minio/cmd/jwt_test.go

/*
 * Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"os"
	"testing"
)

func testAuthenticate(authType string, t *testing.T) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		t.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)
	// Create access and secret keys in length, 300 and 600
	cred, err := getNewCredential(300, 600)
	if err != nil {
		t.Fatalf("unable to get new credential, %v", err)
	}
	serverConfig.SetCredential(cred)

	// Define test cases.
	testCases := []struct {
		accessKey   string
		secretKey   string
		expectedErr error
	}{
		// Access key (less than 5 chrs) too small.
		{"user", cred.SecretKey, errInvalidAccessKeyLength},
		// Secret key (less than 8 chrs) too small.
		{cred.AccessKey, "pass", errInvalidSecretKeyLength},
		// Authentication error.
		{"myuser", "mypassword", errInvalidAccessKeyID},
		// Authentication error.
		{cred.AccessKey, "mypassword", errAuthentication},
		// Success.
		{cred.AccessKey, cred.SecretKey, nil},
	}

	// Run tests.
	for _, testCase := range testCases {
		var err error
		if authType == "node" {
			_, err = authenticateNode(testCase.accessKey, testCase.secretKey)
		} else if authType == "web" {
			_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)
		} else if authType == "url" {
			_, err = authenticateURL(testCase.accessKey, testCase.secretKey)
		}

		if testCase.expectedErr != nil {
			if err == nil {
				t.Fatalf("%+v: expected: %s, got: <nil>", testCase, testCase.expectedErr)
			}
			if testCase.expectedErr.Error() != err.Error() {
				t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedErr, err)
			}
		} else if err != nil {
			t.Fatalf("%+v: expected: <nil>, got: %s", testCase, err)
		}
	}
}

func TestAuthenticateNode(t *testing.T) {
	testAuthenticate("node", t)
}

func TestAuthenticateWeb(t *testing.T) {
	testAuthenticate("web", t)
}

func TestAuthenticateURL(t *testing.T) {
	testAuthenticate("url", t)
}

func BenchmarkAuthenticateNode(b *testing.B) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		b.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)

	creds := serverConfig.GetCredential()
	b.ResetTimer()
	b.ReportAllocs()
	for i := 0; i < b.N; i++ {
		authenticateNode(creds.AccessKey, creds.SecretKey)
	}
}

func BenchmarkAuthenticateWeb(b *testing.B) {
	testPath, err := newTestConfig(globalMinioDefaultRegion)
	if err != nil {
		b.Fatalf("unable initialize config file, %s", err)
	}
	defer os.RemoveAll(testPath)

	creds := serverConfig.GetCredential()
	b.ResetTimer()
	b.ReportAllocs()
	for i := 0; i < b.N; i++ {
		authenticateWeb(creds.AccessKey, creds.SecretKey)
	}
}
Have simpler JWT authentication. (#3501) 8 years ago			`/*`
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues. 8 years ago			`* Minio Cloud Storage, (C) 2016, 2017 Minio, Inc.`
Have simpler JWT authentication. (#3501) 8 years ago			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 7 years ago			`import (`
			`"os"`
			`"testing"`
			`)`
Have simpler JWT authentication. (#3501) 8 years ago
			`func testAuthenticate(authType string, t *testing.T) {`
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues. 8 years ago			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
Have simpler JWT authentication. (#3501) 8 years ago			`if err != nil {`
			`t.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 7 years ago			`defer os.RemoveAll(testPath)`
Removes max limit requirement on accessKey and secretKey length (#4730) 7 years ago			`// Create access and secret keys in length, 300 and 600`
			`cred, err := getNewCredential(300, 600)`
			`if err != nil {`
			`t.Fatalf("unable to get new credential, %v", err)`
			`}`
			`serverConfig.SetCredential(cred)`
Have simpler JWT authentication. (#3501) 8 years ago
			`// Define test cases.`
			`testCases := []struct {`
			`accessKey string`
			`secretKey string`
			`expectedErr error`
			`}{`
Removes max limit requirement on accessKey and secretKey length (#4730) 7 years ago			`// Access key (less than 5 chrs) too small.`
			`{"user", cred.SecretKey, errInvalidAccessKeyLength},`
			`// Secret key (less than 8 chrs) too small.`
			`{cred.AccessKey, "pass", errInvalidSecretKeyLength},`
Have simpler JWT authentication. (#3501) 8 years ago			`// Authentication error.`
			`{"myuser", "mypassword", errInvalidAccessKeyID},`
			`// Authentication error.`
Removes max limit requirement on accessKey and secretKey length (#4730) 7 years ago			`{cred.AccessKey, "mypassword", errAuthentication},`
Have simpler JWT authentication. (#3501) 8 years ago			`// Success.`
Removes max limit requirement on accessKey and secretKey length (#4730) 7 years ago			`{cred.AccessKey, cred.SecretKey, nil},`
Have simpler JWT authentication. (#3501) 8 years ago			`}`

			`// Run tests.`
			`for _, testCase := range testCases {`
			`var err error`
			`if authType == "node" {`
			`_, err = authenticateNode(testCase.accessKey, testCase.secretKey)`
			`} else if authType == "web" {`
			`_, err = authenticateWeb(testCase.accessKey, testCase.secretKey)`
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 7 years ago			`} else if authType == "url" {`
			`_, err = authenticateURL(testCase.accessKey, testCase.secretKey)`
Have simpler JWT authentication. (#3501) 8 years ago			`}`

			`if testCase.expectedErr != nil {`
			`if err == nil {`
			`t.Fatalf("%+v: expected: %s, got: <nil>", testCase, testCase.expectedErr)`
			`}`
			`if testCase.expectedErr.Error() != err.Error() {`
			`t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedErr, err)`
			`}`
			`} else if err != nil {`
			`t.Fatalf("%+v: expected: <nil>, got: %s", testCase, err)`
			`}`
			`}`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago			`func TestAuthenticateNode(t *testing.T) {`
Have simpler JWT authentication. (#3501) 8 years ago			`testAuthenticate("node", t)`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago			`func TestAuthenticateWeb(t *testing.T) {`
Have simpler JWT authentication. (#3501) 8 years ago			`testAuthenticate("web", t)`
			`}`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago
jwt,browser: allow short-expiry tokens for GETs (#4684) This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673 7 years ago			`func TestAuthenticateURL(t *testing.T) {`
			`testAuthenticate("url", t)`
			`}`

jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago			`func BenchmarkAuthenticateNode(b *testing.B) {`
			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`b.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 7 years ago			`defer os.RemoveAll(testPath)`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago
			`creds := serverConfig.GetCredential()`
			`b.ResetTimer()`
			`b.ReportAllocs()`
			`for i := 0; i < b.N; i++ {`
			`authenticateNode(creds.AccessKey, creds.SecretKey)`
			`}`
			`}`

			`func BenchmarkAuthenticateWeb(b *testing.B) {`
			`testPath, err := newTestConfig(globalMinioDefaultRegion)`
			`if err != nil {`
			`b.Fatalf("unable initialize config file, %s", err)`
			`}`
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658 7 years ago			`defer os.RemoveAll(testPath)`
jwt: Cache the bcrypt password hash. (#3526) Creds don't require secretKeyHash to be calculated everytime, cache it instead and re-use. This is an optimization for bcrypt. Relevant results from the benchmark done locally, negative value means improvement in this scenario. ``` benchmark old ns/op new ns/op delta BenchmarkAuthenticateNode-4 160590992 80125647 -50.11% BenchmarkAuthenticateWeb-4 160556692 80432144 -49.90% benchmark old allocs new allocs delta BenchmarkAuthenticateNode-4 87 75 -13.79% BenchmarkAuthenticateWeb-4 87 75 -13.79% benchmark old bytes new bytes delta BenchmarkAuthenticateNode-4 15222 9785 -35.72% BenchmarkAuthenticateWeb-4 15222 9785 -35.72% ``` 8 years ago
			`creds := serverConfig.GetCredential()`
			`b.ResetTimer()`
			`b.ReportAllocs()`
			`for i := 0; i < b.N; i++ {`
			`authenticateWeb(creds.AccessKey, creds.SecretKey)`
			`}`
			`}`