diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go index 5d866e38f..21b464839 100644 --- a/cmd/auth-handler.go +++ b/cmd/auth-handler.go @@ -487,20 +487,7 @@ func setAuthHandler(h http.Handler) http.Handler { // handler for validating incoming authorization headers. return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { aType := getRequestAuthType(r) - if isSupportedS3AuthType(aType) { - // Let top level caller validate for anonymous and known signed requests. - h.ServeHTTP(w, r) - return - } else if aType == authTypeJWT { - // Validate Authorization header if its valid for JWT request. - if _, _, authErr := webRequestAuthenticate(r); authErr != nil { - w.WriteHeader(http.StatusUnauthorized) - w.Write([]byte(authErr.Error())) - return - } - h.ServeHTTP(w, r) - return - } else if aType == authTypeSTS { + if isSupportedS3AuthType(aType) || aType == authTypeJWT || aType == authTypeSTS { h.ServeHTTP(w, r) return } diff --git a/cmd/handler-utils.go b/cmd/handler-utils.go index e1678c0be..ecff4ec50 100644 --- a/cmd/handler-utils.go +++ b/cmd/handler-utils.go @@ -213,15 +213,6 @@ func getReqAccessCred(r *http.Request, region string) (cred auth.Credentials) { if cred.AccessKey == "" { cred, _, _ = getReqAccessKeyV2(r) } - if cred.AccessKey == "" { - claims, owner, _ := webRequestAuthenticate(r) - if owner { - return globalActiveCred - } - if claims != nil { - cred, _ = globalIAMSys.GetUser(claims.AccessKey) - } - } return cred } diff --git a/cmd/jwt.go b/cmd/jwt.go index 3243fbd5b..e94077be9 100644 --- a/cmd/jwt.go +++ b/cmd/jwt.go @@ -27,6 +27,7 @@ import ( "github.com/minio/minio/internal/auth" xjwt "github.com/minio/minio/internal/jwt" "github.com/minio/minio/internal/logger" + iampolicy "github.com/minio/pkg/iam/policy" ) const ( @@ -97,29 +98,6 @@ func authenticateURL(accessKey, secretKey string) (string, error) { return authenticateJWTUsers(accessKey, secretKey, defaultURLJWTExpiry) } -// Callback function used for parsing -func webTokenCallback(claims *xjwt.MapClaims) ([]byte, error) { - if claims.AccessKey == globalActiveCred.AccessKey { - return []byte(globalActiveCred.SecretKey), nil - } - ok, _, err := globalIAMSys.IsTempUser(claims.AccessKey) - if err != nil { - if err == errNoSuchUser { - return nil, errInvalidAccessKeyID - } - return nil, err - } - if ok { - return []byte(globalActiveCred.SecretKey), nil - } - cred, ok := globalIAMSys.GetUser(claims.AccessKey) - if !ok { - return nil, errInvalidAccessKeyID - } - return []byte(cred.SecretKey), nil - -} - // Check if the request is authenticated. // Returns nil if the request is authenticated. errNoAuthToken if token missing. // Returns errAuthentication for all other errors. @@ -132,10 +110,44 @@ func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) { return nil, false, err } claims := xjwt.NewMapClaims() - if err := xjwt.ParseWithClaims(token, claims, webTokenCallback); err != nil { + if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) { + if claims.AccessKey == globalActiveCred.AccessKey { + return []byte(globalActiveCred.SecretKey), nil + } + cred, ok := globalIAMSys.GetUser(claims.AccessKey) + if !ok { + return nil, errInvalidAccessKeyID + } + return []byte(cred.SecretKey), nil + }); err != nil { return claims, false, errAuthentication } - owner := claims.AccessKey == globalActiveCred.AccessKey + owner := true + if globalActiveCred.AccessKey != claims.AccessKey { + // Check if the access key is part of users credentials. + ucred, ok := globalIAMSys.GetUser(claims.AccessKey) + if !ok { + return nil, false, errInvalidAccessKeyID + } + + // get embedded claims + eclaims, s3Err := checkClaimsFromToken(req, ucred) + if s3Err != ErrNone { + return nil, false, errAuthentication + } + + for k, v := range eclaims { + claims.MapClaims[k] = v + } + + // Now check if we have a sessionPolicy. + if _, ok = eclaims[iampolicy.SessionPolicyName]; ok { + owner = false + } else { + owner = globalActiveCred.AccessKey == ucred.ParentUser + } + } + return claims, owner, nil }