- LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
- OpenIDConfig openid.Config // only valid if OpenID is configured
+
+ LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
+ OpenIDConfig openid.Config // only valid if OpenID is configured
+ STSTLSConfig xtls.Config // only valid if STS TLS is configured
 usersSysType UsersSysType
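Review bot: The comment on the new `STSTLSConfig` field says it is only valid when STS TLS is configured, but Init assigns it unconditionally with whatever xtls.Lookup returned (presumably the zero value after a lookup error, which Init only logs), so readers should treat `Enabled` as the validity signal rather than the presence of configuration. Suggest `STSTLSConfig xtls.Config // assigned by Init; check Enabled before use, zero value when identity_tls is absent or failed to parse`. The field is read by the STS handlers without the embedded mutex, in line with LDAPConfig and OpenIDConfig; if Init can be re-run while requests are in flight that is a write/read race, and a one-line note on the struct about which goroutine owns these fields would help. IAMSys's definition continues outside the hunk.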
@@ -225,6 +228,15 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
 }
+ stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
+ if err != nil {
+ logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
+ }
+
+ if stsTLSConfig.InsecureSkipVerify {
+ logger.LogIf(ctx, fmt.Errorf("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify))
+ }
+
 authNPluginCfg, err := idplugin.LookupConfig(s[config.IdentityPluginSubSys][config.Default], NewHTTPTransport(), xhttp.DrainBody, globalSite.Region)
 if err != nil {
@@ -258,6 +270,8 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
 sys.LDAPConfig = ldapConfig
 sys.OpenIDConfig = openidConfig
+ sys.STSTLSConfig = stsTLSConfig
+
 sys.iamRefreshInterval = iamRefreshInterval
 // Initialize IAM store
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index b01872ca9..8843511d6 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -686,7 +686,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 claims := make(map[string]interface{})
 defer logger.AuditLog(ctx, w, r, claims)
- if !globalSTSTLSConfig.Enabled {
+ if !globalIAMSys.STSTLSConfig.Enabled {
 writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
 return
 }
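Review bot: Moving the identity_tls lookup from lookupConfigs into IAMSys.Init changes when the STS TLS settings are re-read: if lookupConfigs is also run on dynamic config reloads, an admin change to identity_tls would apparently no longer take effect until Init runs again, so it is worth confirming that the reload path covers this subsystem the same way it must for LDAP and OpenID, or documenting that a restart is required. The error from xtls.Lookup is logged and Init carries on with whatever config Lookup returned, matching the LDAP handling just above; a comment such as `// on lookup failure the returned config is kept as-is and the STS TLS API stays disabled via Enabled` would make that deliberate degradation explicit, and the CRITICAL log for InsecureSkipVerify now fires from Init instead of config lookup, which changes where operators will see it. Init continues outside the hunk.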
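Review bot: AssumeRoleWithCertificate reads `globalIAMSys.STSTLSConfig` three separate times over one request (Enabled here, InsecureSkipVerify in the @@ -727 hunk, GetExpiryDuration in the @@ -776 hunk) without holding the IAMSys mutex; if Init can reassign the field while a request is in flight, the enablement, certificate-verification and expiry decisions for that request may come from different configs, and the race detector will flag the unguarded reads. Taking one snapshot at the top of the handler, `tlsCfg := globalIAMSys.STSTLSConfig`, and using `tlsCfg` at the three sites keeps those decisions consistent for a single request and confines the ownership question to one line. The handler body starts and ends outside the hunks.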
@@ -727,7 +727,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 }
 certificate := r.TLS.PeerCertificates[0]
- if !globalSTSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
+ if !globalIAMSys.STSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
 _, err := certificate.Verify(x509.VerifyOptions{
 KeyUsages: []x509.ExtKeyUsage{
 x509.ExtKeyUsageClientAuth,
@@ -776,7 +776,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 return
 }
- expiry, err := globalSTSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
+ expiry, err := globalIAMSys.STSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
 if err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
 return