allow users to change password through browser (#7683)

Allow IAM users to change the password using browser UI.
2025-11-07 12:52:58 -05:00 · 2019-05-30 01:48:46 +05:30
parent 74e2fe0879
commit da8214845a
13 changed files with 509 additions and 304 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -491,6 +491,51 @@ func (sys *IAMSys) SetUser(accessKey string, uinfo madmin.UserInfo) error {
 	return nil
 }

+// SetUserSecretKey - sets user secret key
+func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
+	objectAPI := newObjectLayerFn()
+	if objectAPI == nil {
+		return errServerNotInitialized
+	}
+
+	sys.Lock()
+	defer sys.Unlock()
+
+	cred, ok := sys.iamUsersMap[accessKey]
+	if !ok {
+		return errNoSuchUser
+	}
+
+	uinfo := madmin.UserInfo{
+		SecretKey: secretKey,
+		Status:    madmin.AccountStatus(cred.Status),
+	}
+
+	configFile := pathJoin(iamConfigUsersPrefix, accessKey, iamIdentityFile)
+	data, err := json.Marshal(uinfo)
+	if err != nil {
+		return err
+	}
+
+	if globalEtcdClient != nil {
+		err = saveConfigEtcd(context.Background(), globalEtcdClient, configFile, data)
+	} else {
+		err = saveConfig(context.Background(), objectAPI, configFile, data)
+	}
+
+	if err != nil {
+		return err
+	}
+
+	sys.iamUsersMap[accessKey] = auth.Credentials{
+		AccessKey: accessKey,
+		SecretKey: secretKey,
+		Status:    string(uinfo.Status),
+	}
+
+	return nil
+}
+
 // GetUser - get user credentials
 func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 	sys.RLock()
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -47,6 +47,7 @@ var (
 	errChangeCredNotAllowed = errors.New("Changing access key and secret key not allowed")
 	errAuthentication       = errors.New("Authentication failed, check your access credentials")
 	errNoAuthToken          = errors.New("JWT token missing")
+	errIncorrectCreds       = errors.New("Current access key or secret key is incorrect")
 )

 func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -69,6 +69,7 @@ type ServerInfoRep struct {
 	MinioPlatform   string
 	MinioRuntime    string
 	MinioGlobalInfo map[string]interface{}
+	MinioUserInfo   map[string]interface{}
 	UIVersion       string `json:"uiVersion"`
 }

@@ -97,17 +98,17 @@ func (web *webAPIHandlers) ServerInfo(r *http.Request, args *WebGenericArgs, rep

 	reply.MinioVersion = Version
 	reply.MinioGlobalInfo = getGlobalInfo()
-	// If ENV creds are not set and incoming user is not owner
-	// disable changing credentials.
-	v, ok := reply.MinioGlobalInfo["isEnvCreds"].(bool)
-	if ok && !v {
-		reply.MinioGlobalInfo["isEnvCreds"] = !owner
-	}
-	// if etcd is set disallow changing credentials through UI
+
+	// if etcd is set, disallow changing credentials through UI for owner
 	if globalEtcdClient != nil {
 		reply.MinioGlobalInfo["isEnvCreds"] = true
 	}

+	// Check if the user is IAM user
+	reply.MinioUserInfo = map[string]interface{}{
+		"isIAMUser": !owner,
+	}
+
 	reply.MinioMemory = mem
 	reply.MinioPlatform = platform
 	reply.MinioRuntime = goruntime
@@ -768,8 +769,10 @@ func (web webAPIHandlers) GenerateAuth(r *http.Request, args *WebGenericArgs, re

 // SetAuthArgs - argument for SetAuth
 type SetAuthArgs struct {
-	AccessKey string `json:"accessKey"`
-	SecretKey string `json:"secretKey"`
+	CurrentAccessKey string `json:"currentAccessKey"`
+	CurrentSecretKey string `json:"currentSecretKey"`
+	NewAccessKey     string `json:"newAccessKey"`
+	NewSecretKey     string `json:"newSecretKey"`
 }

 // SetAuthReply - reply for SetAuth
@@ -781,68 +784,80 @@ type SetAuthReply struct {

 // SetAuth - Set accessKey and secretKey credentials.
 func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *SetAuthReply) error {
-	_, owner, authErr := webRequestAuthenticate(r)
+	claims, owner, authErr := webRequestAuthenticate(r)
 	if authErr != nil {
 		return toJSONError(authErr)
 	}

-	// If creds are set through ENV disallow changing credentials.
-	if globalIsEnvCreds || globalWORMEnabled || !owner || globalEtcdClient != nil {
+	// When WORM is enabled, disallow changing credenatials for owner and user
+	if globalWORMEnabled {
 		return toJSONError(errChangeCredNotAllowed)
 	}

-	creds, err := auth.CreateCredentials(args.AccessKey, args.SecretKey)
-	if err != nil {
-		return toJSONError(err)
+	if owner {
+		if globalIsEnvCreds || globalEtcdClient != nil {
+			return toJSONError(errChangeCredNotAllowed)
+		}
+
+		// get Current creds and verify
+		prevCred := globalServerConfig.GetCredential()
+		if prevCred.AccessKey != args.CurrentAccessKey || prevCred.SecretKey != args.CurrentSecretKey {
+			return errIncorrectCreds
+		}
+
+		creds, err := auth.CreateCredentials(args.NewAccessKey, args.NewSecretKey)
+		if err != nil {
+			return toJSONError(err)
+		}
+
+		// Acquire lock before updating global configuration.
+		globalServerConfigMu.Lock()
+		defer globalServerConfigMu.Unlock()
+
+		// Update credentials in memory
+		prevCred = globalServerConfig.SetCredential(creds)
+
+		// Persist updated credentials.
+		if err = saveServerConfig(context.Background(), newObjectLayerFn(), globalServerConfig); err != nil {
+			// Save the current creds when failed to update.
+			globalServerConfig.SetCredential(prevCred)
+			logger.LogIf(context.Background(), err)
+			return toJSONError(err)
+		}
+
+		reply.Token, err = authenticateWeb(args.NewAccessKey, args.NewSecretKey)
+		if err != nil {
+			return toJSONError(err)
+		}
+	} else {
+		// for IAM users, access key cannot be updated
+		// claims.Subject is used instead of accesskey from args
+		prevCred, ok := globalIAMSys.GetUser(claims.Subject)
+		if !ok {
+			return errInvalidAccessKeyID
+		}
+
+		// Throw error when wrong secret key is provided
+		if prevCred.SecretKey != args.CurrentSecretKey {
+			return errIncorrectCreds
+		}
+
+		err := globalIAMSys.SetUserSecretKey(claims.Subject, args.NewSecretKey)
+		if err != nil {
+			return toJSONError(err)
+		}
+
+		reply.Token, err = authenticateWeb(claims.Subject, args.NewSecretKey)
+		if err != nil {
+			return toJSONError(err)
+		}
 	}

-	// Acquire lock before updating global configuration.
-	globalServerConfigMu.Lock()
-	defer globalServerConfigMu.Unlock()
-
-	// Update credentials in memory
-	prevCred := globalServerConfig.SetCredential(creds)
-
-	// Persist updated credentials.
-	if err = saveServerConfig(context.Background(), newObjectLayerFn(), globalServerConfig); err != nil {
-		// Save the current creds when failed to update.
-		globalServerConfig.SetCredential(prevCred)
-		logger.LogIf(context.Background(), err)
-		return toJSONError(err)
-	}
-
-	reply.Token, err = authenticateWeb(creds.AccessKey, creds.SecretKey)
-	if err != nil {
-		return toJSONError(err)
-	}
 	reply.UIVersion = browser.UIVersion

 	return nil
 }

-// GetAuthReply - Reply current credentials.
-type GetAuthReply struct {
-	AccessKey string `json:"accessKey"`
-	SecretKey string `json:"secretKey"`
-	UIVersion string `json:"uiVersion"`
-}
-
-// GetAuth - return accessKey and secretKey credentials.
-func (web *webAPIHandlers) GetAuth(r *http.Request, args *WebGenericArgs, reply *GetAuthReply) error {
-	_, owner, authErr := webRequestAuthenticate(r)
-	if authErr != nil {
-		return toJSONError(authErr)
-	}
-	if !owner {
-		return toJSONError(errAccessDenied)
-	}
-	creds := globalServerConfig.GetCredential()
-	reply.AccessKey = creds.AccessKey
-	reply.SecretKey = creds.SecretKey
-	reply.UIVersion = browser.UIVersion
-	return nil
-}
-
 // URLTokenReply contains the reply for CreateURLToken.
 type URLTokenReply struct {
 	Token     string `json:"token"`
--- a/cmd/web-handlers_test.go
+++ b/cmd/web-handlers_test.go
@@ -701,18 +701,20 @@ func testSetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandle
 	}

 	testCases := []struct {
-		username string
-		password string
-		success  bool
+		currentAccessKey string
+		currentSecretKey string
+		newAccessKey     string
+		newSecretKey     string
+		success          bool
 	}{
-		{"", "", false},
-		{"1", "1", false},
-		{"azerty", "foooooooooooooo", true},
+		{"", "", "", "", false},
+		{"1", "1", "1", "1", false},
+		{credentials.AccessKey, credentials.SecretKey, "azerty", "foooooooooooooo", true},
 	}

 	// Iterating over the test cases, calling the function under test and asserting the response.
 	for i, testCase := range testCases {
-		setAuthRequest := SetAuthArgs{AccessKey: testCase.username, SecretKey: testCase.password}
+		setAuthRequest := SetAuthArgs{CurrentAccessKey: testCase.currentAccessKey, CurrentSecretKey: testCase.currentSecretKey, NewAccessKey: testCase.newAccessKey, NewSecretKey: testCase.newSecretKey}
 		setAuthReply := &SetAuthReply{}
 		req, err := newTestWebRPCRequest("Web.SetAuth", authorization, setAuthRequest)
 		if err != nil {
@@ -735,42 +737,6 @@ func testSetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandle
 	}
 }

-// Wrapper for calling Get Auth Handler
-func TestWebHandlerGetAuth(t *testing.T) {
-	ExecObjectLayerTest(t, testGetAuthWebHandler)
-}
-
-// testGetAuthWebHandler - Test GetAuth web handler
-func testGetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandler) {
-	// Register the API end points with XL/FS object layer.
-	apiRouter := initTestWebRPCEndPoint(obj)
-	credentials := globalServerConfig.GetCredential()
-
-	rec := httptest.NewRecorder()
-	authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey)
-	if err != nil {
-		t.Fatal("Cannot authenticate")
-	}
-
-	getAuthRequest := WebGenericArgs{}
-	getAuthReply := &GetAuthReply{}
-	req, err := newTestWebRPCRequest("Web.GetAuth", authorization, getAuthRequest)
-	if err != nil {
-		t.Fatalf("Failed to create HTTP request: <ERROR> %v", err)
-	}
-	apiRouter.ServeHTTP(rec, req)
-	if rec.Code != http.StatusOK {
-		t.Fatalf("Expected the response status to be 200, but instead found `%d`", rec.Code)
-	}
-	err = getTestWebRPCResponse(rec, &getAuthReply)
-	if err != nil {
-		t.Fatalf("Failed, %v", err)
-	}
-	if getAuthReply.AccessKey != credentials.AccessKey || getAuthReply.SecretKey != credentials.SecretKey {
-		t.Fatalf("Failed to get correct auth keys")
-	}
-}
-
 func TestWebCreateURLToken(t *testing.T) {
 	ExecObjectLayerTest(t, testCreateURLToken)
 }
@@ -1518,7 +1484,7 @@ func TestWebCheckAuthorization(t *testing.T) {
 	webRPCs := []string{
 		"ServerInfo", "StorageInfo", "MakeBucket",
 		"ListBuckets", "ListObjects", "RemoveObject",
-		"GenerateAuth", "SetAuth", "GetAuth",
+		"GenerateAuth", "SetAuth",
 		"GetBucketPolicy", "SetBucketPolicy", "ListAllBucketPolicies",
 		"PresignedGet",
 	}