MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-09 21:49:46 -05:00
Code Issues Packages Projects Releases Wiki Activity

docs: Add more STS docs with dex and python example (#10047)

Browse Source
This commit is contained in:
Harshavardhana
2020-07-15 04:55:55 -07:00
committed by GitHub
parent 00d3cc4b69
commit ec91fa55db
11 changed files with 685 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
docs/sts/client_grants/__init__.py Normal file
View File

@@ -0,0 +1,144 @@
# -*- coding: utf-8 -*-
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import json
# standard.
import os
import certifi
# Dependencies
import urllib3
from botocore.credentials import CredentialProvider, RefreshableCredentials
from botocore.exceptions import CredentialRetrievalError
from dateutil.parser import parse
from .sts_element import STSElement
class ClientGrantsCredentialProvider(CredentialProvider):
"""
ClientGrantsCredentialProvider implements CredentialProvider compatible
implementation to be used with boto_session
"""
METHOD = 'assume-role-client-grants'
CANONICAL_NAME = 'AssumeRoleClientGrants'
def __init__(self, cid, csec,
idp_ep='http://localhost:8080/auth/realms/minio/protocol/openid-connect/token',
sts_ep='http://localhost:9000'):
self.cid = cid
self.csec = csec
self.idp_ep = idp_ep
self.sts_ep = sts_ep
# Load CA certificates from SSL_CERT_FILE file if set
ca_certs = os.environ.get('SSL_CERT_FILE')
if not ca_certs:
ca_certs = certifi.where()
self._http = urllib3.PoolManager(
timeout=urllib3.Timeout.DEFAULT_TIMEOUT,
maxsize=10,
cert_reqs='CERT_NONE',
ca_certs=ca_certs,
retries=urllib3.Retry(
total=5,
backoff_factor=0.2,
status_forcelist=[500, 502, 503, 504]
)
)
def load(self):
"""
Search for credentials with client_grants
"""
if self.cid is not None:
fetcher = self._create_credentials_fetcher()
return RefreshableCredentials.create_from_metadata(
metadata=fetcher(),
refresh_using=fetcher,
method=self.METHOD,
)
else:
return None
def _create_credentials_fetcher(self):
method = self.METHOD
def fetch_credentials():
# HTTP headers are case insensitive filter out
# all duplicate headers and pick one.
headers = {}
headers['content-type'] = 'application/x-www-form-urlencoded'
headers['authorization'] = urllib3.make_headers(
basic_auth='%s:%s' % (self.cid, self.csec))['authorization']
response = self._http.urlopen('POST', self.idp_ep,
body="grant_type=client_credentials",
headers=headers,
preload_content=True,
)
if response.status != 200:
message = "Credential refresh failed, response: %s"
raise CredentialRetrievalError(
provider=method,
error_msg=message % response.status,
)
creds = json.loads(response.data)
query = {}
query['Action'] = 'AssumeRoleWithClientGrants'
query['Token'] = creds['access_token']
query['DurationSeconds'] = creds['expires_in']
query['Version'] = '2011-06-15'
query_components = []
for key in query:
if query[key] is not None:
query_components.append("%s=%s" % (key, query[key]))
query_string = '&'.join(query_components)
sts_ep_url = self.sts_ep
if query_string:
sts_ep_url = self.sts_ep + '?' + query_string
response = self._http.urlopen(
'POST', sts_ep_url, preload_content=True)
if response.status != 200:
message = "Credential refresh failed, response: %s"
raise CredentialRetrievalError(
provider=method,
error_msg=message % response.status,
)
return parse_grants_response(response.data)
def parse_grants_response(data):
"""
Parser for AssumeRoleWithClientGrants response
:param data: Response data for AssumeRoleWithClientGrants request
:return: dict
"""
root = STSElement.fromstring(
'AssumeRoleWithClientGrantsResponse', data)
result = root.find('AssumeRoleWithClientGrantsResult')
creds = result.find('Credentials')
return dict(
access_key=creds.get_child_text('AccessKeyId'),
secret_key=creds.get_child_text('SecretAccessKey'),
token=creds.get_child_text('SessionToken'),
expiry_time=parse(creds.get_child_text('Expiration')).isoformat())
return fetch_credentials

90
docs/sts/client_grants/sts_element.py Normal file
View File

@@ -0,0 +1,90 @@
# -*- coding: utf-8 -*-
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from xml.etree import cElementTree
from xml.etree.cElementTree import ParseError
if hasattr(cElementTree, 'ParseError'):
_ETREE_EXCEPTIONS = (ParseError, AttributeError, ValueError, TypeError)
else:
_ETREE_EXCEPTIONS = (SyntaxError, AttributeError, ValueError, TypeError)
_STS_NS = {'sts': 'https://sts.amazonaws.com/doc/2011-06-15/'}
class STSElement(object):
"""STS aware XML parsing class. Wraps a root element name and
cElementTree.Element instance. Provides STS namespace aware parsing
functions.
"""
def __init__(self, root_name, element):
self.root_name = root_name
self.element = element
@classmethod
def fromstring(cls, root_name, data):
"""Initialize STSElement from name and XML string data.
:param name: Name for XML data. Used in XML errors.
:param data: string data to be parsed.
:return: Returns an STSElement.
"""
try:
return cls(root_name, cElementTree.fromstring(data))
except _ETREE_EXCEPTIONS as error:
raise InvalidXMLError(
'"{}" XML is not parsable. Message: {}'.format(
root_name, error.message
)
)
def findall(self, name):
"""Similar to ElementTree.Element.findall()
"""
return [
STSElement(self.root_name, elem)
for elem in self.element.findall('sts:{}'.format(name), _STS_NS)
]
def find(self, name):
"""Similar to ElementTree.Element.find()
"""
elt = self.element.find('sts:{}'.format(name), _STS_NS)
return STSElement(self.root_name, elt) if elt is not None else None
def get_child_text(self, name, strict=True):
"""Extract text of a child element. If strict, and child element is
not present, raises InvalidXMLError and otherwise returns
None.
"""
if strict:
try:
return self.element.find('sts:{}'.format(name), _STS_NS).text
except _ETREE_EXCEPTIONS as error:
raise InvalidXMLError(
('Invalid XML provided for "{}" - erroring tag <{}>. '
'Message: {}').format(self.root_name, name, error.message)
)
else:
return self.element.findtext('sts:{}'.format(name), None, _STS_NS)
def text(self):
"""Fetch the current node's text
"""
return self.element.text