mirror of
https://github.com/minio/minio.git
synced 2024-12-23 21:55:53 -05:00
api: More cleanups at WebAPI.
- Fixes a bug where bucketName was not denormalized. - Remove unneeded functions from jwt.go
This commit is contained in:
parent
f1ea609175
commit
ae2f15c6d0
@ -1,3 +1,19 @@
|
||||
/*
|
||||
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
@ -12,7 +28,7 @@ type authHandler struct {
|
||||
}
|
||||
|
||||
// AuthHandler -
|
||||
// Verify if authorization header has signature version '2', reject it cleanly.
|
||||
// Verify if authorization header is of form JWT, reject it otherwise.
|
||||
func AuthHandler(h http.Handler) http.Handler {
|
||||
return authHandler{h}
|
||||
}
|
||||
@ -20,11 +36,12 @@ func AuthHandler(h http.Handler) http.Handler {
|
||||
// Ignore request if authorization header is not valid.
|
||||
func (h authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Let the top level caller handle if the requests should be
|
||||
// allowed.
|
||||
// allowed, if there are no Authorization headers.
|
||||
if r.Header.Get("Authorization") == "" {
|
||||
h.handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
// Validate Authorization header to be valid.
|
||||
jwt := InitJWT()
|
||||
token, err := jwtgo.ParseFromRequest(r, func(token *jwtgo.Token) (interface{}, error) {
|
||||
if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok {
|
||||
|
85
jwt.go
85
jwt.go
@ -1,35 +1,60 @@
|
||||
/*
|
||||
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"io/ioutil"
|
||||
"time"
|
||||
|
||||
jwt "github.com/dgrijalva/jwt-go"
|
||||
jwtgo "github.com/dgrijalva/jwt-go"
|
||||
"github.com/minio/minio-xl/pkg/probe"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
// JWT - jwt auth backend
|
||||
type JWT struct {
|
||||
// Public value.
|
||||
PublicKey *rsa.PublicKey
|
||||
// private values.
|
||||
privateKey *rsa.PrivateKey
|
||||
PublicKey *rsa.PublicKey
|
||||
accessKeyID string
|
||||
secretAccessKey string
|
||||
}
|
||||
|
||||
const (
|
||||
jwtExpirationDelta = 10
|
||||
expireOffset = 3600
|
||||
)
|
||||
|
||||
// InitJWT - init.
|
||||
// InitJWT - initialize.
|
||||
func InitJWT() *JWT {
|
||||
jwt := &JWT{
|
||||
privateKey: getPrivateKey(),
|
||||
PublicKey: getPublicKey(),
|
||||
}
|
||||
// Validate if public key is of algorithm *rsa.PublicKey.
|
||||
var ok bool
|
||||
jwt.PublicKey, ok = jwt.privateKey.Public().(*rsa.PublicKey)
|
||||
if !ok {
|
||||
fatalIf(probe.NewError(errors.New("")), "Unsupported type of public key algorithm found.", nil)
|
||||
}
|
||||
// Load credentials configuration.
|
||||
config, err := loadConfigV2()
|
||||
fatalIf(err.Trace("JWT"), "Unable to load configuration file.", nil)
|
||||
|
||||
@ -39,9 +64,10 @@ func InitJWT() *JWT {
|
||||
return jwt
|
||||
}
|
||||
|
||||
// GenerateToken -
|
||||
// GenerateToken - generates a new Json Web Token based on the incoming user id.
|
||||
func (b *JWT) GenerateToken(userName string) (string, error) {
|
||||
token := jwt.New(jwt.SigningMethodRS512)
|
||||
token := jwtgo.New(jwtgo.SigningMethodRS512)
|
||||
// Token expires in 10hrs.
|
||||
token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(jwtExpirationDelta)).Unix()
|
||||
token.Claims["iat"] = time.Now().Unix()
|
||||
token.Claims["sub"] = userName
|
||||
@ -52,32 +78,16 @@ func (b *JWT) GenerateToken(userName string) (string, error) {
|
||||
return tokenString, nil
|
||||
}
|
||||
|
||||
// Authenticate -
|
||||
func (b *JWT) Authenticate(args *LoginArgs) bool {
|
||||
// Authenticate - authenticates the username and password.
|
||||
func (b *JWT) Authenticate(username, password string) bool {
|
||||
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(b.secretAccessKey), 10)
|
||||
if args.Username == b.accessKeyID {
|
||||
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(args.Password)) == nil
|
||||
if username == b.accessKeyID {
|
||||
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(password)) == nil
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
//
|
||||
func (b *JWT) getTokenRemainingValidity(timestamp interface{}) int {
|
||||
if validity, ok := timestamp.(float64); ok {
|
||||
tm := time.Unix(int64(validity), 0)
|
||||
remainer := tm.Sub(time.Now())
|
||||
if remainer > 0 {
|
||||
return int(remainer.Seconds() + expireOffset)
|
||||
}
|
||||
}
|
||||
return expireOffset
|
||||
}
|
||||
|
||||
// Logout - logout is not implemented yet.
|
||||
func (b *JWT) Logout(tokenString string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// getPrivateKey - get the generated private key.
|
||||
func getPrivateKey() *rsa.PrivateKey {
|
||||
pemBytes, err := ioutil.ReadFile(mustGetPrivateKeyPath())
|
||||
if err != nil {
|
||||
@ -90,22 +100,3 @@ func getPrivateKey() *rsa.PrivateKey {
|
||||
}
|
||||
return privateKeyImported
|
||||
}
|
||||
|
||||
func getPublicKey() *rsa.PublicKey {
|
||||
pemBytes, err := ioutil.ReadFile(mustGetPublicKeyPath())
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
data, _ := pem.Decode([]byte(pemBytes))
|
||||
publicKeyImported, err := x509.ParsePKIXPublicKey(data.Bytes)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
rsaPub, ok := publicKeyImported.(*rsa.PublicKey)
|
||||
if !ok {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return rsaPub
|
||||
}
|
||||
|
@ -113,6 +113,15 @@ func (fs Filesystem) GetObjectMetadata(bucket, object string) (ObjectMetadata, *
|
||||
return ObjectMetadata{}, probe.NewError(ObjectNameInvalid{Bucket: bucket, Object: bucket})
|
||||
}
|
||||
|
||||
bucket = fs.denormalizeBucket(bucket)
|
||||
bucketPath := filepath.Join(fs.path, bucket)
|
||||
if _, e := os.Stat(bucketPath); e != nil {
|
||||
if os.IsNotExist(e) {
|
||||
return ObjectMetadata{}, probe.NewError(BucketNotFound{Bucket: bucket})
|
||||
}
|
||||
return ObjectMetadata{}, probe.NewError(e)
|
||||
}
|
||||
|
||||
metadata, err := getMetadata(fs.path, bucket, object)
|
||||
if err != nil {
|
||||
return ObjectMetadata{}, err.Trace(bucket, object)
|
||||
|
@ -1,3 +1,19 @@
|
||||
/*
|
||||
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
@ -46,9 +62,3 @@ func mustGetPrivateKeyPath() string {
|
||||
fatalIf(err.Trace(), "Unable to get config path.", nil)
|
||||
return webConfigDir + "/private.key"
|
||||
}
|
||||
|
||||
func mustGetPublicKeyPath() string {
|
||||
webConfigDir, err := getWebConfigDir()
|
||||
fatalIf(err.Trace(), "Unable to get config path.", nil)
|
||||
return webConfigDir + "/public.key"
|
||||
}
|
||||
|
@ -1,3 +1,19 @@
|
||||
/*
|
||||
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import "time"
|
||||
|
@ -1,3 +1,19 @@
|
||||
/*
|
||||
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
@ -8,6 +24,8 @@ import (
|
||||
jwtgo "github.com/dgrijalva/jwt-go"
|
||||
)
|
||||
|
||||
// isAuthenticated validates if any incoming request to be a valid JWT
|
||||
// authenticated request.
|
||||
func isAuthenticated(req *http.Request) bool {
|
||||
jwt := InitJWT()
|
||||
tokenRequest, err := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) {
|
||||
@ -85,7 +103,7 @@ func (web *WebAPI) GetObjectURL(r *http.Request, args *GetObjectURLArgs, reply *
|
||||
// Login - user login handler.
|
||||
func (web *WebAPI) Login(r *http.Request, args *LoginArgs, reply *AuthToken) error {
|
||||
jwt := InitJWT()
|
||||
if jwt.Authenticate(args) {
|
||||
if jwt.Authenticate(args.Username, args.Password) {
|
||||
token, err := jwt.GenerateToken(args.Username)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -113,11 +131,6 @@ func (web *WebAPI) RefreshToken(r *http.Request, args *LoginArgs, reply *AuthTok
|
||||
// Logout - user logout.
|
||||
func (web *WebAPI) Logout(r *http.Request, arg *string, reply *string) error {
|
||||
if isAuthenticated(r) {
|
||||
jwt := InitJWT()
|
||||
tokenString := r.Header.Get("Authorization")
|
||||
if err := jwt.Logout(tokenString); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
return errUnAuthorizedRequest
|
||||
|
Loading…
Reference in New Issue
Block a user