diff --git a/CREDITS b/CREDITS index 70863a646..9a8c6242a 100644 --- a/CREDITS +++ b/CREDITS @@ -13275,376 +13275,6 @@ Mozilla Public License, version 2.0 be used to construe this License against a Contributor. -10. Versions of the License - -10.1. New Versions - - Mozilla Foundation is the license steward. Except as provided in Section - 10.3, no one other than the license steward has the right to modify or - publish new versions of this License. Each version will be given a - distinguishing version number. - -10.2. Effect of New Versions - - You may distribute the Covered Software under the terms of the version - of the License under which You originally received the Covered Software, - or under the terms of any subsequent version published by the license - steward. - -10.3. Modified Versions - - If you create software not governed by this License, and you want to - create a new license for such software, you may create and use a - modified version of this License if you rename the license and remove - any references to the name of the license steward (except to note that - such modified license differs from this License). - -10.4. Distributing Source Code Form that is Incompatible With Secondary - Licenses If You choose to distribute Source Code Form that is - Incompatible With Secondary Licenses under the terms of this version of - the License, the notice described in Exhibit B of this License must be - attached. - -Exhibit A - Source Code Form License Notice - - This Source Code Form is subject to the - terms of the Mozilla Public License, v. - 2.0. If a copy of the MPL was not - distributed with this file, You can - obtain one at - http://mozilla.org/MPL/2.0/. - -If it is not possible or desirable to put the notice in a particular file, -then You may include the notice in a location (such as a LICENSE file in a -relevant directory) where a recipient would be likely to look for such a -notice. - -You may add additional accurate notices of copyright ownership. - -Exhibit B - "Incompatible With Secondary Licenses" Notice - - This Source Code Form is "Incompatible - With Secondary Licenses", as defined by - the Mozilla Public License, v. 2.0. - -================================================================ - -github.com/hashicorp/golang-lru/v2 -https://github.com/hashicorp/golang-lru/v2 ----------------------------------------------------------------- -Copyright (c) 2014 HashiCorp, Inc. - -Mozilla Public License, version 2.0 - -1. Definitions - -1.1. "Contributor" - - means each individual or legal entity that creates, contributes to the - creation of, or owns Covered Software. - -1.2. "Contributor Version" - - means the combination of the Contributions of others (if any) used by a - Contributor and that particular Contributor's Contribution. - -1.3. "Contribution" - - means Covered Software of a particular Contributor. - -1.4. "Covered Software" - - means Source Code Form to which the initial Contributor has attached the - notice in Exhibit A, the Executable Form of such Source Code Form, and - Modifications of such Source Code Form, in each case including portions - thereof. - -1.5. "Incompatible With Secondary Licenses" - means - - a. that the initial Contributor has attached the notice described in - Exhibit B to the Covered Software; or - - b. that the Covered Software was made available under the terms of - version 1.1 or earlier of the License, but not also under the terms of - a Secondary License. - -1.6. "Executable Form" - - means any form of the work other than Source Code Form. - -1.7. "Larger Work" - - means a work that combines Covered Software with other material, in a - separate file or files, that is not Covered Software. - -1.8. "License" - - means this document. - -1.9. "Licensable" - - means having the right to grant, to the maximum extent possible, whether - at the time of the initial grant or subsequently, any and all of the - rights conveyed by this License. - -1.10. "Modifications" - - means any of the following: - - a. any file in Source Code Form that results from an addition to, - deletion from, or modification of the contents of Covered Software; or - - b. any new file in Source Code Form that contains any Covered Software. - -1.11. "Patent Claims" of a Contributor - - means any patent claim(s), including without limitation, method, - process, and apparatus claims, in any patent Licensable by such - Contributor that would be infringed, but for the grant of the License, - by the making, using, selling, offering for sale, having made, import, - or transfer of either its Contributions or its Contributor Version. - -1.12. "Secondary License" - - means either the GNU General Public License, Version 2.0, the GNU Lesser - General Public License, Version 2.1, the GNU Affero General Public - License, Version 3.0, or any later versions of those licenses. - -1.13. "Source Code Form" - - means the form of the work preferred for making modifications. - -1.14. "You" (or "Your") - - means an individual or a legal entity exercising rights under this - License. For legal entities, "You" includes any entity that controls, is - controlled by, or is under common control with You. For purposes of this - definition, "control" means (a) the power, direct or indirect, to cause - the direction or management of such entity, whether by contract or - otherwise, or (b) ownership of more than fifty percent (50%) of the - outstanding shares or beneficial ownership of such entity. - - -2. License Grants and Conditions - -2.1. Grants - - Each Contributor hereby grants You a world-wide, royalty-free, - non-exclusive license: - - a. under intellectual property rights (other than patent or trademark) - Licensable by such Contributor to use, reproduce, make available, - modify, display, perform, distribute, and otherwise exploit its - Contributions, either on an unmodified basis, with Modifications, or - as part of a Larger Work; and - - b. under Patent Claims of such Contributor to make, use, sell, offer for - sale, have made, import, and otherwise transfer either its - Contributions or its Contributor Version. - -2.2. Effective Date - - The licenses granted in Section 2.1 with respect to any Contribution - become effective for each Contribution on the date the Contributor first - distributes such Contribution. - -2.3. Limitations on Grant Scope - - The licenses granted in this Section 2 are the only rights granted under - this License. No additional rights or licenses will be implied from the - distribution or licensing of Covered Software under this License. - Notwithstanding Section 2.1(b) above, no patent license is granted by a - Contributor: - - a. for any code that a Contributor has removed from Covered Software; or - - b. for infringements caused by: (i) Your and any other third party's - modifications of Covered Software, or (ii) the combination of its - Contributions with other software (except as part of its Contributor - Version); or - - c. under Patent Claims infringed by Covered Software in the absence of - its Contributions. - - This License does not grant any rights in the trademarks, service marks, - or logos of any Contributor (except as may be necessary to comply with - the notice requirements in Section 3.4). - -2.4. Subsequent Licenses - - No Contributor makes additional grants as a result of Your choice to - distribute the Covered Software under a subsequent version of this - License (see Section 10.2) or under the terms of a Secondary License (if - permitted under the terms of Section 3.3). - -2.5. Representation - - Each Contributor represents that the Contributor believes its - Contributions are its original creation(s) or it has sufficient rights to - grant the rights to its Contributions conveyed by this License. - -2.6. Fair Use - - This License is not intended to limit any rights You have under - applicable copyright doctrines of fair use, fair dealing, or other - equivalents. - -2.7. Conditions - - Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in - Section 2.1. - - -3. Responsibilities - -3.1. Distribution of Source Form - - All distribution of Covered Software in Source Code Form, including any - Modifications that You create or to which You contribute, must be under - the terms of this License. You must inform recipients that the Source - Code Form of the Covered Software is governed by the terms of this - License, and how they can obtain a copy of this License. You may not - attempt to alter or restrict the recipients' rights in the Source Code - Form. - -3.2. Distribution of Executable Form - - If You distribute Covered Software in Executable Form then: - - a. such Covered Software must also be made available in Source Code Form, - as described in Section 3.1, and You must inform recipients of the - Executable Form how they can obtain a copy of such Source Code Form by - reasonable means in a timely manner, at a charge no more than the cost - of distribution to the recipient; and - - b. You may distribute such Executable Form under the terms of this - License, or sublicense it under different terms, provided that the - license for the Executable Form does not attempt to limit or alter the - recipients' rights in the Source Code Form under this License. - -3.3. Distribution of a Larger Work - - You may create and distribute a Larger Work under terms of Your choice, - provided that You also comply with the requirements of this License for - the Covered Software. If the Larger Work is a combination of Covered - Software with a work governed by one or more Secondary Licenses, and the - Covered Software is not Incompatible With Secondary Licenses, this - License permits You to additionally distribute such Covered Software - under the terms of such Secondary License(s), so that the recipient of - the Larger Work may, at their option, further distribute the Covered - Software under the terms of either this License or such Secondary - License(s). - -3.4. Notices - - You may not remove or alter the substance of any license notices - (including copyright notices, patent notices, disclaimers of warranty, or - limitations of liability) contained within the Source Code Form of the - Covered Software, except that You may alter any license notices to the - extent required to remedy known factual inaccuracies. - -3.5. Application of Additional Terms - - You may choose to offer, and to charge a fee for, warranty, support, - indemnity or liability obligations to one or more recipients of Covered - Software. However, You may do so only on Your own behalf, and not on - behalf of any Contributor. You must make it absolutely clear that any - such warranty, support, indemnity, or liability obligation is offered by - You alone, and You hereby agree to indemnify every Contributor for any - liability incurred by such Contributor as a result of warranty, support, - indemnity or liability terms You offer. You may include additional - disclaimers of warranty and limitations of liability specific to any - jurisdiction. - -4. Inability to Comply Due to Statute or Regulation - - If it is impossible for You to comply with any of the terms of this License - with respect to some or all of the Covered Software due to statute, - judicial order, or regulation then You must: (a) comply with the terms of - this License to the maximum extent possible; and (b) describe the - limitations and the code they affect. Such description must be placed in a - text file included with all distributions of the Covered Software under - this License. Except to the extent prohibited by statute or regulation, - such description must be sufficiently detailed for a recipient of ordinary - skill to be able to understand it. - -5. Termination - -5.1. The rights granted under this License will terminate automatically if You - fail to comply with any of its terms. However, if You become compliant, - then the rights granted under this License from a particular Contributor - are reinstated (a) provisionally, unless and until such Contributor - explicitly and finally terminates Your grants, and (b) on an ongoing - basis, if such Contributor fails to notify You of the non-compliance by - some reasonable means prior to 60 days after You have come back into - compliance. Moreover, Your grants from a particular Contributor are - reinstated on an ongoing basis if such Contributor notifies You of the - non-compliance by some reasonable means, this is the first time You have - received notice of non-compliance with this License from such - Contributor, and You become compliant prior to 30 days after Your receipt - of the notice. - -5.2. If You initiate litigation against any entity by asserting a patent - infringement claim (excluding declaratory judgment actions, - counter-claims, and cross-claims) alleging that a Contributor Version - directly or indirectly infringes any patent, then the rights granted to - You by any and all Contributors for the Covered Software under Section - 2.1 of this License shall terminate. - -5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user - license agreements (excluding distributors and resellers) which have been - validly granted by You or Your distributors under this License prior to - termination shall survive termination. - -6. Disclaimer of Warranty - - Covered Software is provided under this License on an "as is" basis, - without warranty of any kind, either expressed, implied, or statutory, - including, without limitation, warranties that the Covered Software is free - of defects, merchantable, fit for a particular purpose or non-infringing. - The entire risk as to the quality and performance of the Covered Software - is with You. Should any Covered Software prove defective in any respect, - You (not any Contributor) assume the cost of any necessary servicing, - repair, or correction. This disclaimer of warranty constitutes an essential - part of this License. No use of any Covered Software is authorized under - this License except under this disclaimer. - -7. Limitation of Liability - - Under no circumstances and under no legal theory, whether tort (including - negligence), contract, or otherwise, shall any Contributor, or anyone who - distributes Covered Software as permitted above, be liable to You for any - direct, indirect, special, incidental, or consequential damages of any - character including, without limitation, damages for lost profits, loss of - goodwill, work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses, even if such party shall have been - informed of the possibility of such damages. This limitation of liability - shall not apply to liability for death or personal injury resulting from - such party's negligence to the extent applicable law prohibits such - limitation. Some jurisdictions do not allow the exclusion or limitation of - incidental or consequential damages, so this exclusion and limitation may - not apply to You. - -8. Litigation - - Any litigation relating to this License may be brought only in the courts - of a jurisdiction where the defendant maintains its principal place of - business and such litigation shall be governed by laws of that - jurisdiction, without reference to its conflict-of-law provisions. Nothing - in this Section shall prevent a party's ability to bring cross-claims or - counter-claims. - -9. Miscellaneous - - This License represents the complete agreement concerning the subject - matter hereof. If any provision of this License is held to be - unenforceable, such provision shall be reformed only to the extent - necessary to make it enforceable. Any law or regulation which provides that - the language of a contract shall be construed against the drafter shall not - be used to construe this License against a Contributor. - - 10. Versions of the License 10.1. New Versions @@ -16499,12 +16129,6 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI ================================================================ -github.com/mattn/go-localereader -https://github.com/mattn/go-localereader ----------------------------------------------------------------- -All rights reserved proprietary -================================================================ - github.com/mattn/go-runewidth https://github.com/mattn/go-runewidth ---------------------------------------------------------------- @@ -16801,12 +16425,6 @@ SOFTWARE. ================================================================ -github.com/minio/colorjson -https://github.com/minio/colorjson ----------------------------------------------------------------- -All rights reserved proprietary -================================================================ - github.com/minio/console https://github.com/minio/console ---------------------------------------------------------------- @@ -17474,12 +17092,6 @@ For more information on this, and how to apply and follow the GNU AGPL, see ================================================================ -github.com/minio/csvparser -https://github.com/minio/csvparser ----------------------------------------------------------------- -All rights reserved proprietary -================================================================ - github.com/minio/dnscache https://github.com/minio/dnscache ---------------------------------------------------------------- @@ -18175,12 +17787,6 @@ For more information on this, and how to apply and follow the GNU AGPL, see ================================================================ -github.com/minio/filepath -https://github.com/minio/filepath ----------------------------------------------------------------- -All rights reserved proprietary -================================================================ - github.com/minio/highwayhash https://github.com/minio/highwayhash ---------------------------------------------------------------- diff --git a/cmd/common-main.go b/cmd/common-main.go index 70abf6d29..e276a4f5e 100644 --- a/cmd/common-main.go +++ b/cmd/common-main.go @@ -871,6 +871,12 @@ func loadRootCredentials() { } else { globalActiveCred = auth.DefaultCredentials } + + var err error + globalNodeAuthToken, err = authenticateNode(globalActiveCred.AccessKey, globalActiveCred.SecretKey) + if err != nil { + logger.Fatal(err, "Unable to generate internode credentials") + } } // Initialize KMS global variable after valiadating and loading the configuration. diff --git a/cmd/globals.go b/cmd/globals.go index 7491ac8e5..82489b3d6 100644 --- a/cmd/globals.go +++ b/cmd/globals.go @@ -310,6 +310,7 @@ var ( globalBootTime = UTCNow() globalActiveCred auth.Credentials + globalNodeAuthToken string globalSiteReplicatorCred siteReplicatorCred // Captures if root credentials are set via ENV. diff --git a/cmd/jwt.go b/cmd/jwt.go index 0bb46369e..d0faaf8ec 100644 --- a/cmd/jwt.go +++ b/cmd/jwt.go @@ -24,10 +24,8 @@ import ( jwtgo "github.com/golang-jwt/jwt/v4" jwtreq "github.com/golang-jwt/jwt/v4/request" - "github.com/hashicorp/golang-lru/v2/expirable" "github.com/minio/minio/internal/auth" xjwt "github.com/minio/minio/internal/jwt" - "github.com/minio/minio/internal/logger" "github.com/minio/pkg/v3/policy" ) @@ -37,8 +35,8 @@ const ( // Default JWT token for web handlers is one day. defaultJWTExpiry = 24 * time.Hour - // Inter-node JWT token expiry is 15 minutes. - defaultInterNodeJWTExpiry = 15 * time.Minute + // Inter-node JWT token expiry is 100 years approx. + defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour ) var ( @@ -50,17 +48,10 @@ var ( errMalformedAuth = errors.New("Malformed authentication input") ) -type cacheKey struct { - accessKey, secretKey, audience string -} - -var cacheLRU = expirable.NewLRU[cacheKey, string](1000, nil, 15*time.Second) - -func authenticateNode(accessKey, secretKey, audience string) (string, error) { +func authenticateNode(accessKey, secretKey string) (string, error) { claims := xjwt.NewStandardClaims() claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry)) claims.SetAccessKey(accessKey) - claims.SetAudience(audience) jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims) return jwt.SignedString([]byte(secretKey)) @@ -141,27 +132,9 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b return claims, groups, owner, nil } -// newCachedAuthToken returns a token that is cached up to 15 seconds. -// If globalActiveCred is updated it is reflected at once. -func newCachedAuthToken() func(audience string) string { - fn := func(accessKey, secretKey, audience string) (s string, err error) { - k := cacheKey{accessKey: accessKey, secretKey: secretKey, audience: audience} - - var ok bool - s, ok = cacheLRU.Get(k) - if !ok { - s, err = authenticateNode(accessKey, secretKey, audience) - if err != nil { - return "", err - } - cacheLRU.Add(k, s) - } - return s, nil - } - return func(audience string) string { - cred := globalActiveCred - token, err := fn(cred.AccessKey, cred.SecretKey, audience) - logger.CriticalIf(GlobalContext, err) - return token +// newCachedAuthToken returns the cached token. +func newCachedAuthToken() func() string { + return func() string { + return globalNodeAuthToken } } diff --git a/cmd/jwt_test.go b/cmd/jwt_test.go index 24b66df94..7d813b39e 100644 --- a/cmd/jwt_test.go +++ b/cmd/jwt_test.go @@ -107,7 +107,7 @@ func BenchmarkParseJWTStandardClaims(b *testing.B) { } creds := globalActiveCred - token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "") + token, err := authenticateNode(creds.AccessKey, creds.SecretKey) if err != nil { b.Fatal(err) } @@ -138,7 +138,7 @@ func BenchmarkParseJWTMapClaims(b *testing.B) { } creds := globalActiveCred - token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "") + token, err := authenticateNode(creds.AccessKey, creds.SecretKey) if err != nil { b.Fatal(err) } @@ -176,7 +176,7 @@ func BenchmarkAuthenticateNode(b *testing.B) { b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { - fn(creds.AccessKey, creds.SecretKey, "aud") + fn(creds.AccessKey, creds.SecretKey) } }) b.Run("cached", func(b *testing.B) { @@ -184,7 +184,7 @@ func BenchmarkAuthenticateNode(b *testing.B) { b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { - fn("aud") + fn() } }) } diff --git a/cmd/lock-rest-server-common_test.go b/cmd/lock-rest-server-common_test.go index 1ef884532..3e82b8829 100644 --- a/cmd/lock-rest-server-common_test.go +++ b/cmd/lock-rest-server-common_test.go @@ -44,7 +44,7 @@ func createLockTestServer(ctx context.Context, t *testing.T) (string, *lockRESTS }, } creds := globalActiveCred - token, err := authenticateNode(creds.AccessKey, creds.SecretKey, "") + token, err := authenticateNode(creds.AccessKey, creds.SecretKey) if err != nil { t.Fatal(err) } diff --git a/cmd/object-lambda-handlers.go b/cmd/object-lambda-handlers.go index eae0706eb..72fd5687f 100644 --- a/cmd/object-lambda-handlers.go +++ b/cmd/object-lambda-handlers.go @@ -19,6 +19,7 @@ package cmd import ( "crypto/subtle" + "encoding/hex" "io" "net/http" "net/url" @@ -33,6 +34,7 @@ import ( "github.com/minio/minio/internal/auth" levent "github.com/minio/minio/internal/config/lambda/event" + "github.com/minio/minio/internal/hash/sha256" xhttp "github.com/minio/minio/internal/http" "github.com/minio/minio/internal/logger" ) @@ -77,16 +79,13 @@ func getLambdaEventData(bucket, object string, cred auth.Credentials, r *http.Re return levent.Event{}, err } - token, err := authenticateNode(cred.AccessKey, cred.SecretKey, u.RawQuery) - if err != nil { - return levent.Event{}, err - } + ckSum := sha256.Sum256([]byte(cred.AccessKey + u.RawQuery)) eventData := levent.Event{ GetObjectContext: &levent.GetObjectContext{ InputS3URL: u.String(), OutputRoute: shortuuid.New(), - OutputToken: token, + OutputToken: hex.EncodeToString(ckSum[:]), }, UserRequest: levent.UserRequest{ URL: r.URL.String(), diff --git a/cmd/storage-rest-server.go b/cmd/storage-rest-server.go index 201ffc5dd..ed8ecd409 100644 --- a/cmd/storage-rest-server.go +++ b/cmd/storage-rest-server.go @@ -110,7 +110,7 @@ func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) const DefaultSkewTime = 15 * time.Minute // validateStorageRequestToken will validate the token against the provided audience. -func validateStorageRequestToken(token, audience string) error { +func validateStorageRequestToken(token string) error { claims := xjwt.NewStandardClaims() if err := xjwt.ParseWithStandardClaims(token, claims, []byte(globalActiveCred.SecretKey)); err != nil { return errAuthentication @@ -121,9 +121,6 @@ func validateStorageRequestToken(token, audience string) error { return errAuthentication } - if claims.Audience != audience { - return errAuthentication - } return nil } @@ -136,20 +133,24 @@ func storageServerRequestValidate(r *http.Request) error { } return errMalformedAuth } - if err = validateStorageRequestToken(token, r.URL.RawQuery); err != nil { + + if err = validateStorageRequestToken(token); err != nil { return err } - requestTimeStr := r.Header.Get("X-Minio-Time") - requestTime, err := time.Parse(time.RFC3339, requestTimeStr) + nanoTime, err := strconv.ParseInt(r.Header.Get("X-Minio-Time"), 10, 64) if err != nil { return errMalformedAuth } - utcNow := UTCNow() - delta := requestTime.Sub(utcNow) + + localTime := UTCNow() + remoteTime := time.Unix(0, nanoTime) + + delta := remoteTime.Sub(localTime) if delta < 0 { delta *= -1 } + if delta > DefaultSkewTime { return errSkewedAuthTime } diff --git a/cmd/storage-rest_test.go b/cmd/storage-rest_test.go index bb034adaa..f305ea6ed 100644 --- a/cmd/storage-rest_test.go +++ b/cmd/storage-rest_test.go @@ -315,6 +315,7 @@ func newStorageRESTHTTPServerClient(t testing.TB) *storageRESTClient { url.Path = t.TempDir() globalMinioHost, globalMinioPort = mustSplitHostPort(url.Host) + globalNodeAuthToken, _ = authenticateNode(globalActiveCred.AccessKey, globalActiveCred.SecretKey) endpoint, err := NewEndpoint(url.String()) if err != nil { diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go index e4cd0a71c..d7a999733 100644 --- a/cmd/test-utils_test.go +++ b/cmd/test-utils_test.go @@ -83,6 +83,8 @@ func TestMain(m *testing.M) { SecretKey: auth.DefaultSecretKey, } + globalNodeAuthToken, _ = authenticateNode(auth.DefaultAccessKey, auth.DefaultSecretKey) + // disable ENVs which interfere with tests. for _, env := range []string{ crypto.EnvKMSAutoEncryption, diff --git a/go.mod b/go.mod index eb4480965..206a9f947 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,6 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.0 github.com/gomodule/redigo v1.9.2 github.com/google/uuid v1.6.0 - github.com/hashicorp/golang-lru/v2 v2.0.7 github.com/inconshreveable/mousetrap v1.1.0 github.com/json-iterator/go v1.1.12 github.com/klauspost/compress v1.17.9 diff --git a/go.sum b/go.sum index 90f7381e3..33f8df272 100644 --- a/go.sum +++ b/go.sum @@ -322,8 +322,6 @@ github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= -github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/raft v1.3.9 h1:9yuo1aR0bFTr1cw7pj3S2Bk6MhJCsnr2NAxvIBrP2x4= github.com/hashicorp/raft v1.3.9/go.mod h1:4Ak7FSPnuvmb0GV6vgIAJ4vYT4bek9bb6Q+7HVbyzqM= diff --git a/internal/grid/debug.go b/internal/grid/debug.go index 8d02bb7fe..c6c334198 100644 --- a/internal/grid/debug.go +++ b/internal/grid/debug.go @@ -169,13 +169,13 @@ func dummyRequestValidate(r *http.Request) error { return nil } -func dummyTokenValidate(token, audience string) error { - if token == audience { +func dummyTokenValidate(token string) error { + if token == "debug" { return nil } - return fmt.Errorf("invalid token. want %s, got %s", audience, token) + return fmt.Errorf("invalid token. want empty, got %s", token) } -func dummyNewToken(audience string) string { - return audience +func dummyNewToken() string { + return "debug" } diff --git a/internal/grid/grid.go b/internal/grid/grid.go index 8ff7aaa82..6baf7771c 100644 --- a/internal/grid/grid.go +++ b/internal/grid/grid.go @@ -26,6 +26,7 @@ import ( "io" "net" "net/http" + "strconv" "strings" "sync" "time" @@ -208,8 +209,8 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex dialer.NetDial = dial } header := make(http.Header, 2) - header.Set("Authorization", "Bearer "+auth("")) - header.Set("X-Minio-Time", time.Now().UTC().Format(time.RFC3339)) + header.Set("Authorization", "Bearer "+auth()) + header.Set("X-Minio-Time", strconv.FormatInt(time.Now().UnixNano(), 10)) if len(header) > 0 { dialer.Header = ws.HandshakeHeaderHTTP(header) @@ -225,4 +226,4 @@ func ConnectWS(dial ContextDialer, auth AuthFn, tls *tls.Config) func(ctx contex } // ValidateTokenFn must validate the token and return an error if it is invalid. -type ValidateTokenFn func(token, audience string) error +type ValidateTokenFn func(token string) error diff --git a/internal/grid/manager.go b/internal/grid/manager.go index b9e199e4d..89ae20090 100644 --- a/internal/grid/manager.go +++ b/internal/grid/manager.go @@ -245,7 +245,7 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) { writeErr(fmt.Errorf("time difference too large between servers: %v", time.Since(cReq.Time).Abs())) return } - if err := m.authToken(cReq.Token, cReq.audience()); err != nil { + if err := m.authToken(cReq.Token); err != nil { writeErr(fmt.Errorf("auth token: %w", err)) return } @@ -257,10 +257,10 @@ func (m *Manager) IncomingConn(ctx context.Context, conn net.Conn) { } // AuthFn should provide an authentication string for the given aud. -type AuthFn func(aud string) string +type AuthFn func() string // ValidateAuthFn should check authentication for the given aud. -type ValidateAuthFn func(auth, aud string) string +type ValidateAuthFn func(auth string) string // Connection will return the connection for the specified host. // If the host does not exist nil will be returned. diff --git a/internal/grid/msg.go b/internal/grid/msg.go index 5fa8dc49d..355078b6c 100644 --- a/internal/grid/msg.go +++ b/internal/grid/msg.go @@ -262,14 +262,9 @@ type connectReq struct { Token string } -// audience returns the audience for the connect call. -func (c *connectReq) audience() string { - return fmt.Sprintf("%s-%d", c.Host, c.Time.Unix()) -} - // addToken will add the token to the connect request. func (c *connectReq) addToken(fn AuthFn) { - c.Token = fn(c.audience()) + c.Token = fn() } func (connectReq) Op() Op { diff --git a/internal/rest/client.go b/internal/rest/client.go index 5722be061..4e01b9cc8 100644 --- a/internal/rest/client.go +++ b/internal/rest/client.go @@ -28,6 +28,7 @@ import ( "net/http/httputil" "net/url" "path" + "strconv" "strings" "sync" "sync/atomic" @@ -95,9 +96,9 @@ type Client struct { // TraceOutput will print debug information on non-200 calls if set. TraceOutput io.Writer // Debug trace output - httpClient *http.Client - url *url.URL - newAuthToken func(audience string) string + httpClient *http.Client + url *url.URL + auth func() string sync.RWMutex // mutex for lastErr lastErr error @@ -188,10 +189,10 @@ func (c *Client) newRequest(ctx context.Context, u url.URL, body io.Reader) (*ht } } - if c.newAuthToken != nil { - req.Header.Set("Authorization", "Bearer "+c.newAuthToken(u.RawQuery)) + if c.auth != nil { + req.Header.Set("Authorization", "Bearer "+c.auth()) } - req.Header.Set("X-Minio-Time", time.Now().UTC().Format(time.RFC3339)) + req.Header.Set("X-Minio-Time", strconv.FormatInt(time.Now().UnixNano(), 10)) if tc, ok := ctx.Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt); ok { req.Header.Set(xhttp.AmzRequestID, tc.AmzReqID) @@ -387,7 +388,7 @@ func (c *Client) Close() { } // NewClient - returns new REST client. -func NewClient(uu *url.URL, tr http.RoundTripper, newAuthToken func(aud string) string) *Client { +func NewClient(uu *url.URL, tr http.RoundTripper, auth func() string) *Client { connected := int32(online) urlStr := uu.String() u, err := url.Parse(urlStr) @@ -404,7 +405,7 @@ func NewClient(uu *url.URL, tr http.RoundTripper, newAuthToken func(aud string) clnt := &Client{ httpClient: &http.Client{Transport: tr}, url: u, - newAuthToken: newAuthToken, + auth: auth, connected: connected, lastConn: time.Now().UnixNano(), MaxErrResponseSize: 4096,