jwt: Deprecate RSA usage, use HMAC instead.

HMAC is a much simpler implementation, providing the same
benefits as RSA, avoids additional steps and keeps the code
simpler.

This patch also additionally

- Implements PutObjectURL API.
- GetObjectURL and PutObjectURL take TargetHost as an additional
  argument for generating URLs for the proper target destination.
- Adds experimental TLS support for JSON RPC calls.
Harshavardhana 9 years ago
parent 0c96ace8ad
commit db387912f2
  1. 39
      Browser.md
  2. 61
      JWT.md
  3. 8
      jwt-auth-handler.go
  4. 71
      jwt.go
  5. 4
      pkg/fs/fs-multipart.go
  6. 29
      routers.go
  7. 64
      web-config.go
  8. 10
      web-definitions.go
  9. 79
      web-handlers.go

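--- a/Browser.md
+++ b/Browser.md
@@ -0,0 +1,39 @@
+## Minio Browser
+Minio Browser uses Json Web Tokens to authenticate JSON RPC requests.
+Initial request generates a token for 'AccessKey' and 'SecretKey'
+provided by the user.
+<blockquote>
+Currently these tokens expire after 10hrs, this is not configurable yet.
+</blockquote>
+### Start minio server
+```
+minio server <testdir>
+```
+### JSON RPC APIs.
+JSON RPC namespace is `Web`.
+#### Auth Operations
+* Login - waits for 'username, password' and on success replies a new Json Web Token (JWT).
+* ResetToken - resets token, requires password and token.
+* Logout - currently a dummy operation.
+#### Bucket/Object Operations.
+* ListBuckets - lists buckets, requires a valid token.
+* ListObjects - lists objects, requires a valid token.
+* MakeBucket - make a new bucket, requires a valid token.
+* GetObjectURL - generates a URL for download access, requires a valid token.
+(generated URL is valid for 1hr)
+* PutObjectURL - generates a URL for upload access, requies a valid token.
+(generated URL is valid for 1hr)
+#### Server Operations.
+* DiskInfo - get backend disk statistics.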

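--- a/JWT.md
+++ b/JWT.md
@@ -1,61 +0,0 @@
-### Generate RSA keys for JWT
-```
-mkdir -p ~/.minio/web
-```
-```
-openssl genrsa -out ~/.minio/web/private.key 2048
-```
-```
-openssl rsa -in ~/.minio/web/private.key -outform PEM -pubout -out ~/.minio/web/public.key
-```
-### Start minio server
-```
-minio server <testdir>
-```
-### Implemented JSON RPC APIs.
-Namespace `Web`
-* Login - waits for 'username, password' and on success replies a new JWT token.
-* ResetToken - resets token, requires password and token.
-* Logout - currently a dummy operation.
-* ListBuckets - lists buckets, requires valid token.
-* ListObjects - lists objects, requires valid token.
-* GetObjectURL - generates a url for download access, requires valid token.
-### Now you can use `webrpc.js` to make requests.
-- Login example
-```js
-var webRPC = require('webrpc');
-var web = new webRPC("http://localhost:9001/rpc")
-// Generate JWT Token.
-web.Login({"username": "YOUR-ACCESS-KEY-ID", "password": "YOUR-SECRET-ACCESS-KEY"})
-.then(function(data) {
-console.log("success : ", data);
-})
-.catch(function(error) {
-console.log("fail : ", error.toString());
-});
-```
-- ListBuckets example
-```js
-var webRPC = require('webrpc');
-var web = new webRPC("http://localhost:9001/rpc", "my-token")
-// Generate Token.
-web.ListBuckets()
-.then(function(data) {
-console.log("Success : ", data);
-})
-.catch(function(error) {
-console.log("fail : ", error.toString());
-});
-```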

@ -43,13 +43,13 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
// Validate Authorization header to be valid. // Validate Authorization header to be valid.
jwt := InitJWT() jwt := InitJWT()
token, err := jwtgo.ParseFromRequest(r, func(token *jwtgo.Token) (interface{}, error) { token, e := jwtgo.ParseFromRequest(r, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} }
return jwt.PublicKey, nil return jwt.secretAccessKey, nil
}) })
if err != nil || !token.Valid { if e != nil || !token.Valid {
w.WriteHeader(http.StatusUnauthorized) w.WriteHeader(http.StatusUnauthorized)
return return
} }
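Review bot: `jwt := InitJWT()` now runs on every request that reaches this handler, and InitJWT (jwt.go in this commit) re-reads the configuration and calls fatalIf when that fails, so a transiently unreadable config file appears to take the whole process down from a request path instead of producing a 401/500; build the *JWT once when authHandler is constructed and keep it on the struct. The key-function closure here is repeated verbatim in isAuthenticated in web-handlers.go; a single `func (jwt *JWT) parseRequest(r *http.Request) (*jwtgo.Token, error)` on JWT would keep the HMAC-method check in one place for both callers. Since the raw secret access key is now the HMAC key, rotating the credentials invalidates every outstanding token, which is worth a comment on the secretAccessKey field. ServeHTTP begins and ends outside this hunk.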

@ -17,11 +17,7 @@
package main package main
import ( import (
"crypto/rsa" "bytes"
"crypto/x509"
"encoding/pem"
"errors"
"io/ioutil"
"time" "time"
jwtgo "github.com/dgrijalva/jwt-go" jwtgo "github.com/dgrijalva/jwt-go"
@ -31,72 +27,47 @@ import (
// JWT - jwt auth backend // JWT - jwt auth backend
type JWT struct { type JWT struct {
// Public value. accessKeyID []byte
PublicKey *rsa.PublicKey secretAccessKey []byte
// private values.
privateKey *rsa.PrivateKey
accessKeyID string
secretAccessKey string
} }
// Default - each token expires in 10hrs.
const ( const (
jwtExpirationDelta = 10 tokenExpires time.Duration = 10
) )
// InitJWT - initialize. // InitJWT - initialize.
func InitJWT() *JWT { func InitJWT() *JWT {
jwt := &JWT{ jwt := &JWT{}
privateKey: getPrivateKey(), // Load credentials.
}
// Validate if public key is of algorithm *rsa.PublicKey.
var ok bool
jwt.PublicKey, ok = jwt.privateKey.Public().(*rsa.PublicKey)
if !ok {
fatalIf(probe.NewError(errors.New("")), "Unsupported type of public key algorithm found.", nil)
}
// Load credentials configuration.
config, err := loadConfigV2() config, err := loadConfigV2()
fatalIf(err.Trace("JWT"), "Unable to load configuration file.", nil) fatalIf(err.Trace("JWT"), "Unable to load configuration file.", nil)
// Save access, secret keys. // Save access, secret keys.
jwt.accessKeyID = config.Credentials.AccessKeyID jwt.accessKeyID = []byte(config.Credentials.AccessKeyID)
jwt.secretAccessKey = config.Credentials.SecretAccessKey jwt.secretAccessKey = []byte(config.Credentials.SecretAccessKey)
return jwt return jwt
} }
// GenerateToken - generates a new Json Web Token based on the incoming user id. // GenerateToken - generates a new Json Web Token based on the incoming user id.
func (b *JWT) GenerateToken(userName string) (string, error) { func (jwt *JWT) GenerateToken(userName string) (string, *probe.Error) {
token := jwtgo.New(jwtgo.SigningMethodRS512) token := jwtgo.New(jwtgo.SigningMethodHS512)
// Token expires in 10hrs. // Token expires in 10hrs.
token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(jwtExpirationDelta)).Unix() token.Claims["exp"] = time.Now().Add(time.Hour * tokenExpires).Unix()
token.Claims["iat"] = time.Now().Unix() token.Claims["iat"] = time.Now().Unix()
token.Claims["sub"] = userName token.Claims["sub"] = userName
tokenString, err := token.SignedString(b.privateKey) tokenString, e := token.SignedString(jwt.secretAccessKey)
if err != nil { if e != nil {
return "", err return "", probe.NewError(e)
} }
return tokenString, nil return tokenString, nil
} }
// Authenticate - authenticates the username and password. // Authenticate - authenticates incoming username and password.
func (b *JWT) Authenticate(username, password string) bool { func (jwt *JWT) Authenticate(userName, password string) bool {
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(b.secretAccessKey), 10) if !bytes.Equal([]byte(userName), jwt.accessKeyID) {
if username == b.accessKeyID { return false
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(password)) == nil
}
return false
}
// getPrivateKey - get the generated private key.
func getPrivateKey() *rsa.PrivateKey {
pemBytes, err := ioutil.ReadFile(mustGetPrivateKeyPath())
if err != nil {
panic(err)
}
data, _ := pem.Decode([]byte(pemBytes))
privateKeyImported, err := x509.ParsePKCS1PrivateKey(data.Bytes)
if err != nil {
panic(err)
} }
return privateKeyImported hashedPassword, _ := bcrypt.GenerateFromPassword(jwt.secretAccessKey, bcrypt.DefaultCost)
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(password)) == nil
} }
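Review bot: Authenticate still bcrypt-hashes the stored secret on every call only to compare the password against that hash a line later; with the plaintext secret already in hand the hash buys no protection, it costs a full bcrypt round per attempt on an unauthenticated RPC, and the error from GenerateFromPassword is discarded with `_`. A constant-time comparison against the stored bytes is the whole check: `if subtle.ConstantTimeCompare([]byte(userName), jwt.accessKeyID) != 1 { return false }` followed by `return subtle.ConstantTimeCompare([]byte(password), jwt.secretAccessKey) == 1` (import crypto/subtle; bcrypt and bytes are then unused in this file). Separately, `tokenExpires time.Duration = 10` is a bare count of hours typed as a Duration; `tokenExpires = 10 * time.Hour` with `time.Now().Add(tokenExpires)` in GenerateToken says the same thing without the multiplication at the use site.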

@ -162,7 +162,7 @@ func (fs Filesystem) NewMultipartUpload(bucket, object string) (string, *probe.E
bucket = fs.denormalizeBucket(bucket) bucket = fs.denormalizeBucket(bucket)
bucketPath := filepath.Join(fs.path, bucket) bucketPath := filepath.Join(fs.path, bucket)
if _, e := os.Stat(bucketPath); e != nil { if _, e = os.Stat(bucketPath); e != nil {
// check bucket exists // check bucket exists
if os.IsNotExist(e) { if os.IsNotExist(e) {
return "", probe.NewError(BucketNotFound{Bucket: bucket}) return "", probe.NewError(BucketNotFound{Bucket: bucket})
@ -172,7 +172,7 @@ func (fs Filesystem) NewMultipartUpload(bucket, object string) (string, *probe.E
objectPath := filepath.Join(bucketPath, object) objectPath := filepath.Join(bucketPath, object)
objectDir := filepath.Dir(objectPath) objectDir := filepath.Dir(objectPath)
if _, e := os.Stat(objectDir); e != nil { if _, e = os.Stat(objectDir); e != nil {
if !os.IsNotExist(e) { if !os.IsNotExist(e) {
return "", probe.NewError(e) return "", probe.NewError(e)
} }

@ -46,12 +46,20 @@ type WebAPI struct {
AccessLog bool AccessLog bool
// Minio client instance. // Minio client instance.
Client minio.CloudStorageClient Client minio.CloudStorageClient
// private params.
inSecure bool // Enabled if TLS is false.
apiAddress string // api destination address.
// accessKeys kept to be used internally.
accessKeyID string
secretAccessKey string
} }
func getWebAPIHandler(web *WebAPI) http.Handler { func getWebAPIHandler(web *WebAPI) http.Handler {
var mwHandlers = []MiddlewareHandler{ var mwHandlers = []MiddlewareHandler{
TimeValidityHandler, // Validate time. TimeValidityHandler, // Validate time.
CorsHandler, // CORS added only for testing purposes. CorsHandler, // CORS added only for testing purposes.
AuthHandler, // Authentication handler for verifying tokens.
} }
if web.AccessLog { if web.AccessLog {
mwHandlers = append(mwHandlers, AccessLogHandler) mwHandlers = append(mwHandlers, AccessLogHandler)
@ -106,20 +114,27 @@ func registerCloudStorageAPI(mux *router.Router, a CloudStorageAPI) {
// getNewWebAPI instantiate a new WebAPI. // getNewWebAPI instantiate a new WebAPI.
func getNewWebAPI(conf cloudServerConfig) *WebAPI { func getNewWebAPI(conf cloudServerConfig) *WebAPI {
// Split host port. // Split host port.
_, port, e := net.SplitHostPort(conf.Address) host, port, e := net.SplitHostPort(conf.Address)
fatalIf(probe.NewError(e), "Unable to parse web addess.", nil) fatalIf(probe.NewError(e), "Unable to parse web addess.", nil)
// Default host to 'localhost'. // Default host is 'localhost', if no host present.
host := "localhost" if host == "" {
host = "localhost"
}
// Initialize minio client for AWS Signature Version '4' // Initialize minio client for AWS Signature Version '4'
client, e := minio.NewV4(net.JoinHostPort(host, port), conf.AccessKeyID, conf.SecretAccessKey, true) inSecure := !conf.TLS // Insecure true when TLS is false.
client, e := minio.NewV4(net.JoinHostPort(host, port), conf.AccessKeyID, conf.SecretAccessKey, inSecure)
fatalIf(probe.NewError(e), "Unable to initialize minio client", nil) fatalIf(probe.NewError(e), "Unable to initialize minio client", nil)
web := &WebAPI{ web := &WebAPI{
FSPath: conf.Path, FSPath: conf.Path,
AccessLog: conf.AccessLog, AccessLog: conf.AccessLog,
Client: client, Client: client,
inSecure: inSecure,
apiAddress: conf.Address,
accessKeyID: conf.AccessKeyID,
secretAccessKey: conf.SecretAccessKey,
} }
return web return web
} }
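Review bot: getNewWebAPI now dials the minio client at the configured host instead of always `localhost`, but only the empty host is mapped back; a wildcard bind address such as `0.0.0.0` or `[::]` would be used verbatim as the client endpoint, which is not a dialable address on every platform — consider treating unspecified addresses like the empty host, e.g. `if ip := net.ParseIP(host); host == "" || (ip != nil && ip.IsUnspecified()) { host = "localhost" }`. The new accessKeyID/secretAccessKey fields duplicate what Client was already built from; from web-handlers.go they exist so GetObjectURL/PutObjectURL can build a client for a caller-supplied target host, and the field comment should say so: `// Raw credentials, kept so presigned-URL handlers can build a client for a caller-supplied target host.`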

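--- a/web-config.go
+++ b/web-config.go
@@ -1,64 +0,0 @@
-/*
-* Minio Cloud Storage, (C) 2016 Minio, Inc.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package main
-import (
-"os"
-"path/filepath"
-"github.com/minio/minio-xl/pkg/probe"
-"github.com/minio/minio/pkg/user"
-)
-var customWebConfigDir = ""
-// getWebConfigDir get web config dir.
-func getWebConfigDir() (string, *probe.Error) {
-if customWebConfigDir != "" {
-return customWebConfigDir, nil
-}
-homeDir, e := user.HomeDir()
-if e != nil {
-return "", probe.NewError(e)
-}
-webConfigDir := filepath.Join(homeDir, ".minio", "web")
-return webConfigDir, nil
-}
-func mustGetWebConfigDir() string {
-webConfigDir, err := getWebConfigDir()
-fatalIf(err.Trace(), "Unable to get config path.", nil)
-return webConfigDir
-}
-// createWebConfigDir create users config path
-func createWebConfigDir() *probe.Error {
-webConfigDir, err := getWebConfigDir()
-if err != nil {
-return err.Trace()
-}
-if err := os.MkdirAll(webConfigDir, 0700); err != nil {
-return probe.NewError(err)
-}
-return nil
-}
-func mustGetPrivateKeyPath() string {
-webConfigDir, err := getWebConfigDir()
-fatalIf(err.Trace(), "Unable to get config path.", nil)
-return webConfigDir + "/private.key"
-}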

@ -53,8 +53,16 @@ type ObjectInfo struct {
Size int64 `json:"size"` Size int64 `json:"size"`
} }
// GetObjectURLArgs - get object url. // PutObjectURLArgs - args to generate url for upload access.
type PutObjectURLArgs struct {
TargetHost string `json:"targetHost"`
BucketName string `json:"bucketName"`
ObjectName string `json:"objectName"`
}
// GetObjectURLArgs - args to generate url for download access.
type GetObjectURLArgs struct { type GetObjectURLArgs struct {
TargetHost string `json:"targetHost"`
BucketName string `json:"bucketName"` BucketName string `json:"bucketName"`
ObjectName string `json:"objectName"` ObjectName string `json:"objectName"`
} }
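Review bot: TargetHost is added to both argument structs without saying what form it takes; from getTargetHost in web-handlers.go it is optional (the `targetHost != ""` check) and, when given, must be `host:port` since it goes through net.SplitHostPort, with only the host part used and the port taken from the server address. A field comment on each struct, `// Optional "host:port" the generated URL should point at; only the host part is used.`, would save RPC callers a trip through the handler to learn that.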

@ -18,10 +18,13 @@ package main
import ( import (
"fmt" "fmt"
"net"
"net/http" "net/http"
"time" "time"
jwtgo "github.com/dgrijalva/jwt-go" jwtgo "github.com/dgrijalva/jwt-go"
"github.com/minio/minio-go"
"github.com/minio/minio-xl/pkg/probe"
"github.com/minio/minio/pkg/disk" "github.com/minio/minio/pkg/disk"
) )
@ -29,13 +32,13 @@ import (
// authenticated request. // authenticated request.
func isAuthenticated(req *http.Request) bool { func isAuthenticated(req *http.Request) bool {
jwt := InitJWT() jwt := InitJWT()
tokenRequest, err := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) { tokenRequest, e := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} }
return jwt.PublicKey, nil return jwt.secretAccessKey, nil
}) })
if err != nil { if e != nil {
return false return false
} }
return tokenRequest.Valid return tokenRequest.Valid
@ -46,9 +49,9 @@ func (web *WebAPI) DiskInfo(r *http.Request, args *DiskInfoArgs, reply *disk.Inf
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
info, err := disk.GetInfo(web.FSPath) info, e := disk.GetInfo(web.FSPath)
if err != nil { if e != nil {
return err return e
} }
*reply = info *reply = info
return nil return nil
@ -67,9 +70,9 @@ func (web *WebAPI) ListBuckets(r *http.Request, args *ListBucketsArgs, reply *[]
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
buckets, err := web.Client.ListBuckets() buckets, e := web.Client.ListBuckets()
if err != nil { if e != nil {
return err return e
} }
for _, bucket := range buckets { for _, bucket := range buckets {
*reply = append(*reply, BucketInfo{ *reply = append(*reply, BucketInfo{
@ -101,16 +104,60 @@ func (web *WebAPI) ListObjects(r *http.Request, args *ListObjectsArgs, reply *[]
return nil return nil
} }
// GetObjectURL - get object url. func getTargetHost(apiAddress, targetHost string) (string, *probe.Error) {
if targetHost != "" {
_, port, e := net.SplitHostPort(apiAddress)
if e != nil {
return "", probe.NewError(e)
}
host, _, e := net.SplitHostPort(targetHost)
if e != nil {
return "", probe.NewError(e)
}
targetHost = net.JoinHostPort(host, port)
}
return targetHost, nil
}
// PutObjectURL - generates url for upload access.
func (web *WebAPI) PutObjectURL(r *http.Request, args *PutObjectURLArgs, reply *string) error {
if !isAuthenticated(r) {
return errUnAuthorizedRequest
}
targetHost, err := getTargetHost(web.apiAddress, args.TargetHost)
if err != nil {
return probe.WrapError(err)
}
client, e := minio.NewV4(targetHost, web.accessKeyID, web.secretAccessKey, web.inSecure)
if e != nil {
return e
}
signedURLStr, e := client.PresignedPutObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second)
if e != nil {
return e
}
*reply = signedURLStr
return nil
}
// GetObjectURL - generates url for download access.
func (web *WebAPI) GetObjectURL(r *http.Request, args *GetObjectURLArgs, reply *string) error { func (web *WebAPI) GetObjectURL(r *http.Request, args *GetObjectURLArgs, reply *string) error {
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
urlStr, err := web.Client.PresignedGetObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second) targetHost, err := getTargetHost(web.apiAddress, args.TargetHost)
if err != nil { if err != nil {
return err return probe.WrapError(err)
}
client, e := minio.NewV4(targetHost, web.accessKeyID, web.secretAccessKey, web.inSecure)
if e != nil {
return e
}
signedURLStr, e := client.PresignedGetObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second)
if e != nil {
return e
} }
*reply = urlStr *reply = signedURLStr
return nil return nil
} }
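Review bot: getTargetHost returns the empty string when args.TargetHost is empty, so both PutObjectURL and GetObjectURL then call `minio.NewV4("", ...)` with no endpoint instead of falling back to the server's own address the way the old `web.Client` did; since the port is always taken from apiAddress, the fallback should reuse apiAddress's host, defaulting to localhost as getNewWebAPI does. net.SplitHostPort also rejects a target without a port, so a bare hostname in TargetHost comes back as an error — if that is intended it deserves a line in Browser.md. The literal `time.Duration(60*60)*time.Second` appears twice and is simply `time.Hour`.
```go
func getTargetHost(apiAddress, targetHost string) (string, *probe.Error) {
	// The port is always the server's own; only the host may be overridden.
	host, port, e := net.SplitHostPort(apiAddress)
	if e != nil {
		return "", probe.NewError(e)
	}
	if targetHost != "" {
		if host, _, e = net.SplitHostPort(targetHost); e != nil {
			return "", probe.NewError(e)
		}
	}
	if host == "" {
		host = "localhost" // same default as getNewWebAPI
	}
	return net.JoinHostPort(host, port), nil
}
```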
@ -120,7 +167,7 @@ func (web *WebAPI) Login(r *http.Request, args *LoginArgs, reply *AuthToken) err
if jwt.Authenticate(args.Username, args.Password) { if jwt.Authenticate(args.Username, args.Password) {
token, err := jwt.GenerateToken(args.Username) token, err := jwt.GenerateToken(args.Username)
if err != nil { if err != nil {
return err return probe.WrapError(err.Trace())
} }
reply.Token = token reply.Token = token
return nil return nil
@ -134,7 +181,7 @@ func (web *WebAPI) RefreshToken(r *http.Request, args *LoginArgs, reply *AuthTok
jwt := InitJWT() jwt := InitJWT()
token, err := jwt.GenerateToken(args.Username) token, err := jwt.GenerateToken(args.Username)
if err != nil { if err != nil {
return err return probe.WrapError(err.Trace())
} }
reply.Token = token reply.Token = token
return nil return nil
