You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
minio/docs/sts/web-identity.go

259 lines
7.9 KiB

// +build ignore
/*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package main
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/json"
"encoding/xml"
"errors"
"flag"
"fmt"
"log"
"net/http"
"net/url"
"strings"
"time"
"golang.org/x/oauth2"
"github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio/pkg/auth"
)
// AssumedRoleUser - The identifiers for the temporary security credentials that
// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
type AssumedRoleUser struct {
Arn string
AssumedRoleID string `xml:"AssumeRoleId"`
// contains filtered or unexported fields
}
// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
type AssumeRoleWithWebIdentityResponse struct {
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
Result WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
ResponseMetadata struct {
RequestID string `xml:"RequestId,omitempty"`
} `xml:"ResponseMetadata,omitempty"`
}
// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity
// request, including temporary credentials that can be used to make MinIO API requests.
type WebIdentityResult struct {
AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
Audience string `xml:",omitempty"`
Credentials auth.Credentials `xml:",omitempty"`
PackedPolicySize int `xml:",omitempty"`
Provider string `xml:",omitempty"`
SubjectFromWebIdentityToken string `xml:",omitempty"`
}
// Returns a base64 encoded random 32 byte string.
func randomState() string {
b := make([]byte, 32)
rand.Read(b)
return base64.RawURLEncoding.EncodeToString(b)
}
var (
stsEndpoint string
configEndpoint string
clientID string
clientSec string
clientScopes string
port int
)
// DiscoveryDoc - parses the output from openid-configuration
// for example https://accounts.google.com/.well-known/openid-configuration
type DiscoveryDoc struct {
Issuer string `json:"issuer,omitempty"`
AuthEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
TokenEndpointAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}
func parseDiscoveryDoc(ustr string) (DiscoveryDoc, error) {
d := DiscoveryDoc{}
req, err := http.NewRequest(http.MethodGet, ustr, nil)
if err != nil {
return d, err
}
clnt := http.Client{
Transport: http.DefaultTransport,
}
resp, err := clnt.Do(req)
if err != nil {
return d, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return d, err
}
dec := json.NewDecoder(resp.Body)
if err = dec.Decode(&d); err != nil {
return d, err
}
return d, nil
}
func init() {
flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
flag.StringVar(&configEndpoint, "config-ep",
"https://accounts.google.com/.well-known/openid-configuration",
"OpenID discovery document endpoint")
flag.StringVar(&clientID, "cid", "", "Client ID")
flag.StringVar(&clientSec, "csec", "", "Client Secret")
flag.StringVar(&clientScopes, "cscopes", "openid", "Client Scopes")
flag.IntVar(&port, "port", 8080, "Port")
}
func main() {
flag.Parse()
if clientID == "" || clientSec == "" {
flag.PrintDefaults()
return
}
ddoc, err := parseDiscoveryDoc(configEndpoint)
if err != nil {
log.Println(fmt.Errorf("Failed to parse OIDC discovery document %s", err))
fmt.Println(err)
return
}
scopes := ddoc.ScopesSupported
if clientScopes != "" {
scopes = strings.Split(clientScopes, ",");
}
ctx := context.Background()
config := oauth2.Config{
ClientID: clientID,
ClientSecret: clientSec,
Endpoint: oauth2.Endpoint{
AuthURL: ddoc.AuthEndpoint,
TokenURL: ddoc.TokenEndpoint,
},
RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
Scopes: scopes,
}
state := randomState()
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.RequestURI)
if r.RequestURI != "/" {
http.NotFound(w, r)
return
}
http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
})
http.HandleFunc("/oauth2/callback", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.RequestURI)
if r.URL.Query().Get("state") != state {
http.Error(w, "state did not match", http.StatusBadRequest)
return
}
getWebTokenExpiry := func() (*credentials.WebIdentityToken, error) {
oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
return nil, err
}
if !oauth2Token.Valid() {
return nil, errors.New("invalid token")
}
return &credentials.WebIdentityToken{
Token: oauth2Token.Extra("id_token").(string),
Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
}, nil
}
sts, err := credentials.NewSTSWebIdentity(stsEndpoint, getWebTokenExpiry)
if err != nil {
log.Println(fmt.Errorf("Could not get STS credentials: %s", err))
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
opts := &minio.Options{
Creds: sts,
BucketLookup: minio.BucketLookupAuto,
}
u, err := url.Parse(stsEndpoint)
if err != nil {
log.Println(fmt.Errorf("Failed to parse STS Endpoint: %s", err))
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
clnt, err := minio.NewWithOptions(u.Host, opts)
if err != nil {
log.Println(fmt.Errorf("Error while initializing Minio client, %s", err))
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
buckets, err := clnt.ListBuckets()
if err != nil {
log.Println(fmt.Errorf("Error while listing buckets, %s", err))
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
creds, _ := sts.Get()
bucketNames := []string{}
for _, bucket := range buckets {
log.Println(fmt.Sprintf("Bucket discovered: %s", bucket.Name))
bucketNames = append(bucketNames, bucket.Name)
}
response := make(map[string]interface{})
response["credentials"] = creds
response["buckets"] = bucketNames
c, err := json.MarshalIndent(response, "", "\t")
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Write(c)
})
address := fmt.Sprintf("localhost:%v", port)
log.Printf("listening on http://%s/", address)
log.Fatal(http.ListenAndServe(address, nil))
}