From 34d62837fdb8f1ca4824fbcf4e06003016b56165 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Fri, 27 Jan 2023 23:26:30 +0100
Subject: [PATCH] Trust STS IDP connection when the url is localhost (#2603)

During SSO login, Console contacts MinIO server to generate new temporary credentials. When TLS is enabled, setting up a correct TLS certificate is something that needs to be done correctly by the user. However, recently, we started to skip the TLS verification when Console talks to MinIO server using a loopback address, but we missed the case of Console generating temporary credentials in case of IDP. This commit will get the configured MinIO server url to decide if the STS call needs to skip the TLS verification or not.

Co-authored-by: Anis Elleuch
---
 pkg/auth/idp/oauth2/provider.go | 11 +++++++----
 restapi/user_login.go | 4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
index 98891cc88..d48db2040 100644
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -113,6 +113,7 @@ type Provider struct {
 	RefreshToken string
 	oauth2Config Configuration
 	provHTTPClient *http.Client
+	stsHTTPClient *http.Client
 }
 
 // DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
@@ -217,8 +218,8 @@ var defaultScopes = []string{"openid", "profile", "email"}
 //
 // We only support Authentication with the Authorization Code Flow - spec:
 // https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
-func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
-	ddoc, err := parseDiscoveryDoc(o[name].URL, httpClient)
+func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (*Provider, error) {
+	ddoc, err := parseDiscoveryDoc(o[name].URL, idpClient)
 	if err != nil {
 		return nil, err
 	}
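Review bot: The new `stsHTTPClient` field in `Provider` has no comment, and because it is deliberately kept apart from `provHTTPClient` — the commit message says the two may differ in whether TLS verification is performed — the reason for having two clients is easy to lose in a later cleanup that merges them. Add above the field: `// stsHTTPClient is used only for the STS call to the MinIO server; it is configured separately from provHTTPClient (which talks to the external IDP), so their TLS verification settings may differ.` The `Provider` struct starts outside the hunk.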
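Review bot: `NewOauth2ProviderClient` now takes two adjacent parameters of the same type, `idpClient, stsClient *http.Client`, so a caller that swaps them still compiles but would send the client intended for the loopback MinIO server — which per the commit message may skip TLS verification — to the external IDP, and the doc comment above the signature says nothing about which client goes where. Extend the doc comment with `// idpClient is used for the discovery document and token exchange with the IDP; stsClient is used only for the STS call against the MinIO server and may carry different TLS verification settings.` Neither client is checked for nil before use; if a nil `stsClient` is not tolerated by the STS code path, an explicit error here would be clearer than a failure at login time. The function body continues outside the hunk.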
@@ -277,7 +278,9 @@ func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *htt
 	client.IDPName = name
 	client.UserInfo = o[name].Userinfo
-	client.provHTTPClient = httpClient
+
+	client.provHTTPClient = idpClient
+	client.stsHTTPClient = stsClient
 	return client, nil
 }
@@ -357,7 +360,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 	stsEndpoint := GetSTSEndpoint()
 	sts := credentials.New(&credentials.STSWebIdentity{
-		Client: client.provHTTPClient,
+		Client: client.stsHTTPClient,
 		STSEndpoint: stsEndpoint,
 		GetWebIDTokenExpiry: getWebTokenExpiry,
 		RoleARN: roleARN,
diff --git a/restapi/user_login.go b/restapi/user_login.go
index c49bb6821..304fed249 100644
--- a/restapi/user_login.go
+++ b/restapi/user_login.go
@@ -176,7 +176,7 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders o
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect
 		for name, provider := range openIDProviders {
 			// initialize new oauth2 client
-			oauth2Client, err := openIDProviders.NewOauth2ProviderClient(name, nil, r, GetConsoleHTTPClient(""))
+			oauth2Client, err := openIDProviders.NewOauth2ProviderClient(name, nil, r, GetConsoleHTTPClient(""), GetConsoleHTTPClient(getMinIOServer()))
 			if err != nil {
 				return nil, ErrorWithContext(ctx, err, ErrOauth2Provider)
 			}
@@ -244,7 +244,7 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
 	IDPName := requestItems.IDPName
 	state := requestItems.State
 	providerCfg := openIDProviders[IDPName]
-	oauth2Client, err := openIDProviders.NewOauth2ProviderClient(IDPName, nil, r, GetConsoleHTTPClient(""))
+	oauth2Client, err := openIDProviders.NewOauth2ProviderClient(IDPName, nil, r, GetConsoleHTTPClient(""), GetConsoleHTTPClient(getMinIOServer()))
 	if err != nil {
 		return nil, ErrorWithContext(ctx, err)
 	}
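Review bot: The added empty `+` line between `client.UserInfo = o[name].Userinfo` and `client.provHTTPClient = idpClient` is a stray blank line in the middle of a run of field assignments on the same struct; drop it so the assignments read as one group. The enclosing `NewOauth2ProviderClient` starts outside the hunk.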
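Review bot: The TLS policy of `client.stsHTTPClient` is chosen by the callers in `restapi/user_login.go` from `getMinIOServer()`, but the request on these lines is sent to `stsEndpoint := GetSTSEndpoint()`; if those two can resolve to different hosts — not visible in this diff — a client that relaxes TLS verification for a loopback MinIO URL could be used against a non-loopback STS endpoint, so the verification decision should be derived from the URL actually dialed. At minimum, a comment at the `Client:` line such as `// stsHTTPClient's TLS settings were chosen from the MinIO server URL; GetSTSEndpoint() must point at the same host.` would make the coupling explicit. Separately, a `Provider` not built through `NewOauth2ProviderClient` reaches this line with a nil `stsHTTPClient`, and whether `credentials.STSWebIdentity` tolerates a nil `Client` is not established by this hunk, so a nil guard or a note on the field would make that assumption visible. `VerifyIdentity` starts and ends outside the hunk.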
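Review bot: `GetConsoleHTTPClient(getMinIOServer())` is now evaluated once per iteration of `for name, provider := range openIDProviders`, alongside the pre-existing `GetConsoleHTTPClient("")`, although neither call depends on `name`; if `GetConsoleHTTPClient` constructs a new client each time (not visible here), hoist both into locals above the loop, e.g. `idpClient, stsClient := GetConsoleHTTPClient(""), GetConsoleHTTPClient(getMinIOServer())`, and pass those in. The same client pair is rebuilt verbatim in `getLoginOauth2AuthResponse` in the next hunk; a small helper returning both would keep the idp/sts argument order — two same-typed positional parameters — from drifting between the two call sites. The enclosing `getLoginDetailsResponse` starts and ends outside the hunk.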