From e8ce3b64edb2515f2f3c0f4c1947e007307aec79 Mon Sep 17 00:00:00 2001
From: Bala FA
Date: Mon, 26 Dec 2016 23:51:23 +0530
Subject: [PATCH] Generate and use access/secret keys properly (#3498)
---
cmd/access-key.go | 91 ---------
cmd/admin-handlers_test.go | 2 +-
cmd/admin-rpc-client.go | 4 +-
cmd/admin-rpc-server_test.go | 2 +-
cmd/api-headers.go | 23 ++-
cmd/api-headers_test.go | 2 +-
cmd/auth-handler_test.go | 2 +-
cmd/auth-rpc-client.go | 2 +-
cmd/browser-peer-rpc.go | 4 +-
cmd/browser-peer-rpc_test.go | 8 +-
cmd/bucket-handlers_test.go | 62 +++---
cmd/bucket-notification-handlers_test.go | 8 +-
cmd/bucket-policy-handlers_test.go | 62 +++---
cmd/config-migrate.go | 4 +-
cmd/config-migrate_test.go | 8 +-
cmd/config-old.go | 12 +-
cmd/config-v11.go | 2 +-
cmd/credential.go | 74 ++++++++
cmd/lock-instrument.go | 2 +-
cmd/lock-rpc-server_test.go | 2 +-
cmd/login-server_test.go | 6 +-
cmd/main.go | 8 +-
cmd/namespace-lock.go | 4 +-
cmd/object-handlers_test.go | 230 +++++++++++------------
cmd/post-policy_test.go | 58 +++---
cmd/prepare-storage-msg.go | 2 +-
cmd/s3-peer-client.go | 4 +-
cmd/server-startup-msg.go | 8 +-
cmd/server_test.go | 10 +-
cmd/signature-jwt.go | 16 +-
cmd/signature-jwt_test.go | 6 +-
cmd/signature-v2.go | 16 +-
cmd/signature-v2_test.go | 16 +-
cmd/signature-v4-parser.go | 2 +-
cmd/signature-v4.go | 14 +-
cmd/signature-v4_test.go | 6 +-
cmd/storage-rpc-client.go | 4 +-
cmd/storage-rpc-server_test.go | 4 +-
cmd/streaming-signature-v4.go | 6 +-
cmd/test-utils_test.go | 20 +-
cmd/web-handlers.go | 22 +--
cmd/web-handlers_test.go | 38 ++--
42 files changed, 429 insertions(+), 447 deletions(-)
delete mode 100644 cmd/access-key.go
create mode 100644 cmd/credential.go
diff --git a/cmd/access-key.go b/cmd/access-key.go
deleted file mode 100644
index 5ade6037e..000000000
--- a/cmd/access-key.go
+++ /dev/null
@@ -1,91 +0,0 @@ -/* - * Minio Cloud Storage, (C) 2015, 2016 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package cmd - -import ( - "crypto/rand" - "encoding/base64" -) - -// credential container for access and secret keys. -type credential struct { - AccessKeyID string `json:"accessKey"` - SecretAccessKey string `json:"secretKey"` -} - -const ( - accessKeyMinLen = 5 - accessKeyMaxLen = 20 - secretKeyMinLen = 8 - secretKeyMaxLen = 40 -) - -// isValidAccessKey - validate access key for right length. -func isValidAccessKey(accessKey string) bool { - return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen -} - -// isValidSecretKey - validate secret key for right length. -func isValidSecretKey(secretKey string) bool { - return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen -} - -// mustGenAccessKeys - must generate access credentials. -func mustGenAccessKeys() (creds credential) { - creds, err := genAccessKeys() - fatalIf(err, "Unable to generate access keys.") - return creds -} - -// genAccessKeys - generate access credentials. 
-func genAccessKeys() (credential, error) { - accessKeyID, err := genAccessKeyID() - if err != nil { - return credential{}, err - } - secretAccessKey, err := genSecretAccessKey() - if err != nil { - return credential{}, err - } - creds := credential{ - AccessKeyID: string(accessKeyID), - SecretAccessKey: string(secretAccessKey), - } - return creds, nil -} - -// genAccessKeyID - generate random alpha numeric value using only uppercase characters -// takes input as size in integer -func genAccessKeyID() ([]byte, error) { - alpha := make([]byte, accessKeyMaxLen) - if _, err := rand.Read(alpha); err != nil { - return nil, err - } - for i := 0; i < accessKeyMaxLen; i++ { - alpha[i] = alphaNumericTable[alpha[i]%byte(len(alphaNumericTable))] - } - return alpha, nil -} - -// genSecretAccessKey - generate random base64 numeric value from a random seed. -func genSecretAccessKey() ([]byte, error) { - rb := make([]byte, secretKeyMaxLen) - if _, err := rand.Read(rb); err != nil { - return nil, err - } - return []byte(base64.StdEncoding.EncodeToString(rb))[:secretKeyMaxLen], nil -} diff --git a/cmd/admin-handlers_test.go b/cmd/admin-handlers_test.go index 0e012626f..95f5b853e 100644 --- a/cmd/admin-handlers_test.go +++ b/cmd/admin-handlers_test.go @@ -83,7 +83,7 @@ func getAdminCmdRequest(cmd cmdType, cred credential) (*http.Request, error) { return nil, err } req.Header.Set(minioAdminOpHeader, cmd.String()) - err = signRequestV4(req, cred.AccessKeyID, cred.SecretAccessKey) + err = signRequestV4(req, cred.AccessKey, cred.SecretKey) if err != nil { return nil, err } diff --git a/cmd/admin-rpc-client.go b/cmd/admin-rpc-client.go index 324ecda7b..d454cc05a 100644 --- a/cmd/admin-rpc-client.go +++ b/cmd/admin-rpc-client.go 
@@ -109,8 +109,8 @@ func makeAdminPeers(eps []*url.URL) adminPeers { // Check if the remote host has been added already if !seenAddr[ep.Host] { cfg := authConfig{ - accessKey: serverConfig.GetCredential().AccessKeyID, - secretKey: serverConfig.GetCredential().SecretAccessKey, + accessKey: serverConfig.GetCredential().AccessKey, + secretKey: serverConfig.GetCredential().SecretKey, address: ep.Host, secureConn: isSSL(), path: path.Join(reservedBucket, servicePath), diff --git a/cmd/admin-rpc-server_test.go b/cmd/admin-rpc-server_test.go index 99832642a..a18f91547 100644 --- a/cmd/admin-rpc-server_test.go +++ b/cmd/admin-rpc-server_test.go @@ -31,7 +31,7 @@ func testAdminCmd(cmd cmdType, t *testing.T) { adminServer := serviceCmd{} creds := serverConfig.GetCredential() reply := RPCLoginReply{} - args := RPCLoginArgs{Username: creds.AccessKeyID, Password: creds.SecretAccessKey} + args := RPCLoginArgs{Username: creds.AccessKey, Password: creds.SecretKey} err = adminServer.LoginHandler(&args, &reply) if err != nil { t.Fatalf("Failed to login to admin server - %v", err) diff --git a/cmd/api-headers.go b/cmd/api-headers.go index 5dd9ebeac..a16470ca0 100644 --- a/cmd/api-headers.go +++ b/cmd/api-headers.go 
@@ -25,23 +25,26 @@ import ( "strconv" ) -// Static alphanumeric table used for generating unique request ids -var alphaNumericTable = []byte("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ") +const requestIDLen = 16 -// newRequestID generates and returns request ID string. -func newRequestID() string { - alpha := make([]byte, 16) - rand.Read(alpha) - for i := 0; i < 16; i++ { - alpha[i] = alphaNumericTable[alpha[i]%byte(len(alphaNumericTable))] +// mustGetRequestID generates and returns request ID string. +func mustGetRequestID() string { + reqBytes := make([]byte, requestIDLen) + if _, err := rand.Read(reqBytes); err != nil { + panic(err) } - return string(alpha) + + for i := 0; i < requestIDLen; i++ { + reqBytes[i] = alphaNumericTable[reqBytes[i]%alphaNumericTableLen] + } + + return string(reqBytes) } // Write http common headers func setCommonHeaders(w http.ResponseWriter) { // Set unique request ID for each reply. - w.Header().Set("X-Amz-Request-Id", newRequestID()) + w.Header().Set("X-Amz-Request-Id", mustGetRequestID()) w.Header().Set("Server", ("Minio/" + ReleaseTag + " (" + runtime.GOOS + "; " + runtime.GOARCH + ")")) w.Header().Set("Accept-Ranges", "bytes") } diff --git a/cmd/api-headers_test.go b/cmd/api-headers_test.go index a20c4a3a1..540d136ee 100644 --- a/cmd/api-headers_test.go +++ b/cmd/api-headers_test.go @@ -22,7 +22,7 @@ import ( func TestNewRequestID(t *testing.T) { // Ensure that it returns an alphanumeric result of length 16. - var id = newRequestID() + var id = mustGetRequestID() if len(id) != 16 { t.Fail() diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go index 0e6989390..a1a536131 100644 --- a/cmd/auth-handler_test.go +++ b/cmd/auth-handler_test.go 
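Review bot: The byte-to-character loop in `mustGetRequestID` (`reqBytes[i]%alphaNumericTableLen`) is repeated in `mustGetAccessKey` in cmd/credential.go, and in both places the mapping is slightly non-uniform: 256 is not a multiple of the 36-character table, so `0` to `3` are chosen 8 times in 256 and every other character 7 times. That hardly matters for a request ID, but the access key comes from the same code, so one shared helper that redraws bytes of 252 and above would fix both and remove the copy. The helper below keeps the panic on a failed `rand.Read`; the doc comment of `mustGetRequestID` should say so, since `setCommonHeaders` calls it for every reply. `mustGetAccessKey` would then reduce to `return randomAlphaNumeric(accessKeyMaxLen)`.

```go
// randomAlphaNumeric returns n characters drawn uniformly from alphaNumericTable.
// It panics if the system random source cannot be read.
func randomAlphaNumeric(n int) string {
	// Largest multiple of the table length that fits in a byte; bytes at or
	// above it are redrawn so that every character is equally likely.
	const limit = 256 - 256%int(alphaNumericTableLen)

	out := make([]byte, 0, n)
	buf := make([]byte, n)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			panic(err)
		}
		for _, b := range buf {
			if int(b) < limit && len(out) < n {
				out = append(out, alphaNumericTable[b%alphaNumericTableLen])
			}
		}
	}
	return string(out)
}

// mustGetRequestID generates and returns request ID string.
// It panics if the system random source cannot be read.
func mustGetRequestID() string {
	return randomAlphaNumeric(requestIDLen)
}
```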
@@ -301,7 +301,7 @@ func mustNewRequest(method string, urlStr string, contentLength int64, body io.R func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request { req := mustNewRequest(method, urlStr, contentLength, body, t) cred := serverConfig.GetCredential() - if err := signRequestV4(req, cred.AccessKeyID, cred.SecretAccessKey); err != nil { + if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil { t.Fatalf("Unable to inititalized new signed http request %s", err) } return req diff --git a/cmd/auth-rpc-client.go b/cmd/auth-rpc-client.go index 905eb2083..978c9382f 100644 --- a/cmd/auth-rpc-client.go +++ b/cmd/auth-rpc-client.go @@ -74,7 +74,7 @@ func isRPCTokenValid(tokenStr string) bool { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } - return []byte(jwt.SecretAccessKey), nil + return []byte(jwt.SecretKey), nil }) if err != nil { errorIf(err, "Unable to parse JWT token string") diff --git a/cmd/browser-peer-rpc.go b/cmd/browser-peer-rpc.go index f62ff80fe..3a76e8ff6 100644 --- a/cmd/browser-peer-rpc.go +++ b/cmd/browser-peer-rpc.go @@ -103,8 +103,8 @@ func updateCredsOnPeers(creds credential) map[string]error { // Initialize client client := newAuthClient(&authConfig{ - accessKey: serverConfig.GetCredential().AccessKeyID, - secretKey: serverConfig.GetCredential().SecretAccessKey, + accessKey: serverConfig.GetCredential().AccessKey, + secretKey: serverConfig.GetCredential().SecretKey, address: peers[ix], secureConn: isSSL(), path: path.Join(reservedBucket, browserPeerPath), diff --git a/cmd/browser-peer-rpc_test.go b/cmd/browser-peer-rpc_test.go index 2f34da764..4adfd4abf 100644 --- a/cmd/browser-peer-rpc_test.go +++ b/cmd/browser-peer-rpc_test.go 
@@ -63,8 +63,8 @@ func TestBrowserPeerRPC(t *testing.T) { func (s *TestRPCBrowserPeerSuite) testBrowserPeerRPC(t *testing.T) { // Construct RPC call arguments. creds := credential{ - AccessKeyID: "abcd1", - SecretAccessKey: "abcd1234", + AccessKey: "abcd1", + SecretKey: "abcd1234", } // Validate for invalid token. @@ -105,8 +105,8 @@ func (s *TestRPCBrowserPeerSuite) testBrowserPeerRPC(t *testing.T) { // Validate for success in loing handled with valid credetnails. rargs = &RPCLoginArgs{ - Username: creds.AccessKeyID, - Password: creds.SecretAccessKey, + Username: creds.AccessKey, + Password: creds.SecretKey, } rreply = &RPCLoginReply{} err = rclient.Call("BrowserPeer.LoginHandler", rargs, rreply) diff --git a/cmd/bucket-handlers_test.go b/cmd/bucket-handlers_test.go index 24fb82783..212c066eb 100644 --- a/cmd/bucket-handlers_test.go +++ b/cmd/bucket-handlers_test.go @@ -50,8 +50,8 @@ func testGetBucketLocationHandler(obj ObjectLayer, instanceType, bucketName stri // Tests for authenticated request and proper response. { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, locationResponse: []byte(` `), @@ -192,16 +192,16 @@ func testHeadBucketHandler(obj ObjectLayer, instanceType, bucketName string, api // Bucket exists. { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, }, // Test case - 2. // Non-existent bucket name. { bucketName: "2333", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 3. 
@@ -311,8 +311,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "", maxUploads: "0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, shouldPass: false, }, @@ -325,8 +325,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "", maxUploads: "0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, shouldPass: false, }, @@ -339,8 +339,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "-", maxUploads: "0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotImplemented, shouldPass: false, }, @@ -353,8 +353,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "", maxUploads: "0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotImplemented, shouldPass: false, }, @@ -367,8 +367,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "abc", delimiter: "", maxUploads: "0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotImplemented, shouldPass: false, }, 
@@ -381,8 +381,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "", maxUploads: "-1", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, shouldPass: false, }, @@ -396,8 +396,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "/", maxUploads: "100", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, shouldPass: true, }, @@ -410,8 +410,8 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s uploadIDMarker: "", delimiter: "", maxUploads: "100", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, shouldPass: true, }, @@ -535,8 +535,8 @@ func testListBucketsHandler(obj ObjectLayer, instanceType, bucketName string, ap // Validate a good case request succeeds. { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, }, // Test case - 2. @@ -684,7 +684,7 @@ func testAPIDeleteMultipleObjectsHandler(obj ObjectLayer, instanceType, bucketNa bucket: bucketName, objects: successRequest0, accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedContent: nil, expectedRespStatus: http.StatusForbidden, }, 
@@ -693,8 +693,8 @@ func testAPIDeleteMultipleObjectsHandler(obj ObjectLayer, instanceType, bucketNa { bucket: bucketName, objects: successRequest0, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodedSuccessResponse0, expectedRespStatus: http.StatusOK, }, @@ -703,8 +703,8 @@ func testAPIDeleteMultipleObjectsHandler(obj ObjectLayer, instanceType, bucketNa { bucket: bucketName, objects: successRequest1, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodedSuccessResponse1, expectedRespStatus: http.StatusOK, }, @@ -713,8 +713,8 @@ func testAPIDeleteMultipleObjectsHandler(obj ObjectLayer, instanceType, bucketNa { bucket: bucketName, objects: successRequest1, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodedErrorResponse, expectedRespStatus: http.StatusOK, }, diff --git a/cmd/bucket-notification-handlers_test.go b/cmd/bucket-notification-handlers_test.go index e4ef7b35b..986749fdd 100644 --- a/cmd/bucket-notification-handlers_test.go +++ b/cmd/bucket-notification-handlers_test.go @@ -209,7 +209,7 @@ func testGetBucketNotificationHandler(obj ObjectLayer, instanceType, bucketName } rec := httptest.NewRecorder() req, err := newTestSignedRequestV4("GET", getGetBucketNotificationURL("", bucketName), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("%s: Failed to create HTTP testRequest for ListenBucketNotification: %v", instanceType, err) } 
@@ -222,7 +222,7 @@ func testGetBucketNotificationHandler(obj ObjectLayer, instanceType, bucketName } rec = httptest.NewRecorder() req, err = newTestSignedRequestV4("GET", getGetBucketNotificationURL("", bucketName), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("%s: Failed to create HTTP testRequest for ListenBucketNotification: %v", instanceType, err) } @@ -268,7 +268,7 @@ func testListenBucketNotificationNilHandler(obj ObjectLayer, instanceType, bucke []string{"*.jpg"}, []string{ "s3:ObjectCreated:*", "s3:ObjectRemoved:*", - }), 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + }), 0, nil, credentials.AccessKey, credentials.SecretKey) if tErr != nil { t.Fatalf("%s: Failed to create HTTP testRequest for ListenBucketNotification: %v", instanceType, tErr) } @@ -294,7 +294,7 @@ func testRemoveNotificationConfig(obj ObjectLayer, instanceType, bucketName stri testRec := httptest.NewRecorder() testReq, tErr := newTestSignedRequestV4("PUT", getPutBucketNotificationURL("", randBucket), int64(len(sampleNotificationBytes)), bytes.NewReader(sampleNotificationBytes), - credentials.AccessKeyID, credentials.SecretAccessKey) + credentials.AccessKey, credentials.SecretKey) if tErr != nil { t.Fatalf("%s: Failed to create HTTP testRequest for PutBucketNotification: %v", instanceType, tErr) } diff --git a/cmd/bucket-policy-handlers_test.go b/cmd/bucket-policy-handlers_test.go index 5b89e5289..c4d893e5d 100644 --- a/cmd/bucket-policy-handlers_test.go +++ b/cmd/bucket-policy-handlers_test.go 
@@ -277,8 +277,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName))), policyLen: len(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName)), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, // Test case - 2. @@ -289,8 +289,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName))), policyLen: maxAccessPolicySize + 1, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 3. @@ -301,8 +301,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName))), policyLen: 0, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusLengthRequired, }, // Test case - 4. @@ -312,8 +312,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: nil, policyLen: 10, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 5. 
@@ -336,8 +336,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte("dummy-policy")), policyLen: len([]byte("dummy-policy")), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 7. @@ -348,8 +348,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName))), policyLen: len(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName)), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 8. @@ -361,8 +361,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, "non-existent-bucket", "non-existent-bucket"))), policyLen: len(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName)), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 9. @@ -374,8 +374,8 @@ func testPutBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string bucketPolicyReader: bytes.NewReader([]byte(fmt.Sprintf(bucketPolicyTemplate, ".invalid-bucket", ".invalid-bucket"))), policyLen: len(fmt.Sprintf(bucketPolicyTemplate, bucketName, bucketName)), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, } 
@@ -469,7 +469,7 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string // expected Response. expectedRespStatus int }{ - {bucketName, credentials.AccessKeyID, credentials.SecretAccessKey, http.StatusNoContent}, + {bucketName, credentials.AccessKey, credentials.SecretKey, http.StatusNoContent}, } // Iterating over the cases and writing the bucket policy. @@ -520,8 +520,8 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string // Case which valid inputs, expected to return success status of 200OK. { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedBucketPolicy: bucketPolicyTemplate, expectedRespStatus: http.StatusOK, }, @@ -529,8 +529,8 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string // Case with non-existent bucket name. { bucketName: "non-existent-bucket", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedBucketPolicy: bucketPolicyTemplate, expectedRespStatus: http.StatusNotFound, }, @@ -538,8 +538,8 @@ func testGetBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName string // Case with invalid bucket name. { bucketName: ".invalid-bucket-name", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedBucketPolicy: "", expectedRespStatus: http.StatusBadRequest, }, @@ -693,8 +693,8 @@ func testDeleteBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName str }{ { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, } 
@@ -731,24 +731,24 @@ func testDeleteBucketPolicyHandler(obj ObjectLayer, instanceType, bucketName str // Test case - 1. { bucketName: bucketName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, // Test case - 2. // Case with non-existent-bucket. { bucketName: "non-existent-bucket", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 3. // Case with invalid bucket name. { bucketName: ".invalid-bucket-name", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, } diff --git a/cmd/config-migrate.go b/cmd/config-migrate.go index 0107a3d8c..04da1c882 100644 --- a/cmd/config-migrate.go +++ b/cmd/config-migrate.go @@ -112,8 +112,8 @@ func migrateV2ToV3() error { srvConfig.Version = "3" srvConfig.Addr = ":9000" srvConfig.Credential = credential{ - AccessKeyID: cv2.Credentials.AccessKeyID, - SecretAccessKey: cv2.Credentials.SecretAccessKey, + AccessKey: cv2.Credentials.AccessKey, + SecretKey: cv2.Credentials.SecretKey, } srvConfig.Region = cv2.Credentials.Region if srvConfig.Region == "" { diff --git a/cmd/config-migrate_test.go b/cmd/config-migrate_test.go index 2e0a1ce41..f2f4d3229 100644 --- a/cmd/config-migrate_test.go +++ b/cmd/config-migrate_test.go 
@@ -148,11 +148,11 @@ func TestServerConfigMigrateV2toV11(t *testing.T) { } // Check if accessKey and secretKey are not altered during migration - if serverConfig.Credential.AccessKeyID != accessKey { - t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, serverConfig.Credential.AccessKeyID) + if serverConfig.Credential.AccessKey != accessKey { + t.Fatalf("Access key lost during migration, expected: %v, found:%v", accessKey, serverConfig.Credential.AccessKey) } - if serverConfig.Credential.SecretAccessKey != secretKey { - t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, serverConfig.Credential.SecretAccessKey) + if serverConfig.Credential.SecretKey != secretKey { + t.Fatalf("Secret key lost during migration, expected: %v, found: %v", secretKey, serverConfig.Credential.SecretKey) } // Initialize server config and check again if everything is fine diff --git a/cmd/config-old.go b/cmd/config-old.go index 5f85873ce..ebf8edb3b 100644 --- a/cmd/config-old.go +++ b/cmd/config-old.go @@ -10,9 +10,9 @@ import ( /////////////////// Config V1 /////////////////// type configV1 struct { - Version string `json:"version"` - AccessKeyID string `json:"accessKeyId"` - SecretAccessKey string `json:"secretAccessKey"` + Version string `json:"version"` + AccessKey string `json:"accessKeyId"` + SecretKey string `json:"secretAccessKey"` } // loadConfigV1 load config @@ -41,9 +41,9 @@ func loadConfigV1() (*configV1, error) { type configV2 struct { Version string `json:"version"` Credentials struct { - AccessKeyID string `json:"accessKeyId"` - SecretAccessKey string `json:"secretAccessKey"` - Region string `json:"region"` + AccessKey string `json:"accessKeyId"` + SecretKey string `json:"secretAccessKey"` + Region string `json:"region"` } `json:"credentials"` MongoLogger struct { Addr string `json:"addr"` diff --git a/cmd/config-v11.go b/cmd/config-v11.go index 9bf425b26..ebef56f36 100644 --- a/cmd/config-v11.go 
+++ b/cmd/config-v11.go @@ -50,7 +50,7 @@ func initConfig() (bool, error) { srvCfg := &serverConfigV11{} srvCfg.Version = globalMinioConfigVersion srvCfg.Region = "us-east-1" - srvCfg.Credential = mustGenAccessKeys() + srvCfg.Credential = newCredential() // Enable console logger by default on a fresh run. srvCfg.Logger.Console = consoleLogger{ diff --git a/cmd/credential.go b/cmd/credential.go new file mode 100644 index 000000000..3e2c7d576 --- /dev/null +++ b/cmd/credential.go 
@@ -0,0 +1,74 @@ +/* + * Minio Cloud Storage, (C) 2015, 2016 Minio, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cmd + +import ( + "crypto/rand" + "encoding/base64" +) + +const ( + accessKeyMinLen = 5 + accessKeyMaxLen = 20 + secretKeyMinLen = 8 + secretKeyMaxLen = 40 + + alphaNumericTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" + alphaNumericTableLen = byte(len(alphaNumericTable)) +) + +func mustGetAccessKey() string { + keyBytes := make([]byte, accessKeyMaxLen) + if _, err := rand.Read(keyBytes); err != nil { + panic(err) + } + + for i := 0; i < accessKeyMaxLen; i++ { + keyBytes[i] = alphaNumericTable[keyBytes[i]%alphaNumericTableLen] + } + + return string(keyBytes) +} + +func mustGetSecretKey() string { + keyBytes := make([]byte, secretKeyMaxLen) + if _, err := rand.Read(keyBytes); err != nil { + panic(err) + } + + return string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]) +} + +// isAccessKeyValid - validate access key for right length. +func isAccessKeyValid(accessKey string) bool { + return len(accessKey) >= accessKeyMinLen && len(accessKey) <= accessKeyMaxLen +} + +// isSecretKeyValid - validate secret key for right length. +func isSecretKeyValid(secretKey string) bool { + return len(secretKey) >= secretKeyMinLen && len(secretKey) <= secretKeyMaxLen +} + +// credential container for access and secret keys. 
+type credential struct { + AccessKey string `json:"accessKey"` + SecretKey string `json:"secretKey"` +} + +func newCredential() credential { + return credential{mustGetAccessKey(), mustGetSecretKey()} +} diff --git a/cmd/lock-instrument.go b/cmd/lock-instrument.go index 2442e53ee..7c00ba6bd 100644 --- a/cmd/lock-instrument.go +++ b/cmd/lock-instrument.go @@ -268,5 +268,5 @@ func (n *nsLockMap) deleteLockInfoEntryForOps(param nsParam, opsID string) error // Return randomly generated string ID func getOpsID() string { - return newRequestID() + return mustGetRequestID() } diff --git a/cmd/lock-rpc-server_test.go b/cmd/lock-rpc-server_test.go index 30519b5b1..27098309e 100644 --- a/cmd/lock-rpc-server_test.go +++ b/cmd/lock-rpc-server_test.go @@ -55,7 +55,7 @@ func createLockTestServer(t *testing.T) (string, *lockServer, string) { lockMap: make(map[string][]lockRequesterInfo), } creds := serverConfig.GetCredential() - loginArgs := RPCLoginArgs{Username: creds.AccessKeyID, Password: creds.SecretAccessKey} + loginArgs := RPCLoginArgs{Username: creds.AccessKey, Password: creds.SecretKey} loginReply := RPCLoginReply{} err = locker.LoginHandler(&loginArgs, &loginReply) if err != nil { diff --git a/cmd/login-server_test.go b/cmd/login-server_test.go index a79e18371..3d8f66a97 100644 --- a/cmd/login-server_test.go +++ b/cmd/login-server_test.go @@ -32,7 +32,7 @@ func TestLoginHandler(t *testing.T) { }{ // Valid username and password { - args: RPCLoginArgs{Username: creds.AccessKeyID, Password: creds.SecretAccessKey}, + args: RPCLoginArgs{Username: creds.AccessKey, Password: creds.SecretKey}, expectedErr: nil, }, // Invalid username length 
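Review bot: `newCredential` in cmd/credential.go builds the struct positionally, `credential{mustGetAccessKey(), mustGetSecretKey()}`, and both fields are plain strings, so a later reordering or insertion of a field would still compile while putting the secret where the access key is expected. Name the fields instead: `return credential{AccessKey: mustGetAccessKey(), SecretKey: mustGetSecretKey()}`. The three new functions also lack doc comments; for `mustGetSecretKey` I would add `// mustGetSecretKey returns the first secretKeyMaxLen characters of the base64 encoding of secretKeyMaxLen random bytes (about 240 bits); it panics if the random source cannot be read.` The removed `mustGenAccessKeys` reported failure through `fatalIf`, so the switch to `panic` changes how an error surfaces in `initConfig` and belongs in those comments too.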
@@ -47,12 +47,12 @@ func TestLoginHandler(t *testing.T) { }, // Invalid username { - args: RPCLoginArgs{Username: "aaaaa", Password: creds.SecretAccessKey}, + args: RPCLoginArgs{Username: "aaaaa", Password: creds.SecretKey}, expectedErr: errInvalidAccessKeyID, }, // Invalid password { - args: RPCLoginArgs{Username: creds.AccessKeyID, Password: "aaaaaaaa"}, + args: RPCLoginArgs{Username: creds.AccessKey, Password: "aaaaaaaa"}, expectedErr: errAuthentication, }, } diff --git a/cmd/main.go b/cmd/main.go index 9bd2292e2..073f3e922 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -189,14 +189,14 @@ func minioInit() { if accessKey != "" && secretKey != "" { // Set new credentials. serverConfig.SetCredential(credential{ - AccessKeyID: accessKey, - SecretAccessKey: secretKey, + AccessKey: accessKey, + SecretKey: secretKey, }) } - if !isValidAccessKey(serverConfig.GetCredential().AccessKeyID) { + if !isAccessKeyValid(serverConfig.GetCredential().AccessKey) { fatalIf(errInvalidArgument, "Invalid access key. Accept only a string starting with a alphabetic and containing from 5 to 20 characters.") } - if !isValidSecretKey(serverConfig.GetCredential().SecretAccessKey) { + if !isSecretKeyValid(serverConfig.GetCredential().SecretKey) { fatalIf(errInvalidArgument, "Invalid secret key. Accept only a string containing from 8 to 40 characters.") } diff --git a/cmd/namespace-lock.go b/cmd/namespace-lock.go index f549dd4f8..9f9ba73a5 100644 --- a/cmd/namespace-lock.go +++ b/cmd/namespace-lock.go @@ -40,8 +40,8 @@ func initDsyncNodes(eps []*url.URL) error { return errInvalidArgument } clnts[index] = newAuthClient(&authConfig{ - accessKey: cred.AccessKeyID, - secretKey: cred.SecretAccessKey, + accessKey: cred.AccessKey, + secretKey: cred.SecretKey, // Construct a new dsync server addr. secureConn: isSSL(), address: ep.Host, diff --git a/cmd/object-handlers_test.go b/cmd/object-handlers_test.go index da23c77dd..7ea378bdb 100644 --- a/cmd/object-handlers_test.go 
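Review bot: In the cmd/main.go hunk, the fatal message next to the renamed `isAccessKeyValid` call says the access key must start with an alphabetic character, but `isAccessKeyValid` as added in cmd/credential.go only checks that the length is between 5 and 20. `mustGetAccessKey` can also return a key that begins with a digit, so the server's own generated keys would not meet the rule the message states. Either the validator or the message should change; if length is the only rule, the message could read `Invalid access key. Accept only a string containing from 5 to 20 characters.`, matching the secret-key message below it. `minioInit` starts and ends outside the hunk.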
+++ b/cmd/object-handlers_test.go @@ -97,8 +97,8 @@ func testAPIHeadObjectHandler(obj ObjectLayer, instanceType, bucketName string, { bucketName: bucketName, objectName: objectName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, }, // Test case - 2. @@ -106,8 +106,8 @@ func testAPIHeadObjectHandler(obj ObjectLayer, instanceType, bucketName string, { bucketName: bucketName, objectName: "abcd", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 3. @@ -117,7 +117,7 @@ func testAPIHeadObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: bucketName, objectName: objectName, accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusForbidden, }, } @@ -248,8 +248,8 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a bucketName: bucketName, objectName: objectName, byteRange: "", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: bytesData[0].byteData, expectedRespStatus: http.StatusOK, @@ -260,8 +260,8 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a bucketName: bucketName, objectName: "abcd", byteRange: "", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrNoSuchKey), getGetObjectURL("", bucketName, "abcd"))), expectedRespStatus: http.StatusNotFound, 
@@ -272,8 +272,8 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a bucketName: bucketName, objectName: objectName, byteRange: "bytes=10-100", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: bytesData[0].byteData[10:101], expectedRespStatus: http.StatusPartialContent, @@ -284,8 +284,8 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a bucketName: bucketName, objectName: objectName, byteRange: "bytes=-0", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrInvalidRange), getGetObjectURL("", bucketName, objectName))), expectedRespStatus: http.StatusRequestedRangeNotSatisfiable, @@ -297,8 +297,8 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a bucketName: bucketName, objectName: objectName, byteRange: "bytes=10-1000000000000000", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: bytesData[0].byteData[10:], expectedRespStatus: http.StatusPartialContent, @@ -311,7 +311,7 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a objectName: objectName, byteRange: "", accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrInvalidAccessKeyID), getGetObjectURL("", bucketName, objectName))), expectedRespStatus: http.StatusForbidden, 
@@ -470,8 +470,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 64 * humanize.KiByte, expectedContent: []byte{}, expectedRespStatus: http.StatusOK, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: true, }, // Test case - 2 @@ -484,8 +484,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1 * humanize.KiByte, expectedContent: []byte{}, expectedRespStatus: http.StatusOK, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: true, }, // Test case - 3 @@ -512,8 +512,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 64 * humanize.KiByte, expectedContent: []byte{}, expectedRespStatus: http.StatusBadRequest, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, removeAuthHeader: true, }, @@ -527,8 +527,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 100 * humanize.KiByte, expectedContent: []byte{}, expectedRespStatus: http.StatusOK, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, }, // Test case - 6 @@ -541,8 +541,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1024, expectedContent: []byte{}, expectedRespStatus: http.StatusInternalServerError, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, fault: malformedEncoding, }, 
@@ -556,8 +556,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1024, expectedContent: []byte{}, expectedRespStatus: http.StatusBadRequest, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, fault: unexpectedEOF, }, @@ -571,8 +571,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1024, expectedContent: []byte{}, expectedRespStatus: http.StatusForbidden, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, fault: signatureMismatch, }, @@ -587,8 +587,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1024, expectedContent: []byte{}, expectedRespStatus: http.StatusForbidden, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, fault: chunkDateMismatch, }, @@ -602,8 +602,8 @@ func testAPIPutObjectStreamSigV4Handler(obj ObjectLayer, instanceType, bucketNam chunkSize: 1024, expectedContent: []byte{}, expectedRespStatus: http.StatusInternalServerError, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, shouldPass: false, fault: tooBigDecodedLength, }, @@ -733,8 +733,8 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a objectName: objectName, data: bytesData, dataLen: len(bytesData), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, }, 
@@ -746,7 +746,7 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a data: bytesData, dataLen: len(bytesData), accessKey: "Wrong-AcessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusForbidden, }, @@ -758,8 +758,8 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a headers: copySourceHeader, data: bytesData, dataLen: len(bytesData), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 4. @@ -770,8 +770,8 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a headers: invalidMD5Header, data: bytesData, dataLen: len(bytesData), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, // Test case - 5. @@ -781,8 +781,8 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a objectName: objectName, data: bytesData, dataLen: len(bytesData), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, fault: TooBigObject, expectedRespStatus: http.StatusBadRequest, }, @@ -793,8 +793,8 @@ func testAPIPutObjectHandler(obj ObjectLayer, instanceType, bucketName string, a objectName: objectName, data: bytesData, dataLen: len(bytesData), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, fault: MissingContentLength, expectedRespStatus: http.StatusLengthRequired, }, 
@@ -991,8 +991,8 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: bucketName, newObjectName: "newObject1", copySourceHeader: url.QueryEscape("/" + bucketName + "/" + objectName), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusOK, }, @@ -1003,8 +1003,8 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: bucketName, newObjectName: "newObject1", copySourceHeader: url.QueryEscape("/"), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, @@ -1014,8 +1014,8 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: bucketName, newObjectName: objectName, copySourceHeader: url.QueryEscape("/" + bucketName + "/" + objectName), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusBadRequest, }, @@ -1027,8 +1027,8 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: bucketName, newObjectName: objectName, copySourceHeader: url.QueryEscape("/" + bucketName + "/" + "non-existent-object"), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, 
@@ -1040,19 +1040,19 @@ func testAPICopyObjectHandler(obj ObjectLayer, instanceType, bucketName string, bucketName: "non-existent-destination-bucket", newObjectName: objectName, copySourceHeader: url.QueryEscape("/" + bucketName + "/" + objectName), - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 6. - // Case with invalid AccessKeyID. + // Case with invalid AccessKey. { bucketName: bucketName, newObjectName: objectName, copySourceHeader: url.QueryEscape("/" + bucketName + "/" + objectName), accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusForbidden, }, @@ -1175,7 +1175,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string rec := httptest.NewRecorder() // construct HTTP request for NewMultipart upload. req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, objectName), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create HTTP request for NewMultipart Request: %v", err) @@ -1208,7 +1208,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string // construct HTTP request for NewMultipart upload. // Setting an invalid accessID. req, err = newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, objectName), - 0, nil, "Invalid-AccessID", credentials.SecretAccessKey) + 0, nil, "Invalid-AccessID", credentials.SecretKey) if err != nil { t.Fatalf("Failed to create HTTP request for NewMultipart Request: %v", err) 
@@ -1227,7 +1227,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string recV2 := httptest.NewRecorder() // construct HTTP request for NewMultipartUpload endpoint. reqV2, err := newTestSignedRequestV2("POST", getNewMultipartURL("", bucketName, objectName), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create HTTP request for NewMultipart Request: %v", err) @@ -1260,7 +1260,7 @@ func testAPINewMultipartHandler(obj ObjectLayer, instanceType, bucketName string // construct HTTP request for NewMultipartUpload endpoint. // Setting invalid AccessID. reqV2, err = newTestSignedRequestV2("POST", getNewMultipartURL("", bucketName, objectName), - 0, nil, "Invalid-AccessID", credentials.SecretAccessKey) + 0, nil, "Invalid-AccessID", credentials.SecretKey) if err != nil { t.Fatalf("Failed to create HTTP request for NewMultipart Request: %v", err) @@ -1331,7 +1331,7 @@ func testAPINewMultipartHandlerParallel(obj ObjectLayer, instanceType, bucketNam defer wg.Done() rec := httptest.NewRecorder() // construct HTTP request NewMultipartUpload. - req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, objectName), 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, objectName), 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create HTTP request for NewMultipart request: %v", err) 
@@ -1527,8 +1527,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: inputParts[0].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(toAPIErrorCode(BadDigest{})), getGetObjectURL("", bucketName, objectName))), @@ -1542,8 +1542,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: []completePart{}, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrMalformedXML), getGetObjectURL("", bucketName, objectName))), @@ -1557,8 +1557,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: "abc", parts: inputParts[0].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(toAPIErrorCode(InvalidUploadID{UploadID: "abc"})), getGetObjectURL("", bucketName, objectName))), @@ -1571,8 +1571,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: inputParts[1].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(completeMultipartAPIError{int64(4), int64(5242880), 1, "e2fc714c4727ee9395f324cd2e7f331f", getAPIErrorResponse(getAPIError(toAPIErrorCode(PartTooSmall{PartNumber: 1})), 
@@ -1586,8 +1586,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: inputParts[2].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(toAPIErrorCode(InvalidPart{})), getGetObjectURL("", bucketName, objectName))), @@ -1601,8 +1601,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: inputParts[3].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrInvalidPartOrder), getGetObjectURL("", bucketName, objectName))), @@ -1617,7 +1617,7 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s uploadID: uploadIDs[0], parts: inputParts[4].parts, accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedContent: encodeResponse(getAPIErrorResponse(getAPIError(ErrInvalidAccessKeyID), getGetObjectURL("", bucketName, objectName))), @@ -1631,8 +1631,8 @@ func testAPICompleteMultipartHandler(obj ObjectLayer, instanceType, bucketName s object: objectName, uploadID: uploadIDs[0], parts: inputParts[4].parts, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedContent: encodedSuccessResponse, expectedRespStatus: http.StatusOK, 
@@ -1813,8 +1813,8 @@ func testAPIAbortMultipartHandler(obj ObjectLayer, instanceType, bucketName stri bucket: bucketName, object: objectName, uploadID: uploadIDs[0], - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, // Test case - 2. @@ -1823,8 +1823,8 @@ func testAPIAbortMultipartHandler(obj ObjectLayer, instanceType, bucketName stri bucket: bucketName, object: objectName, uploadID: "nonexistent-upload-id", - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNotFound, }, // Test case - 3. @@ -1834,7 +1834,7 @@ func testAPIAbortMultipartHandler(obj ObjectLayer, instanceType, bucketName stri object: objectName, uploadID: uploadIDs[0], accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusForbidden, }, } @@ -1957,8 +1957,8 @@ func testAPIDeleteObjectHandler(obj ObjectLayer, instanceType, bucketName string { bucketName: bucketName, objectName: objectName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, @@ -1968,8 +1968,8 @@ func testAPIDeleteObjectHandler(obj ObjectLayer, instanceType, bucketName string { bucketName: bucketName, objectName: objectName, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusNoContent, }, 
@@ -1980,7 +1980,7 @@ func testAPIDeleteObjectHandler(obj ObjectLayer, instanceType, bucketName string bucketName: bucketName, objectName: objectName, accessKey: "Invalid-AccessKey", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedRespStatus: http.StatusForbidden, }, @@ -2070,7 +2070,7 @@ func testAPIPutObjectPartHandlerPreSign(obj ObjectLayer, instanceType, bucketNam testObject := "testobject" rec := httptest.NewRecorder() req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, "testobject"), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("[%s] - Failed to create a signed request to initiate multipart upload for %s/%s: %v", instanceType, bucketName, testObject, err) @@ -2096,7 +2096,7 @@ func testAPIPutObjectPartHandlerPreSign(obj ObjectLayer, instanceType, bucketNam t.Fatalf("[%s] - Failed to create an unsigned request to put object part for %s/%s %v", instanceType, bucketName, testObject, err) } - err = preSignV2(req, credentials.AccessKeyID, credentials.SecretAccessKey, int64(10*60*60)) + err = preSignV2(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60)) if err != nil { t.Fatalf("[%s] - Failed to presign an unsigned request to put object part for %s/%s %v", instanceType, bucketName, testObject, err) @@ -2113,7 +2113,7 @@ func testAPIPutObjectPartHandlerPreSign(obj ObjectLayer, instanceType, bucketNam t.Fatalf("[%s] - Failed to create an unsigned request to put object part for %s/%s %v", instanceType, bucketName, testObject, err) } - err = preSignV4(req, credentials.AccessKeyID, credentials.SecretAccessKey, int64(10*60*60)) + err = preSignV4(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60)) if err != nil { t.Fatalf("[%s] - Failed to presign an unsigned request to put object part for %s/%s %v", instanceType, bucketName, testObject, err) 
@@ -2136,7 +2136,7 @@ func testAPIPutObjectPartHandlerStreaming(obj ObjectLayer, instanceType, bucketN testObject := "testobject" rec := httptest.NewRecorder() req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, "testobject"), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("[%s] - Failed to create a signed request to initiate multipart upload for %s/%s: %v", instanceType, bucketName, testObject, err) @@ -2171,7 +2171,7 @@ func testAPIPutObjectPartHandlerStreaming(obj ObjectLayer, instanceType, bucketN rec = httptest.NewRecorder() req, err = newTestStreamingSignedRequest("PUT", getPutObjectPartURL("", bucketName, testObject, mpartResp.UploadID, "1"), - 5, 1, bytes.NewReader([]byte("hello")), credentials.AccessKeyID, credentials.SecretAccessKey) + 5, 1, bytes.NewReader([]byte("hello")), credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create new streaming signed HTTP request: %v.", err) @@ -2273,8 +2273,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: None, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: noAPIErr, }, @@ -2285,8 +2285,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "9999999999999999999", fault: None, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: invalidPart, }, 
@@ -2297,8 +2297,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: strconv.Itoa(maxPartID + 1), fault: None, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: invalidMaxParts, }, @@ -2309,8 +2309,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: MissingContentLength, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: missingContent, }, @@ -2321,8 +2321,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: TooBigObject, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: entityTooLarge, }, @@ -2333,8 +2333,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: BadSignature, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: badSigning, }, @@ -2346,8 +2346,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: BadMD5, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: badChecksum, }, 
@@ -2358,8 +2358,8 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin reader: bytes.NewReader([]byte("hello")), partNumber: "1", fault: MissingUploadID, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, expectedAPIError: noSuchUploadID, }, @@ -2372,7 +2372,7 @@ func testAPIPutObjectPartHandler(obj ObjectLayer, instanceType, bucketName strin partNumber: "1", fault: None, accessKey: "Invalid-AccessID", - secretKey: credentials.SecretAccessKey, + secretKey: credentials.SecretKey, expectedAPIError: invalidAccessID, }, @@ -2541,7 +2541,7 @@ func testAPIListObjectPartsHandlerPreSign(obj ObjectLayer, instanceType, bucketN testObject := "testobject" rec := httptest.NewRecorder() req, err := newTestSignedRequestV4("POST", getNewMultipartURL("", bucketName, testObject), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("[%s] - Failed to create a signed request to initiate multipart upload for %s/%s: %v", instanceType, bucketName, testObject, err) @@ -2564,7 +2564,7 @@ func testAPIListObjectPartsHandlerPreSign(obj ObjectLayer, instanceType, bucketN rec = httptest.NewRecorder() req, err = newTestSignedRequestV4("PUT", getPutObjectPartURL("", bucketName, testObject, mpartResp.UploadID, "1"), - int64(len("hello")), bytes.NewReader([]byte("hello")), credentials.AccessKeyID, credentials.SecretAccessKey) + int64(len("hello")), bytes.NewReader([]byte("hello")), credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("[%s] - Failed to create a signed request to initiate multipart upload for %s/%s: %v", instanceType, bucketName, testObject, err) 
@@ -2584,7 +2584,7 @@ func testAPIListObjectPartsHandlerPreSign(obj ObjectLayer, instanceType, bucketN instanceType, bucketName, mpartResp.UploadID) } - err = preSignV2(req, credentials.AccessKeyID, credentials.SecretAccessKey, int64(10*60*60)) + err = preSignV2(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60)) if err != nil { t.Fatalf("[%s] - Failed to presignV2 an unsigned request to list object parts for bucket %s, uploadId %s", instanceType, bucketName, mpartResp.UploadID) @@ -2604,7 +2604,7 @@ func testAPIListObjectPartsHandlerPreSign(obj ObjectLayer, instanceType, bucketN instanceType, bucketName, mpartResp.UploadID) } - err = preSignV4(req, credentials.AccessKeyID, credentials.SecretAccessKey, int64(10*60*60)) + err = preSignV4(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60)) if err != nil { t.Fatalf("[%s] - Failed to presignV2 an unsigned request to list object parts for bucket %s, uploadId %s", instanceType, bucketName, mpartResp.UploadID) @@ -2724,7 +2724,7 @@ func testAPIListObjectPartsHandler(obj ObjectLayer, instanceType, bucketName str // constructing a v4 signed HTTP request for ListMultipartUploads. reqV4, err = newTestSignedRequestV4("GET", getListMultipartURLWithParams("", bucketName, testObject, uploadID, test.maxParts, test.partNumberMarker, ""), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create a V4 signed request to list object parts for %s/%s: %v.", 
@@ -2734,7 +2734,7 @@ func testAPIListObjectPartsHandler(obj ObjectLayer, instanceType, bucketName str // construct HTTP request for PutObject Part Object endpoint. reqV2, err = newTestSignedRequestV2("GET", getListMultipartURLWithParams("", bucketName, testObject, uploadID, test.maxParts, test.partNumberMarker, ""), - 0, nil, credentials.AccessKeyID, credentials.SecretAccessKey) + 0, nil, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatalf("Failed to create a V2 signed request to list object parts for %s/%s: %v.", diff --git a/cmd/post-policy_test.go b/cmd/post-policy_test.go index 6881f18af..1b9b891d9 100644 --- a/cmd/post-policy_test.go +++ b/cmd/post-policy_test.go @@ -154,9 +154,9 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr accessKey string secretKey string }{ - {http.StatusForbidden, "invalidaccesskey", credentials.SecretAccessKey}, - {http.StatusForbidden, credentials.AccessKeyID, "invalidsecretkey"}, - {http.StatusNoContent, credentials.AccessKeyID, credentials.SecretAccessKey}, + {http.StatusForbidden, "invalidaccesskey", credentials.SecretKey}, + {http.StatusForbidden, credentials.AccessKey, "invalidsecretkey"}, + {http.StatusNoContent, credentials.AccessKey, credentials.SecretKey}, } for i, test := range testCasesV2 { @@ -190,8 +190,8 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr data: []byte("Hello, World"), expectedRespStatus: http.StatusNoContent, expectedHeaders: map[string]string{"X-Amz-Meta-Uuid": "1234"}, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, malformedBody: false, }, // Bad case invalid request. 
@@ -208,8 +208,8 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr
 objectName: "test",
 data: []byte("Hello, World"),
 expectedRespStatus: http.StatusBadRequest,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 malformedBody: true,
 },
 }
@@ -262,20 +262,20 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr objectName: "test", data: []byte("Hello, World"), expectedRespStatus: http.StatusNoContent, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, dates: []interface{}{curTimePlus5Min.Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)}, - policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKeyID + `/%s/us-east-1/s3/aws4_request"]]}`, + policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKey + `/%s/us-east-1/s3/aws4_request"]]}`, }, // Corrupted Base 64 result { objectName: "test", data: []byte("Hello, World"), expectedRespStatus: http.StatusBadRequest, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, dates: []interface{}{curTimePlus5Min.Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)}, - policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKeyID + `/%s/us-east-1/s3/aws4_request"]]}`, + policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + 
credentials.AccessKey + `/%s/us-east-1/s3/aws4_request"]]}`, corruptedBase64: true, }, // Corrupted Multipart body @@ -283,10 +283,10 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr objectName: "test", data: []byte("Hello, World"), expectedRespStatus: http.StatusBadRequest, - accessKey: credentials.AccessKeyID, - secretKey: credentials.SecretAccessKey, + accessKey: credentials.AccessKey, + secretKey: credentials.SecretKey, dates: []interface{}{curTimePlus5Min.Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)}, - policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKeyID + `/%s/us-east-1/s3/aws4_request"]]}`, + policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKey + `/%s/us-east-1/s3/aws4_request"]]}`, corruptedMultipart: true, }, 
@@ -305,18 +305,18 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr
 objectName: "test",
 data: []byte("Hello, World"),
 expectedRespStatus: http.StatusBadRequest,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 dates: []interface{}{curTime.Add(-1 * time.Minute * 5).Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)},
- policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKeyID + `/%s/us-east-1/s3/aws4_request"]]}`,
+ policy: `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], ["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKey + `/%s/us-east-1/s3/aws4_request"]]}`,
 },
 // Corrupted policy document
 {
 objectName: "test",
 data: []byte("Hello, World"),
 expectedRespStatus: http.StatusBadRequest,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 dates: []interface{}{curTimePlus5Min.Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)},
 policy: `{"3/aws4_request"]]}`,
 },
@@ -354,8 +354,8 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr
 objectName: "test",
 data: bytes.Repeat([]byte("a"), 1025),
 expectedRespStatus: http.StatusNoContent,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 malformedBody: false,
 },
 // Failed with entity too small.
@@ -363,8 +363,8 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr
 objectName: "test",
 data: bytes.Repeat([]byte("a"), 1023),
 expectedRespStatus: http.StatusBadRequest,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 malformedBody: false,
 },
 // Failed with entity too large.
@@ -372,8 +372,8 @@ func testPostPolicyBucketHandler(obj ObjectLayer, instanceType string, t TestErr
 objectName: "test",
 data: bytes.Repeat([]byte("a"), (1*humanize.MiByte)+1),
 expectedRespStatus: http.StatusBadRequest,
- accessKey: credentials.AccessKeyID,
- secretKey: credentials.SecretAccessKey,
+ accessKey: credentials.AccessKey,
+ secretKey: credentials.SecretKey,
 malformedBody: false,
 },
 }
@@ -444,14 +444,14 @@ func testPostPolicyBucketHandlerRedirect(obj ObjectLayer, instanceType string, t rec := httptest.NewRecorder() dates := []interface{}{curTimePlus5Min.Format(expirationDateFormat), curTime.Format(iso8601DateFormat), curTime.Format(yyyymmdd)} - policy := `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], {"success_action_redirect":"` + redirectURL + `"},["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKeyID + `/%s/us-east-1/s3/aws4_request"]]}` + policy := `{"expiration": "%s","conditions":[["eq", "$bucket", "` + bucketName + `"], {"success_action_redirect":"` + redirectURL + `"},["starts-with", "$key", "test/"], ["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"], ["eq", "$x-amz-date", "%s"], ["eq", "$x-amz-credential", "` + credentials.AccessKey + `/%s/us-east-1/s3/aws4_request"]]}` // Generate the final policy document policy = fmt.Sprintf(policy, dates...) // Create a new POST request with success_action_redirect field specified req, perr := newPostRequestV4Generic("", bucketName, keyName, []byte("objData"), - credentials.AccessKeyID, credentials.SecretAccessKey, curTime, + credentials.AccessKey, credentials.SecretKey, curTime, []byte(policy), map[string]string{"success_action_redirect": redirectURL}, false, false) if perr != nil { diff --git a/cmd/prepare-storage-msg.go b/cmd/prepare-storage-msg.go index bf442a0f8..d4d38700a 100644 --- a/cmd/prepare-storage-msg.go +++ b/cmd/prepare-storage-msg.go 
@@ -103,7 +103,7 @@ func getHealMsg(endpoints []*url.URL, storageDisks []StorageAPI) string { // msg += "MINIO_SECRET_KEY=%s " // msg += "minio control heal %s" // creds := serverConfig.GetCredential() - // msg = fmt.Sprintf(msg, creds.AccessKeyID, creds.SecretAccessKey, getHealEndpoint(isSSL(), endpoints[0])) + // msg = fmt.Sprintf(msg, creds.AccessKey, creds.SecretKey, getHealEndpoint(isSSL(), endpoints[0])) disksInfo, _, _ := getDisksInfo(storageDisks) for i, info := range disksInfo { if storageDisks[i] == nil { diff --git a/cmd/s3-peer-client.go b/cmd/s3-peer-client.go index 758256f8b..670eb14bf 100644 --- a/cmd/s3-peer-client.go +++ b/cmd/s3-peer-client.go @@ -62,8 +62,8 @@ func makeS3Peers(eps []*url.URL) s3Peers { // Check if the remote host has been added already if !seenAddr[ep.Host] { cfg := authConfig{ - accessKey: serverConfig.GetCredential().AccessKeyID, - secretKey: serverConfig.GetCredential().SecretAccessKey, + accessKey: serverConfig.GetCredential().AccessKey, + secretKey: serverConfig.GetCredential().SecretKey, address: ep.Host, secureConn: isSSL(), path: path.Join(reservedBucket, s3Path), diff --git a/cmd/server-startup-msg.go b/cmd/server-startup-msg.go index 8e0e96742..720ede6c7 100644 --- a/cmd/server-startup-msg.go +++ b/cmd/server-startup-msg.go 
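Review bot: In the makeS3Peers hunk of cmd/s3-peer-client.go the access key and the secret key are read through two separate `serverConfig.GetCredential()` calls, so the pair in `authConfig` is not guaranteed to come from one snapshot if the stored credential is replaced between the calls; whether GetCredential serialises against updates is not visible from this hunk. Reading it once, `cred := serverConfig.GetCredential()`, and filling the literal with `cred.AccessKey` and `cred.SecretKey` closes that window and saves a call. The same two-call pattern is in newStorageRPC in cmd/storage-rpc-client.go, where the locals also keep the pre-rename names `accessKeyID` and `secretAccessKey`. makeS3Peers begins and ends outside the hunk.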
@@ -75,8 +75,8 @@ func printServerCommonMsg(endPoints []string) { endPointStr := strings.Join(endPoints, " ") // Colorize the message and print. console.Println(colorBlue("\nEndpoint: ") + colorBold(fmt.Sprintf(getFormatStr(len(endPointStr), 1), endPointStr))) - console.Println(colorBlue("AccessKey: ") + colorBold(fmt.Sprintf("%s ", cred.AccessKeyID))) - console.Println(colorBlue("SecretKey: ") + colorBold(fmt.Sprintf("%s ", cred.SecretAccessKey))) + console.Println(colorBlue("AccessKey: ") + colorBold(fmt.Sprintf("%s ", cred.AccessKey))) + console.Println(colorBlue("SecretKey: ") + colorBold(fmt.Sprintf("%s ", cred.SecretKey))) console.Println(colorBlue("Region: ") + colorBold(fmt.Sprintf(getFormatStr(len(region), 3), region))) printEventNotifiers() @@ -109,10 +109,10 @@ func printCLIAccessMsg(endPoint string) { // Configure 'mc', following block prints platform specific information for minio client. console.Println(colorBlue("\nCommand-line Access: ") + mcQuickStartGuide) if runtime.GOOS == "windows" { - mcMessage := fmt.Sprintf("$ mc.exe config host add myminio %s %s %s", endPoint, cred.AccessKeyID, cred.SecretAccessKey) + mcMessage := fmt.Sprintf("$ mc.exe config host add myminio %s %s %s", endPoint, cred.AccessKey, cred.SecretKey) console.Println(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage)) } else { - mcMessage := fmt.Sprintf("$ mc config host add myminio %s %s %s", endPoint, cred.AccessKeyID, cred.SecretAccessKey) + mcMessage := fmt.Sprintf("$ mc config host add myminio %s %s %s", endPoint, cred.AccessKey, cred.SecretKey) console.Println(fmt.Sprintf(getFormatStr(len(mcMessage), 3), mcMessage)) } } diff --git a/cmd/server_test.go b/cmd/server_test.go index 7d6f57c54..5f6fa9b83 100644 --- a/cmd/server_test.go +++ b/cmd/server_test.go 
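Review bot: printServerCommonMsg writes `cred.SecretKey` to the console in clear, and printCLIAccessMsg repeats it inside the suggested `mc config host add` line, so the secret is stored wherever startup output is captured (service journal, container log collector) and in shell history when the command is pasted unchanged. Consider printing the secret only when standard output is an interactive terminal, or masking it and pointing the operator at the config file instead. At minimum record the exposure above the print with `// Prints the secret key in clear; startup output must not be forwarded to shared logs.` Both functions start outside their hunks.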
@@ -94,14 +94,10 @@ func (s *TestSuiteCommon) TearDownSuite(c *C) { } func (s *TestSuiteCommon) TestAuth(c *C) { - secretID, err := genSecretAccessKey() - c.Assert(err, IsNil) + cred := newCredential() - accessID, err := genAccessKeyID() - c.Assert(err, IsNil) - - c.Assert(len(secretID), Equals, secretKeyMaxLen) - c.Assert(len(accessID), Equals, accessKeyMaxLen) + c.Assert(len(cred.AccessKey), Equals, accessKeyMaxLen) + c.Assert(len(cred.SecretKey), Equals, secretKeyMaxLen) } func (s *TestSuiteCommon) TestBucketSQSNotification(c *C) { diff --git a/cmd/signature-jwt.go b/cmd/signature-jwt.go index 7866eef4e..ab2d1b4cd 100644 --- a/cmd/signature-jwt.go +++ b/cmd/signature-jwt.go @@ -43,10 +43,10 @@ const ( // newJWT - returns new JWT object. func newJWT(expiry time.Duration, cred credential) (*JWT, error) { - if !isValidAccessKey(cred.AccessKeyID) { + if !isAccessKeyValid(cred.AccessKey) { return nil, errInvalidAccessKeyLength } - if !isValidSecretKey(cred.SecretAccessKey) { + if !isSecretKeyValid(cred.SecretKey) { return nil, errInvalidSecretKeyLength } return &JWT{cred, expiry}, nil @@ -60,7 +60,7 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) { // Trim spaces. accessKey = strings.TrimSpace(accessKey) - if !isValidAccessKey(accessKey) { + if !isAccessKeyValid(accessKey) { return "", errInvalidAccessKeyLength } @@ -71,7 +71,7 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) { "iat": tUTCNow.Unix(), "sub": accessKey, }) - return token.SignedString([]byte(jwt.SecretAccessKey)) + return token.SignedString([]byte(jwt.SecretKey)) } var errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records") 
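Review bot: The rewritten TestAuth asserts only the lengths of the generated keys, so a generator that returned a fixed or repeated value would still pass. With the error returns gone there is nothing else being checked; add a uniqueness assertion such as `c.Assert(newCredential().SecretKey, Not(Equals), cred.SecretKey)` and a validity assertion `c.Assert(isSecretKeyValid(cred.SecretKey), Equals, true)`. newCredential is defined in cmd/credential.go, outside this hunk, so how it reacts to a failing random source cannot be judged from here.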
@@ -82,18 +82,18 @@ func (jwt *JWT) Authenticate(accessKey, secretKey string) error { // Trim spaces. accessKey = strings.TrimSpace(accessKey) - if !isValidAccessKey(accessKey) { + if !isAccessKeyValid(accessKey) { return errInvalidAccessKeyLength } - if !isValidSecretKey(secretKey) { + if !isSecretKeyValid(secretKey) { return errInvalidSecretKeyLength } - if accessKey != jwt.AccessKeyID { + if accessKey != jwt.AccessKey { return errInvalidAccessKeyID } - hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(jwt.SecretAccessKey), bcrypt.DefaultCost) + hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(jwt.SecretKey), bcrypt.DefaultCost) if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil { return errAuthentication } diff --git a/cmd/signature-jwt_test.go b/cmd/signature-jwt_test.go index 2fe96dcb8..b3421deb1 100644 --- a/cmd/signature-jwt_test.go +++ b/cmd/signature-jwt_test.go @@ -190,11 +190,11 @@ func TestAuthenticate(t *testing.T) { // Authentication error. {"myuser", "mypassword", errInvalidAccessKeyID}, // Authentication error. - {serverConfig.GetCredential().AccessKeyID, "mypassword", errAuthentication}, + {serverConfig.GetCredential().AccessKey, "mypassword", errAuthentication}, // Success. - {serverConfig.GetCredential().AccessKeyID, serverConfig.GetCredential().SecretAccessKey, nil}, + {serverConfig.GetCredential().AccessKey, serverConfig.GetCredential().SecretKey, nil}, // Success when access key contains leading/trailing spaces. - {" " + serverConfig.GetCredential().AccessKeyID + " ", serverConfig.GetCredential().SecretAccessKey, nil}, + {" " + serverConfig.GetCredential().AccessKey + " ", serverConfig.GetCredential().SecretKey, nil}, } // Run tests. diff --git a/cmd/signature-v2.go b/cmd/signature-v2.go index 4913fe71d..3952a912f 100644 --- a/cmd/signature-v2.go +++ b/cmd/signature-v2.go 
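Review bot: In Authenticate the error from `bcrypt.GenerateFromPassword` is discarded (`hashedSecretKey, _ := ...`), so a hashing failure leaves a nil hash and is reported as errAuthentication; it fails closed, but a server-side fault then looks like a wrong secret key. Keep the error with `hashedSecretKey, err := bcrypt.GenerateFromPassword([]byte(jwt.SecretKey), bcrypt.DefaultCost)` followed by `if err != nil { return err }`. Hashing the stored secret on every call also spends a full bcrypt cost per login attempt only to obtain a comparison; if that is not meant as throttling, `subtle.ConstantTimeCompare` on the two byte slices gives a timing-safe check without it, at the price of a `crypto/subtle` import outside this hunk. The function signature sits just above the hunk and the body continues below it.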
@@ -67,12 +67,12 @@ var resourceList = []string{ func doesPolicySignatureV2Match(formValues map[string]string) APIErrorCode { cred := serverConfig.GetCredential() accessKey := formValues["Awsaccesskeyid"] - if accessKey != cred.AccessKeyID { + if accessKey != cred.AccessKey { return ErrInvalidAccessKeyID } signature := formValues["Signature"] policy := formValues["Policy"] - if signature != calculateSignatureV2(policy, cred.SecretAccessKey) { + if signature != calculateSignatureV2(policy, cred.SecretKey) { return ErrSignatureDoesNotMatch } return ErrNone @@ -126,7 +126,7 @@ func doesPresignV2SignatureMatch(r *http.Request) APIErrorCode { } // Validate if access key id same. - if accessKey != cred.AccessKeyID { + if accessKey != cred.AccessKey { return ErrInvalidAccessKeyID } @@ -150,7 +150,7 @@ func doesPresignV2SignatureMatch(r *http.Request) APIErrorCode { } // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature; -// Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ); +// Signature = Base64( HMAC-SHA1( YourSecretKey, UTF-8-Encoding-Of( StringToSign ) ) ); // // StringToSign = HTTP-Verb + "\n" + // Content-Md5 + "\n" + @@ -193,7 +193,7 @@ func validateV2AuthHeader(v2Auth string) APIErrorCode { // Access credentials. cred := serverConfig.GetCredential() - if keySignFields[0] != cred.AccessKeyID { + if keySignFields[0] != cred.AccessKey { return ErrInvalidAccessKeyID } 
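Review bot: doesPolicySignatureV2Match compares the client-supplied signature with `!=` (`signature != calculateSignatureV2(policy, cred.SecretKey)`), and a Go string comparison can return at the first differing byte, so the time taken depends on how much of the submitted signature matched. Use a constant-time comparison instead, `if subtle.ConstantTimeCompare([]byte(signature), []byte(calculateSignatureV2(policy, cred.SecretKey))) != 1 {`, which needs `crypto/subtle` added to the import block outside this hunk. The function's closing brace falls just past the hunk. The signature comparisons of the other V2 and V4 verifiers are not inside the visible hunks and are worth checking for the same pattern.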
@@ -239,15 +239,15 @@ func calculateSignatureV2(stringToSign string, secret string) string { func preSignatureV2(method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string { cred := serverConfig.GetCredential() stringToSign := presignV2STS(method, encodedResource, encodedQuery, headers, expires) - return calculateSignatureV2(stringToSign, cred.SecretAccessKey) + return calculateSignatureV2(stringToSign, cred.SecretKey) } // Return signature-v2 authrization header. func signatureV2(method string, encodedResource string, encodedQuery string, headers http.Header) string { cred := serverConfig.GetCredential() stringToSign := signV2STS(method, encodedResource, encodedQuery, headers) - signature := calculateSignatureV2(stringToSign, cred.SecretAccessKey) - return fmt.Sprintf("%s %s:%s", signV2Algorithm, cred.AccessKeyID, signature) + signature := calculateSignatureV2(stringToSign, cred.SecretKey) + return fmt.Sprintf("%s %s:%s", signV2Algorithm, cred.AccessKey, signature) } // Return canonical headers. diff --git a/cmd/signature-v2_test.go b/cmd/signature-v2_test.go index 6b8533539..4983eb183 100644 --- a/cmd/signature-v2_test.go +++ b/cmd/signature-v2_test.go @@ -55,7 +55,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) { queryParams: map[string]string{ "Expires": "60s", "Signature": "badsignature", - "AWSAccessKeyId": serverConfig.GetCredential().AccessKeyID, + "AWSAccessKeyId": serverConfig.GetCredential().AccessKey, }, expected: ErrMalformedExpires, }, @@ -64,7 +64,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) { queryParams: map[string]string{ "Expires": "60", "Signature": "badsignature", - "AWSAccessKeyId": serverConfig.GetCredential().AccessKeyID, + "AWSAccessKeyId": serverConfig.GetCredential().AccessKey, }, expected: ErrExpiredPresignRequest, }, 
@@ -73,7 +73,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) { queryParams: map[string]string{ "Expires": fmt.Sprintf("%d", now.Unix()+60), "Signature": "badsignature", - "AWSAccessKeyId": serverConfig.GetCredential().AccessKeyID, + "AWSAccessKeyId": serverConfig.GetCredential().AccessKey, }, expected: ErrSignatureDoesNotMatch, }, @@ -82,7 +82,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) { queryParams: map[string]string{ "Expires": fmt.Sprintf("%d", now.Unix()), "Signature": "zOM2YrY/yAQe15VWmT78OlBrK6g=", - "AWSAccessKeyId": serverConfig.GetCredential().AccessKeyID, + "AWSAccessKeyId": serverConfig.GetCredential().AccessKey, }, expected: ErrSignatureDoesNotMatch, }, @@ -126,7 +126,7 @@ func TestValidateV2AuthHeader(t *testing.T) { if err := serverConfig.Save(); err != nil { t.Fatal(err) } - accessID := serverConfig.GetCredential().AccessKeyID + accessID := serverConfig.GetCredential().AccessKey testCases := []struct { authString string @@ -207,9 +207,9 @@ func TestDoesPolicySignatureV2Match(t *testing.T) { signature string errCode APIErrorCode }{ - {"invalidAccessKey", policy, calculateSignatureV2(policy, creds.SecretAccessKey), ErrInvalidAccessKeyID}, - {creds.AccessKeyID, policy, calculateSignatureV2("random", creds.SecretAccessKey), ErrSignatureDoesNotMatch}, - {creds.AccessKeyID, policy, calculateSignatureV2(policy, creds.SecretAccessKey), ErrNone}, + {"invalidAccessKey", policy, calculateSignatureV2(policy, creds.SecretKey), ErrInvalidAccessKeyID}, + {creds.AccessKey, policy, calculateSignatureV2("random", creds.SecretKey), ErrSignatureDoesNotMatch}, + {creds.AccessKey, policy, calculateSignatureV2(policy, creds.SecretKey), ErrNone}, } for i, test := range testCases { formValues := make(map[string]string) diff --git a/cmd/signature-v4-parser.go b/cmd/signature-v4-parser.go index 8b24bb22b..913099e47 100644 --- a/cmd/signature-v4-parser.go +++ b/cmd/signature-v4-parser.go 
@@ -47,7 +47,7 @@ func parseCredentialHeader(credElement string) (credentialHeader, APIErrorCode) if len(credElements) != 5 { return credentialHeader{}, ErrCredMalformed } - if !isValidAccessKey(credElements[0]) { + if !isAccessKeyValid(credElements[0]) { return credentialHeader{}, ErrInvalidAccessKeyID } // Save access key id. diff --git a/cmd/signature-v4.go b/cmd/signature-v4.go index 2e6a0dda4..cf54c85a3 100644 --- a/cmd/signature-v4.go +++ b/cmd/signature-v4.go @@ -171,7 +171,7 @@ func doesPolicySignatureV4Match(formValues map[string]string) APIErrorCode { } // Verify if the access key id matches. - if credHeader.accessKey != cred.AccessKeyID { + if credHeader.accessKey != cred.AccessKey { return ErrInvalidAccessKeyID } @@ -188,7 +188,7 @@ func doesPolicySignatureV4Match(formValues map[string]string) APIErrorCode { } // Get signing key. - signingKey := getSigningKey(cred.SecretAccessKey, t, region) + signingKey := getSigningKey(cred.SecretKey, t, region) // Get signature. newSignature := getSignature(signingKey, formValues["Policy"]) @@ -217,7 +217,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s } // Verify if the access key id matches. - if pSignValues.Credential.accessKey != cred.AccessKeyID { + if pSignValues.Credential.accessKey != cred.AccessKey { return ErrInvalidAccessKeyID } @@ -268,7 +268,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s query.Set("X-Amz-Date", t.Format(iso8601Format)) query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds)) query.Set("X-Amz-SignedHeaders", getSignedHeaders(extractedSignedHeaders)) - query.Set("X-Amz-Credential", cred.AccessKeyID+"/"+getScope(t, sRegion)) + query.Set("X-Amz-Credential", cred.AccessKey+"/"+getScope(t, sRegion)) // Save other headers available in the request parameters. for k, v := range req.URL.Query() { 
@@ -313,7 +313,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s presignedStringToSign := getStringToSign(presignedCanonicalReq, t, region) // Get hmac presigned signing key. - presignedSigningKey := getSigningKey(cred.SecretAccessKey, t, region) + presignedSigningKey := getSigningKey(cred.SecretKey, t, region) // Get new signature. newSignature := getSignature(presignedSigningKey, presignedStringToSign) @@ -369,7 +369,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP } // Verify if the access key id matches. - if signV4Values.Credential.accessKey != cred.AccessKeyID { + if signV4Values.Credential.accessKey != cred.AccessKey { return ErrInvalidAccessKeyID } @@ -410,7 +410,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP stringToSign := getStringToSign(canonicalRequest, t, region) // Get hmac signing key. - signingKey := getSigningKey(cred.SecretAccessKey, t, region) + signingKey := getSigningKey(cred.SecretKey, t, region) // Calculate signature. newSignature := getSignature(signingKey, stringToSign) diff --git a/cmd/signature-v4_test.go b/cmd/signature-v4_test.go index c55520866..45efb295b 100644 --- a/cmd/signature-v4_test.go +++ b/cmd/signature-v4_test.go @@ -36,7 +36,7 @@ func niceError(code APIErrorCode) string { func TestDoesPolicySignatureMatch(t *testing.T) { credentialTemplate := "%s/%s/%s/s3/aws4_request" now := time.Now().UTC() - accessKey := serverConfig.GetCredential().AccessKeyID + accessKey := serverConfig.GetCredential().AccessKey testCases := []struct { form map[string]string 
@@ -83,7 +83,7 @@ func TestDoesPolicySignatureMatch(t *testing.T) { form: map[string]string{ "X-Amz-Credential": fmt.Sprintf(credentialTemplate, accessKey, now.Format(yyyymmdd), "us-east-1"), "X-Amz-Date": now.Format(iso8601Format), - "X-Amz-Signature": getSignature(getSigningKey(serverConfig.GetCredential().SecretAccessKey, now, "us-east-1"), "policy"), + "X-Amz-Signature": getSignature(getSigningKey(serverConfig.GetCredential().SecretKey, now, "us-east-1"), "policy"), "Policy": "policy", }, expected: ErrNone, @@ -112,7 +112,7 @@ func TestDoesPresignedSignatureMatch(t *testing.T) { credentialTemplate := "%s/%s/%s/s3/aws4_request" region := serverConfig.GetRegion() - accessKeyID := serverConfig.GetCredential().AccessKeyID + accessKeyID := serverConfig.GetCredential().AccessKey testCases := []struct { queryParams map[string]string headers map[string]string diff --git a/cmd/storage-rpc-client.go b/cmd/storage-rpc-client.go index 4ed639c2f..3f969d497 100644 --- a/cmd/storage-rpc-client.go +++ b/cmd/storage-rpc-client.go @@ -104,8 +104,8 @@ func newStorageRPC(ep *url.URL) (StorageAPI, error) { rpcAddr := ep.Host // Initialize rpc client with network address and rpc path. - accessKeyID := serverConfig.GetCredential().AccessKeyID - secretAccessKey := serverConfig.GetCredential().SecretAccessKey + accessKeyID := serverConfig.GetCredential().AccessKey + secretAccessKey := serverConfig.GetCredential().SecretKey if ep.User != nil { accessKeyID = ep.User.Username() if key, set := ep.User.Password(); set { diff --git a/cmd/storage-rpc-server_test.go b/cmd/storage-rpc-server_test.go index 4dc47475c..14ce5daa4 100644 --- a/cmd/storage-rpc-server_test.go +++ b/cmd/storage-rpc-server_test.go 
@@ -45,12 +45,12 @@ func createTestStorageServer(t *testing.T) *testStorageRPCServer { t.Fatalf("unable to get new JWT, %s", err) } - err = jwt.Authenticate(serverConfig.GetCredential().AccessKeyID, serverConfig.GetCredential().SecretAccessKey) + err = jwt.Authenticate(serverConfig.GetCredential().AccessKey, serverConfig.GetCredential().SecretKey) if err != nil { t.Fatalf("unable for JWT to authenticate, %s", err) } - token, err := jwt.GenerateToken(serverConfig.GetCredential().AccessKeyID) + token, err := jwt.GenerateToken(serverConfig.GetCredential().AccessKey) if err != nil { t.Fatalf("unable for JWT to generate token, %s", err) } diff --git a/cmd/streaming-signature-v4.go b/cmd/streaming-signature-v4.go index 85c0c0063..d2bbc3d66 100644 --- a/cmd/streaming-signature-v4.go +++ b/cmd/streaming-signature-v4.go @@ -56,7 +56,7 @@ func getChunkSignature(seedSignature string, date time.Time, hashedChunk string) hashedChunk // Get hmac signing key. - signingKey := getSigningKey(cred.SecretAccessKey, date, region) + signingKey := getSigningKey(cred.SecretKey, date, region) // Calculate signature. newSignature := getSignature(signingKey, stringToSign) @@ -101,7 +101,7 @@ func calculateSeedSignature(r *http.Request) (signature string, date time.Time, return "", time.Time{}, errCode } // Verify if the access key id matches. - if signV4Values.Credential.accessKey != cred.AccessKeyID { + if signV4Values.Credential.accessKey != cred.AccessKey { return "", time.Time{}, ErrInvalidAccessKeyID } @@ -138,7 +138,7 @@ func calculateSeedSignature(r *http.Request) (signature string, date time.Time, stringToSign := getStringToSign(canonicalRequest, date, region) // Get hmac signing key. - signingKey := getSigningKey(cred.SecretAccessKey, date, region) + signingKey := getSigningKey(cred.SecretKey, date, region) // Calculate signature. newSignature := getSignature(signingKey, stringToSign) diff --git a/cmd/test-utils_test.go b/cmd/test-utils_test.go index fc7440283..b427a6ae2 100644 
--- a/cmd/test-utils_test.go +++ b/cmd/test-utils_test.go @@ -199,8 +199,8 @@ func UnstartedTestServer(t TestErrHandler, instanceType string) TestServer { if err != nil { t.Fatalf("Unexpected error %s", err) } - testServer.AccessKey = credentials.AccessKeyID - testServer.SecretKey = credentials.SecretAccessKey + testServer.AccessKey = credentials.AccessKey + testServer.SecretKey = credentials.SecretKey objLayer, storageDisks, err := initObjectLayer(testServer.Disks) if err != nil { @@ -361,8 +361,8 @@ func StartTestStorageRPCServer(t TestErrHandler, instanceType string, diskN int) testRPCServer.Root = root testRPCServer.Disks = endpoints - testRPCServer.AccessKey = credentials.AccessKeyID - testRPCServer.SecretKey = credentials.SecretAccessKey + testRPCServer.AccessKey = credentials.AccessKey + testRPCServer.SecretKey = credentials.SecretKey // Run TestServer. testRPCServer.Server = httptest.NewServer(initTestStorageRPCEndPoint(serverCmdConfig{ @@ -396,8 +396,8 @@ func StartTestPeersRPCServer(t TestErrHandler, instanceType string) TestServer { testRPCServer.Root = root testRPCServer.Disks = endpoints - testRPCServer.AccessKey = credentials.AccessKeyID - testRPCServer.SecretKey = credentials.SecretAccessKey + testRPCServer.AccessKey = credentials.AccessKey + testRPCServer.SecretKey = credentials.SecretKey // create temporary backend for the test server. objLayer, storageDisks, err := initObjectLayer(endpoints) @@ -2131,8 +2131,8 @@ func StartTestBrowserPeerRPCServer(t TestErrHandler, instanceType string) TestSe credentials := serverConfig.GetCredential() testRPCServer.Root = root - testRPCServer.AccessKey = credentials.AccessKeyID - testRPCServer.SecretKey = credentials.SecretAccessKey + testRPCServer.AccessKey = credentials.AccessKey + testRPCServer.SecretKey = credentials.SecretKey // Initialize and run the TestServer. testRPCServer.Server = httptest.NewServer(initTestBrowserPeerRPCEndPoint()) 
@@ -2152,8 +2152,8 @@ func StartTestS3PeerRPCServer(t TestErrHandler) (TestServer, []string) { credentials := serverConfig.GetCredential() testRPCServer.Root = root - testRPCServer.AccessKey = credentials.AccessKeyID - testRPCServer.SecretKey = credentials.SecretAccessKey + testRPCServer.AccessKey = credentials.AccessKey + testRPCServer.SecretKey = credentials.SecretKey // init disks objLayer, fsDirs, err := prepareXL() diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go index eb6de45ee..2f4324566 100644 --- a/cmd/web-handlers.go +++ b/cmd/web-handlers.go @@ -52,7 +52,7 @@ func isJWTReqAuthenticated(req *http.Request) bool { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } - return []byte(jwt.SecretAccessKey), nil + return []byte(jwt.SecretKey), nil } token, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, reqCallback) if err != nil { @@ -347,9 +347,9 @@ func (web webAPIHandlers) GenerateAuth(r *http.Request, args *WebGenericArgs, re if !isJWTReqAuthenticated(r) { return toJSONError(errAuthentication) } - cred := mustGenAccessKeys() - reply.AccessKey = cred.AccessKeyID - reply.SecretKey = cred.SecretAccessKey + cred := newCredential() + reply.AccessKey = cred.AccessKey + reply.SecretKey = cred.SecretKey reply.UIVersion = miniobrowser.UIVersion return nil } @@ -375,8 +375,8 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se // Initialize jwt with the new access keys, fail if not possible. jwt, err := newJWT(defaultJWTExpiry, credential{ - AccessKeyID: args.AccessKey, - SecretAccessKey: args.SecretKey, + AccessKey: args.AccessKey, + SecretKey: args.SecretKey, }) // JWT Expiry set to 24Hrs. if err != nil { return toJSONError(err) 
@@ -460,8 +460,8 @@ func (web *webAPIHandlers) GetAuth(r *http.Request, args *WebGenericArgs, reply return toJSONError(errAuthentication) } creds := serverConfig.GetCredential() - reply.AccessKey = creds.AccessKeyID - reply.SecretKey = creds.SecretAccessKey + reply.AccessKey = creds.AccessKey + reply.SecretKey = creds.SecretKey reply.UIVersion = miniobrowser.UIVersion return nil } @@ -531,7 +531,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } - return []byte(jwt.SecretAccessKey), nil + return []byte(jwt.SecretKey), nil }) if e != nil || !token.Valid { writeWebErrorResponse(w, errAuthentication) @@ -760,8 +760,8 @@ func presignedGet(host, bucket, object string, expiry int64) string { cred := serverConfig.GetCredential() region := serverConfig.GetRegion() - accessKey := cred.AccessKeyID - secretKey := cred.SecretAccessKey + accessKey := cred.AccessKey + secretKey := cred.SecretKey date := time.Now().UTC() dateStr := date.Format(iso8601Format) diff --git a/cmd/web-handlers_test.go b/cmd/web-handlers_test.go index 8a937c4a8..42cad932a 100644 --- a/cmd/web-handlers_test.go +++ b/cmd/web-handlers_test.go @@ -149,7 +149,7 @@ func testLoginWebHandler(obj ObjectLayer, instanceType string, t TestErrHandler) {"", "foo", false}, {"azerty", "", false}, {"azerty", "foo", false}, - {credentials.AccessKeyID, credentials.SecretAccessKey, true}, + {credentials.AccessKey, credentials.SecretKey, true}, } // Iterating over the test cases, calling the function under test and asserting the response. 
@@ -186,7 +186,7 @@ func testStorageInfoWebHandler(obj ObjectLayer, instanceType string, t TestErrHa credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -232,7 +232,7 @@ func testServerInfoWebHandler(obj ObjectLayer, instanceType string, t TestErrHan credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -278,7 +278,7 @@ func testMakeBucketWebHandler(obj ObjectLayer, instanceType string, t TestErrHan credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -338,7 +338,7 @@ func testListBucketsWebHandler(obj ObjectLayer, instanceType string, t TestErrHa credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -397,7 +397,7 @@ func testListObjectsWebHandler(obj ObjectLayer, instanceType string, t TestErrHa rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } 
@@ -468,7 +468,7 @@ func testRemoveObjectWebHandler(obj ObjectLayer, instanceType string, t TestErrH credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -544,7 +544,7 @@ func testGenerateAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrH credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -590,7 +590,7 @@ func testSetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandle credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -651,7 +651,7 @@ func testGetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandle credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } 
@@ -670,7 +670,7 @@ func testGetAuthWebHandler(obj ObjectLayer, instanceType string, t TestErrHandle if err != nil { t.Fatalf("Failed, %v", err) } - if getAuthReply.AccessKey != credentials.AccessKeyID || getAuthReply.SecretKey != credentials.SecretAccessKey { + if getAuthReply.AccessKey != credentials.AccessKey || getAuthReply.SecretKey != credentials.SecretKey { t.Fatalf("Failed to get correct auth keys") } } @@ -696,7 +696,7 @@ func testUploadWebHandler(obj ObjectLayer, instanceType string, t TestErrHandler credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -760,7 +760,7 @@ func testDownloadWebHandler(obj ObjectLayer, instanceType string, t TestErrHandl credentials := serverConfig.GetCredential() rec := httptest.NewRecorder() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -815,7 +815,7 @@ func testWebPresignedGetHandler(obj ObjectLayer, instanceType string, t TestErrH credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } 
@@ -928,7 +928,7 @@ func testWebGetBucketPolicyHandler(obj ObjectLayer, instanceType string, t TestE credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -1011,7 +1011,7 @@ func testWebListAllBucketPoliciesHandler(obj ObjectLayer, instanceType string, t credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -1117,7 +1117,7 @@ func testWebSetBucketPolicyHandler(obj ObjectLayer, instanceType string, t TestE credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate") } @@ -1278,7 +1278,7 @@ func TestWebObjectLayerNotReady(t *testing.T) { rec := httptest.NewRecorder() credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate", err) } @@ -1382,7 +1382,7 @@ func TestWebObjectLayerFaultyDisks(t *testing.T) { rec := httptest.NewRecorder() credentials := serverConfig.GetCredential() - authorization, err := getWebRPCToken(apiRouter, credentials.AccessKeyID, credentials.SecretAccessKey) + authorization, err := getWebRPCToken(apiRouter, credentials.AccessKey, credentials.SecretKey) if err != nil { t.Fatal("Cannot authenticate", err) }