mirror of
https://github.com/minio/minio.git
synced 2024-12-25 14:45:54 -05:00
ec5293ce29
This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
121 lines
3.5 KiB
Go
121 lines
3.5 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import "testing"
|
|
|
|
func testAuthenticate(authType string, t *testing.T) {
|
|
testPath, err := newTestConfig(globalMinioDefaultRegion)
|
|
if err != nil {
|
|
t.Fatalf("unable initialize config file, %s", err)
|
|
}
|
|
defer removeAll(testPath)
|
|
|
|
serverCred := serverConfig.GetCredential()
|
|
|
|
// Define test cases.
|
|
testCases := []struct {
|
|
accessKey string
|
|
secretKey string
|
|
expectedErr error
|
|
}{
|
|
// Access key too small.
|
|
{"user", "pass", errInvalidAccessKeyLength},
|
|
// Access key too long.
|
|
{"user12345678901234567", "pass", errInvalidAccessKeyLength},
|
|
// Access key contains unsuppported characters.
|
|
{"!@#$", "pass", errInvalidAccessKeyLength},
|
|
// Success when access key contains leading/trailing spaces.
|
|
{" " + serverCred.AccessKey + " ", serverCred.SecretKey, errInvalidAccessKeyLength},
|
|
// Secret key too small.
|
|
{"myuser", "pass", errInvalidSecretKeyLength},
|
|
// Secret key too long.
|
|
{"myuser", "pass1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890", errInvalidSecretKeyLength},
|
|
// Authentication error.
|
|
{"myuser", "mypassword", errInvalidAccessKeyID},
|
|
// Authentication error.
|
|
{serverCred.AccessKey, "mypassword", errAuthentication},
|
|
// Success.
|
|
{serverCred.AccessKey, serverCred.SecretKey, nil},
|
|
}
|
|
|
|
// Run tests.
|
|
for _, testCase := range testCases {
|
|
var err error
|
|
if authType == "node" {
|
|
_, err = authenticateNode(testCase.accessKey, testCase.secretKey)
|
|
} else if authType == "web" {
|
|
_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)
|
|
} else if authType == "url" {
|
|
_, err = authenticateURL(testCase.accessKey, testCase.secretKey)
|
|
}
|
|
|
|
if testCase.expectedErr != nil {
|
|
if err == nil {
|
|
t.Fatalf("%+v: expected: %s, got: <nil>", testCase, testCase.expectedErr)
|
|
}
|
|
if testCase.expectedErr.Error() != err.Error() {
|
|
t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedErr, err)
|
|
}
|
|
} else if err != nil {
|
|
t.Fatalf("%+v: expected: <nil>, got: %s", testCase, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAuthenticateNode(t *testing.T) {
|
|
testAuthenticate("node", t)
|
|
}
|
|
|
|
func TestAuthenticateWeb(t *testing.T) {
|
|
testAuthenticate("web", t)
|
|
}
|
|
|
|
func TestAuthenticateURL(t *testing.T) {
|
|
testAuthenticate("url", t)
|
|
}
|
|
|
|
func BenchmarkAuthenticateNode(b *testing.B) {
|
|
testPath, err := newTestConfig(globalMinioDefaultRegion)
|
|
if err != nil {
|
|
b.Fatalf("unable initialize config file, %s", err)
|
|
}
|
|
defer removeAll(testPath)
|
|
|
|
creds := serverConfig.GetCredential()
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
for i := 0; i < b.N; i++ {
|
|
authenticateNode(creds.AccessKey, creds.SecretKey)
|
|
}
|
|
}
|
|
|
|
func BenchmarkAuthenticateWeb(b *testing.B) {
|
|
testPath, err := newTestConfig(globalMinioDefaultRegion)
|
|
if err != nil {
|
|
b.Fatalf("unable initialize config file, %s", err)
|
|
}
|
|
defer removeAll(testPath)
|
|
|
|
creds := serverConfig.GetCredential()
|
|
b.ResetTimer()
|
|
b.ReportAllocs()
|
|
for i := 0; i < b.N; i++ {
|
|
authenticateWeb(creds.AccessKey, creds.SecretKey)
|
|
}
|
|
}
|