Add rpc layer authentication.

master
Harshavardhana 8 years ago
parent b4172ad3c8
commit 61af764f8a
  1. 29
      cmd/signature-jwt.go
  2. 12
      cmd/signature-jwt_test.go
  3. 61
      cmd/storage-rpc-client.go
  4. 43
      cmd/storage-rpc-server-datatypes.go
  5. 119
      cmd/storage-rpc-server.go
  6. 13
      cmd/web-handlers.go

@ -17,7 +17,7 @@
package cmd package cmd
import ( import (
"fmt" "errors"
"strings" "strings"
"time" "time"
@ -32,24 +32,27 @@ type JWT struct {
credential credential
} }
// Default - each token expires in 10hrs. // Default each token expires in 100yrs.
const ( const (
tokenExpires time.Duration = 10 defaultTokenExpiry time.Duration = time.Hour * 876000 // 100yrs.
) )
// newJWT - returns new JWT object. // newJWT - returns new JWT object.
func newJWT() (*JWT, error) { func newJWT(expiry time.Duration) (*JWT, error) {
if serverConfig == nil { if serverConfig == nil {
return nil, fmt.Errorf("server not initialzed") return nil, errors.New("Server not initialzed")
}
if expiry == 0 {
expiry = defaultTokenExpiry
} }
// Save access, secret keys. // Save access, secret keys.
cred := serverConfig.GetCredential() cred := serverConfig.GetCredential()
if !isValidAccessKey.MatchString(cred.AccessKeyID) { if !isValidAccessKey.MatchString(cred.AccessKeyID) {
return nil, fmt.Errorf("Invalid access key") return nil, errors.New("Invalid access key")
} }
if !isValidSecretKey.MatchString(cred.SecretAccessKey) { if !isValidSecretKey.MatchString(cred.SecretAccessKey) {
return nil, fmt.Errorf("Invalid secret key") return nil, errors.New("Invalid secret key")
} }
return &JWT{cred}, nil return &JWT{cred}, nil
@ -61,13 +64,13 @@ func (jwt *JWT) GenerateToken(accessKey string) (string, error) {
accessKey = strings.TrimSpace(accessKey) accessKey = strings.TrimSpace(accessKey)
if !isValidAccessKey.MatchString(accessKey) { if !isValidAccessKey.MatchString(accessKey) {
return "", fmt.Errorf("Invalid access key") return "", errors.New("Invalid access key")
} }
tUTCNow := time.Now().UTC() tUTCNow := time.Now().UTC()
token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{ token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims{
// Token expires in 10hrs. // Token expires in 10hrs.
"exp": tUTCNow.Add(time.Hour * tokenExpires).Unix(), "exp": tUTCNow.Add(defaultTokenExpiry).Unix(),
"iat": tUTCNow.Unix(), "iat": tUTCNow.Unix(),
"sub": accessKey, "sub": accessKey,
}) })
@ -80,20 +83,20 @@ func (jwt *JWT) Authenticate(accessKey, secretKey string) error {
accessKey = strings.TrimSpace(accessKey) accessKey = strings.TrimSpace(accessKey)
if !isValidAccessKey.MatchString(accessKey) { if !isValidAccessKey.MatchString(accessKey) {
return fmt.Errorf("Invalid access key") return errors.New("Invalid access key")
} }
if !isValidSecretKey.MatchString(secretKey) { if !isValidSecretKey.MatchString(secretKey) {
return fmt.Errorf("Invalid secret key") return errors.New("Invalid secret key")
} }
if accessKey != jwt.AccessKeyID { if accessKey != jwt.AccessKeyID {
return fmt.Errorf("Access key does not match") return errors.New("Access key does not match")
} }
hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(jwt.SecretAccessKey), bcrypt.DefaultCost) hashedSecretKey, _ := bcrypt.GenerateFromPassword([]byte(jwt.SecretAccessKey), bcrypt.DefaultCost)
if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil { if bcrypt.CompareHashAndPassword(hashedSecretKey, []byte(secretKey)) != nil {
return fmt.Errorf("Authentication failed") return errors.New("Authentication failed")
} }
// Success. // Success.

@ -72,11 +72,11 @@ func TestNewJWT(t *testing.T) {
expectedErr error expectedErr error
}{ }{
// Test non-existent config directory. // Test non-existent config directory.
{path.Join(path1, "non-existent-dir"), false, nil, fmt.Errorf("server not initialzed")}, {path.Join(path1, "non-existent-dir"), false, nil, fmt.Errorf("Server not initialzed")},
// Test empty config directory. // Test empty config directory.
{path2, false, nil, fmt.Errorf("server not initialzed")}, {path2, false, nil, fmt.Errorf("Server not initialzed")},
// Test empty config file. // Test empty config file.
{path3, false, nil, fmt.Errorf("server not initialzed")}, {path3, false, nil, fmt.Errorf("Server not initialzed")},
// Test initialized config file. // Test initialized config file.
{path4, true, nil, nil}, {path4, true, nil, nil},
// Test to read already created config file. // Test to read already created config file.
@ -108,7 +108,7 @@ func TestNewJWT(t *testing.T) {
serverConfig.SetCredential(*testCase.cred) serverConfig.SetCredential(*testCase.cred)
} }
_, err := newJWT() _, err := newJWT(defaultWebTokenExpiry)
if testCase.expectedErr != nil { if testCase.expectedErr != nil {
if err == nil { if err == nil {
@ -132,7 +132,7 @@ func TestGenerateToken(t *testing.T) {
} }
defer removeAll(testPath) defer removeAll(testPath)
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil { if err != nil {
t.Fatalf("unable get new JWT, %s", err) t.Fatalf("unable get new JWT, %s", err)
} }
@ -179,7 +179,7 @@ func TestAuthenticate(t *testing.T) {
} }
defer removeAll(testPath) defer removeAll(testPath)
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil { if err != nil {
t.Fatalf("unable get new JWT, %s", err) t.Fatalf("unable get new JWT, %s", err)
} }

@ -17,20 +17,19 @@
package main package main
import ( import (
"net/http" "errors"
"net/rpc" "net/rpc"
"path" "path"
"strconv" "strconv"
"strings" "strings"
"time"
) )
type networkStorage struct { type networkStorage struct {
netScheme string netScheme string
netAddr string netAddr string
netPath string netPath string
rpcClient *rpc.Client rpcClient *rpc.Client
httpClient *http.Client rpcToken string
} }
const ( const (
@ -70,6 +69,25 @@ func toStorageErr(err error) error {
return err return err
} }
// Login rpc client makes an authentication request to the rpc server.
// Receives a session token which will be used for subsequent requests.
// FIXME: Currently these tokens expire in 100yrs.
func loginRPCClient(rpcClient *rpc.Client) (tokenStr string, err error) {
cred := serverConfig.GetCredential()
reply := RPCLoginReply{}
if err = rpcClient.Call("Storage.LoginHandler", RPCLoginArgs{
Username: cred.AccessKeyID,
Password: cred.SecretAccessKey,
}, &reply); err != nil {
return "", err
}
if reply.ServerVersion != minioVersion {
return "", errors.New("Server version mismatch")
}
// Reply back server provided token.
return reply.Token, nil
}
// Initialize new rpc client. // Initialize new rpc client.
func newRPCClient(networkPath string) (StorageAPI, error) { func newRPCClient(networkPath string) (StorageAPI, error) {
// Input validation. // Input validation.
@ -80,15 +98,6 @@ func newRPCClient(networkPath string) (StorageAPI, error) {
// TODO validate netAddr and netPath. // TODO validate netAddr and netPath.
netAddr, netPath := splitNetPath(networkPath) netAddr, netPath := splitNetPath(networkPath)
// Initialize http client.
httpClient := &http.Client{
// Setting a sensible time out of 6minutes to wait for
// response headers. Request is pro-actively cancelled
// after 6minutes if no response was received from server.
Timeout: 6 * time.Minute,
Transport: http.DefaultTransport,
}
// Dial minio rpc storage http path. // Dial minio rpc storage http path.
rpcPath := path.Join(storageRPCPath, netPath) rpcPath := path.Join(storageRPCPath, netPath)
port := getPort(srvConfig.serverAddr) port := getPort(srvConfig.serverAddr)
@ -98,13 +107,18 @@ func newRPCClient(networkPath string) (StorageAPI, error) {
return nil, err return nil, err
} }
token, err := loginRPCClient(rpcClient)
if err != nil {
return nil, err
}
// Initialize network storage. // Initialize network storage.
ndisk := &networkStorage{ ndisk := &networkStorage{
netScheme: "http", // TODO: fix for ssl rpc support. netScheme: "http", // TODO: fix for ssl rpc support.
netAddr: netAddr, netAddr: netAddr,
netPath: netPath, netPath: netPath,
rpcClient: rpcClient, rpcClient: rpcClient,
httpClient: httpClient, rpcToken: token,
} }
// Returns successfully here. // Returns successfully here.
@ -117,7 +131,8 @@ func (n networkStorage) MakeVol(volume string) error {
return errVolumeBusy return errVolumeBusy
} }
reply := GenericReply{} reply := GenericReply{}
if err := n.rpcClient.Call("Storage.MakeVolHandler", volume, &reply); err != nil { args := GenericVolArgs{n.rpcToken, volume}
if err := n.rpcClient.Call("Storage.MakeVolHandler", args, &reply); err != nil {
return toStorageErr(err) return toStorageErr(err)
} }
return nil return nil
@ -129,7 +144,7 @@ func (n networkStorage) ListVols() (vols []VolInfo, err error) {
return nil, errVolumeBusy return nil, errVolumeBusy
} }
ListVols := ListVolsReply{} ListVols := ListVolsReply{}
err = n.rpcClient.Call("Storage.ListVolsHandler", "", &ListVols) err = n.rpcClient.Call("Storage.ListVolsHandler", n.rpcToken, &ListVols)
if err != nil { if err != nil {
return nil, err return nil, err
} }

@ -16,12 +16,34 @@
package main package main
// RPCLoginArgs - login username and password for RPC.
type RPCLoginArgs struct {
Username string
Password string
}
// RPCLoginReply - login reply provides generated token to be used
// with subsequent requests.
type RPCLoginReply struct {
Token string
ServerVersion string
}
// GenericReply represents any generic RPC reply. // GenericReply represents any generic RPC reply.
type GenericReply struct{} type GenericReply struct{}
// GenericArgs represents any generic RPC arguments. // GenericArgs represents any generic RPC arguments.
type GenericArgs struct{} type GenericArgs struct{}
// GenericVolArgs - generic volume args.
type GenericVolArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume.
Vol string
}
// ListVolsReply represents list of vols RPC reply. // ListVolsReply represents list of vols RPC reply.
type ListVolsReply struct { type ListVolsReply struct {
// List of volumes stat information. // List of volumes stat information.
@ -30,6 +52,9 @@ type ListVolsReply struct {
// ReadAllArgs represents read all RPC arguments. // ReadAllArgs represents read all RPC arguments.
type ReadAllArgs struct { type ReadAllArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -39,6 +64,9 @@ type ReadAllArgs struct {
// ReadFileArgs represents read file RPC arguments. // ReadFileArgs represents read file RPC arguments.
type ReadFileArgs struct { type ReadFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -54,6 +82,9 @@ type ReadFileArgs struct {
// AppendFileArgs represents append file RPC arguments. // AppendFileArgs represents append file RPC arguments.
type AppendFileArgs struct { type AppendFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -66,6 +97,9 @@ type AppendFileArgs struct {
// StatFileArgs represents stat file RPC arguments. // StatFileArgs represents stat file RPC arguments.
type StatFileArgs struct { type StatFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -75,6 +109,9 @@ type StatFileArgs struct {
// DeleteFileArgs represents delete file RPC arguments. // DeleteFileArgs represents delete file RPC arguments.
type DeleteFileArgs struct { type DeleteFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -84,6 +121,9 @@ type DeleteFileArgs struct {
// ListDirArgs represents list contents RPC arguments. // ListDirArgs represents list contents RPC arguments.
type ListDirArgs struct { type ListDirArgs struct {
// Authentication token generated by Login.
Token string
// Name of the volume. // Name of the volume.
Vol string Vol string
@ -93,6 +133,9 @@ type ListDirArgs struct {
// RenameFileArgs represents rename file RPC arguments. // RenameFileArgs represents rename file RPC arguments.
type RenameFileArgs struct { type RenameFileArgs struct {
// Authentication token generated by Login.
Token string
// Name of source volume. // Name of source volume.
SrcVol string SrcVol string

@ -17,10 +17,13 @@
package main package main
import ( import (
"errors"
"fmt"
"net/rpc" "net/rpc"
"path" "path"
"strings" "strings"
jwtgo "github.com/dgrijalva/jwt-go"
router "github.com/gorilla/mux" router "github.com/gorilla/mux"
) )
@ -31,15 +34,62 @@ type storageServer struct {
path string path string
} }
// Validates if incoming token is valid.
func isRPCTokenValid(tokenStr string) bool {
jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
if err != nil {
errorIf(err, "Unable to initialize JWT")
return false
}
token, err := jwtgo.Parse(tokenStr, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return []byte(jwt.SecretAccessKey), nil
})
if err != nil {
errorIf(err, "Unable to parse JWT token string")
return false
}
// Return if token is valid.
return token.Valid
}
/// Auth operations
// Login - login handler.
func (s *storageServer) LoginHandler(args *RPCLoginArgs, reply *RPCLoginReply) error {
jwt, err := newJWT(defaultTokenExpiry)
if err != nil {
return err
}
if err = jwt.Authenticate(args.Username, args.Password); err != nil {
return err
}
token, err := jwt.GenerateToken(args.Username)
if err != nil {
return err
}
reply.Token = token
reply.ServerVersion = minioVersion
return nil
}
/// Volume operations handlers /// Volume operations handlers
// MakeVolHandler - make vol handler is rpc wrapper for MakeVol operation. // MakeVolHandler - make vol handler is rpc wrapper for MakeVol operation.
func (s *storageServer) MakeVolHandler(arg *string, reply *GenericReply) error { func (s *storageServer) MakeVolHandler(args *GenericVolArgs, reply *GenericReply) error {
return s.storage.MakeVol(*arg) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.MakeVol(args.Vol)
} }
// ListVolsHandler - list vols handler is rpc wrapper for ListVols operation. // ListVolsHandler - list vols handler is rpc wrapper for ListVols operation.
func (s *storageServer) ListVolsHandler(arg *string, reply *ListVolsReply) error { func (s *storageServer) ListVolsHandler(token *string, reply *ListVolsReply) error {
if !isRPCTokenValid(*token) {
return errors.New("Invalid token")
}
vols, err := s.storage.ListVols() vols, err := s.storage.ListVols()
if err != nil { if err != nil {
return err return err
@ -49,8 +99,11 @@ func (s *storageServer) ListVolsHandler(arg *string, reply *ListVolsReply) error
} }
// StatVolHandler - stat vol handler is a rpc wrapper for StatVol operation. // StatVolHandler - stat vol handler is a rpc wrapper for StatVol operation.
func (s *storageServer) StatVolHandler(arg *string, reply *VolInfo) error { func (s *storageServer) StatVolHandler(args *GenericVolArgs, reply *VolInfo) error {
volInfo, err := s.storage.StatVol(*arg) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
volInfo, err := s.storage.StatVol(args.Vol)
if err != nil { if err != nil {
return err return err
} }
@ -60,15 +113,21 @@ func (s *storageServer) StatVolHandler(arg *string, reply *VolInfo) error {
// DeleteVolHandler - delete vol handler is a rpc wrapper for // DeleteVolHandler - delete vol handler is a rpc wrapper for
// DeleteVol operation. // DeleteVol operation.
func (s *storageServer) DeleteVolHandler(arg *string, reply *GenericReply) error { func (s *storageServer) DeleteVolHandler(args *GenericVolArgs, reply *GenericReply) error {
return s.storage.DeleteVol(*arg) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.DeleteVol(args.Vol)
} }
/// File operations /// File operations
// StatFileHandler - stat file handler is rpc wrapper to stat file. // StatFileHandler - stat file handler is rpc wrapper to stat file.
func (s *storageServer) StatFileHandler(arg *StatFileArgs, reply *FileInfo) error { func (s *storageServer) StatFileHandler(args *StatFileArgs, reply *FileInfo) error {
fileInfo, err := s.storage.StatFile(arg.Vol, arg.Path) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
fileInfo, err := s.storage.StatFile(args.Vol, args.Path)
if err != nil { if err != nil {
return err return err
} }
@ -77,8 +136,11 @@ func (s *storageServer) StatFileHandler(arg *StatFileArgs, reply *FileInfo) erro
} }
// ListDirHandler - list directory handler is rpc wrapper to list dir. // ListDirHandler - list directory handler is rpc wrapper to list dir.
func (s *storageServer) ListDirHandler(arg *ListDirArgs, reply *[]string) error { func (s *storageServer) ListDirHandler(args *ListDirArgs, reply *[]string) error {
entries, err := s.storage.ListDir(arg.Vol, arg.Path) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
entries, err := s.storage.ListDir(args.Vol, args.Path)
if err != nil { if err != nil {
return err return err
} }
@ -87,8 +149,11 @@ func (s *storageServer) ListDirHandler(arg *ListDirArgs, reply *[]string) error
} }
// ReadAllHandler - read all handler is rpc wrapper to read all storage API. // ReadAllHandler - read all handler is rpc wrapper to read all storage API.
func (s *storageServer) ReadAllHandler(arg *ReadFileArgs, reply *[]byte) error { func (s *storageServer) ReadAllHandler(args *ReadFileArgs, reply *[]byte) error {
buf, err := s.storage.ReadAll(arg.Vol, arg.Path) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
buf, err := s.storage.ReadAll(args.Vol, args.Path)
if err != nil { if err != nil {
return err return err
} }
@ -97,8 +162,11 @@ func (s *storageServer) ReadAllHandler(arg *ReadFileArgs, reply *[]byte) error {
} }
// ReadFileHandler - read file handler is rpc wrapper to read file. // ReadFileHandler - read file handler is rpc wrapper to read file.
func (s *storageServer) ReadFileHandler(arg *ReadFileArgs, reply *int64) error { func (s *storageServer) ReadFileHandler(args *ReadFileArgs, reply *int64) error {
n, err := s.storage.ReadFile(arg.Vol, arg.Path, arg.Offset, arg.Buffer) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
n, err := s.storage.ReadFile(args.Vol, args.Path, args.Offset, args.Buffer)
if err != nil { if err != nil {
return err return err
} }
@ -107,18 +175,27 @@ func (s *storageServer) ReadFileHandler(arg *ReadFileArgs, reply *int64) error {
} }
// AppendFileHandler - append file handler is rpc wrapper to append file. // AppendFileHandler - append file handler is rpc wrapper to append file.
func (s *storageServer) AppendFileHandler(arg *AppendFileArgs, reply *GenericReply) error { func (s *storageServer) AppendFileHandler(args *AppendFileArgs, reply *GenericReply) error {
return s.storage.AppendFile(arg.Vol, arg.Path, arg.Buffer) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.AppendFile(args.Vol, args.Path, args.Buffer)
} }
// DeleteFileHandler - delete file handler is rpc wrapper to delete file. // DeleteFileHandler - delete file handler is rpc wrapper to delete file.
func (s *storageServer) DeleteFileHandler(arg *DeleteFileArgs, reply *GenericReply) error { func (s *storageServer) DeleteFileHandler(args *DeleteFileArgs, reply *GenericReply) error {
return s.storage.DeleteFile(arg.Vol, arg.Path) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.DeleteFile(args.Vol, args.Path)
} }
// RenameFileHandler - rename file handler is rpc wrapper to rename file. // RenameFileHandler - rename file handler is rpc wrapper to rename file.
func (s *storageServer) RenameFileHandler(arg *RenameFileArgs, reply *GenericReply) error { func (s *storageServer) RenameFileHandler(args *RenameFileArgs, reply *GenericReply) error {
return s.storage.RenameFile(arg.SrcVol, arg.SrcPath, arg.DstVol, arg.DstPath) if !isRPCTokenValid(args.Token) {
return errors.New("Invalid token")
}
return s.storage.RenameFile(args.SrcVol, args.SrcPath, args.DstVol, args.DstPath)
} }
// Initialize new storage rpc. // Initialize new storage rpc.

@ -41,7 +41,7 @@ import (
// isJWTReqAuthenticated validates if any incoming request to be a // isJWTReqAuthenticated validates if any incoming request to be a
// valid JWT authenticated request. // valid JWT authenticated request.
func isJWTReqAuthenticated(req *http.Request) bool { func isJWTReqAuthenticated(req *http.Request) bool {
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil { if err != nil {
errorIf(err, "unable to initialize a new JWT") errorIf(err, "unable to initialize a new JWT")
return false return false
@ -289,9 +289,14 @@ type LoginRep struct {
UIVersion string `json:"uiVersion"` UIVersion string `json:"uiVersion"`
} }
// Default JWT for minio browser expires in 24hrs.
const (
defaultWebTokenExpiry time.Duration = time.Hour * 24 // 24Hrs.
)
// Login - user login handler. // Login - user login handler.
func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error { func (web *webAPIHandlers) Login(r *http.Request, args *LoginArgs, reply *LoginRep) error {
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry)
if err != nil { if err != nil {
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
@ -356,7 +361,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry) // JWT Expiry set to 24Hrs.
if err != nil { if err != nil {
return &json2.Error{Message: err.Error()} return &json2.Error{Message: err.Error()}
} }
@ -442,7 +447,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
object := vars["object"] object := vars["object"]
tokenStr := r.URL.Query().Get("token") tokenStr := r.URL.Query().Get("token")
jwt, err := newJWT() jwt, err := newJWT(defaultWebTokenExpiry) // Expiry set to 24Hrs.
if err != nil { if err != nil {
errorIf(err, "error in getting new JWT") errorIf(err, "error in getting new JWT")
return return

Loading…
Cancel
Save