You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
181 lines
5.4 KiB
181 lines
5.4 KiB
// +build ignore
|
|
|
|
/*
|
|
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"encoding/xml"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
googleOAuth2 "golang.org/x/oauth2/google"
|
|
|
|
"github.com/minio/minio/pkg/auth"
|
|
)
|
|
|
|
// AssumedRoleUser - The identifiers for the temporary security credentials that
|
|
// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
|
|
type AssumedRoleUser struct {
|
|
Arn string
|
|
AssumedRoleID string `xml:"AssumeRoleId"`
|
|
// contains filtered or unexported fields
|
|
}
|
|
|
|
// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
|
|
type AssumeRoleWithWebIdentityResponse struct {
|
|
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
|
|
Result WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
|
|
ResponseMetadata struct {
|
|
RequestID string `xml:"RequestId,omitempty"`
|
|
} `xml:"ResponseMetadata,omitempty"`
|
|
}
|
|
|
|
// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity
|
|
// request, including temporary credentials that can be used to make MinIO API requests.
|
|
type WebIdentityResult struct {
|
|
AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
|
|
Audience string `xml:",omitempty"`
|
|
Credentials auth.Credentials `xml:",omitempty"`
|
|
PackedPolicySize int `xml:",omitempty"`
|
|
Provider string `xml:",omitempty"`
|
|
SubjectFromWebIdentityToken string `xml:",omitempty"`
|
|
}
|
|
|
|
// Returns a base64 encoded random 32 byte string.
|
|
func randomState() string {
|
|
b := make([]byte, 32)
|
|
rand.Read(b)
|
|
return base64.RawURLEncoding.EncodeToString(b)
|
|
}
|
|
|
|
var (
|
|
stsEndpoint string
|
|
authEndpoint string
|
|
tokenEndpoint string
|
|
clientID string
|
|
clientSecret string
|
|
port int
|
|
)
|
|
|
|
func init() {
|
|
flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
|
|
flag.StringVar(&authEndpoint, "auth-ep", googleOAuth2.Endpoint.AuthURL, "Auth endpoint")
|
|
flag.StringVar(&tokenEndpoint, "token-ep", googleOAuth2.Endpoint.TokenURL, "Token endpoint")
|
|
flag.StringVar(&clientID, "cid", "", "Client ID")
|
|
flag.StringVar(&clientSecret, "csec", "", "Client secret")
|
|
flag.IntVar(&port, "port", 8080, "Port")
|
|
}
|
|
|
|
func main() {
|
|
flag.Parse()
|
|
if clientID == "" || clientSecret == "" {
|
|
flag.PrintDefaults()
|
|
return
|
|
}
|
|
|
|
ctx := context.Background()
|
|
|
|
config := oauth2.Config{
|
|
ClientID: clientID,
|
|
ClientSecret: clientSecret,
|
|
Endpoint: oauth2.Endpoint{
|
|
AuthURL: authEndpoint,
|
|
TokenURL: tokenEndpoint,
|
|
},
|
|
RedirectURL: fmt.Sprintf("http://localhost:%v/oauth2/callback", port),
|
|
Scopes: []string{"openid", "profile", "email"},
|
|
}
|
|
|
|
state := randomState()
|
|
|
|
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
|
http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
|
|
})
|
|
|
|
http.HandleFunc("/oauth2/callback", func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Query().Get("state") != state {
|
|
http.Error(w, "state did not match", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
|
|
if err != nil {
|
|
http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if oauth2Token.Valid() {
|
|
v := url.Values{}
|
|
v.Set("Action", "AssumeRoleWithWebIdentity")
|
|
v.Set("WebIdentityToken", fmt.Sprintf("%s", oauth2Token.Extra("id_token")))
|
|
v.Set("DurationSeconds", fmt.Sprintf("%d", int64(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())))
|
|
v.Set("Version", "2011-06-15")
|
|
|
|
u, err := url.Parse("http://localhost:9000")
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
u.RawQuery = v.Encode()
|
|
|
|
req, err := http.NewRequest(http.MethodPost, u.String(), nil)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
http.Error(w, resp.Status, resp.StatusCode)
|
|
return
|
|
}
|
|
|
|
a := AssumeRoleWithWebIdentityResponse{}
|
|
if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
w.Write([]byte("##### Credentials\n"))
|
|
c, err := json.MarshalIndent(a.Result.Credentials, "", "\t")
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
w.Write(c)
|
|
}
|
|
})
|
|
|
|
address := fmt.Sprintf("localhost:%v", port)
|
|
log.Printf("listening on http://%s/", address)
|
|
log.Fatal(http.ListenAndServe(address, nil))
|
|
}
|
|
|