minio/docs/sts/web-identity.go

180 lines
5.2 KiB
Go

// +build ignore
/*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package main
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/xml"
"errors"
"flag"
"fmt"
"log"
"net/http"
"net/url"
"time"
"golang.org/x/oauth2"
googleOAuth2 "golang.org/x/oauth2/google"
"github.com/minio/minio-go/v6"
"github.com/minio/minio-go/v6/pkg/credentials"
"github.com/minio/minio/pkg/auth"
)
// AssumedRoleUser - The identifiers for the temporary security credentials that
// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
type AssumedRoleUser struct {
Arn string
AssumedRoleID string `xml:"AssumeRoleId"`
// contains filtered or unexported fields
}
// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
type AssumeRoleWithWebIdentityResponse struct {
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
Result WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
ResponseMetadata struct {
RequestID string `xml:"RequestId,omitempty"`
} `xml:"ResponseMetadata,omitempty"`
}
// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity
// request, including temporary credentials that can be used to make MinIO API requests.
type WebIdentityResult struct {
AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
Audience string `xml:",omitempty"`
Credentials auth.Credentials `xml:",omitempty"`
PackedPolicySize int `xml:",omitempty"`
Provider string `xml:",omitempty"`
SubjectFromWebIdentityToken string `xml:",omitempty"`
}
// Returns a base64 encoded random 32 byte string.
func randomState() string {
b := make([]byte, 32)
rand.Read(b)
return base64.RawURLEncoding.EncodeToString(b)
}
var (
stsEndpoint string
authEndpoint string
tokenEndpoint string
clientID string
clientSecret string
port int
)
func init() {
flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
flag.StringVar(&authEndpoint, "auth-ep", googleOAuth2.Endpoint.AuthURL, "Auth endpoint")
flag.StringVar(&tokenEndpoint, "token-ep", googleOAuth2.Endpoint.TokenURL, "Token endpoint")
flag.StringVar(&clientID, "cid", "", "Client ID")
flag.StringVar(&clientSecret, "csec", "", "Client secret")
flag.IntVar(&port, "port", 8080, "Port")
}
func main() {
flag.Parse()
if clientID == "" || clientSecret == "" {
flag.PrintDefaults()
return
}
ctx := context.Background()
config := oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
Endpoint: oauth2.Endpoint{
AuthURL: authEndpoint,
TokenURL: tokenEndpoint,
},
RedirectURL: fmt.Sprintf("http://localhost:%v/oauth2/callback", port),
Scopes: []string{"openid", "profile", "email"},
}
state := randomState()
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
})
http.HandleFunc("/oauth2/callback", func(w http.ResponseWriter, r *http.Request) {
if r.URL.Query().Get("state") != state {
http.Error(w, "state did not match", http.StatusBadRequest)
return
}
getWebTokenExpiry := func() (*credentials.WebIdentityToken, error) {
oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
return nil, err
}
if !oauth2Token.Valid() {
return nil, errors.New("invalid token")
}
return &credentials.WebIdentityToken{
Token: oauth2Token.Extra("id_token").(string),
Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
}, nil
}
sts, err := credentials.NewSTSWebIdentity(stsEndpoint, getWebTokenExpiry)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
// Uncomment this to use MinIO API operations by initializing minio
// client with obtained credentials.
opts := &minio.Options{
Creds: sts,
BucketLookup: minio.BucketLookupAuto,
}
u, err := url.Parse(stsEndpoint)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
clnt, err := minio.NewWithOptions(u.Host, opts)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
buckets, err := clnt.ListBuckets()
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
for _, bucket := range buckets {
log.Println(bucket)
}
})
address := fmt.Sprintf("localhost:%v", port)
log.Printf("listening on http://%s/", address)
log.Fatal(http.ListenAndServe(address, nil))
}