minio/cmd/jwt.go
Anis Elleuch ed4fcb63f7 Require content-length in POST & Upload requests (#3671)
Avoid passing size = -1 to PutObject API by requiring content-length
header in POST request (as AWS S3 does) and in Upload web handler.
Post handler is modified to completely store multipart file to know
its size before sending it to PutObject().
2017-02-02 10:45:00 -08:00

129 lines
3.7 KiB
Go

/*
* Minio Cloud Storage, (C) 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
"errors"
"fmt"
"net/http"
"strings"
"time"
jwtgo "github.com/dgrijalva/jwt-go"
jwtreq "github.com/dgrijalva/jwt-go/request"
"golang.org/x/crypto/bcrypt"
)
const (
jwtAlgorithm = "Bearer"
// Default JWT token for web handlers is one day.
defaultJWTExpiry = 24 * time.Hour
// Inter-node JWT token expiry is 100 years approx.
defaultInterNodeJWTExpiry = 100 * 365 * 24 * time.Hour
)
var errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
var errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 40 characters in length")
var errInvalidAccessKeyID = errors.New("The access key ID you provided does not exist in our records")
var errAuthentication = errors.New("Authentication failed, check your access credentials")
var errNoAuthToken = errors.New("JWT token missing")
func authenticateJWT(accessKey, secretKey string, expiry time.Duration) (string, error) {
// Trim spaces.
accessKey = strings.TrimSpace(accessKey)
if !isAccessKeyValid(accessKey) {
return "", errInvalidAccessKeyLength
}
if !isSecretKeyValid(secretKey) {
return "", errInvalidSecretKeyLength
}
serverCred := serverConfig.GetCredential()
// Validate access key.
if accessKey != serverCred.AccessKey {
return "", errInvalidAccessKeyID
}
// Validate secret key.
// Using bcrypt to avoid timing attacks.
if bcrypt.CompareHashAndPassword(serverCred.SecretKeyHash, []byte(secretKey)) != nil {
return "", errAuthentication
}
utcNow := time.Now().UTC()
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
"exp": utcNow.Add(expiry).Unix(),
"iat": utcNow.Unix(),
"sub": accessKey,
})
return token.SignedString([]byte(serverCred.SecretKey))
}
func authenticateNode(accessKey, secretKey string) (string, error) {
return authenticateJWT(accessKey, secretKey, defaultInterNodeJWTExpiry)
}
func authenticateWeb(accessKey, secretKey string) (string, error) {
return authenticateJWT(accessKey, secretKey, defaultJWTExpiry)
}
func keyFuncCallback(jwtToken *jwtgo.Token) (interface{}, error) {
if _, ok := jwtToken.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", jwtToken.Header["alg"])
}
return []byte(serverConfig.GetCredential().SecretKey), nil
}
func isAuthTokenValid(tokenString string) bool {
jwtToken, err := jwtgo.Parse(tokenString, keyFuncCallback)
if err != nil {
errorIf(err, "Unable to parse JWT token string")
return false
}
return jwtToken.Valid
}
func isHTTPRequestValid(req *http.Request) bool {
return webRequestAuthenticate(req) == nil
}
// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
func webRequestAuthenticate(req *http.Request) error {
jwtToken, err := jwtreq.ParseFromRequest(req, jwtreq.AuthorizationHeaderExtractor, keyFuncCallback)
if err != nil {
if err == jwtreq.ErrNoTokenInRequest {
return errNoAuthToken
}
return errAuthentication
}
if !jwtToken.Valid {
return errAuthentication
}
return nil
}