oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

jwt: Deprecate RSA usage, use HMAC instead.

Browse Source 
HMAC is a much simpler implementation, providing the same
benefits as RSA, avoids additional steps and keeps the code
simpler.

This patch also additionally

- Implements PutObjectURL API.
- GetObjectURL, PutObjectURL take TargetHost as another
  argument for generating URL's for proper target destination.
- Adds experimental TLS support for JSON RPC calls.
master
Harshavardhana 9 years ago
parent 0c96ace8ad
commit db387912f2
9 changed files with 160 additions and 205 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 39
      Browser.md
  2. 61
      JWT.md
  3. 8
      jwt-auth-handler.go
  4. 71
      jwt.go
  5. 4
      pkg/fs/fs-multipart.go
  6. 29
      routers.go
  7. 64
      web-config.go
  8. 10
      web-definitions.go
  9. 79
      web-handlers.go

39
Browser.md
Unescape View File

@ -0,0 +1,39 @@
## Minio Browser
Minio Browser uses Json Web Tokens to authenticate JSON RPC requests.
Initial request generates a token for 'AccessKey' and 'SecretKey'
provided by the user.
<blockquote>
Currently these tokens expire after 10hrs, this is not configurable yet.
</blockquote>
### Start minio server
```
minio server <testdir>
```
### JSON RPC APIs.
JSON RPC namespace is `Web`.
#### Auth Operations
* Login - waits for 'username, password' and on success replies a new Json Web Token (JWT).
* ResetToken - resets token, requires password and token.
* Logout - currently a dummy operation.
#### Bucket/Object Operations.
* ListBuckets - lists buckets, requires a valid token.
* ListObjects - lists objects, requires a valid token.
* MakeBucket - make a new bucket, requires a valid token.
* GetObjectURL - generates a URL for download access, requires a valid token.
(generated URL is valid for 1hr)
* PutObjectURL - generates a URL for upload access, requies a valid token.
(generated URL is valid for 1hr)
#### Server Operations.
* DiskInfo - get backend disk statistics.

61
JWT.md
Unescape View File

@ -1,61 +0,0 @@
### Generate RSA keys for JWT
```
mkdir -p ~/.minio/web
```
```
openssl genrsa -out ~/.minio/web/private.key 2048
```
```
openssl rsa -in ~/.minio/web/private.key -outform PEM -pubout -out ~/.minio/web/public.key
```
### Start minio server
```
minio server <testdir>
```
### Implemented JSON RPC APIs.
Namespace `Web`
* Login - waits for 'username, password' and on success replies a new JWT token.
* ResetToken - resets token, requires password and token.
* Logout - currently a dummy operation.
* ListBuckets - lists buckets, requires valid token.
* ListObjects - lists objects, requires valid token.
* GetObjectURL - generates a url for download access, requires valid token.
### Now you can use `webrpc.js` to make requests.
- Login example
```js
var webRPC = require('webrpc');
var web = new webRPC("http://localhost:9001/rpc")
// Generate JWT Token.
web.Login({"username": "YOUR-ACCESS-KEY-ID", "password": "YOUR-SECRET-ACCESS-KEY"})
.then(function(data) {
console.log("success : ", data);
})
.catch(function(error) {
console.log("fail : ", error.toString());
});
```
- ListBuckets example
```js
var webRPC = require('webrpc');
var web = new webRPC("http://localhost:9001/rpc", "my-token")
// Generate Token.
web.ListBuckets()
.then(function(data) {
console.log("Success : ", data);
})
.catch(function(error) {
console.log("fail : ", error.toString());
});
```

8
jwt-auth-handler.go
Unescape View File

@ -43,13 +43,13 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
// Validate Authorization header to be valid. // Validate Authorization header to be valid.
jwt := InitJWT() jwt := InitJWT()
token, err := jwtgo.ParseFromRequest(r, func(token *jwtgo.Token) (interface{}, error) { token, e := jwtgo.ParseFromRequest(r, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} }
return jwt.PublicKey, nil return jwt.secretAccessKey, nil
}) })
if err != nil || !token.Valid { if e != nil || !token.Valid {
w.WriteHeader(http.StatusUnauthorized) w.WriteHeader(http.StatusUnauthorized)
return return
} }

71
jwt.go
Unescape View File

@ -17,11 +17,7 @@
package main package main
import ( import (
"crypto/rsa" "bytes"
"crypto/x509"
"encoding/pem"
"errors"
"io/ioutil"
"time" "time"
jwtgo "github.com/dgrijalva/jwt-go" jwtgo "github.com/dgrijalva/jwt-go"
@ -31,72 +27,47 @@ import (
// JWT - jwt auth backend // JWT - jwt auth backend
type JWT struct { type JWT struct {
// Public value. accessKeyID []byte
PublicKey *rsa.PublicKey secretAccessKey []byte
// private values.
privateKey *rsa.PrivateKey
accessKeyID string
secretAccessKey string
} }
// Default - each token expires in 10hrs.
const ( const (
jwtExpirationDelta = 10 tokenExpires time.Duration = 10
) )
// InitJWT - initialize. // InitJWT - initialize.
func InitJWT() *JWT { func InitJWT() *JWT {
jwt := &JWT{ jwt := &JWT{}
privateKey: getPrivateKey(), // Load credentials.
}
// Validate if public key is of algorithm *rsa.PublicKey.
var ok bool
jwt.PublicKey, ok = jwt.privateKey.Public().(*rsa.PublicKey)
if !ok {
fatalIf(probe.NewError(errors.New("")), "Unsupported type of public key algorithm found.", nil)
}
// Load credentials configuration.
config, err := loadConfigV2() config, err := loadConfigV2()
fatalIf(err.Trace("JWT"), "Unable to load configuration file.", nil) fatalIf(err.Trace("JWT"), "Unable to load configuration file.", nil)
// Save access, secret keys. // Save access, secret keys.
jwt.accessKeyID = config.Credentials.AccessKeyID jwt.accessKeyID = []byte(config.Credentials.AccessKeyID)
jwt.secretAccessKey = config.Credentials.SecretAccessKey jwt.secretAccessKey = []byte(config.Credentials.SecretAccessKey)
return jwt return jwt
} }
// GenerateToken - generates a new Json Web Token based on the incoming user id. // GenerateToken - generates a new Json Web Token based on the incoming user id.
func (b *JWT) GenerateToken(userName string) (string, error) { func (jwt *JWT) GenerateToken(userName string) (string, *probe.Error) {
token := jwtgo.New(jwtgo.SigningMethodRS512) token := jwtgo.New(jwtgo.SigningMethodHS512)
// Token expires in 10hrs. // Token expires in 10hrs.
token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(jwtExpirationDelta)).Unix() token.Claims["exp"] = time.Now().Add(time.Hour * tokenExpires).Unix()
token.Claims["iat"] = time.Now().Unix() token.Claims["iat"] = time.Now().Unix()
token.Claims["sub"] = userName token.Claims["sub"] = userName
tokenString, err := token.SignedString(b.privateKey) tokenString, e := token.SignedString(jwt.secretAccessKey)
if err != nil { if e != nil {
return "", err return "", probe.NewError(e)
} }
return tokenString, nil return tokenString, nil
} }
// Authenticate - authenticates the username and password. // Authenticate - authenticates incoming username and password.
func (b *JWT) Authenticate(username, password string) bool { func (jwt *JWT) Authenticate(userName, password string) bool {
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(b.secretAccessKey), 10) if !bytes.Equal([]byte(userName), jwt.accessKeyID) {
if username == b.accessKeyID { return false
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(password)) == nil
}
return false
}
// getPrivateKey - get the generated private key.
func getPrivateKey() *rsa.PrivateKey {
pemBytes, err := ioutil.ReadFile(mustGetPrivateKeyPath())
if err != nil {
panic(err)
}
data, _ := pem.Decode([]byte(pemBytes))
privateKeyImported, err := x509.ParsePKCS1PrivateKey(data.Bytes)
if err != nil {
panic(err)
} }
return privateKeyImported hashedPassword, _ := bcrypt.GenerateFromPassword(jwt.secretAccessKey, bcrypt.DefaultCost)
return bcrypt.CompareHashAndPassword(hashedPassword, []byte(password)) == nil
} }

4
pkg/fs/fs-multipart.go
Unescape View File

@ -162,7 +162,7 @@ func (fs Filesystem) NewMultipartUpload(bucket, object string) (string, *probe.E
bucket = fs.denormalizeBucket(bucket) bucket = fs.denormalizeBucket(bucket)
bucketPath := filepath.Join(fs.path, bucket) bucketPath := filepath.Join(fs.path, bucket)
if _, e := os.Stat(bucketPath); e != nil { if _, e = os.Stat(bucketPath); e != nil {
// check bucket exists // check bucket exists
if os.IsNotExist(e) { if os.IsNotExist(e) {
return "", probe.NewError(BucketNotFound{Bucket: bucket}) return "", probe.NewError(BucketNotFound{Bucket: bucket})
@ -172,7 +172,7 @@ func (fs Filesystem) NewMultipartUpload(bucket, object string) (string, *probe.E
objectPath := filepath.Join(bucketPath, object) objectPath := filepath.Join(bucketPath, object)
objectDir := filepath.Dir(objectPath) objectDir := filepath.Dir(objectPath)
if _, e := os.Stat(objectDir); e != nil { if _, e = os.Stat(objectDir); e != nil {
if !os.IsNotExist(e) { if !os.IsNotExist(e) {
return "", probe.NewError(e) return "", probe.NewError(e)
} }

29
routers.go
Unescape View File

@ -46,12 +46,20 @@ type WebAPI struct {
AccessLog bool AccessLog bool
// Minio client instance. // Minio client instance.
Client minio.CloudStorageClient Client minio.CloudStorageClient
// private params.
inSecure bool // Enabled if TLS is false.
apiAddress string // api destination address.
// accessKeys kept to be used internally.
accessKeyID string
secretAccessKey string
} }
func getWebAPIHandler(web *WebAPI) http.Handler { func getWebAPIHandler(web *WebAPI) http.Handler {
var mwHandlers = []MiddlewareHandler{ var mwHandlers = []MiddlewareHandler{
TimeValidityHandler, // Validate time. TimeValidityHandler, // Validate time.
CorsHandler, // CORS added only for testing purposes. CorsHandler, // CORS added only for testing purposes.
AuthHandler, // Authentication handler for verifying tokens.
} }
if web.AccessLog { if web.AccessLog {
mwHandlers = append(mwHandlers, AccessLogHandler) mwHandlers = append(mwHandlers, AccessLogHandler)
@ -106,20 +114,27 @@ func registerCloudStorageAPI(mux *router.Router, a CloudStorageAPI) {
// getNewWebAPI instantiate a new WebAPI. // getNewWebAPI instantiate a new WebAPI.
func getNewWebAPI(conf cloudServerConfig) *WebAPI { func getNewWebAPI(conf cloudServerConfig) *WebAPI {
// Split host port. // Split host port.
_, port, e := net.SplitHostPort(conf.Address) host, port, e := net.SplitHostPort(conf.Address)
fatalIf(probe.NewError(e), "Unable to parse web addess.", nil) fatalIf(probe.NewError(e), "Unable to parse web addess.", nil)
// Default host to 'localhost'. // Default host is 'localhost', if no host present.
host := "localhost" if host == "" {
host = "localhost"
}
// Initialize minio client for AWS Signature Version '4' // Initialize minio client for AWS Signature Version '4'
client, e := minio.NewV4(net.JoinHostPort(host, port), conf.AccessKeyID, conf.SecretAccessKey, true) inSecure := !conf.TLS // Insecure true when TLS is false.
client, e := minio.NewV4(net.JoinHostPort(host, port), conf.AccessKeyID, conf.SecretAccessKey, inSecure)
fatalIf(probe.NewError(e), "Unable to initialize minio client", nil) fatalIf(probe.NewError(e), "Unable to initialize minio client", nil)
web := &WebAPI{ web := &WebAPI{
FSPath: conf.Path, FSPath: conf.Path,
AccessLog: conf.AccessLog, AccessLog: conf.AccessLog,
Client: client, Client: client,
inSecure: inSecure,
apiAddress: conf.Address,
accessKeyID: conf.AccessKeyID,
secretAccessKey: conf.SecretAccessKey,
} }
return web return web
} }

64
web-config.go
Unescape View File

@ -1,64 +0,0 @@
/*
* Minio Cloud Storage, (C) 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package main
import (
"os"
"path/filepath"
"github.com/minio/minio-xl/pkg/probe"
"github.com/minio/minio/pkg/user"
)
var customWebConfigDir = ""
// getWebConfigDir get web config dir.
func getWebConfigDir() (string, *probe.Error) {
if customWebConfigDir != "" {
return customWebConfigDir, nil
}
homeDir, e := user.HomeDir()
if e != nil {
return "", probe.NewError(e)
}
webConfigDir := filepath.Join(homeDir, ".minio", "web")
return webConfigDir, nil
}
func mustGetWebConfigDir() string {
webConfigDir, err := getWebConfigDir()
fatalIf(err.Trace(), "Unable to get config path.", nil)
return webConfigDir
}
// createWebConfigDir create users config path
func createWebConfigDir() *probe.Error {
webConfigDir, err := getWebConfigDir()
if err != nil {
return err.Trace()
}
if err := os.MkdirAll(webConfigDir, 0700); err != nil {
return probe.NewError(err)
}
return nil
}
func mustGetPrivateKeyPath() string {
webConfigDir, err := getWebConfigDir()
fatalIf(err.Trace(), "Unable to get config path.", nil)
return webConfigDir + "/private.key"
}

10
web-definitions.go
Unescape View File

@ -53,8 +53,16 @@ type ObjectInfo struct {
Size int64 `json:"size"` Size int64 `json:"size"`
} }
// GetObjectURLArgs - get object url. // PutObjectURLArgs - args to generate url for upload access.
type PutObjectURLArgs struct {
TargetHost string `json:"targetHost"`
BucketName string `json:"bucketName"`
ObjectName string `json:"objectName"`
}
// GetObjectURLArgs - args to generate url for download access.
type GetObjectURLArgs struct { type GetObjectURLArgs struct {
TargetHost string `json:"targetHost"`
BucketName string `json:"bucketName"` BucketName string `json:"bucketName"`
ObjectName string `json:"objectName"` ObjectName string `json:"objectName"`
} }

79
web-handlers.go
Unescape View File

@ -18,10 +18,13 @@ package main
import ( import (
"fmt" "fmt"
"net"
"net/http" "net/http"
"time" "time"
jwtgo "github.com/dgrijalva/jwt-go" jwtgo "github.com/dgrijalva/jwt-go"
"github.com/minio/minio-go"
"github.com/minio/minio-xl/pkg/probe"
"github.com/minio/minio/pkg/disk" "github.com/minio/minio/pkg/disk"
) )
@ -29,13 +32,13 @@ import (
// authenticated request. // authenticated request.
func isAuthenticated(req *http.Request) bool { func isAuthenticated(req *http.Request) bool {
jwt := InitJWT() jwt := InitJWT()
tokenRequest, err := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) { tokenRequest, e := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) {
if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
} }
return jwt.PublicKey, nil return jwt.secretAccessKey, nil
}) })
if err != nil { if e != nil {
return false return false
} }
return tokenRequest.Valid return tokenRequest.Valid
@ -46,9 +49,9 @@ func (web *WebAPI) DiskInfo(r *http.Request, args *DiskInfoArgs, reply *disk.Inf
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
info, err := disk.GetInfo(web.FSPath) info, e := disk.GetInfo(web.FSPath)
if err != nil { if e != nil {
return err return e
} }
*reply = info *reply = info
return nil return nil
@ -67,9 +70,9 @@ func (web *WebAPI) ListBuckets(r *http.Request, args *ListBucketsArgs, reply *[]
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
buckets, err := web.Client.ListBuckets() buckets, e := web.Client.ListBuckets()
if err != nil { if e != nil {
return err return e
} }
for _, bucket := range buckets { for _, bucket := range buckets {
*reply = append(*reply, BucketInfo{ *reply = append(*reply, BucketInfo{
@ -101,16 +104,60 @@ func (web *WebAPI) ListObjects(r *http.Request, args *ListObjectsArgs, reply *[]
return nil return nil
} }
// GetObjectURL - get object url. func getTargetHost(apiAddress, targetHost string) (string, *probe.Error) {
if targetHost != "" {
_, port, e := net.SplitHostPort(apiAddress)
if e != nil {
return "", probe.NewError(e)
}
host, _, e := net.SplitHostPort(targetHost)
if e != nil {
return "", probe.NewError(e)
}
targetHost = net.JoinHostPort(host, port)
}
return targetHost, nil
}
// PutObjectURL - generates url for upload access.
func (web *WebAPI) PutObjectURL(r *http.Request, args *PutObjectURLArgs, reply *string) error {
if !isAuthenticated(r) {
return errUnAuthorizedRequest
}
targetHost, err := getTargetHost(web.apiAddress, args.TargetHost)
if err != nil {
return probe.WrapError(err)
}
client, e := minio.NewV4(targetHost, web.accessKeyID, web.secretAccessKey, web.inSecure)
if e != nil {
return e
}
signedURLStr, e := client.PresignedPutObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second)
if e != nil {
return e
}
*reply = signedURLStr
return nil
}
// GetObjectURL - generates url for download access.
func (web *WebAPI) GetObjectURL(r *http.Request, args *GetObjectURLArgs, reply *string) error { func (web *WebAPI) GetObjectURL(r *http.Request, args *GetObjectURLArgs, reply *string) error {
if !isAuthenticated(r) { if !isAuthenticated(r) {
return errUnAuthorizedRequest return errUnAuthorizedRequest
} }
urlStr, err := web.Client.PresignedGetObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second) targetHost, err := getTargetHost(web.apiAddress, args.TargetHost)
if err != nil { if err != nil {
return err return probe.WrapError(err)
}
client, e := minio.NewV4(targetHost, web.accessKeyID, web.secretAccessKey, web.inSecure)
if e != nil {
return e
}
signedURLStr, e := client.PresignedGetObject(args.BucketName, args.ObjectName, time.Duration(60*60)*time.Second)
if e != nil {
return e
} }
*reply = urlStr *reply = signedURLStr
return nil return nil
} }
@ -120,7 +167,7 @@ func (web *WebAPI) Login(r *http.Request, args *LoginArgs, reply *AuthToken) err
if jwt.Authenticate(args.Username, args.Password) { if jwt.Authenticate(args.Username, args.Password) {
token, err := jwt.GenerateToken(args.Username) token, err := jwt.GenerateToken(args.Username)
if err != nil { if err != nil {
return err return probe.WrapError(err.Trace())
} }
reply.Token = token reply.Token = token
return nil return nil
@ -134,7 +181,7 @@ func (web *WebAPI) RefreshToken(r *http.Request, args *LoginArgs, reply *AuthTok
jwt := InitJWT() jwt := InitJWT()
token, err := jwt.GenerateToken(args.Username) token, err := jwt.GenerateToken(args.Username)
if err != nil { if err != nil {
return err return probe.WrapError(err.Trace())
} }
reply.Token = token reply.Token = token
return nil return nil

Write Preview
Loading…
Cancel
Save