creds: Secretkey should be generated upto 40 characters in length. (#4471)

Current code allowed it wrongly to generate secret key upto 100 we should only use 100 as a value to validate but for generating it should be 40. Fixes #4470
7 years ago · 1c3f244fc5
parent 986aa8fabf
commit 1c3f244fc5
4 changed files with 31 additions and 18 deletions
--- a/cmd/credential.go
+++ b/cmd/credential.go
@ -25,19 +25,35 @@ import (
 )

 const (
-	accessKeyMinLen       = 5
-	accessKeyMaxLen       = 20
-	secretKeyMinLen       = 8
-	secretKeyMaxLenAmazon = 100
-	alphaNumericTable     = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	alphaNumericTableLen  = byte(len(alphaNumericTable))
+	// Minimum length for Minio access key.
+	accessKeyMinLen = 5
+
+	// Maximum length for Minio access key.
+	accessKeyMaxLen = 20
+
+	// Minimum length for Minio secret key for both server and gateway mode.
+	secretKeyMinLen = 8
+
+	// Maximum secret key length for Minio, this
+	// is used when autogenerating new credentials.
+	secretKeyMaxLenMinio = 40
+
+	// Maximum secret key length allowed from client side
+	// caters for both server and gateway mode.
+	secretKeyMaxLen = 100
+
+	// Alpha numeric table used for generating access keys.
+	alphaNumericTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+	// Total length of the alpha numeric table.
+	alphaNumericTableLen = byte(len(alphaNumericTable))
 )

+// Common errors generated for access and secret key validation.
 var (
 	errInvalidAccessKeyLength = errors.New("Invalid access key, access key should be 5 to 20 characters in length")
 	errInvalidSecretKeyLength = errors.New("Invalid secret key, secret key should be 8 to 100 characters in length")
 )
-var secretKeyMaxLen = secretKeyMaxLenAmazon

 // isAccessKeyValid - validate access key for right length.
 func isAccessKeyValid(accessKey string) bool {
@ -111,10 +127,10 @@ func mustGetNewCredential() credential {
 	accessKey := string(keyBytes)

 	// Generate secret key.
-	keyBytes = make([]byte, secretKeyMaxLen)
+	keyBytes = make([]byte, secretKeyMaxLenMinio)
 	_, err = rand.Read(keyBytes)
 	fatalIf(err, "Unable to generate secret key.")
-	secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen])
+	secretKey := string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLenMinio])

 	cred, err := createCredential(accessKey, secretKey)
 	fatalIf(err, "Unable to generate new credential.")
--- a/cmd/credential_test.go
+++ b/cmd/credential_test.go
@ -23,6 +23,9 @@ func TestMustGetNewCredential(t *testing.T) {
 	if !cred.IsValid() {
 		t.Fatalf("Failed to get new valid credential")
 	}
+	if len(cred.SecretKey) != secretKeyMaxLenMinio {
+		t.Fatalf("Invalid length %d of the secretKey credential generated, expected %d", len(cred.SecretKey), secretKeyMaxLenMinio)
+	}
 }

 func TestCreateCredential(t *testing.T) {
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@ -19,11 +19,12 @@ package cmd
 import (
 	"errors"
 	"fmt"
-	"github.com/gorilla/mux"
-	"github.com/minio/cli"
 	"net/url"
 	"os"
 	"strings"
+
+	"github.com/gorilla/mux"
+	"github.com/minio/cli"
 )

 var gatewayTemplate = `NAME:
--- a/cmd/server_test.go
+++ b/cmd/server_test.go
@ -93,13 +93,6 @@ func (s *TestSuiteCommon) TearDownSuite(c *C) {
 	s.testServer.Stop()
 }

-func (s *TestSuiteCommon) TestAuth(c *C) {
-	cred := mustGetNewCredential()
-
-	c.Assert(len(cred.AccessKey), Equals, accessKeyMaxLen)
-	c.Assert(len(cred.SecretKey), Equals, secretKeyMaxLen)
-}
-
 func (s *TestSuiteCommon) TestBucketSQSNotificationWebHook(c *C) {
 	// Sample bucket notification.
 	bucketNotificationBuf := `<NotificationConfiguration><QueueConfiguration><Event>s3:ObjectCreated:Put</Event><Filter><S3Key><FilterRule><Name>prefix</Name><Value>images/</Value></FilterRule></S3Key></Filter><Id>1</Id><Queue>arn:minio:sqs:us-east-1:444455556666:webhook</Queue></QueueConfiguration></NotificationConfiguration>`