allow MINIO_STS_DURATION to increase the IDP token expiration (#18396)

Share link duration is based on the IDP token expiration;
for the share link to last longer, you may now use the
MINIO_STS_DURATION environment variable.
Adrian Najera 2023-11-15 22:42:31 -06:00 committed by GitHub
parent 343dd2f491
commit 96c2304ae8
3 changed files with 19 additions and 12 deletions


@ -83,3 +83,11 @@ const (
EnvRegion = "MINIO_REGION" // legacy EnvRegion = "MINIO_REGION" // legacy
EnvRegionName = "MINIO_REGION_NAME" // legacy EnvRegionName = "MINIO_REGION_NAME" // legacy
) )
// Expiration Token durations
// These values are used to validate the expiration time range from
// either the exp claim or MINI_STS_DURATION value
const (
MinExpiration = 900
MaxExpiration = 31536000
)
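Review bot: The comment above the new constants misspells the environment variable (`MINI_STS_DURATION`) and does not say what unit the values are in, even though the third file compares them both against the request's `DurationSeconds` and against `Duration.Seconds()`. I would replace the three comment lines with `// MinExpiration and MaxExpiration bound an STS session lifetime, in seconds (15 minutes to 365 days); the same range applies to the request's DurationSeconds, the token's exp claim and MINIO_STS_DURATION.` Spelling the variable correctly matters here because operators search the source for it.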


@ -114,8 +114,7 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
return nil return nil
} }
expAt, err := auth.ExpToInt64(expStr) if _, err := auth.ExpToInt64(expStr); err != nil {
if err != nil {
return err return err
} }
@ -124,13 +123,6 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
return err return err
} }
// Verify if JWT expiry is lesser than default expiry duration,
// if that is the case then set the default expiration to be
// from the JWT expiry claim.
if time.Unix(expAt, 0).UTC().Sub(time.Now().UTC()) < defaultExpiryDuration {
defaultExpiryDuration = time.Unix(expAt, 0).UTC().Sub(time.Now().UTC())
} // else honor the specified expiry duration.
claims["exp"] = time.Now().UTC().Add(defaultExpiryDuration).Unix() // update with new expiry. claims["exp"] = time.Now().UTC().Add(defaultExpiryDuration).Unix() // update with new expiry.
return nil return nil
} }
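Review bot: The second hunk drops the clamp to the IDP token's exp unconditionally, so even with MINIO_STS_DURATION unset a DurationSeconds longer than the remaining life of the IDP token now yields credentials that outlive it, whereas the commit message presents the longer lifetime as opt-in through the environment variable. In the first hunk the exp claim is now parsed only to be discarded, which a later reader will take for an accidental leftover. I would keep `expAt` and apply the old clamp whenever the variable is not set, as sketched below; this assumes `env` and `config` are importable in this file as they are in the third one, which the hunk does not show. updateClaimsExpiry starts before the first hunk and the call that fills `defaultExpiryDuration` sits between the two hunks.
```go
	expAt, err := auth.ExpToInt64(expStr)
	if err != nil {
		return err
	}
	// … unchanged: GetDefaultExpiration call and its error check …
	// Honor the IDP token's own expiry unless the operator explicitly
	// opted into longer sessions through MINIO_STS_DURATION.
	if env.Get(config.EnvMinioStsDuration, "") == "" {
		if remaining := time.Until(time.Unix(expAt, 0).UTC()); remaining < defaultExpiryDuration {
			defaultExpiryDuration = remaining
		}
	}
	claims["exp"] = time.Now().UTC().Add(defaultExpiryDuration).Unix() // update with new expiry.
```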


@ -603,9 +603,9 @@ func GetDefaultExpiration(dsecs string) (time.Duration, error) {
timeout := env.Get(config.EnvMinioStsDuration, "") timeout := env.Get(config.EnvMinioStsDuration, "")
defaultExpiryDuration, err := time.ParseDuration(timeout) defaultExpiryDuration, err := time.ParseDuration(timeout)
if err != nil { if err != nil {
defaultExpiryDuration = time.Duration(60) * time.Minute defaultExpiryDuration = time.Hour
} }
if dsecs != "" { if timeout == "" && dsecs != "" {
expirySecs, err := strconv.ParseInt(dsecs, 10, 64) expirySecs, err := strconv.ParseInt(dsecs, 10, 64)
if err != nil { if err != nil {
return 0, auth.ErrInvalidDuration return 0, auth.ErrInvalidDuration
@ -614,11 +614,18 @@ func GetDefaultExpiration(dsecs string) (time.Duration, error) {
// The duration, in seconds, of the role session. // The duration, in seconds, of the role session.
// The value can range from 900 seconds (15 minutes) // The value can range from 900 seconds (15 minutes)
// up to 365 days. // up to 365 days.
if expirySecs < 900 || expirySecs > 31536000 { if expirySecs < config.MinExpiration || expirySecs > config.MaxExpiration {
return 0, auth.ErrInvalidDuration return 0, auth.ErrInvalidDuration
} }
defaultExpiryDuration = time.Duration(expirySecs) * time.Second defaultExpiryDuration = time.Duration(expirySecs) * time.Second
} else if timeout == "" && dsecs == "" {
return time.Hour, nil
} }
if defaultExpiryDuration.Seconds() < config.MinExpiration || defaultExpiryDuration.Seconds() > config.MaxExpiration {
return 0, auth.ErrInvalidDuration
}
return defaultExpiryDuration, nil return defaultExpiryDuration, nil
} }
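Review bot: A malformed MINIO_STS_DURATION is still swallowed in the first hunk (`defaultExpiryDuration = time.Hour` on the ParseDuration error), and because `timeout` is then non-empty the new `timeout == "" && dsecs != ""` condition also skips the caller's DurationSeconds, so a typo in the environment silently pins every session to one hour. I would parse the variable only when it is set and reject a bad value (or validate it once at startup), as sketched below. The `else if timeout == "" && dsecs == ""` branch added in the second hunk is redundant: with `timeout` empty, ParseDuration has already fallen back to `time.Hour`, which passes the new range check. When the variable is set, a client asking for a shorter DurationSeconds than the configured value still receives the longer one; if that is intended, a comment saying so on the condition would help. GetDefaultExpiration's body spans both hunks.
```go
	timeout := env.Get(config.EnvMinioStsDuration, "")
	defaultExpiryDuration := time.Hour
	if timeout != "" {
		// A malformed operator setting must not silently override
		// every session's lifetime; surface it instead.
		d, err := time.ParseDuration(timeout)
		if err != nil {
			return 0, auth.ErrInvalidDuration
		}
		defaultExpiryDuration = d
	}
	// … unchanged: DurationSeconds parsing, range checks and return …
```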