mirror of
				https://github.com/minio/minio.git
				synced 2025-10-26 05:41:53 +01:00 
			
		
		
		
	This change adds a `Secret` property to `HelpKV` to identify secrets like passwords and auth tokens that should not be revealed by the server in its configuration fetching APIs. Configuration reporting APIs now do not return secrets.
		
			
				
	
	
		
			511 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			511 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright (c) 2015-2022 MinIO, Inc.
 | |
| //
 | |
| // This file is part of MinIO Object Storage stack
 | |
| //
 | |
| // This program is free software: you can redistribute it and/or modify
 | |
| // it under the terms of the GNU Affero General Public License as published by
 | |
| // the Free Software Foundation, either version 3 of the License, or
 | |
| // (at your option) any later version.
 | |
| //
 | |
| // This program is distributed in the hope that it will be useful
 | |
| // but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| // GNU Affero General Public License for more details.
 | |
| //
 | |
| // You should have received a copy of the GNU Affero General Public License
 | |
| // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| package plugin
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"context"
 | |
| 	"crypto/sha1"
 | |
| 	"encoding/base64"
 | |
| 	"encoding/json"
 | |
| 	"fmt"
 | |
| 	"io"
 | |
| 	"net/http"
 | |
| 	"net/url"
 | |
| 	"regexp"
 | |
| 	"sync"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/minio/minio/internal/arn"
 | |
| 	"github.com/minio/minio/internal/config"
 | |
| 	"github.com/minio/minio/internal/logger"
 | |
| 	"github.com/minio/pkg/env"
 | |
| 	xnet "github.com/minio/pkg/net"
 | |
| )
 | |
| 
 | |
| // Authentication Plugin config and env variables
 | |
| const (
 | |
| 	URL        = "url"
 | |
| 	AuthToken  = "auth_token"
 | |
| 	RolePolicy = "role_policy"
 | |
| 	RoleID     = "role_id"
 | |
| 
 | |
| 	EnvIdentityPluginURL        = "MINIO_IDENTITY_PLUGIN_URL"
 | |
| 	EnvIdentityPluginAuthToken  = "MINIO_IDENTITY_PLUGIN_AUTH_TOKEN"
 | |
| 	EnvIdentityPluginRolePolicy = "MINIO_IDENTITY_PLUGIN_ROLE_POLICY"
 | |
| 	EnvIdentityPluginRoleID     = "MINIO_IDENTITY_PLUGIN_ROLE_ID"
 | |
| )
 | |
| 
 | |
| var (
 | |
| 	// DefaultKVS - default config for AuthN plugin config
 | |
| 	DefaultKVS = config.KVS{
 | |
| 		config.KV{
 | |
| 			Key:   URL,
 | |
| 			Value: "",
 | |
| 		},
 | |
| 		config.KV{
 | |
| 			Key:   AuthToken,
 | |
| 			Value: "",
 | |
| 		},
 | |
| 		config.KV{
 | |
| 			Key:   RolePolicy,
 | |
| 			Value: "",
 | |
| 		},
 | |
| 		config.KV{
 | |
| 			Key:   RoleID,
 | |
| 			Value: "",
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	defaultHelpPostfix = func(key string) string {
 | |
| 		return config.DefaultHelpPostfix(DefaultKVS, key)
 | |
| 	}
 | |
| 
 | |
| 	// Help for Identity Plugin
 | |
| 	Help = config.HelpKVS{
 | |
| 		config.HelpKV{
 | |
| 			Key:         URL,
 | |
| 			Description: `plugin hook endpoint (HTTP(S)) e.g. "http://localhost:8181/path/to/endpoint"` + defaultHelpPostfix(URL),
 | |
| 			Type:        "url",
 | |
| 		},
 | |
| 		config.HelpKV{
 | |
| 			Key:         AuthToken,
 | |
| 			Description: "authorization token for plugin hook endpoint" + defaultHelpPostfix(AuthToken),
 | |
| 			Optional:    true,
 | |
| 			Type:        "string",
 | |
| 			Sensitive:   true,
 | |
| 			Secret:      true,
 | |
| 		},
 | |
| 		config.HelpKV{
 | |
| 			Key:         RolePolicy,
 | |
| 			Description: "policies to apply for plugin authorized users" + defaultHelpPostfix(RolePolicy),
 | |
| 			Type:        "string",
 | |
| 		},
 | |
| 		config.HelpKV{
 | |
| 			Key:         RoleID,
 | |
| 			Description: "unique ID to generate the ARN" + defaultHelpPostfix(RoleID),
 | |
| 			Optional:    true,
 | |
| 			Type:        "string",
 | |
| 		},
 | |
| 		config.HelpKV{
 | |
| 			Key:         config.Comment,
 | |
| 			Description: config.DefaultComment,
 | |
| 			Optional:    true,
 | |
| 			Type:        "sentence",
 | |
| 		},
 | |
| 	}
 | |
| )
 | |
| 
 | |
| // Allows only Base64 URL encoding characters.
 | |
| var validRoleIDRegex = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
 | |
| 
 | |
| // Args for authentication plugin.
 | |
| type Args struct {
 | |
| 	URL         *xnet.URL
 | |
| 	AuthToken   string
 | |
| 	Transport   http.RoundTripper
 | |
| 	CloseRespFn func(r io.ReadCloser)
 | |
| 
 | |
| 	RolePolicy string
 | |
| 	RoleARN    arn.ARN
 | |
| }
 | |
| 
 | |
| // Validate - validate configuration params.
 | |
| func (a *Args) Validate() error {
 | |
| 	req, err := http.NewRequest(http.MethodPost, a.URL.String(), bytes.NewReader([]byte("")))
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	req.Header.Set("Content-Type", "application/json")
 | |
| 	if a.AuthToken != "" {
 | |
| 		req.Header.Set("Authorization", a.AuthToken)
 | |
| 	}
 | |
| 
 | |
| 	client := &http.Client{Transport: a.Transport}
 | |
| 	resp, err := client.Do(req)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	defer a.CloseRespFn(resp.Body)
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| type serviceRTTMinuteStats struct {
 | |
| 	statsTime           time.Time
 | |
| 	rttMsSum, maxRttMs  float64
 | |
| 	successRequestCount int64
 | |
| 	failedRequestCount  int64
 | |
| }
 | |
| 
 | |
| type metrics struct {
 | |
| 	sync.Mutex
 | |
| 	LastCheckSuccess time.Time
 | |
| 	LastCheckFailure time.Time
 | |
| 	lastFullMinute   serviceRTTMinuteStats
 | |
| 	currentMinute    serviceRTTMinuteStats
 | |
| }
 | |
| 
 | |
| func (h *metrics) setConnSuccess(reqStartTime time.Time) {
 | |
| 	h.Lock()
 | |
| 	defer h.Unlock()
 | |
| 	h.LastCheckSuccess = reqStartTime
 | |
| }
 | |
| 
 | |
| func (h *metrics) setConnFailure(reqStartTime time.Time) {
 | |
| 	h.Lock()
 | |
| 	defer h.Unlock()
 | |
| 	h.LastCheckFailure = reqStartTime
 | |
| }
 | |
| 
 | |
| func (h *metrics) updateLastFullMinute(currReqMinute time.Time) {
 | |
| 	// Assumes the caller has h.Lock()'ed
 | |
| 	h.lastFullMinute = h.currentMinute
 | |
| 	h.currentMinute = serviceRTTMinuteStats{
 | |
| 		statsTime: currReqMinute,
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func (h *metrics) accumRequestRTT(reqStartTime time.Time, rttMs float64, isSuccess bool) {
 | |
| 	h.Lock()
 | |
| 	defer h.Unlock()
 | |
| 
 | |
| 	// Update connectivity times
 | |
| 	if isSuccess {
 | |
| 		if reqStartTime.After(h.LastCheckSuccess) {
 | |
| 			h.LastCheckSuccess = reqStartTime
 | |
| 		}
 | |
| 	} else {
 | |
| 		if reqStartTime.After(h.LastCheckFailure) {
 | |
| 			h.LastCheckFailure = reqStartTime
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Round the reqest time *down* to whole minute.
 | |
| 	reqTimeMinute := reqStartTime.Truncate(time.Minute)
 | |
| 	if reqTimeMinute.After(h.currentMinute.statsTime) {
 | |
| 		// Drop the last full minute now, since we got a request for a time we
 | |
| 		// are not yet tracking.
 | |
| 		h.updateLastFullMinute(reqTimeMinute)
 | |
| 	}
 | |
| 	var entry *serviceRTTMinuteStats
 | |
| 	switch {
 | |
| 	case reqTimeMinute.Equal(h.currentMinute.statsTime):
 | |
| 		entry = &h.currentMinute
 | |
| 	case reqTimeMinute.Equal(h.lastFullMinute.statsTime):
 | |
| 		entry = &h.lastFullMinute
 | |
| 	default:
 | |
| 		// This request is too old, it should never happen, ignore it as we
 | |
| 		// cannot return an error.
 | |
| 		return
 | |
| 	}
 | |
| 
 | |
| 	// Update stats
 | |
| 	if isSuccess {
 | |
| 		if entry.maxRttMs < rttMs {
 | |
| 			entry.maxRttMs = rttMs
 | |
| 		}
 | |
| 		entry.rttMsSum += rttMs
 | |
| 		entry.successRequestCount++
 | |
| 	} else {
 | |
| 		entry.failedRequestCount++
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // AuthNPlugin - implements pluggable authentication via webhook.
 | |
| type AuthNPlugin struct {
 | |
| 	args           Args
 | |
| 	client         *http.Client
 | |
| 	shutdownCtx    context.Context
 | |
| 	serviceMetrics *metrics
 | |
| }
 | |
| 
 | |
| // Enabled returns if AuthNPlugin is enabled.
 | |
| func Enabled(kvs config.KVS) bool {
 | |
| 	return kvs.Get(URL) != ""
 | |
| }
 | |
| 
 | |
| // LookupConfig lookup AuthNPlugin from config, override with any ENVs.
 | |
| func LookupConfig(kv config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (Args, error) {
 | |
| 	args := Args{}
 | |
| 
 | |
| 	if err := config.CheckValidKeys(config.IdentityPluginSubSys, kv, DefaultKVS); err != nil {
 | |
| 		return args, err
 | |
| 	}
 | |
| 
 | |
| 	pluginURL := env.Get(EnvIdentityPluginURL, kv.Get(URL))
 | |
| 	if pluginURL == "" {
 | |
| 		return args, nil
 | |
| 	}
 | |
| 
 | |
| 	authToken := env.Get(EnvIdentityPluginAuthToken, kv.Get(AuthToken))
 | |
| 
 | |
| 	u, err := xnet.ParseHTTPURL(pluginURL)
 | |
| 	if err != nil {
 | |
| 		return args, err
 | |
| 	}
 | |
| 
 | |
| 	rolePolicy := env.Get(EnvIdentityPluginRolePolicy, kv.Get(RolePolicy))
 | |
| 	if rolePolicy == "" {
 | |
| 		return args, config.Errorf("A role policy must be specified for Identity Management Plugin")
 | |
| 	}
 | |
| 
 | |
| 	resourceID := "idmp-"
 | |
| 	roleID := env.Get(EnvIdentityPluginRoleID, kv.Get(RoleID))
 | |
| 	if roleID == "" {
 | |
| 		// We use a hash of the plugin URL so that the ARN remains
 | |
| 		// constant across restarts.
 | |
| 		h := sha1.New()
 | |
| 		h.Write([]byte(pluginURL))
 | |
| 		bs := h.Sum(nil)
 | |
| 		resourceID += base64.RawURLEncoding.EncodeToString(bs)
 | |
| 	} else {
 | |
| 		// Check that the roleID is restricted to URL safe characters
 | |
| 		// (base64 URL encoding chars).
 | |
| 		if !validRoleIDRegex.MatchString(roleID) {
 | |
| 			return args, config.Errorf("Role ID must match the regexp `^[a-zA-Z0-9_-]+$`")
 | |
| 		}
 | |
| 
 | |
| 		// Use the user provided ID here.
 | |
| 		resourceID += roleID
 | |
| 	}
 | |
| 
 | |
| 	roleArn, err := arn.NewIAMRoleARN(resourceID, serverRegion)
 | |
| 	if err != nil {
 | |
| 		return args, config.Errorf("unable to generate ARN from the plugin config: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	args = Args{
 | |
| 		URL:         u,
 | |
| 		AuthToken:   authToken,
 | |
| 		Transport:   transport,
 | |
| 		CloseRespFn: closeRespFn,
 | |
| 		RolePolicy:  rolePolicy,
 | |
| 		RoleARN:     roleArn,
 | |
| 	}
 | |
| 	if err = args.Validate(); err != nil {
 | |
| 		return args, err
 | |
| 	}
 | |
| 	return args, nil
 | |
| }
 | |
| 
 | |
| // New - initializes Authorization Management Plugin.
 | |
| func New(shutdownCtx context.Context, args Args) *AuthNPlugin {
 | |
| 	if args.URL == nil || args.URL.Scheme == "" && args.AuthToken == "" {
 | |
| 		return nil
 | |
| 	}
 | |
| 	plugin := AuthNPlugin{
 | |
| 		args:        args,
 | |
| 		client:      &http.Client{Transport: args.Transport},
 | |
| 		shutdownCtx: shutdownCtx,
 | |
| 		serviceMetrics: &metrics{
 | |
| 			Mutex:            sync.Mutex{},
 | |
| 			LastCheckSuccess: time.Unix(0, 0),
 | |
| 			LastCheckFailure: time.Unix(0, 0),
 | |
| 			lastFullMinute:   serviceRTTMinuteStats{},
 | |
| 			currentMinute:    serviceRTTMinuteStats{},
 | |
| 		},
 | |
| 	}
 | |
| 	go plugin.doPeriodicHealthCheck()
 | |
| 	return &plugin
 | |
| }
 | |
| 
 | |
| // AuthNSuccessResponse - represents the response from the authentication plugin
 | |
| // service.
 | |
| type AuthNSuccessResponse struct {
 | |
| 	User               string                 `json:"user"`
 | |
| 	MaxValiditySeconds int                    `json:"maxValiditySeconds"`
 | |
| 	Claims             map[string]interface{} `json:"claims"`
 | |
| }
 | |
| 
 | |
| // AuthNErrorResponse - represents an error response from the authN plugin.
 | |
| type AuthNErrorResponse struct {
 | |
| 	Reason string `json:"reason"`
 | |
| }
 | |
| 
 | |
| // AuthNResponse - represents a result of the authentication operation.
 | |
| type AuthNResponse struct {
 | |
| 	Success *AuthNSuccessResponse
 | |
| 	Failure *AuthNErrorResponse
 | |
| }
 | |
| 
 | |
| const (
 | |
| 	minValidityDurationSeconds int = 900
 | |
| 	maxValidityDurationSeconds int = 365 * 24 * 3600
 | |
| )
 | |
| 
 | |
| // Authenticate authenticates the token with the external hook endpoint and
 | |
| // returns a parent user, max expiry duration for the authentication and a set
 | |
| // of claims.
 | |
| func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
 | |
| 	if o == nil {
 | |
| 		return AuthNResponse{}, nil
 | |
| 	}
 | |
| 
 | |
| 	if roleArn != o.args.RoleARN {
 | |
| 		return AuthNResponse{}, fmt.Errorf("Invalid role ARN value: %s", roleArn.String())
 | |
| 	}
 | |
| 
 | |
| 	u := url.URL(*o.args.URL)
 | |
| 	q := u.Query()
 | |
| 	q.Set("token", token)
 | |
| 	u.RawQuery = q.Encode()
 | |
| 
 | |
| 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 | |
| 	defer cancel()
 | |
| 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u.String(), nil)
 | |
| 	if err != nil {
 | |
| 		return AuthNResponse{}, err
 | |
| 	}
 | |
| 
 | |
| 	if o.args.AuthToken != "" {
 | |
| 		req.Header.Set("Authorization", o.args.AuthToken)
 | |
| 	}
 | |
| 
 | |
| 	reqStartTime := time.Now()
 | |
| 	resp, err := o.client.Do(req)
 | |
| 	if err != nil {
 | |
| 		o.serviceMetrics.accumRequestRTT(reqStartTime, 0, false)
 | |
| 		return AuthNResponse{}, err
 | |
| 	}
 | |
| 	defer o.args.CloseRespFn(resp.Body)
 | |
| 	reqDurNanos := time.Since(reqStartTime).Nanoseconds()
 | |
| 	o.serviceMetrics.accumRequestRTT(reqStartTime, float64(reqDurNanos)/1e6, true)
 | |
| 
 | |
| 	switch resp.StatusCode {
 | |
| 	case 200:
 | |
| 		var result AuthNSuccessResponse
 | |
| 		if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
 | |
| 			return AuthNResponse{}, err
 | |
| 		}
 | |
| 
 | |
| 		if result.MaxValiditySeconds < minValidityDurationSeconds || result.MaxValiditySeconds > maxValidityDurationSeconds {
 | |
| 			return AuthNResponse{}, fmt.Errorf("Plugin returned an invalid validity duration (%d) - should be between %d and %d",
 | |
| 				result.MaxValiditySeconds, minValidityDurationSeconds, maxValidityDurationSeconds)
 | |
| 		}
 | |
| 
 | |
| 		return AuthNResponse{
 | |
| 			Success: &result,
 | |
| 		}, nil
 | |
| 
 | |
| 	case 403:
 | |
| 		var result AuthNErrorResponse
 | |
| 		if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
 | |
| 			return AuthNResponse{}, err
 | |
| 		}
 | |
| 		return AuthNResponse{
 | |
| 			Failure: &result,
 | |
| 		}, nil
 | |
| 
 | |
| 	default:
 | |
| 		return AuthNResponse{}, fmt.Errorf("Invalid status code %d from auth plugin", resp.StatusCode)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // GetRoleInfo - returns ARN to policies map.
 | |
| func (o *AuthNPlugin) GetRoleInfo() map[arn.ARN]string {
 | |
| 	return map[arn.ARN]string{
 | |
| 		o.args.RoleARN: o.args.RolePolicy,
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // checkConnectivity returns true if we are able to connect to the plugin
 | |
| // service.
 | |
| func (o *AuthNPlugin) checkConnectivity(ctx context.Context) bool {
 | |
| 	ctx, cancel := context.WithTimeout(ctx, healthCheckTimeout)
 | |
| 	defer cancel()
 | |
| 	u := url.URL(*o.args.URL)
 | |
| 
 | |
| 	req, err := http.NewRequestWithContext(ctx, http.MethodHead, u.String(), nil)
 | |
| 	if err != nil {
 | |
| 		logger.LogIf(ctx, err)
 | |
| 		return false
 | |
| 	}
 | |
| 
 | |
| 	if o.args.AuthToken != "" {
 | |
| 		req.Header.Set("Authorization", o.args.AuthToken)
 | |
| 	}
 | |
| 
 | |
| 	resp, err := o.client.Do(req)
 | |
| 	if err != nil {
 | |
| 		return false
 | |
| 	}
 | |
| 	defer o.args.CloseRespFn(resp.Body)
 | |
| 	return true
 | |
| }
 | |
| 
 | |
| var (
 | |
| 	healthCheckInterval = 1 * time.Minute
 | |
| 	healthCheckTimeout  = 5 * time.Second
 | |
| )
 | |
| 
 | |
| func (o *AuthNPlugin) doPeriodicHealthCheck() {
 | |
| 	ticker := time.NewTicker(healthCheckInterval)
 | |
| 	defer ticker.Stop()
 | |
| 
 | |
| 	for {
 | |
| 		select {
 | |
| 		case <-ticker.C:
 | |
| 			now := time.Now()
 | |
| 			isConnected := o.checkConnectivity(o.shutdownCtx)
 | |
| 			if isConnected {
 | |
| 				o.serviceMetrics.setConnSuccess(now)
 | |
| 			} else {
 | |
| 				o.serviceMetrics.setConnFailure(now)
 | |
| 			}
 | |
| 		case <-o.shutdownCtx.Done():
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // Metrics contains metrics about the authentication plugin service.
 | |
| type Metrics struct {
 | |
| 	LastReachableSecs, LastUnreachableSecs float64
 | |
| 
 | |
| 	// Last whole minute stats
 | |
| 	TotalRequests, FailedRequests int64
 | |
| 	AvgSuccRTTMs                  float64
 | |
| 	MaxSuccRTTMs                  float64
 | |
| }
 | |
| 
 | |
| // Metrics reports metrics related to plugin service reachability and stats for the last whole minute
 | |
| func (o *AuthNPlugin) Metrics() Metrics {
 | |
| 	if o == nil {
 | |
| 		// Return empty metrics when not configured.
 | |
| 		return Metrics{}
 | |
| 	}
 | |
| 	o.serviceMetrics.Lock()
 | |
| 	defer o.serviceMetrics.Unlock()
 | |
| 	l := &o.serviceMetrics.lastFullMinute
 | |
| 	var avg float64
 | |
| 	if l.successRequestCount > 0 {
 | |
| 		avg = l.rttMsSum / float64(l.successRequestCount)
 | |
| 	}
 | |
| 	now := time.Now().UTC()
 | |
| 	return Metrics{
 | |
| 		LastReachableSecs:   now.Sub(o.serviceMetrics.LastCheckSuccess).Seconds(),
 | |
| 		LastUnreachableSecs: now.Sub(o.serviceMetrics.LastCheckFailure).Seconds(),
 | |
| 		TotalRequests:       l.failedRequestCount + l.successRequestCount,
 | |
| 		FailedRequests:      l.failedRequestCount,
 | |
| 		AvgSuccRTTMs:        avg,
 | |
| 		MaxSuccRTTMs:        l.maxRttMs,
 | |
| 	}
 | |
| }
 |