MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-07-08 08:32:18 -04:00
Code Issues Packages Projects Releases Wiki Activity

Rename iam/validator -> iam/openid and add tests (#8340)

Browse Source 
Refactor as part of config migration
This commit is contained in:
Harshavardhana 2019-10-01 15:07:20 -07:00 committed by kannappanr
parent ff5bf51952
commit fb1374f2f7
12 changed files with 69 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
cmd/config-current.go
View File

@ -30,8 +30,8 @@ import (
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event" "github.com/minio/minio/pkg/event"
"github.com/minio/minio/pkg/event/target" "github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy" iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
xnet "github.com/minio/minio/pkg/net" xnet "github.com/minio/minio/pkg/net"
) )
@ -571,7 +571,7 @@ func (s *serverConfig) loadToCachedConfigs() {
"Unable to populate public key from JWKS URL %s", s.OpenID.JWKS.URL) "Unable to populate public key from JWKS URL %s", s.OpenID.JWKS.URL)
} }
globalIAMValidators = getAuthValidators(s) globalIAMValidators = getOpenIDValidators(s)
if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" { if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" {
opaArgs := iampolicy.OpaArgs{ opaArgs := iampolicy.OpaArgs{
@ -638,15 +638,15 @@ func loadConfig(objAPI ObjectLayer) error {
return nil return nil
} }
// getAuthValidators - returns ValidatorList which contains // getOpenIDValidators - returns ValidatorList which contains
// enabled providers in server config. // enabled providers in server config.
// A new authentication provider is added like below // A new authentication provider is added like below
// * Add a new provider in pkg/iam/validator package. // * Add a new provider in pkg/iam/openid package.
func getAuthValidators(config *serverConfig) *validator.Validators { func getOpenIDValidators(config *serverConfig) *openid.Validators {
validators := validator.NewValidators() validators := openid.NewValidators()
if config.OpenID.JWKS.URL != nil { if config.OpenID.JWKS.URL != nil {
validators.Add(validator.NewJWT(config.OpenID.JWKS)) validators.Add(openid.NewJWT(config.OpenID.JWKS))
} }
return validators return validators

4
cmd/config-migrate.go
View File

@ -29,8 +29,8 @@ import (
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event" "github.com/minio/minio/pkg/event"
"github.com/minio/minio/pkg/event/target" "github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy" iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
xnet "github.com/minio/minio/pkg/net" xnet "github.com/minio/minio/pkg/net"
"github.com/minio/minio/pkg/quick" "github.com/minio/minio/pkg/quick"
) )
@ -2654,7 +2654,7 @@ func migrateV30ToV31MinioSys(objAPI ObjectLayer) error {
} }
cfg.Version = "31" cfg.Version = "31"
cfg.OpenID.JWKS = validator.JWKSArgs{ cfg.OpenID.JWKS = openid.JWKSArgs{
URL: &xnet.URL{}, URL: &xnet.URL{},
} }
cfg.Policy.OPA = iampolicy.OpaArgs{ cfg.Policy.OPA = iampolicy.OpaArgs{

8
cmd/config-versions.go
View File

@ -22,8 +22,8 @@ import (
"github.com/minio/minio/cmd/crypto" "github.com/minio/minio/cmd/crypto"
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/event/target" "github.com/minio/minio/pkg/event/target"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy" iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/quick" "github.com/minio/minio/pkg/quick"
) )
@ -817,7 +817,7 @@ type serverConfigV31 struct {
// OpenID configuration // OpenID configuration
OpenID struct { OpenID struct {
// JWKS validator config. // JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"` JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"` } `json:"openid"`
// External policy enforcements. // External policy enforcements.
@ -872,7 +872,7 @@ type serverConfigV32 struct {
// OpenID configuration // OpenID configuration
OpenID struct { OpenID struct {
// JWKS validator config. // JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"` JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"` } `json:"openid"`
// External policy enforcements. // External policy enforcements.
@ -916,7 +916,7 @@ type serverConfigV33 struct {
// OpenID configuration // OpenID configuration
OpenID struct { OpenID struct {
// JWKS validator config. // JWKS validator config.
JWKS validator.JWKSArgs `json:"jwks"` JWKS openid.JWKSArgs `json:"jwks"`
} `json:"openid"` } `json:"openid"`
// External policy enforcements. // External policy enforcements.

4
cmd/globals.go
View File

@ -33,8 +33,8 @@ import (
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/certs" "github.com/minio/minio/pkg/certs"
"github.com/minio/minio/pkg/dns" "github.com/minio/minio/pkg/dns"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy" iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/pubsub" "github.com/minio/minio/pkg/pubsub"
) )
@ -269,7 +269,7 @@ var (
standardExcludeCompressContentTypes = []string{"video/*", "audio/*", "application/zip", "application/x-gzip", "application/x-zip-compressed", " application/x-compress", "application/x-spoon"} standardExcludeCompressContentTypes = []string{"video/*", "audio/*", "application/zip", "application/x-gzip", "application/x-zip-compressed", " application/x-compress", "application/x-spoon"}
// Authorization validators list. // Authorization validators list.
globalIAMValidators *validator.Validators globalIAMValidators *openid.Validators
// OPA policy system. // OPA policy system.
globalPolicyOPA *iampolicy.Opa globalPolicyOPA *iampolicy.Opa

3
cmd/signature-v4-utils_test.go
View File

@ -17,9 +17,10 @@
package cmd package cmd
import ( import (
"github.com/minio/minio/cmd/crypto"
"net/http" "net/http"
"testing" "testing"
"github.com/minio/minio/cmd/crypto"
) )
// TestSkipContentSha256Cksum - Test validate the logic which decides whether // TestSkipContentSha256Cksum - Test validate the logic which decides whether

8
cmd/sts-handlers.go
View File

@ -27,8 +27,8 @@ import (
xhttp "github.com/minio/minio/cmd/http" xhttp "github.com/minio/minio/cmd/http"
"github.com/minio/minio/cmd/logger" "github.com/minio/minio/cmd/logger"
"github.com/minio/minio/pkg/auth" "github.com/minio/minio/pkg/auth"
"github.com/minio/minio/pkg/iam/openid"
iampolicy "github.com/minio/minio/pkg/iam/policy" iampolicy "github.com/minio/minio/pkg/iam/policy"
"github.com/minio/minio/pkg/iam/validator"
"github.com/minio/minio/pkg/wildcard" "github.com/minio/minio/pkg/wildcard"
ldap "gopkg.in/ldap.v3" ldap "gopkg.in/ldap.v3"
) )
@ -181,7 +181,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
var err error var err error
m := make(map[string]interface{}) m := make(map[string]interface{})
m["exp"], err = validator.GetDefaultExpiration(r.Form.Get("DurationSeconds")) m["exp"], err = openid.GetDefaultExpiration(r.Form.Get("DurationSeconds"))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
return return
@ -282,7 +282,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
m, err := v.Validate(token, r.Form.Get("DurationSeconds")) m, err := v.Validate(token, r.Form.Get("DurationSeconds"))
if err != nil { if err != nil {
switch err { switch err {
case validator.ErrTokenExpired: case openid.ErrTokenExpired:
switch action { switch action {
case clientGrants: case clientGrants:
writeSTSErrorResponse(ctx, w, ErrSTSClientGrantsExpiredToken, err) writeSTSErrorResponse(ctx, w, ErrSTSClientGrantsExpiredToken, err)
@ -290,7 +290,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
writeSTSErrorResponse(ctx, w, ErrSTSWebIdentityExpiredToken, err) writeSTSErrorResponse(ctx, w, ErrSTSWebIdentityExpiredToken, err)
} }
return return
case validator.ErrInvalidDuration: case openid.ErrInvalidDuration:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err)
return return
} }

2
pkg/iam/validator/jwks.go → pkg/iam/openid/jwks.go
View File

@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"crypto" "crypto"

2
pkg/iam/validator/jwks_test.go → pkg/iam/openid/jwks_test.go
View File

@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"bytes" "bytes"

2
pkg/iam/validator/jwt.go → pkg/iam/openid/jwt.go
View File

@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"crypto" "crypto"

2
pkg/iam/validator/jwt_test.go → pkg/iam/openid/jwt_test.go
View File

@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"crypto" "crypto"

2
pkg/iam/validator/validators.go → pkg/iam/openid/validators.go
View File

@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"errors" "errors"

46
pkg/iam/validator/validators_test.go → pkg/iam/openid/validators_test.go
View File

@ -14,10 +14,14 @@
* limitations under the License. * limitations under the License.
*/ */
package validator package openid
import ( import (
"net/http"
"net/http/httptest"
"testing" "testing"
xnet "github.com/minio/minio/pkg/net"
) )
type errorValidator struct{} type errorValidator struct{}
@ -31,7 +35,32 @@ func (e errorValidator) ID() ID {
} }
func TestValidators(t *testing.T) { func TestValidators(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
w.Write([]byte(`{
"keys" : [ {
"kty" : "RSA",
"kid" : "1438289820780",
"use" : "sig",
"alg" : "RS256",
"n" : "idWPro_QiAFOdMsJD163lcDIPogOwXogRo3Pct2MMyeE2GAGqV20Sc8QUbuLDfPl-7Hi9IfFOz--JY6QL5l92eV-GJXkTmidUEooZxIZSp3ghRxLCqlyHeF5LuuM5LPRFDeF4YWFQT_D2eNo_w95g6qYSeOwOwGIfaHa2RMPcQAiM6LX4ot-Z7Po9z0_3ztFa02m3xejEFr2rLRqhFl3FZJaNnwTUk6an6XYsunxMk3Ya3lRaKJReeXeFtfTpShgtPiAl7lIfLJH9h26h2OAlww531DpxHSm1gKXn6bjB0NTC55vJKft4wXoc_0xKZhnWmjQE8d9xE8e1Z3Ll1LYbw",
"e" : "AQAB"
}, {
"kty" : "RSA",
"kid" : "1438289856256",
"use" : "sig",
"alg" : "RS256",
"n" : "zo5cKcbFECeiH8eGx2D-DsFSpjSKbTVlXD6uL5JAy9rYIv7eYEP6vrKeX-x1z70yEdvgk9xbf9alc8siDfAz3rLCknqlqL7XGVAQL0ZP63UceDmD60LHOzMrx4eR6p49B3rxFfjvX2SWSV3-1H6XNyLk_ALbG6bGCFGuWBQzPJB4LMKCrOFq-6jtRKOKWBXYgkYkaYs5dG-3e2ULbq-y2RdgxYh464y_-MuxDQfvUgP787XKfcXP_XjJZvyuOEANjVyJYZSOyhHUlSGJapQ8ztHdF-swsnf7YkePJ2eR9fynWV2ZoMaXOdidgZtGTa4R1Z4BgH2C0hKJiqRy9fB7Gw",
"e" : "AQAB"
} ]
}
`))
w.(http.Flusher).Flush()
}))
defer ts.Close()
vrs := NewValidators() vrs := NewValidators()
if err := vrs.Add(&errorValidator{}); err != nil { if err := vrs.Add(&errorValidator{}); err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -58,7 +87,18 @@ func TestValidators(t *testing.T) {
t.Fatalf("Unexpected number of vids %v", vids) t.Fatalf("Unexpected number of vids %v", vids)
} }
if vids[0] != "err" { u, err := xnet.ParseURL(ts.URL)
t.Fatalf("Unexpected vid %v", vids[0]) if err != nil {
t.Fatal(err)
}
if err = vrs.Add(NewJWT(JWKSArgs{
URL: u,
})); err != nil {
t.Fatal(err)
}
if _, err = vrs.Get("jwt"); err != nil {
t.Fatal(err)
} }
} }