Align STS web-identity code snippet to documentation (minio#9114) (#9130)

master
gzur 5 years ago committed by GitHub
parent 35ecc04223
commit 3fea1d5e35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 16
      docs/sts/keycloak.md
  2. 30
      docs/sts/web-identity.go

@ -39,15 +39,19 @@ $ go run docs/sts/web-identity.go -cid account -csec 072e7f00-4289-469c-9ab2-bbe
2018/12/26 17:49:36 listening on http://localhost:8888/ 2018/12/26 17:49:36 listening on http://localhost:8888/
``` ```
This will open the login page of keycloak, upon successful login, STS credentials will be printed on the screen, for example This will open the login page of keycloak, upon successful login, STS credentials along with any buckets discovered using the credentials will be printed on the screen, for example:
``` ```
##### Credentials
{ {
"accessKey": "6N2BALX7ELO827DXS3GK", "buckets": [
"secretKey": "23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR", "bucket-x"
"expiration": "2019-10-01T07:22:34Z", ],
"sessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiI2TjJCQUxYN0VMTzgyN0RYUzNHSyIsImFjciI6IjAiLCJhdWQiOiJhY2NvdW50IiwiYXV0aF90aW1lIjoxNTY5OTEwNTUyLCJhenAiOiJhY2NvdW50IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJleHAiOjE1Njk5MTQ1NTQsImlhdCI6MTU2OTkxMDk1NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgxL2F1dGgvcmVhbG1zL2RlbW8iLCJqdGkiOiJkOTk4YTBlZS01NDk2LTQ4OWYtYWJlMi00ZWE5MjJiZDlhYWYiLCJuYmYiOjAsInBvbGljeSI6InJlYWR3cml0ZSIsInByZWZlcnJlZF91c2VybmFtZSI6Im5ld3VzZXIxIiwic2Vzc2lvbl9zdGF0ZSI6IjJiYTAyYTI2LWE5MTUtNDUxNC04M2M1LWE0YjgwYjc4ZTgxNyIsInN1YiI6IjY4ZmMzODVhLTA5MjItNGQyMS04N2U5LTZkZTdhYjA3Njc2NSIsInR5cCI6IklEIn0._UG_-ZHgwdRnsp0gFdwChb7VlbPs-Gr_RNUz9EV7TggCD59qjCFAKjNrVHfOSVkKvYEMe0PvwfRKjnJl3A_mBA" "credentials": {
"AccessKeyID": "6N2BALX7ELO827DXS3GK",
"SecretAccessKey": "23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR+xxx",
"SessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiI2TjJCQUxYN0VMTzgyN0RYUzNHSyIsImFjciI6IjAiLCJhdWQiOiJhY2NvdW50IiwiYXV0aF90aW1lIjoxNTY5OTEwNTUyLCJhenAiOiJhY2NvdW50IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJleHAiOjE1Njk5MTQ1NTQsImlhdCI6MTU2OTkxMDk1NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgxL2F1dGgvcmVhbG1zL2RlbW8iLCJqdGkiOiJkOTk4YTBlZS01NDk2LTQ4OWYtYWJlMi00ZWE5MjJiZDlhYWYiLCJuYmYiOjAsInBvbGljeSI6InJlYWR3cml0ZSIsInByZWZlcnJlZF91c2VybmFtZSI6Im5ld3VzZXIxIiwic2Vzc2lvbl9zdGF0ZSI6IjJiYTAyYTI2LWE5MTUtNDUxNC04M2M1LWE0YjgwYjc4ZTgxNyIsInN1YiI6IjY4ZmMzODVhLTA5MjItNGQyMS04N2U5LTZkZTdhYjA3Njc2NSIsInR5cCI6IklEIn0._UG_-ZHgwdRnsp0gFdwChb7VlbPs-Gr_RNUz9EV7TggCD59qjCFAKjNrVHfOSVkKvYEMe0PvwfRKjnJl3A_mBA"",
"SignerType": 1
}
} }
``` ```

@ -143,6 +143,7 @@ func main() {
ddoc, err := parseDiscoveryDoc(configEndpoint) ddoc, err := parseDiscoveryDoc(configEndpoint)
if err != nil { if err != nil {
log.Println(fmt.Errorf("Failed to parse OIDC discovery document %s", err))
fmt.Println(err) fmt.Println(err)
return return
} }
@ -163,10 +164,16 @@ func main() {
state := randomState() state := randomState()
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.RequestURI)
if r.RequestURI != "/" {
http.NotFound(w, r)
return
}
http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound) http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
}) })
http.HandleFunc("/oauth2/callback", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/oauth2/callback", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.RequestURI)
if r.URL.Query().Get("state") != state { if r.URL.Query().Get("state") != state {
http.Error(w, "state did not match", http.StatusBadRequest) http.Error(w, "state did not match", http.StatusBadRequest)
return return
@ -189,13 +196,11 @@ func main() {
sts, err := credentials.NewSTSWebIdentity(stsEndpoint, getWebTokenExpiry) sts, err := credentials.NewSTSWebIdentity(stsEndpoint, getWebTokenExpiry)
if err != nil { if err != nil {
log.Println(fmt.Errorf("Could not get STS credentials: %s", err))
http.Error(w, err.Error(), http.StatusBadRequest) http.Error(w, err.Error(), http.StatusBadRequest)
return return
} }
// Uncomment this to use MinIO API operations by initializing minio
// client with obtained credentials.
opts := &minio.Options{ opts := &minio.Options{
Creds: sts, Creds: sts,
BucketLookup: minio.BucketLookupAuto, BucketLookup: minio.BucketLookupAuto,
@ -203,23 +208,40 @@ func main() {
u, err := url.Parse(stsEndpoint) u, err := url.Parse(stsEndpoint)
if err != nil { if err != nil {
log.Println(fmt.Errorf("Failed to parse STS Endpoint: %s", err))
http.Error(w, err.Error(), http.StatusBadRequest) http.Error(w, err.Error(), http.StatusBadRequest)
return return
} }
clnt, err := minio.NewWithOptions(u.Host, opts) clnt, err := minio.NewWithOptions(u.Host, opts)
if err != nil { if err != nil {
log.Println(fmt.Errorf("Error while initializing Minio client, %s", err))
http.Error(w, err.Error(), http.StatusBadRequest) http.Error(w, err.Error(), http.StatusBadRequest)
return return
} }
buckets, err := clnt.ListBuckets() buckets, err := clnt.ListBuckets()
if err != nil { if err != nil {
log.Println(fmt.Errorf("Error while listing buckets, %s", err))
http.Error(w, err.Error(), http.StatusBadRequest) http.Error(w, err.Error(), http.StatusBadRequest)
return return
} }
creds, _ := sts.Get()
bucketNames := []string{}
for _, bucket := range buckets { for _, bucket := range buckets {
log.Println(bucket) log.Println(fmt.Sprintf("Bucket discovered: %s", bucket.Name))
bucketNames = append(bucketNames, bucket.Name)
}
response := make(map[string]interface{})
response["credentials"] = creds
response["buckets"] = bucketNames
c, err := json.MarshalIndent(response, "", "\t")
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
} }
w.Write(c)
}) })
address := fmt.Sprintf("localhost:%v", port) address := fmt.Sprintf("localhost:%v", port)

Loading…
Cancel
Save