Add rpc layer authentication.

master
Harshavardhana 8 years ago
parent b4172ad3c8
commit 61af764f8a
  1. 29
      cmd/signature-jwt.go
  2. 12
      cmd/signature-jwt_test.go
  3. 61
      cmd/storage-rpc-client.go
  4. 43
      cmd/storage-rpc-server-datatypes.go
  5. 119
      cmd/storage-rpc-server.go
  6. 13
      cmd/web-handlers.go

@ -17,7 +17,7 @@
package cmd
import (
"fmt"
"errors"
"strings"
"time"
@ -32,24 +32,27 @@ type JWT struct {
credential
}
// Default - each token expires in 10hrs.
// Default each token expires in 100yrs.
const (
tokenExpires time.Duration = 10
defaultTokenExpiry time.Duration = time.Hour * 876000 // 100yrs.
)
// newJWT - returns new JWT object.
func newJWT() (*JWT, error) {
func newJWT(expiry time.Duration) (*JWT, error) {
if serverConfig == nil {
return nil, fmt.Errorf("server not initialzed")
return nil, errors.New("Server not initialzed")
}
if expiry == 0 {
expiry = defaultTokenExpiry
}
// Save access, secret keys.
cred := serverConfig.GetCredential()
if !isValidAccessKey.MatchString(cred.AccessKeyID) {
return nil, fmt.Errorf("Invalid access key")
return nil, errors.New("Invalid access key")
}
if !isValidSecretKey.MatchString(cred.SecretAccessKey) {
return nil, fmt.Errorf("Invalid secret key")
return nil, errors.New("Invalid secret key")
}
return &JWT{cred}, nil
@ -61,13 +64,13 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) {
accessKey = strings.TrimSpace(accessKey)
if !isValidAccessKey.MatchString(accessKey) {
return "", fmt.Errorf("Invalid access key")
return "", errors.New("Invalid access key")
}
tUTCNow := time.Now().UTC()
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
// Token expires in 10hrs.
"exp": tUTCNow.Add(time.Hour * tokenExpires).Unix(),
"exp": tUTCNow.Add(defaultTokenExpiry).Unix(),
"iat": tUTCNow.Unix(),
"sub": accessKey,
})
@ -80,20 +83,20 @@ func (jwt *JWT) Authenticate(accessKey, secretKey string) error {
accessKey = strings.TrimSpace(accessKey)
if !isValidAccessKey.MatchString(accessKey) {
return fmt.Errorf("Invalid access key")
return errors.New("Invalid access key")
}
if !isValidSecretKey.MatchString(secretKey) {
return fmt.Errorf("Invalid secret key")
return errors.New("Invalid secret key")
}
if accessKey != jwt.AccessKeyID {
return fmt.Errorf("Access key does not match")
return errors.New("Access key does not match")
}
hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(jwt.SecretAccessKey), bcrypt.DefaultCost)
if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil {
return fmt.Errorf("Authentication failed")
return errors.New("Authentication failed")
}
// Success.

@ -72,11 +72,11 @@ func TestNewJWT(t *testing.T) {
expectedErr error
}{
// Test non-existent config directory.
{path.Join(path1, "non-existent-dir"), false, nil, fmt.Errorf("server not initialzed")},
{path.Join(path1, "non-existent-dir"), false, nil, fmt.Errorf("Server not initialzed")},
// Test empty config directory.
{path2, false, nil, fmt.Errorf("server not initialzed")},
{path2, false, nil, fmt.Errorf("Server not initialzed")},
// Test empty config file.
{path3, false, nil, fmt.Errorf("server not initialzed")},
{path3, false, nil, fmt.Errorf("Server not initialzed")},
// Test initialized config file.
{path4, true, nil, nil},
// Test to read already created config file.
@ -108,7 +108,7 @@ func TestNewJWT(t *testing.T) {
serverConfig.SetCredential(*testCase.cred)
}
_, err := newJWT()
_, err := newJWT(defaultWebTokenExpiry)
if testCase.expectedErr != nil {
if err == nil {
@ -132,7 +132,7 @@ func TestGenerateToken(t *testing.T) {
}
defer removeAll(testPath)
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil {
t.Fatalf("unable get new JWT, %s", err)
}
@ -179,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
}
defer removeAll(testPath)
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil {
t.Fatalf("unable get new JWT, %s", err)
}

@ -17,20 +17,19 @@
package main
import (
"net/http"
"errors"
"net/rpc"
"path"
"strconv"
"strings"
"time"
)
type networkStorage struct {
netScheme string
netAddr string
netPath string
rpcClient *rpc.Client
httpClient *http.Client
netScheme string
netAddr string
netPath string
rpcClient *rpc.Client
rpcToken string
}
const (
@ -70,6 +69,25 @@ func toStorageErr(err error) error {
return err
}
// Login rpc client makes an authentication request to the rpc server.
// Receives a session token which will be used for subsequent requests.
// FIXME: Currently these tokens expire in 100yrs.
func loginRPCClient(rpcClient *rpc.Client) (tokenStr string, err error) {
cred := serverConfig.GetCredential()
reply := RPCLoginReply{}
if err = rpcClient.Call("Storage.LoginHandler", RPCLoginArgs{
Username: cred.AccessKeyID,
Password: cred.SecretAccessKey,
}, &reply); err != nil {
return "", err
}
if reply.ServerVersion != minioVersion {
return "", errors.New("Server version mismatch")
}
// Reply back server provided token.
return reply.Token, nil
}
// Initialize new rpc client.
func newRPCClient(networkPath string) (StorageAPI, error) {
// Input validation.
@ -80,15 +98,6 @@ func newRPCClient(networkPath string) (StorageAPI, error) {
// TODO validate netAddr and netPath.
netAddr, netPath := splitNetPath(networkPath)
// Initialize http client.
httpClient := &http.Client{
// Setting a sensible time out of 6minutes to wait for
// response headers. Request is pro-actively cancelled
// after 6minutes if no response was received from server.
Timeout: 6 * time.Minute,
Transport: http.DefaultTransport,
}
// Dial minio rpc storage http path.
rpcPath := path.Join(storageRPCPath, netPath)
port := getPort(srvConfig.serverAddr)
@ -98,13 +107,18 @@ func newRPCClient(networkPath string) (StorageAPI, error) {
return nil, err
}
token, err := loginRPCClient(rpcClient)
if err != nil {
return nil, err
}
// Initialize network storage.
ndisk := &networkStorage{
netScheme: "http", // TODO: fix for ssl rpc support.
netAddr: netAddr,
netPath: netPath,
rpcClient: rpcClient,
httpClient: httpClient,
netScheme: "http", // TODO: fix for ssl rpc support.
netAddr: netAddr,
netPath: netPath,
rpcClient: rpcClient,
rpcToken: token,
}
// Returns successfully here.
@ -117,7 +131,8 @@ func (n networkStorage) MakeVol(volume string) error {
return errVolumeBusy
}
reply := GenericReply{}
if err := n.rpcClient.Call("Storage.MakeVolHandler", volume, &reply); err != nil {
args := GenericVolArgs{n.rpcToken, volume}
if err := n.rpcClient.Call("Storage.MakeVolHandler", args, &reply); err != nil {
return toStorageErr(err)
}
return nil
@ -129,7 +144,7 @@ func (n networkStorage) ListVols() (vols []VolInfo, err error) {
return nil, errVolumeBusy
}
ListVols := ListVolsReply{}
err = n.rpcClient.Call("Storage.ListVolsHandler", "", &ListVols)
err = n.rpcClient.Call("Storage.ListVolsHandler", n.rpcToken, &ListVols)
if err != nil {
return nil, err
}

@ -16,12 +16,34 @@
package main
// RPCLoginArgs - login username and password for RPC.
type RPCLoginArgs struct {
Username string
Password string
}
// RPCLoginReply - login reply provides generated token to be used
// with subsequent requests.
type RPCLoginReply struct {
Token string
ServerVersion string
}
// GenericReply represents any generic RPC reply.
type GenericReply struct{}
// GenericArgs represents any generic RPC arguments.
type GenericArgs struct{}
// GenericVolArgs - generic volume args.
type GenericVolArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
}
// ListVolsReply represents list of vols RPC reply.
type ListVolsReply struct {
// List of volumes stat information.
@ -30,6 +52,9 @@ type ListVolsReply struct {
// ReadAllArgs represents read all RPC arguments.
type ReadAllArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -39,6 +64,9 @@ type ReadAllArgs struct {
// ReadFileArgs represents read file RPC arguments.
type ReadFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -54,6 +82,9 @@ type ReadFileArgs struct {
// AppendFileArgs represents append file RPC arguments.
type AppendFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -66,6 +97,9 @@ type AppendFileArgs struct {
// StatFileArgs represents stat file RPC arguments.
type StatFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -75,6 +109,9 @@ type StatFileArgs struct {
// DeleteFileArgs represents delete file RPC arguments.
type DeleteFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -84,6 +121,9 @@ type DeleteFileArgs struct {
// ListDirArgs represents list contents RPC arguments.
type ListDirArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
@ -93,6 +133,9 @@ type ListDirArgs struct {
// RenameFileArgs represents rename file RPC arguments.
type RenameFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of source volume.
SrcVol string

@ -17,10 +17,13 @@
package main
import (
"errors"
"fmt"
"net/rpc"
"path"
"strings"
jwtgo "github.com/dgrijalva/jwt-go"
router "github.com/gorilla/mux"
)
@ -31,15 +34,62 @@ type storageServer struct {
path string
}
// Validates if incoming token is valid.
func isRPCTokenValid(tokenStr string) bool {
jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
if err != nil {
errorIf(err, "Unable to initialize JWT")
return false
}
token, err := jwtgo.Parse(tokenStr, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return []byte(jwt.SecretAccessKey), nil
})
if err != nil {
errorIf(err, "Unable to parse JWT token string")
return false
}
// Return if token is valid.
return token.Valid
}
/// Auth operations
// Login - login handler.
func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
jwt, err := newJWT(defaultTokenExpiry)
if err != nil {
return err
}
if err = jwt.Authenticate(args.Username, args.Password); err != nil {
return err
}
token, err := jwt.GenerateToken(args.Username)
if err != nil {
return err
}
reply.Token = token
reply.ServerVersion = minioVersion
return nil
}
/// Volume operations handlers
// MakeVolHandler - make vol handler is rpc wrapper for MakeVol operation.
func (s *storageServer) MakeVolHandler(arg *string, reply *GenericReply) error {
return s.storage.MakeVol(*arg)
func (s *storageServer) MakeVolHandler(args *GenericVolArgs, reply *GenericReply) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.MakeVol(args.Vol)
}
// ListVolsHandler - list vols handler is rpc wrapper for ListVols operation.
func (s *storageServer) ListVolsHandler(arg *string, reply *ListVolsReply) error {
func (s *storageServer) ListVolsHandler(token *string, reply *ListVolsReply) error {
if !isRPCTokenValid(*token) {
return errors.New("Invalid token")
}
vols, err := s.storage.ListVols()
if err != nil {
return err
@ -49,8 +99,11 @@ func (s *storageServer) ListVolsHandler(arg *string, reply *ListVolsReply) error
}
// StatVolHandler - stat vol handler is a rpc wrapper for StatVol operation.
func (s *storageServer) StatVolHandler(arg *string, reply *VolInfo) error {
volInfo, err := s.storage.StatVol(*arg)
func (s *storageServer) StatVolHandler(args *GenericVolArgs, reply *VolInfo) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
volInfo, err := s.storage.StatVol(args.Vol)
if err != nil {
return err
}
@ -60,15 +113,21 @@ func (s *storageServer) StatVolHandler(arg *string, reply *VolInfo) error {
// DeleteVolHandler - delete vol handler is a rpc wrapper for
// DeleteVol operation.
func (s *storageServer) DeleteVolHandler(arg *string, reply *GenericReply) error {
return s.storage.DeleteVol(*arg)
func (s *storageServer) DeleteVolHandler(args *GenericVolArgs, reply *GenericReply) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.DeleteVol(args.Vol)
}
/// File operations
// StatFileHandler - stat file handler is rpc wrapper to stat file.
func (s *storageServer) StatFileHandler(arg *StatFileArgs, reply *FileInfo) error {
fileInfo, err := s.storage.StatFile(arg.Vol, arg.Path)
func (s *storageServer) StatFileHandler(args *StatFileArgs, reply *FileInfo) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
fileInfo, err := s.storage.StatFile(args.Vol, args.Path)
if err != nil {
return err
}
@ -77,8 +136,11 @@ func (s *storageServer) StatFileHandler(arg *StatFileArgs, reply *FileInfo) erro
}
// ListDirHandler - list directory handler is rpc wrapper to list dir.
func (s *storageServer) ListDirHandler(arg *ListDirArgs, reply *[]string) error {
entries, err := s.storage.ListDir(arg.Vol, arg.Path)
func (s *storageServer) ListDirHandler(args *ListDirArgs, reply *[]string) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
entries, err := s.storage.ListDir(args.Vol, args.Path)
if err != nil {
return err
}
@ -87,8 +149,11 @@ func (s *storageServer) ListDirHandler(arg *ListDirArgs, reply *[]string) error
}
// ReadAllHandler - read all handler is rpc wrapper to read all storage API.
func (s *storageServer) ReadAllHandler(arg *ReadFileArgs, reply *[]byte) error {
buf, err := s.storage.ReadAll(arg.Vol, arg.Path)
func (s *storageServer) ReadAllHandler(args *ReadFileArgs, reply *[]byte) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
buf, err := s.storage.ReadAll(args.Vol, args.Path)
if err != nil {
return err
}
@ -97,8 +162,11 @@ func (s *storageServer) ReadAllHandler(arg *ReadFileArgs, reply *[]byte) error {
}
// ReadFileHandler - read file handler is rpc wrapper to read file.
func (s *storageServer) ReadFileHandler(arg *ReadFileArgs, reply *int64) error {
n, err := s.storage.ReadFile(arg.Vol, arg.Path, arg.Offset, arg.Buffer)
func (s *storageServer) ReadFileHandler(args *ReadFileArgs, reply *int64) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
n, err := s.storage.ReadFile(args.Vol, args.Path, args.Offset, args.Buffer)
if err != nil {
return err
}
@ -107,18 +175,27 @@ func (s *storageServer) ReadFileHandler(arg *ReadFileArgs, reply *int64) error {
}
// AppendFileHandler - append file handler is rpc wrapper to append file.
func (s *storageServer) AppendFileHandler(arg *AppendFileArgs, reply *GenericReply) error {
return s.storage.AppendFile(arg.Vol, arg.Path, arg.Buffer)
func (s *storageServer) AppendFileHandler(args *AppendFileArgs, reply *GenericReply) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.AppendFile(args.Vol, args.Path, args.Buffer)
}
// DeleteFileHandler - delete file handler is rpc wrapper to delete file.
func (s *storageServer) DeleteFileHandler(arg *DeleteFileArgs, reply *GenericReply) error {
return s.storage.DeleteFile(arg.Vol, arg.Path)
func (s *storageServer) DeleteFileHandler(args *DeleteFileArgs, reply *GenericReply) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.DeleteFile(args.Vol, args.Path)
}
// RenameFileHandler - rename file handler is rpc wrapper to rename file.
func (s *storageServer) RenameFileHandler(arg *RenameFileArgs, reply *GenericReply) error {
return s.storage.RenameFile(arg.SrcVol, arg.SrcPath, arg.DstVol, arg.DstPath)
func (s *storageServer) RenameFileHandler(args *RenameFileArgs, reply *GenericReply) error {
if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.RenameFile(args.SrcVol, args.SrcPath, args.DstVol, args.DstPath)
}
// Initialize new storage rpc.

@ -41,7 +41,7 @@ import (
// isJWTReqAuthenticated validates if any incoming request to be a
// valid JWT authenticated request.
func isJWTReqAuthenticated(req *http.Request) bool {
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil {
errorIf(err, "unable to initialize a new JWT")
return false
@ -289,9 +289,14 @@ type LoginRep struct {
UIVersion string `json:"uiVersion"`
}
// Default JWT for minio browser expires in 24hrs.
const (
defaultWebTokenExpiry time.Duration = time.Hour * 24 // 24Hrs.
)
// Login - user login handler.
func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil {
return &json2.Error{Message: err.Error()}
}
@ -356,7 +361,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
return &json2.Error{Message: err.Error()}
}
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry) // JWT Expiry set to 24Hrs.
if err != nil {
return &json2.Error{Message: err.Error()}
}
@ -442,7 +447,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
object := vars["object"]
tokenStr := r.URL.Query().Get("token")
jwt, err := newJWT()
jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
if err != nil {
errorIf(err, "error in getting new JWT")
return

Loading…
Cancel
Save