Fix crash observed in OPA initialization (#7990)

Related to #7982, this PR refactors the code such that we validate the OPA or JWKS in a common place. This is also a refactor which is already done in the new config migration change. Attempt to avoid any network I/O during Unmarshal of JSON from disk, instead do it later when updating the in-memory data structure.
2025-01-11 15:03:22 -05:00 · 2019-07-29 15:58:25 -07:00 · 2019-07-29 15:58:25 -07:00 · 8d47ef503c
commit 8d47ef503c
parent 54eded2e6f
3 changed files with 28 additions and 58 deletions
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@ -281,28 +281,27 @@ func (s *serverConfig) loadFromEnvs() {
 	}

 	if jwksURL, ok := os.LookupEnv("MINIO_IAM_JWKS_URL"); ok {
-		if u, err := xnet.ParseURL(jwksURL); err == nil {
-			s.OpenID.JWKS.URL = u
-			logger.FatalIf(s.OpenID.JWKS.PopulatePublicKey(), "Unable to populate public key from JWKS URL")
-		} else {
+		u, err := xnet.ParseURL(jwksURL)
+		if err != nil {
 			logger.FatalIf(err, "Unable to parse MINIO_IAM_JWKS_URL %s", jwksURL)
 		}
+		s.OpenID.JWKS.URL = u
 	}

 	if opaURL, ok := os.LookupEnv("MINIO_IAM_OPA_URL"); ok {
-		if u, err := xnet.ParseURL(opaURL); err == nil {
-			opaArgs := iampolicy.OpaArgs{
-				URL:         u,
-				AuthToken:   os.Getenv("MINIO_IAM_OPA_AUTHTOKEN"),
-				Transport:   NewCustomHTTPTransport(),
-				CloseRespFn: xhttp.DrainBody,
-			}
-			s.Policy.OPA.URL = opaArgs.URL
-			s.Policy.OPA.AuthToken = opaArgs.AuthToken
-			logger.FatalIf(opaArgs.Validate(), "Unable to reach MINIO_IAM_OPA_URL %s", opaURL)
-		} else {
+		u, err := xnet.ParseURL(opaURL)
+		if err != nil {
 			logger.FatalIf(err, "Unable to parse MINIO_IAM_OPA_URL %s", opaURL)
 		}
+		opaArgs := iampolicy.OpaArgs{
+			URL:         u,
+			AuthToken:   os.Getenv("MINIO_IAM_OPA_AUTHTOKEN"),
+			Transport:   NewCustomHTTPTransport(),
+			CloseRespFn: xhttp.DrainBody,
+		}
+		logger.FatalIf(opaArgs.Validate(), "Unable to reach MINIO_IAM_OPA_URL %s", opaURL)
+		s.Policy.OPA.URL = opaArgs.URL
+		s.Policy.OPA.AuthToken = opaArgs.AuthToken
 	}
 }

@ -547,7 +546,7 @@ func (s *serverConfig) loadToCachedConfigs() {
 		globalCacheMaxUse = cacheConf.MaxUse
 	}
 	if err := Environment.LookupKMSConfig(s.KMS); err != nil {
-		logger.FatalIf(err, "Unable to setup the KMS")
+		logger.FatalIf(err, "Unable to setup the KMS %s", s.KMS.Vault.Endpoint)
 	}

 	if !globalIsCompressionEnabled {
@ -557,15 +556,22 @@ func (s *serverConfig) loadToCachedConfigs() {
 		globalIsCompressionEnabled = compressionConf.Enabled
 	}

+	if s.OpenID.JWKS.URL != nil && s.OpenID.JWKS.URL.String() != "" {
+		logger.FatalIf(s.OpenID.JWKS.PopulatePublicKey(),
+			"Unable to populate public key from JWKS URL %s", s.OpenID.JWKS.URL)
+	}
+
 	globalIAMValidators = getAuthValidators(s)

 	if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" {
-		globalPolicyOPA = iampolicy.NewOpa(iampolicy.OpaArgs{
+		opaArgs := iampolicy.OpaArgs{
 			URL:         s.Policy.OPA.URL,
 			AuthToken:   s.Policy.OPA.AuthToken,
 			Transport:   NewCustomHTTPTransport(),
 			CloseRespFn: xhttp.DrainBody,
-		})
+		}
+		logger.FatalIf(opaArgs.Validate(), "Unable to reach OPA URL %s", s.Policy.OPA.URL)
+		globalPolicyOPA = iampolicy.NewOpa(opaArgs)
 	}
 }

--- a/pkg/iam/policy/opa.go
+++ b/pkg/iam/policy/opa.go
@ -22,7 +22,6 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
-	"os"

 	xnet "github.com/minio/minio/pkg/net"
 )
@ -63,17 +62,8 @@ func (a *OpaArgs) UnmarshalJSON(data []byte) error {
 	type subOpaArgs OpaArgs
 	var so subOpaArgs

-	if opaURL, ok := os.LookupEnv("MINIO_IAM_OPA_URL"); ok {
-		u, err := xnet.ParseURL(opaURL)
-		if err != nil {
-			return err
-		}
-		so.URL = u
-		so.AuthToken = os.Getenv("MINIO_IAM_OPA_AUTHTOKEN")
-	} else {
-		if err := json.Unmarshal(data, &so); err != nil {
-			return err
-		}
+	if err := json.Unmarshal(data, &so); err != nil {
+		return err
 	}

 	oa := OpaArgs(so)
@ -82,10 +72,6 @@ func (a *OpaArgs) UnmarshalJSON(data []byte) error {
 		return nil
 	}

-	if err := oa.Validate(); err != nil {
-		return err
-	}
-
 	*a = oa
 	return nil
 }
--- a/pkg/iam/validator/jwt.go
+++ b/pkg/iam/validator/jwt.go
@ -24,7 +24,6 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"os"
 	"strconv"
 	"time"

@ -38,11 +37,6 @@ type JWKSArgs struct {
 	publicKeys map[string]crypto.PublicKey
 }

-// Validate JWT authentication target arguments
-func (r *JWKSArgs) Validate() error {
-	return nil
-}
-
 // PopulatePublicKey - populates a new publickey from the JWKS URL.
 func (r *JWKSArgs) PopulatePublicKey() error {
 	insecureClient := &http.Client{Transport: newCustomHTTPTransport(true)}
@ -83,17 +77,8 @@ func (r *JWKSArgs) UnmarshalJSON(data []byte) error {
 	type subJWKSArgs JWKSArgs
 	var sr subJWKSArgs

-	// IAM related envs.
-	if jwksURL, ok := os.LookupEnv("MINIO_IAM_JWKS_URL"); ok {
-		u, err := xnet.ParseURL(jwksURL)
-		if err != nil {
-			return err
-		}
-		sr.URL = u
-	} else {
-		if err := json.Unmarshal(data, &sr); err != nil {
-			return err
-		}
+	if err := json.Unmarshal(data, &sr); err != nil {
+		return err
 	}

 	ar := JWKSArgs(sr)
@ -101,13 +86,6 @@ func (r *JWKSArgs) UnmarshalJSON(data []byte) error {
 		*r = ar
 		return nil
 	}
-	if err := ar.Validate(); err != nil {
-		return err
-	}
-
-	if err := ar.PopulatePublicKey(); err != nil {
-		return err
-	}

 	*r = ar
 	return nil