sts: add support for certificate-based authentication (#12748)

This commit adds a new STS API for X.509 certificate
authentication.

A client can make an HTTP POST request over a TLS connection
and MinIO will verify the provided client certificate, map it to an 
S3 policy and return temp. S3 credentials to the client.

So, this STS API allows clients to authenticate with X.509
certificates over TLS and obtain temp. S3 credentials.

For more details and examples refer to the docs/sts/tls.md
documentation.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>

cmd/sts-handlers.go

@@ -20,11 +20,13 @@ package cmd
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/gorilla/mux"
 	"github.com/minio/minio/internal/auth"
@@ -48,10 +50,11 @@ const (
 	stsLDAPPassword     = "LDAPPassword"
 
 	// STS API action constants
-	clientGrants = "AssumeRoleWithClientGrants"
-	webIdentity  = "AssumeRoleWithWebIdentity"
-	ldapIdentity = "AssumeRoleWithLDAPIdentity"
-	assumeRole   = "AssumeRole"
+	clientGrants      = "AssumeRoleWithClientGrants"
+	webIdentity       = "AssumeRoleWithWebIdentity"
+	ldapIdentity      = "AssumeRoleWithLDAPIdentity"
+	clientCertificate = "AssumeRoleWithCertificate"
+	assumeRole        = "AssumeRole"
 
 	stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
 
@@ -124,6 +127,12 @@ func registerSTSRouter(router *mux.Router) {
 		Queries(stsVersion, stsAPIVersion).
 		Queries(stsLDAPUsername, "{LDAPUsername:.*}").
 		Queries(stsLDAPPassword, "{LDAPPassword:.*}")
+
+	// AssumeRoleWithCertificate
+	stsRouter.Methods(http.MethodPost).HandlerFunc(httpTraceAll(sts.AssumeRoleWithCertificate)).
+		Queries(stsAction, clientCertificate).
+		Queries(stsVersion, stsAPIVersion)
+
 }
 
 func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
@@ -649,3 +658,100 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 
 	writeSuccessResponseXML(w, encodedSuccessResponse)
 }
+
+// AssumeRoleWithCertificate implements user authentication with client certificates.
+// It verifies the client-provided X.509 certificate, maps the certificate to an S3 policy
+// and returns temp. S3 credentials to the client.
+//
+// API endpoint: https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15
+func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *http.Request) {
+	var ctx = newContext(r, w, "AssumeRoleWithCertificate")
+
+	if !globalSTSTLSConfig.Enabled {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
+		return
+	}
+
+	// We have to establish a TLS connection and the
+	// client must provide exactly one client certificate.
+	// Otherwise, we don't have a certificate to verify or
+	// the policy lookup would ambigious.
+	if r.TLS == nil {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInsecureConnection, errors.New("No TLS connection attempt"))
+		return
+	}
+	if len(r.TLS.PeerCertificates) == 0 {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("No client certificate provided"))
+		return
+	}
+	if len(r.TLS.PeerCertificates) > 1 {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("More than one client certificate provided"))
+		return
+	}
+
+	var certificate = r.TLS.PeerCertificates[0]
+	if !globalSTSTLSConfig.InsecureSkipVerify {
+		_, err := certificate.Verify(x509.VerifyOptions{
+			KeyUsages: []x509.ExtKeyUsage{
+				x509.ExtKeyUsageClientAuth,
+			},
+			Roots: globalRootCAs,
+		})
+		if err != nil {
+			writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidClientCertificate, err)
+			return
+		}
+	}
+
+	// We map the X.509 subject common name to the policy. So, a client
+	// with the common name "foo" will be associated with the policy "foo".
+	// Other mapping functions - e.g. public-key hash based mapping - are
+	// possible but not implemented.
+	//
+	// Group mapping is not possible with standard X.509 certificates.
+	if certificate.Subject.CommonName == "" {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("certificate subject CN cannot be empty"))
+		return
+	}
+
+	expiry, err := globalSTSTLSConfig.GetExpiryDuration(r.Form.Get(stsDurationSeconds))
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, err)
+		return
+	}
+
+	// We set the expiry of the temp. credentials to the minimum of the
+	// configured expiry and the duration until the certificate itself
+	// expires.
+	// We must not issue credentials that out-live the certificate.
+	if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
+		expiry = validUntil
+	}
+
+	// Associate any service accounts to the certificate CN
+	parentUser := "tls:" + certificate.Subject.CommonName
+
+	tmpCredentials, err := auth.GetNewCredentialsWithMetadata(map[string]interface{}{
+		expClaim:    time.Now().UTC().Add(expiry).Unix(),
+		parentClaim: parentUser,
+		subClaim:    certificate.Subject.CommonName,
+		audClaim:    certificate.Subject.Organization,
+		issClaim:    certificate.Issuer.CommonName,
+	}, globalActiveCred.SecretKey)
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
+		return
+	}
+
+	tmpCredentials.ParentUser = parentUser
+	err = globalIAMSys.SetTempUser(tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName)
+	if err != nil {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
+		return
+	}
+
+	var response = new(AssumeRoleWithCertificateResponse)
+	response.Result.Credentials = tmpCredentials
+	response.Metadata.RequestID = w.Header().Get(xhttp.AmzRequestID)
+	writeSuccessResponseXML(w, encodeResponse(response))
+}