Remove globalSTSTLSConfig (#16709)
This commit is contained in:
parent
9ed4fc9687
commit
7777d3b43a
@ -501,7 +501,7 @@ func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Reques
|
|||||||
case config.IdentityLDAPSubSys:
|
case config.IdentityLDAPSubSys:
|
||||||
off = !xldap.Enabled(item.Config)
|
off = !xldap.Enabled(item.Config)
|
||||||
case config.IdentityTLSSubSys:
|
case config.IdentityTLSSubSys:
|
||||||
off = !globalSTSTLSConfig.Enabled
|
off = !globalIAMSys.STSTLSConfig.Enabled
|
||||||
case config.IdentityPluginSubSys:
|
case config.IdentityPluginSubSys:
|
||||||
off = !idplugin.Enabled(item.Config)
|
off = !idplugin.Enabled(item.Config)
|
||||||
}
|
}
|
||||||
|
@ -493,15 +493,6 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
|
|||||||
logger.Fatal(errors.New("no KMS configured"), "MINIO_KMS_AUTO_ENCRYPTION requires a valid KMS configuration")
|
logger.Fatal(errors.New("no KMS configured"), "MINIO_KMS_AUTO_ENCRYPTION requires a valid KMS configuration")
|
||||||
}
|
}
|
||||||
|
|
||||||
globalSTSTLSConfig, err = xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
|
|
||||||
if err != nil {
|
|
||||||
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
|
||||||
}
|
|
||||||
|
|
||||||
if globalSTSTLSConfig.InsecureSkipVerify {
|
|
||||||
logger.LogIf(ctx, fmt.Errorf("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify))
|
|
||||||
}
|
|
||||||
|
|
||||||
transport := NewHTTPTransport()
|
transport := NewHTTPTransport()
|
||||||
|
|
||||||
bootstrapTrace("lookup the event notification targets")
|
bootstrapTrace("lookup the event notification targets")
|
||||||
|
@ -43,7 +43,6 @@ import (
|
|||||||
"github.com/minio/minio/internal/config/compress"
|
"github.com/minio/minio/internal/config/compress"
|
||||||
"github.com/minio/minio/internal/config/dns"
|
"github.com/minio/minio/internal/config/dns"
|
||||||
idplugin "github.com/minio/minio/internal/config/identity/plugin"
|
idplugin "github.com/minio/minio/internal/config/identity/plugin"
|
||||||
xtls "github.com/minio/minio/internal/config/identity/tls"
|
|
||||||
polplugin "github.com/minio/minio/internal/config/policy/plugin"
|
polplugin "github.com/minio/minio/internal/config/policy/plugin"
|
||||||
"github.com/minio/minio/internal/config/storageclass"
|
"github.com/minio/minio/internal/config/storageclass"
|
||||||
"github.com/minio/minio/internal/config/subnet"
|
"github.com/minio/minio/internal/config/subnet"
|
||||||
@ -199,8 +198,6 @@ var (
|
|||||||
|
|
||||||
globalStorageClass storageclass.Config
|
globalStorageClass storageclass.Config
|
||||||
|
|
||||||
globalSTSTLSConfig xtls.Config
|
|
||||||
|
|
||||||
globalAuthNPlugin *idplugin.AuthNPlugin
|
globalAuthNPlugin *idplugin.AuthNPlugin
|
||||||
|
|
||||||
// CA root certificates, a nil value means system certs pool will be used
|
// CA root certificates, a nil value means system certs pool will be used
|
||||||
|
18
cmd/iam.go
18
cmd/iam.go
@ -42,6 +42,7 @@ import (
|
|||||||
xldap "github.com/minio/minio/internal/config/identity/ldap"
|
xldap "github.com/minio/minio/internal/config/identity/ldap"
|
||||||
"github.com/minio/minio/internal/config/identity/openid"
|
"github.com/minio/minio/internal/config/identity/openid"
|
||||||
idplugin "github.com/minio/minio/internal/config/identity/plugin"
|
idplugin "github.com/minio/minio/internal/config/identity/plugin"
|
||||||
|
xtls "github.com/minio/minio/internal/config/identity/tls"
|
||||||
"github.com/minio/minio/internal/config/policy/opa"
|
"github.com/minio/minio/internal/config/policy/opa"
|
||||||
polplugin "github.com/minio/minio/internal/config/policy/plugin"
|
polplugin "github.com/minio/minio/internal/config/policy/plugin"
|
||||||
xhttp "github.com/minio/minio/internal/http"
|
xhttp "github.com/minio/minio/internal/http"
|
||||||
@ -87,8 +88,10 @@ type IAMSys struct {
|
|||||||
sync.Mutex
|
sync.Mutex
|
||||||
|
|
||||||
iamRefreshInterval time.Duration
|
iamRefreshInterval time.Duration
|
||||||
LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
|
|
||||||
OpenIDConfig openid.Config // only valid if OpenID is configured
|
LDAPConfig xldap.Config // only valid if usersSysType is LDAPUsers
|
||||||
|
OpenIDConfig openid.Config // only valid if OpenID is configured
|
||||||
|
STSTLSConfig xtls.Config // only valid if STS TLS is configured
|
||||||
|
|
||||||
usersSysType UsersSysType
|
usersSysType UsersSysType
|
||||||
|
|
||||||
@ -225,6 +228,15 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||||||
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
|
logger.LogIf(ctx, fmt.Errorf("Unable to parse LDAP configuration: %w", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
|
||||||
|
if err != nil {
|
||||||
|
logger.LogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err))
|
||||||
|
}
|
||||||
|
|
||||||
|
if stsTLSConfig.InsecureSkipVerify {
|
||||||
|
logger.LogIf(ctx, fmt.Errorf("CRITICAL: enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify))
|
||||||
|
}
|
||||||
|
|
||||||
authNPluginCfg, err := idplugin.LookupConfig(s[config.IdentityPluginSubSys][config.Default],
|
authNPluginCfg, err := idplugin.LookupConfig(s[config.IdentityPluginSubSys][config.Default],
|
||||||
NewHTTPTransport(), xhttp.DrainBody, globalSite.Region)
|
NewHTTPTransport(), xhttp.DrainBody, globalSite.Region)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -258,6 +270,8 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
|
|||||||
|
|
||||||
sys.LDAPConfig = ldapConfig
|
sys.LDAPConfig = ldapConfig
|
||||||
sys.OpenIDConfig = openidConfig
|
sys.OpenIDConfig = openidConfig
|
||||||
|
sys.STSTLSConfig = stsTLSConfig
|
||||||
|
|
||||||
sys.iamRefreshInterval = iamRefreshInterval
|
sys.iamRefreshInterval = iamRefreshInterval
|
||||||
|
|
||||||
// Initialize IAM store
|
// Initialize IAM store
|
||||||
|
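Review bot: In the `@ -225,6 +228,15` hunk of cmd/iam.go, a failed `xtls.Lookup` is only logged and `stsTLSConfig` is still stored into `sys.STSTLSConfig` further down (`@ -258,6 +270,8`), so whatever partial value `Lookup` returned alongside the error becomes the live config that `AssumeRoleWithCertificate` consults for `Enabled` and `InsecureSkipVerify`. I cannot tell from this hunk whether `Lookup` can return `Enabled: true` together with an error, but the Go convention is that the value is meaningless when `err != nil`, and this mirrors the removed `lookupConfigs` code rather than tightening it. Failing closed costs one line inside the error branch: `stsTLSConfig = xtls.Config{} // discard the half-parsed config; the cert STS API stays disabled`. The same reasoning applies to the `ldapConfig` block just above the hunk if it follows the same pattern. `Init` starts and ends outside the hunk.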
@ -686,7 +686,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
|||||||
claims := make(map[string]interface{})
|
claims := make(map[string]interface{})
|
||||||
defer logger.AuditLog(ctx, w, r, claims)
|
defer logger.AuditLog(ctx, w, r, claims)
|
||||||
|
|
||||||
if !globalSTSTLSConfig.Enabled {
|
if !globalIAMSys.STSTLSConfig.Enabled {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -727,7 +727,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
|||||||
}
|
}
|
||||||
|
|
||||||
certificate := r.TLS.PeerCertificates[0]
|
certificate := r.TLS.PeerCertificates[0]
|
||||||
if !globalSTSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
|
if !globalIAMSys.STSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
|
||||||
_, err := certificate.Verify(x509.VerifyOptions{
|
_, err := certificate.Verify(x509.VerifyOptions{
|
||||||
KeyUsages: []x509.ExtKeyUsage{
|
KeyUsages: []x509.ExtKeyUsage{
|
||||||
x509.ExtKeyUsageClientAuth,
|
x509.ExtKeyUsageClientAuth,
|
||||||
@ -776,7 +776,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
expiry, err := globalSTSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
|
expiry, err := globalIAMSys.STSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
|
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
|
||||||
return
|
return
|
||||||
|