Have simpler JWT authentication. (#3501)

cmd/jwt.go

@@ -0,0 +1,116 @@
+/*
+ * Minio Cloud Storage, (C) 2016 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	jwtreq "github.com/dgrijalva/jwt-go/request"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	jwtAlgorithm = "Bearer"
+
+	// Default JWT token for web handlers is one day.
+	defaultJWTExpiry = 24 * time.Hour
+
+	// Inter-node JWT token expiry is 100 years approx.
+	defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
+)
+
+var errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
+var errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")
+
+var errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
+var errAuthentication = errors.New("Authentication failed, check your access credentials")
+
+func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
+	// Trim spaces.
+	accessKey = strings.TrimSpace(accessKey)
+
+	if !isAccessKeyValid(accessKey) {
+		return "", errInvalidAccessKeyLength
+	}
+	if !isSecretKeyValid(secretKey) {
+		return "", errInvalidSecretKeyLength
+	}
+
+	serverCred := serverConfig.GetCredential()
+
+	// Validate access key.
+	if accessKey != serverCred.AccessKey {
+		return "", errInvalidAccessKeyID
+	}
+
+	// Validate secret key.
+	// Using bcrypt to avoid timing attacks.
+	hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(serverCred.SecretKey), bcrypt.DefaultCost)
+	if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil {
+		return "", errAuthentication
+	}
+
+	utcNow := time.Now().UTC()
+	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
+		"exp": utcNow.Add(expiry).Unix(),
+		"iat": utcNow.Unix(),
+		"sub": accessKey,
+	})
+
+	return token.SignedString([]byte(serverCred.SecretKey))
+}
+
+func authenticateNode(accessKey, secretKey string) (string, error) {
+	return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
+}
+
+func authenticateWeb(accessKey, secretKey string) (string, error) {
+	return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
+}
+
+func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
+	if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
+		return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
+	}
+
+	return []byte(serverConfig.GetCredential().SecretKey), nil
+}
+
+func isAuthTokenValid(tokenString string) bool {
+	jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)
+	if err != nil {
+		errorIf(err, "Unable to parse JWT token string")
+		return false
+	}
+
+	return jwtToken.Valid
+}
+
+func isHTTPRequestValid(req *http.Request) bool {
+	jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)
+	if err != nil {
+		errorIf(err, "Unable to parse JWT token string")
+		return false
+	}
+
+	return jwtToken.Valid
+}