From 410b4555e38165abf6808d3fe5145d7060057fb9 Mon Sep 17 00:00:00 2001 From: Lenin Alevski Date: Tue, 12 Oct 2021 21:25:02 -0700 Subject: [PATCH] Refactor session token (#1109) - Update operator dependency - Don't store policy on session token, instead obtain it during session validation Signed-off-by: Lenin Alevski --- go.mod | 4 +- go.sum | 33 ++++++++--- models/principal.go | 3 - operatorapi/configure_operator.go | 1 - operatorapi/operator_login.go | 83 +++++---------------------- operatorapi/operator_session.go | 2 +- pkg/acl/endpoints.go | 1 - pkg/auth/token.go | 27 ++------- pkg/auth/token_test.go | 4 +- portal-ui/src/common/utils.ts | 3 - restapi/client.go | 6 -- restapi/configure_console.go | 1 - restapi/embedded_spec.go | 12 ---- restapi/user_account.go | 8 +-- restapi/user_login.go | 95 +++++-------------------------- restapi/user_session.go | 31 +++++++++- restapi/utils.go | 80 +++++--------------------- swagger-console.yml | 4 -- 18 files changed, 108 insertions(+), 290 deletions(-) diff --git a/go.mod b/go.mod index 59cd59bb1..67d05c67d 100644 --- a/go.mod +++ b/go.mod @@ -21,8 +21,8 @@ require ( github.com/minio/madmin-go v1.1.6 github.com/minio/mc v0.0.0-20210626002108-cebf3318546f github.com/minio/minio-go/v7 v7.0.14 - github.com/minio/operator v0.0.0-20210812082324-26350f153661 - github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661 + github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 + github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 github.com/minio/pkg v1.1.5 github.com/minio/selfupdate v0.3.1 github.com/mitchellh/go-homedir v1.1.0 diff --git a/go.sum b/go.sum index d83db978d..070d19496 100644 --- a/go.sum +++ b/go.sum 
@@ -14,6 +14,7 @@ cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -412,6 +413,7 @@ github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= 
@@ -551,6 +553,7 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= @@ -626,6 +629,7 @@ github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
@@ -886,13 +890,14 @@ github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78/go.mod h1:mTh github.com/minio/minio-go/v7 v7.0.11-0.20210607181445-e162fdb8e584/go.mod h1:WoyW+ySKAKjY98B9+7ZbI8z8S3jaxaisdcvj9TGlazA= github.com/minio/minio-go/v7 v7.0.14 h1:T7cw8P586gVwEEd0y21kTYtloD576XZgP62N8pE130s= github.com/minio/minio-go/v7 v7.0.14/go.mod h1:S23iSP5/gbMwtxeY5FM71R+TkAYyzEdoNEDDwpt8yWs= -github.com/minio/operator v0.0.0-20210812082324-26350f153661 h1:dGAJHpfmhNukFg0M0wDqH+G1OB2YPgZCcT6uv4n9YQk= -github.com/minio/operator v0.0.0-20210812082324-26350f153661/go.mod h1:zQqn6VGT46xlSpVXh1I/VZRv+eSgHtVu6URdg71YKX8= -github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661 h1:tJw15hS3b1dVTf5PwA4roXZ/oRNnHyZ/8Y+yNTmQ5rA= -github.com/minio/operator/logsearchapi v0.0.0-20210812082324-26350f153661/go.mod h1:R+38Pf3wfm+JMiyLPb/r8OMrBm0vK2hZgUT4y4aYoSY= +github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 h1:dkfuMNslMjGoJ4ArAMSoQhidYNdm3SgzLBP+f96O3/E= +github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7/go.mod h1:lDpuz8nwsfhKlfiBaA3Z8AW019fWEAjO2gltfLbdorE= +github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 h1:vFtQqCt67ETp0JAkOKRWTKkgwFv14Vc1jJSxmQ8wJE0= +github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7/go.mod h1:R+38Pf3wfm+JMiyLPb/r8OMrBm0vK2hZgUT4y4aYoSY= github.com/minio/pkg v1.0.3/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8= github.com/minio/pkg v1.0.4/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8= github.com/minio/pkg v1.0.8/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14= +github.com/minio/pkg v1.0.11/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14= github.com/minio/pkg v1.1.5 h1:phwKkJBQdVLyxOXC3RChPVGLtebplzQJ5jJ3l/HBvnk= github.com/minio/pkg v1.1.5/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14= github.com/minio/selfupdate v0.3.1 h1:BWEFSNnrZVMUWXbXIgLDNDjbejkmpAmZvy/nCz1HlEs= 
@@ -952,8 +957,9 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 
@@ -967,8 +973,9 @@ github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4= github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.1 h1:foqVmeWDD6yYpK+Yz3fHyNIxFYNxswxqNFjSKe+vI54= +github.com/onsi/ginkgo v1.16.1/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= @@ -977,8 +984,9 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs= github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug= +github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 
@@ -1102,6 +1110,7 @@ github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAm github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada h1:WokF3GuxBeL+n4Lk4Fa8v9mbdjlrl7bHuneF4N1bk2I= github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada/go.mod h1:WWnYX4lzhCH5h/3YBfyVA3VbLYjlMZZAQcW9ojMexNc= github.com/shirou/gopsutil/v3 v3.21.4/go.mod h1:ghfMypLDrFSWN2c9cDYFLHyynQ+QUht0cv/18ZqVczw= +github.com/shirou/gopsutil/v3 v3.21.5/go.mod h1:ghfMypLDrFSWN2c9cDYFLHyynQ+QUht0cv/18ZqVczw= github.com/shirou/gopsutil/v3 v3.21.6 h1:vU7jrp1Ic/2sHB7w6UNs7MIkn7ebVtTb5D9j45o9VYE= github.com/shirou/gopsutil/v3 v3.21.6/go.mod h1:JfVbDpIBLVzT8oKbvMg9P3wEIMDDpVn+LwHTKj0ST88= github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc= @@ -1390,6 +1399,7 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 
@@ -1422,6 +1432,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1489,14 +1500,16 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210217105451-b926d437f341/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe h1:WdX7u8s3yOigWAhHEaDl8r9G+4XwFQEQFtBMYyN+kXQ= golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007 h1:gG67DSER+11cZvqIMb8S8bt0vZtiN6xWYARwirrOSfE= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= 
@@ -1598,8 +1611,10 @@ golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200918232735-d647fc253266/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= @@ -1632,6 +1647,7 @@ google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/ google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1672,6 +1688,7 @@ google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a h1:pOwg4OoaRYScjmR4LlLgdtnyoHYTSAVhhqe5uPdpII8= google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= diff --git a/models/principal.go b/models/principal.go index e9d655773..d9b2c1687 100644 --- a/models/principal.go +++ b/models/principal.go @@ -45,9 +45,6 @@ type Principal struct { // account access key AccountAccessKey string `json:"accountAccessKey,omitempty"` - - // actions - Actions []string `json:"actions"` } // Validate validates this principal diff --git a/operatorapi/configure_operator.go b/operatorapi/configure_operator.go index 71b3836f7..f554f2202 100644 --- a/operatorapi/configure_operator.go +++ b/operatorapi/configure_operator.go @@ -65,7 +65,6 @@ func configureAPI(api *operations.OperatorAPI) http.Handler { } return &models.Principal{ STSAccessKeyID: claims.STSAccessKeyID, - Actions: claims.Actions, STSSecretAccessKey: claims.STSSecretAccessKey, STSSessionToken: claims.STSSessionToken, AccountAccessKey: claims.AccountAccessKey, diff --git a/operatorapi/operator_login.go b/operatorapi/operator_login.go index b01d366fc..78d2c0938 100644 --- a/operatorapi/operator_login.go +++ b/operatorapi/operator_login.go 
@@ -17,23 +17,17 @@ package operatorapi import ( - "bytes" - "context" "net/http" - "time" "github.com/minio/minio-go/v7/pkg/credentials" "github.com/minio/console/restapi" - iampolicy "github.com/minio/pkg/iam/policy" - "github.com/go-openapi/runtime" "github.com/go-openapi/runtime/middleware" "github.com/minio/console/models" "github.com/minio/console/operatorapi/operations" "github.com/minio/console/operatorapi/operations/user_api" - "github.com/minio/console/pkg/acl" "github.com/minio/console/pkg/auth" "github.com/minio/console/pkg/auth/idp/oauth2" ) @@ -55,10 +49,8 @@ func registerLoginHandlers(api *operations.OperatorAPI) { } // Custom response writer to set the session cookies return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) { - cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID) - for _, cookie := range cookies { - http.SetCookie(w, &cookie) - } + cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID) + http.SetCookie(w, &cookie) user_api.NewLoginCreated().WithPayload(loginResponse).WriteResponse(w, p) }) }) @@ -69,10 +61,8 @@ func registerLoginHandlers(api *operations.OperatorAPI) { } // Custom response writer to set the session cookies return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) { - cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID) - for _, cookie := range cookies { - http.SetCookie(w, &cookie) - } + cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID) + http.SetCookie(w, &cookie) user_api.NewLoginOauth2AuthCreated().WithPayload(loginResponse).WriteResponse(w, p) }) }) 
@@ -83,10 +73,8 @@ func registerLoginHandlers(api *operations.OperatorAPI) { } // Custom response writer to set the session cookies return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) { - cookies := restapi.NewSessionCookieForConsole(loginResponse.SessionID) - for _, cookie := range cookies { - http.SetCookie(w, &cookie) - } + cookie := restapi.NewSessionCookieForConsole(loginResponse.SessionID) + http.SetCookie(w, &cookie) user_api.NewLoginOperatorCreated().WithPayload(loginResponse).WriteResponse(w, p) }) }) @@ -101,7 +89,7 @@ func login(credentials restapi.ConsoleCredentialsI) (*string, error) { return nil, err } // if we made it here, the consoleCredentials work, generate a jwt with claims - token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey(), credentials.GetActions()) + token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey()) if err != nil { LogError("error authenticating user: %v", err) return nil, errInvalidCredentials 
@@ -109,67 +97,22 @@ func login(credentials restapi.ConsoleCredentialsI) (*string, error) { return &token, nil } -// getAccountPolicy will return the associated policy of the current account -func getAccountPolicy(ctx context.Context, client restapi.MinioAdmin) (*iampolicy.Policy, error) { - // Obtain the current policy assigned to this user - // necessary for generating the list of allowed endpoints - accountInfo, err := client.AccountInfo(ctx) - if err != nil { - return nil, err - } - return iampolicy.ParseConfig(bytes.NewReader(accountInfo.Policy)) -} - // getConsoleCredentials will return consoleCredentials interface including the associated policy of the current account -func getConsoleCredentials(ctx context.Context, accessKey, secretKey string) (*restapi.ConsoleCredentials, error) { +func getConsoleCredentials(accessKey, secretKey string) (*restapi.ConsoleCredentials, error) { creds, err := newConsoleCredentials(secretKey) if err != nil { return nil, err } - // cCredentials will be sts credentials, account credentials will be need it in the scenario the user wish - // to change its password - cCredentials := &restapi.ConsoleCredentials{ + return &restapi.ConsoleCredentials{ ConsoleCredentials: creds, AccountAccessKey: accessKey, - } - tokens, err := cCredentials.Get() - if err != nil { - return nil, err - } - // initialize admin client - mAdminClient, err := restapi.NewMinioAdminClient(&models.Principal{ - STSAccessKeyID: tokens.AccessKeyID, - STSSecretAccessKey: tokens.SecretAccessKey, - STSSessionToken: tokens.SessionToken, - }) - if err != nil { - return nil, err - } - userAdminClient := restapi.AdminClient{Client: mAdminClient} - // Obtain the current policy assigned to this user - // necessary for generating the list of allowed endpoints - policy, err := getAccountPolicy(ctx, userAdminClient) - if err != nil { - return nil, err - } - // by default every user starts with an empty array of available actions - // therefore we would have access only to 
pages that doesn't require any privilege - // ie: service-account page - var actions []string - // if a policy is assigned to this user we parse the actions from there - if policy != nil { - actions = acl.GetActionsStringFromPolicy(policy) - } - cCredentials.Actions = actions - return cCredentials, nil + }, nil } // getLoginResponse performs login() and serializes it to the handler's output func getLoginResponse(lr *models.LoginRequest) (*models.LoginResponse, *models.Error) { - ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) - defer cancel() // prepare console credentials - consolCreds, err := getConsoleCredentials(ctx, *lr.AccessKey, *lr.SecretKey) + consolCreds, err := getConsoleCredentials(*lr.AccessKey, *lr.SecretKey) if err != nil { return nil, prepareError(errInvalidCredentials, nil, err) } @@ -214,7 +157,7 @@ func getLoginOauth2AuthResponse() (*models.LoginResponse, *models.Error) { if err != nil { return nil, prepareError(err) } - consoleCredentials := restapi.ConsoleCredentials{ConsoleCredentials: creds, Actions: []string{}} + consoleCredentials := restapi.ConsoleCredentials{ConsoleCredentials: creds} token, err := login(consoleCredentials) if err != nil { return nil, prepareError(errInvalidCredentials, nil, err) @@ -240,7 +183,7 @@ func getLoginOperatorResponse(lmr *models.LoginOperatorRequest) (*models.LoginRe if err != nil { return nil, prepareError(err) } - consoleCreds := restapi.ConsoleCredentials{ConsoleCredentials: creds, Actions: []string{}} + consoleCreds := restapi.ConsoleCredentials{ConsoleCredentials: creds} token, err := login(consoleCreds) if err != nil { return nil, prepareError(errInvalidCredentials, nil, err) diff --git a/operatorapi/operator_session.go b/operatorapi/operator_session.go index 4aef7342a..35bddc896 100644 --- a/operatorapi/operator_session.go +++ b/operatorapi/operator_session.go 
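Review bot: The doc comment kept on `getConsoleCredentials` still says it returns credentials "including the associated policy of the current account", but the new body only wraps `newConsoleCredentials(secretKey)` and never contacts MinIO or reads a policy. Because `getLoginResponse` also dropped its 20-second context, nothing left in this path performs network I/O; the credential check presumably happens later when `login()` calls `credentials.Get()`, and the policy lookup is now expected at session validation per the commit message. Replace the stale sentence with `// getConsoleCredentials wraps the supplied keys in a ConsoleCredentials; it performs no remote call and does not fetch the account policy, which is resolved during session validation.` The `getLoginResponse` body continues past the end of the hunk.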
@@ -42,7 +42,7 @@ func getSessionResponse(session *models.Principal) (*models.OperatorSessionRespo return nil, prepareError(errorGenericInvalidSession) } sessionResp := &models.OperatorSessionResponse{ - Pages: acl.GetAuthorizedEndpoints(session.Actions), + Pages: acl.GetAuthorizedEndpoints([]string{}), Features: getListOfEnabledFeatures(), Status: models.OperatorSessionResponseStatusOk, Operator: true, diff --git a/pkg/acl/endpoints.go b/pkg/acl/endpoints.go index bf25f3a32..28eb46cd1 100644 --- a/pkg/acl/endpoints.go +++ b/pkg/acl/endpoints.go @@ -394,7 +394,6 @@ func GetAuthorizedEndpoints(actions []string) []string { if operatorOnly { rangeTake = operatorRules } - // Prepare new ActionSet structure that will hold all the user actions userAllowedAction := actionsStringToActionSet(actions) var allowedEndpoints []string diff --git a/pkg/auth/token.go b/pkg/auth/token.go index 46b5fcc9c..ae075c358 100644 --- a/pkg/auth/token.go +++ b/pkg/auth/token.go @@ -62,11 +62,10 @@ func IsSessionTokenValid(token string) bool { // TokenClaims claims struct for decrypted credentials type TokenClaims struct { - STSAccessKeyID string `json:"stsAccessKeyID,omitempty"` - STSSecretAccessKey string `json:"stsSecretAccessKey,omitempty"` - STSSessionToken string `json:"stsSessionToken,omitempty"` - AccountAccessKey string `json:"accountAccessKey,omitempty"` - Actions []string `json:"actions,omitempty"` + STSAccessKeyID string `json:"stsAccessKeyID,omitempty"` + STSSecretAccessKey string `json:"stsSecretAccessKey,omitempty"` + STSSessionToken string `json:"stsSessionToken,omitempty"` + AccountAccessKey string `json:"accountAccessKey,omitempty"` } // SessionTokenAuthenticate takes a session token, decode it, extract claims and validate the signature @@ -79,7 +78,6 @@ type TokenClaims struct { // STSSecretAccessKey // STSSessionToken // AccountAccessKey -// Actions // } func SessionTokenAuthenticate(token string) (*TokenClaims, error) { if token == "" { 
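Review bot: `Pages: acl.GetAuthorizedEndpoints([]string{})` hard-codes an empty action list, so the operator session response no longer reflects the caller's policy at all, while the commit message says the policy is now obtained during session validation. If this is deliberate — the `GetAuthorizedEndpoints` hunk below shows an `operatorOnly` path that selects `operatorRules`, so the actions may be irrelevant in operator mode — the literal deserves a comment such as `// operator sessions are not policy-scoped; GetAuthorizedEndpoints uses operatorRules regardless of actions`; if it is not, the policy fetch removed from getConsoleCredentials has to be reintroduced here. Note that this page list only gates the UI; server-side authorization presumably still comes from MinIO/Kubernetes on each call, which this hunk does not show. getSessionResponse starts outside the hunk.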
@@ -98,14 +96,13 @@ func SessionTokenAuthenticate(token string) (*TokenClaims, error) { // NewEncryptedTokenForClient generates a new session token with claims based on the provided STS credentials, first // encrypts the claims and the sign them -func NewEncryptedTokenForClient(credentials *credentials.Value, accountAccessKey string, actions []string) (string, error) { +func NewEncryptedTokenForClient(credentials *credentials.Value, accountAccessKey string) (string, error) { if credentials != nil { encryptedClaims, err := encryptClaims(&TokenClaims{ STSAccessKeyID: credentials.AccessKeyID, STSSecretAccessKey: credentials.SecretAccessKey, STSSessionToken: credentials.SessionToken, AccountAccessKey: accountAccessKey, - Actions: actions, }) if err != nil { return "", err @@ -287,7 +284,6 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) { func GetTokenFromRequest(r *http.Request) (string, error) { // Token might come either as a Cookie or as a Header // if not set in cookie, check if it is set on Header. - tokenCookie, err := r.Cookie("token") if err != nil { return "", ErrNoAuthToken @@ -296,17 +292,7 @@ func GetTokenFromRequest(r *http.Request) (string, error) { if tokenCookie.Expires.After(currentTime) { return "", errTokenExpired } - - mergeToken := strings.TrimSpace(tokenCookie.Value) - for _, cookie := range r.Cookies() { - // any cookie with token%d structure - if cookie.Name != "token" && !strings.HasPrefix(cookie.Name, "token-") && strings.HasPrefix(cookie.Name, "token") { - mergeToken = fmt.Sprintf("%s%s", mergeToken, strings.TrimSpace(cookie.Value)) - } - } - - return mergeToken, nil - + return strings.TrimSpace(tokenCookie.Value), nil } func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) { 
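Review bot: In the `GetTokenFromRequest` hunk the surviving check `if tokenCookie.Expires.After(currentTime) { return "", errTokenExpired }` cannot enforce session expiry: `r.Cookie` parses only name=value pairs from the request's Cookie header, so `Expires` is always the zero time and the branch never fires, and even if it were populated the condition is inverted (a cookie that expires after now is still valid). Expiry therefore has to come from the token itself; the `TokenClaims` struct in this commit carries no expiry field, so presumably the encrypted/signed envelope built by `NewEncryptedTokenForClient` includes one — worth confirming, because otherwise a stolen `token` cookie stays valid indefinitely. The comment at the top of the function, `// Token might come either as a Cookie or as a Header`, is also stale now: the new body reads only the `token` cookie and returns `ErrNoAuthToken` otherwise, so change it to `// The session token is read from the "token" cookie only; there is no header fallback.` GetTokenFromRequest starts in the preceding hunk, and the line that sets currentTime lies between the two hunks.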
@@ -322,7 +308,6 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) { } return &models.Principal{ STSAccessKeyID: claims.STSAccessKeyID, - Actions: claims.Actions, STSSecretAccessKey: claims.STSSecretAccessKey, STSSessionToken: claims.STSSessionToken, AccountAccessKey: claims.AccountAccessKey, diff --git a/pkg/auth/token_test.go b/pkg/auth/token_test.go index 39642030b..d0263042c 100644 --- a/pkg/auth/token_test.go +++ b/pkg/auth/token_test.go @@ -36,14 +36,14 @@ func TestNewJWTWithClaimsForClient(t *testing.T) { funcAssert := assert.New(t) // Test-1 : NewEncryptedTokenForClient() is generated correctly without errors function := "NewEncryptedTokenForClient()" - token, err := NewEncryptedTokenForClient(creds, "", []string{""}) + token, err := NewEncryptedTokenForClient(creds, "") if err != nil || token == "" { t.Errorf("Failed on %s:, error occurred: %s", function, err) } // saving token for future tests goodToken = token // Test-2 : NewEncryptedTokenForClient() throws error because of empty credentials - if _, err = NewEncryptedTokenForClient(nil, "", []string{""}); err != nil { + if _, err = NewEncryptedTokenForClient(nil, ""); err != nil { funcAssert.Equal("provided credentials are empty", err.Error()) } } diff --git a/portal-ui/src/common/utils.ts b/portal-ui/src/common/utils.ts index 66a1b9e3f..250afd062 100644 --- a/portal-ui/src/common/utils.ts +++ b/portal-ui/src/common/utils.ts @@ -76,9 +76,6 @@ export const deleteCookie = (name: string) => { export const clearSession = () => { storage.removeItem("token"); deleteCookie("token"); - for (let i = 1; i < 10; i++) { - deleteCookie(`token${i}`); - } }; // timeFromDate gets time string from date input diff --git a/restapi/client.go b/restapi/client.go index ff5615c2f..0f8771595 100644 --- a/restapi/client.go +++ b/restapi/client.go 
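Review bot: Dropping the `token1`..`token9` loop from `clearSession` means browsers that still hold those cookies from the previous split-cookie build will keep sending them — and the stale session fragments they contain — on every request until they expire, since nothing on the server side (the new `GetTokenFromRequest` reads only `token`) clears them either. This is harmless for authentication, but it leaves old secret material sitting in the browser. Consider keeping the loop for one release as a migration step, e.g. `for (let i = 1; i < 10; i++) deleteCookie("token" + i);` with a comment saying it removes cookies written by earlier versions.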
@@ -262,18 +262,12 @@ type ConsoleCredentialsI interface { Get() (credentials.Value, error) Expire() GetAccountAccessKey() string - GetActions() []string } // Interface implementation type ConsoleCredentials struct { ConsoleCredentials *credentials.Credentials AccountAccessKey string - Actions []string -} - -func (c ConsoleCredentials) GetActions() []string { - return c.Actions } func (c ConsoleCredentials) GetAccountAccessKey() string { diff --git a/restapi/configure_console.go b/restapi/configure_console.go index 5b8defe77..a3391eec2 100644 --- a/restapi/configure_console.go +++ b/restapi/configure_console.go @@ -69,7 +69,6 @@ func configureAPI(api *operations.ConsoleAPI) http.Handler { } return &models.Principal{ STSAccessKeyID: claims.STSAccessKeyID, - Actions: claims.Actions, STSSecretAccessKey: claims.STSSecretAccessKey, STSSessionToken: claims.STSSessionToken, AccountAccessKey: claims.AccountAccessKey, diff --git a/restapi/embedded_spec.go b/restapi/embedded_spec.go index 413ae9743..f5f7ed15c 100644 --- a/restapi/embedded_spec.go +++ b/restapi/embedded_spec.go @@ -4797,12 +4797,6 @@ func init() { }, "accountAccessKey": { "type": "string" - }, - "actions": { - "type": "array", - "items": { - "type": "string" - } } } }, @@ -10531,12 +10525,6 @@ func init() { }, "accountAccessKey": { "type": "string" - }, - "actions": { - "type": "array", - "items": { - "type": "string" - } } } }, diff --git a/restapi/user_account.go b/restapi/user_account.go index 0e02cf664..5d7345faa 100644 --- a/restapi/user_account.go +++ b/restapi/user_account.go 
@@ -39,10 +39,8 @@ func registerAccountHandlers(api *operations.ConsoleAPI) { } // Custom response writer to update the session cookies return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) { - cookies := NewSessionCookieForConsole(changePasswordResponse.SessionID) - for _, cookie := range cookies { - http.SetCookie(w, &cookie) - } + cookie := NewSessionCookieForConsole(changePasswordResponse.SessionID) + http.SetCookie(w, &cookie) user_api.NewLoginCreated().WithPayload(changePasswordResponse).WriteResponse(w, p) }) }) @@ -88,7 +86,7 @@ func getChangePasswordResponse(session *models.Principal, params user_api.Accoun } // user credentials are updated at this point, we need to generate a new admin client and authenticate using // the new credentials - credentials, err := getConsoleCredentials(ctx, accessKey, newSecretKey) + credentials, err := getConsoleCredentials(accessKey, newSecretKey) if err != nil { return nil, prepareError(errInvalidCredentials, nil, err) } diff --git a/restapi/user_login.go b/restapi/user_login.go index 4609b4578..4b02496ff 100644 --- a/restapi/user_login.go +++ b/restapi/user_login.go @@ -29,7 +29,6 @@ import ( "github.com/go-openapi/runtime" "github.com/go-openapi/runtime/middleware" "github.com/minio/console/models" - "github.com/minio/console/pkg/acl" "github.com/minio/console/pkg/auth" "github.com/minio/console/pkg/auth/idp/oauth2" "github.com/minio/console/restapi/operations" @@ -53,10 +52,8 @@ func registerLoginHandlers(api *operations.ConsoleAPI) { } // Custom response writer to set the session cookies return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) { - cookies := NewSessionCookieForConsole(loginResponse.SessionID) - for _, cookie := range cookies { - http.SetCookie(w, &cookie) - } + cookie := NewSessionCookieForConsole(loginResponse.SessionID) + http.SetCookie(w, &cookie) user_api.NewLoginCreated().WithPayload(loginResponse).WriteResponse(w, p) }) }) 
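Review bot: In the `@@ -88,7 +86,7 @@` hunk the error from `getConsoleCredentials(accessKey, newSecretKey)` is still mapped to `errInvalidCredentials`, but after this commit that function only wraps the keys locally and performs no call to MinIO, so the only way it can fail is a local construction error — the new secret is not verified at this point. If, as the comment above it says, the code then authenticates with the new credentials (presumably via `login()`, outside the hunk), the real validation happens there and this mapping is merely misleading; a comment such as `// no remote validation here; the new secret is checked when login() calls credentials.Get()` would make that clear. getChangePasswordResponse starts and ends outside the hunk.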
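Review bot: The `@@ -53,10 +52,8 @@` hunk in user_login.go now writes one `token` cookie per login, and whether that is safe depends on two things this chunk does not show. The original split existed because of the ~4 KiB per-cookie browser limit; with policy actions gone the encrypted payload is still the STS key, secret and session token (a MinIO-issued JWT whose size depends on the claims MinIO embeds), so confirm the largest real-world token stays under that limit — a browser silently drops an oversized cookie, and the 201 response would then describe a session the client never stored. Also confirm that the `NewSessionCookieForConsole` rewrite in restapi/utils.go (changed by this commit, not in this chunk) keeps `HttpOnly`, `Secure` and `SameSite` on the single cookie, since it now carries the whole credential. The identical responder pattern is repeated in the two following hunks and in operatorapi; a helper like `setSessionCookie(w, sessionID)` would remove the duplication. registerLoginHandlers starts outside the hunk.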
@@ -67,10 +64,8 @@ func registerLoginHandlers(api *operations.ConsoleAPI) {
  }
  // Custom response writer to set the session cookies
  return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
- cookies := NewSessionCookieForConsole(loginResponse.SessionID)
- for _, cookie := range cookies {
- http.SetCookie(w, &cookie)
- }
+ cookie := NewSessionCookieForConsole(loginResponse.SessionID)
+ http.SetCookie(w, &cookie)
  user_api.NewLoginOauth2AuthCreated().WithPayload(loginResponse).WriteResponse(w, p)
  })
  })
@@ -81,10 +76,8 @@ func registerLoginHandlers(api *operations.ConsoleAPI) {
  }
  // Custom response writer to set the session cookies
  return middleware.ResponderFunc(func(w http.ResponseWriter, p runtime.Producer) {
- cookies := NewSessionCookieForConsole(loginResponse.SessionID)
- for _, cookie := range cookies {
- http.SetCookie(w, &cookie)
- }
+ cookie := NewSessionCookieForConsole(loginResponse.SessionID)
+ http.SetCookie(w, &cookie)
  user_api.NewLoginOperatorCreated().WithPayload(loginResponse).WriteResponse(w, p)
  })
  })
@@ -99,7 +92,7 @@ func login(credentials ConsoleCredentialsI) (*string, error) {
  return nil, err
  }
  // if we made it here, the consoleCredentials work, generate a jwt with claims
- token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey(), credentials.GetActions())
+ token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey())
  if err != nil {
  LogError("error authenticating user: %v", err)
  return nil, errInvalidCredentials
@@ -118,56 +111,22 @@ func getAccountPolicy(ctx context.Context, client MinioAdmin) (*iampolicy.Policy
  return iampolicy.ParseConfig(bytes.NewReader(accountInfo.Policy))
 }
 
-// getConsoleCredentials will return ConsoleCredentials interface including the associated policy of the current account
-func getConsoleCredentials(ctx context.Context, accessKey, secretKey string) (*ConsoleCredentials, error) {
+// getConsoleCredentials will return ConsoleCredentials interface
+func getConsoleCredentials(accessKey, secretKey string) (*ConsoleCredentials, error) {
  creds, err := NewConsoleCredentials(accessKey, secretKey, GetMinIORegion())
  if err != nil {
  return nil, err
  }
- // cCredentials will be sts credentials, account credentials will be need it in the scenario the user wish
- // to change its password
- cCredentials := &ConsoleCredentials{
+ return &ConsoleCredentials{
  ConsoleCredentials: creds,
  AccountAccessKey: accessKey,
- }
- tokens, err := cCredentials.Get()
- if err != nil {
- return nil, err
- }
- // initialize admin client
- mAdminClient, err := NewMinioAdminClient(&models.Principal{
- STSAccessKeyID: tokens.AccessKeyID,
- STSSecretAccessKey: tokens.SecretAccessKey,
- STSSessionToken: tokens.SessionToken,
- })
- if err != nil {
- return nil, err
- }
- userAdminClient := AdminClient{Client: mAdminClient}
- // Obtain the current policy assigned to this user
- // necessary for generating the list of allowed endpoints
- policy, err := getAccountPolicy(ctx, userAdminClient)
- if err != nil {
- return nil, err
- }
- // by default every user starts with an empty array of available actions
- // therefore we would have access only to pages that doesn't require any privilege
- // ie: service-account page
- var actions []string
- // if a policy is assigned to this user we parse the actions from there
- if policy != nil {
- actions = acl.GetActionsStringFromPolicy(policy)
- }
- cCredentials.Actions = actions
- return cCredentials, nil
+ }, nil
 }
 
 // getLoginResponse performs login() and serializes it to the handler's output
 func getLoginResponse(lr *models.LoginRequest) (*models.LoginResponse, *models.Error) {
- ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
- defer cancel()
  // prepare console credentials
- consolCreds, err := getConsoleCredentials(ctx, *lr.AccessKey, *lr.SecretKey)
+ consolCreds, err := getConsoleCredentials(*lr.AccessKey, *lr.SecretKey)
  if err != nil {
  return nil, prepareError(err, errInvalidCredentials, err)
  }
@@ -232,39 +191,11 @@ func getLoginOauth2AuthResponse(lr *models.LoginOauth2AuthRequest) (*models.Logi
  if err != nil {
  return nil, prepareError(errInvalidCredentials, nil, err)
  }
- creds, err := userCredentials.Get()
- if err != nil {
- return nil, prepareError(errInvalidCredentials, nil, err)
- }
  // initialize admin client
- mAdminClient, err := NewMinioAdminClient(&models.Principal{
- STSAccessKeyID: creds.AccessKeyID,
- STSSecretAccessKey: creds.SecretAccessKey,
- STSSessionToken: creds.SessionToken,
- })
- if err != nil {
- return nil, prepareError(errInvalidCredentials, nil, err)
- }
- userAdminClient := AdminClient{Client: mAdminClient}
- // Obtain the current policy assigned to this user
- // necessary for generating the list of allowed endpoints
- policy, err := getAccountPolicy(ctx, userAdminClient)
- if err != nil {
- return nil, prepareError(ErrorGeneric, nil, err)
- }
- // by default every user starts with an empty array of available actions
- // therefore we would have access only to pages that doesn't require any privilege
- // ie: service-account page
- var actions []string
- // if a policy is assigned to this user we parse the actions from there
- if policy != nil {
- actions = acl.GetActionsStringFromPolicy(policy)
- }
  // login user against console and generate session token
  token, err := login(&ConsoleCredentials{
  ConsoleCredentials: userCredentials,
  AccountAccessKey: "",
- Actions: actions,
  })
  if err != nil {
  return nil, prepareError(errInvalidCredentials, nil, err)
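Review bot: The rewritten doc comment `// getConsoleCredentials will return ConsoleCredentials interface` no longer describes the function: it returns a concrete `*ConsoleCredentials`, and after this change it performs no server call at all, so the key pair appears to be verified only later, when `login()` obtains `tokens` from it (the "if we made it here, the consoleCredentials work" comment in the `login` hunk). I would reword it to `// getConsoleCredentials wraps an access/secret key pair in ConsoleCredentials without contacting the server; the pair is only validated when the credentials are first used.` On the changed `getLoginResponse` line, `consolCreds` could also become `consoleCreds` to match the name used in `getLoginOperatorResponse`. The body of `getLoginResponse` continues past the hunk.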
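Review bot: The context comment `// initialize admin client` in `getLoginOauth2AuthResponse` is left stranded: the admin-client block beneath it is removed, so it now sits directly above `// login user against console and generate session token` and describes nothing. Delete that line. The function starts outside the hunk, so I cannot see whether `ctx` still has another consumer there; since Go rejects unused locals the build presumably settles that.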
@@ -284,7 +215,7 @@ func getLoginOperatorResponse(lmr *models.LoginOperatorRequest) (*models.LoginRe
  if err != nil {
  return nil, prepareError(err)
  }
- consoleCreds := ConsoleCredentials{ConsoleCredentials: creds, Actions: []string{}}
+ consoleCreds := ConsoleCredentials{ConsoleCredentials: creds}
  token, err := login(consoleCreds)
  if err != nil {
  return nil, prepareError(errInvalidCredentials, nil, err)
diff --git a/restapi/user_session.go b/restapi/user_session.go
index 992650625..57e4e22bf 100644
--- a/restapi/user_session.go
+++ b/restapi/user_session.go
@@ -17,8 +17,10 @@
 package restapi
 
 import (
+ "context"
  "net/http"
  "net/url"
+ "time"
 
  "github.com/go-openapi/runtime/middleware"
  "github.com/minio/console/models"
@@ -65,13 +67,40 @@ func registerSessionHandlers(api *operations.ConsoleAPI) {
 
 // getSessionResponse parse the token of the current session and returns a list of allowed actions to render in the UI
 func getSessionResponse(session *models.Principal) (*models.SessionResponse, *models.Error) {
+ ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+ defer cancel()
  // serialize output
  if session == nil {
  return nil, prepareError(errorGenericInvalidSession)
  }
+ // initialize admin client
+ mAdminClient, err := NewMinioAdminClient(&models.Principal{
+ STSAccessKeyID: session.STSAccessKeyID,
+ STSSecretAccessKey: session.STSSecretAccessKey,
+ STSSessionToken: session.STSSessionToken,
+ })
+ if err != nil {
+ return nil, prepareError(err, errorGenericInvalidSession)
+ }
+ userAdminClient := AdminClient{Client: mAdminClient}
+ // Obtain the current policy assigned to this user
+ // necessary for generating the list of allowed endpoints
+ policy, err := getAccountPolicy(ctx, userAdminClient)
+ if err != nil {
+ return nil, prepareError(err, errorGenericInvalidSession)
+ }
+ // by default every user starts with an empty array of available actions
+ // therefore we would have access only to pages that doesn't require any privilege
+ // ie: service-account page
+ var actions []string
+ // if a policy is assigned to this user we parse the actions from there
+ if policy != nil {
+ actions = acl.GetActionsStringFromPolicy(policy)
+ }
+
  sessionResp := &models.SessionResponse{
- Pages: acl.GetAuthorizedEndpoints(session.Actions),
+ Pages: acl.GetAuthorizedEndpoints(actions),
  Features: getListOfEnabledFeatures(),
  Status: models.SessionResponseStatusOk,
  Operator: false,
diff --git a/restapi/utils.go b/restapi/utils.go
index a3f6ba2a8..bf8ef3c15 100644
--- a/restapi/utils.go
+++ b/restapi/utils.go
@@ -18,7 +18,6 @@ package restapi
 
 import (
  "crypto/rand"
- "fmt"
  "io"
  "net/http"
  "os"
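Review bot: In `getSessionResponse` a failure of `getAccountPolicy` is reported as `errorGenericInvalidSession`, so a transient admin-API error during a session check (timeout on the 20 s context, server restart) becomes indistinguishable to the client from an expired or revoked session, and the UI will presumably treat it as a logout. Failing to build the admin client from the session's STS values is arguably an invalid-session condition, but the policy fetch is a backend call; I would return `prepareError(ErrorGeneric, nil, err)` there, which is what the removed code in `getLoginOauth2AuthResponse` did for the same call. The new calls also pass the internal error first (`prepareError(err, errorGenericInvalidSession)`) while the rest of the diff passes it last (`prepareError(errInvalidCredentials, nil, err)`); worth confirming `prepareError` handles that order as intended. The function body continues past the hunk.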
@@ -106,73 +105,20 @@ func FileExists(filename string) bool {
  return !info.IsDir()
 }
 
-func NewSessionCookieForConsole(token string) []http.Cookie {
- const CookieChunk = 3800
-
- expiration := time.Now().Add(SessionDuration)
- var cookies []http.Cookie
-
- i := 0
- cookieIndex := 0
-
- for i < len(token) {
- var until int
- if i+CookieChunk < len(token) {
- until = i + CookieChunk
- } else {
- until = len(token)
- }
-
- cookieName := "token"
- if len(cookies) > 0 {
- cookieName = fmt.Sprintf("token%d", len(cookies))
- }
-
- cookie := http.Cookie{
- Path: "/",
- Name: cookieName,
- Value: token[i:until],
- MaxAge: int(SessionDuration.Seconds()), // 45 minutes
- Expires: expiration,
- HttpOnly: true,
- // if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
- // should not leak any cookie if we access the site using HTTP
- Secure: len(GlobalPublicCerts) > 0,
- // read more: https://web.dev/samesite-cookies-explained/
- SameSite: http.SameSiteLaxMode,
- }
-
- cookies = append(cookies, cookie)
- i += until
- cookieIndex++
+func NewSessionCookieForConsole(token string) http.Cookie {
+ return http.Cookie{
+ Path: "/",
+ Name: "token",
+ Value: token,
+ MaxAge: int(SessionDuration.Seconds()), // 45 minutes
+ Expires: time.Now().Add(SessionDuration),
+ HttpOnly: true,
+ // if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
+ // should not leak any cookie if we access the site using HTTP
+ Secure: len(GlobalPublicCerts) > 0,
+ // read more: https://web.dev/samesite-cookies-explained/
+ SameSite: http.SameSiteLaxMode,
  }
-
- // clear old cookies
- expiredDuration := time.Now().Add(-1 * time.Second)
- for i := cookieIndex; i < 10; i++ {
- cookieName := "token"
- if len(cookies) > 0 {
- cookieName = fmt.Sprintf("token%d", i)
- }
-
- cookie := http.Cookie{
- Path: "/",
- Name: cookieName,
- Value: "",
- MaxAge: 0, // 45 minutes
- Expires: expiredDuration,
- HttpOnly: true,
- // if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
- // should not leak any cookie if we access the site using HTTP
- Secure: len(GlobalPublicCerts) > 0,
- // read more: https://web.dev/samesite-cookies-explained/
- SameSite: http.SameSiteLaxMode,
- }
-
- cookies = append(cookies, cookie)
- }
-
- return cookies
 }
 
 func ExpireSessionCookie() http.Cookie {
diff --git a/swagger-console.yml b/swagger-console.yml
index 587489d27..fb44e49ae 100644
--- a/swagger-console.yml
+++ b/swagger-console.yml
@@ -3044,10 +3044,6 @@ definitions:
  type: string
  STSSessionToken:
  type: string
- actions:
- type: array
- items:
- type: string
  accountAccessKey:
  type: string
  startProfilingItem:
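Review bot: `NewSessionCookieForConsole` no longer expires the `token1`…`token9` chunk cookies that the previous implementation cleared on every login, so a browser holding a session from a build with chunked tokens keeps those stale fragments until their own `Expires` and sends them on every request next to the new `token` cookie. A transitional cleanup for one release — the login handlers in user_account.go and user_login.go also writing expired cookies under the old chunk names, with `ExpireSessionCookie()` just below as the template — would avoid that. The single cookie must also stay within the per-cookie size browsers enforce (about 4 KiB, which the removed 3800-byte `CookieChunk` was sized for); presumably the token is small enough now that the policy actions are no longer embedded, but if it ever exceeds the limit the browser drops the cookie silently and login appears to succeed without a session, so a `len(token)` check with a logged error would be cheap insurance. The `// 45 minutes` comment on `MaxAge` restates a value that actually comes from `SessionDuration`; drop it or phrase it as `// SessionDuration, in seconds`.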