Refactor session token (#1109)

- Update operator dependency
- Don't store the policy in the session token; instead, obtain it during
  session validation

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
Lenin Alevski
2021-10-12 21:25:02 -07:00
parent 2cae87aaed
commit 410b4555e3
18 changed files with 108 additions and 290 deletions


@@ -62,11 +62,10 @@ func IsSessionTokenValid(token string) bool {
// TokenClaims claims struct for decrypted credentials
type TokenClaims struct {
STSAccessKeyID string `json:"stsAccessKeyID,omitempty"`
STSSecretAccessKey string `json:"stsSecretAccessKey,omitempty"`
STSSessionToken string `json:"stsSessionToken,omitempty"`
AccountAccessKey string `json:"accountAccessKey,omitempty"`
Actions []string `json:"actions,omitempty"`
STSAccessKeyID string `json:"stsAccessKeyID,omitempty"`
STSSecretAccessKey string `json:"stsSecretAccessKey,omitempty"`
STSSessionToken string `json:"stsSessionToken,omitempty"`
AccountAccessKey string `json:"accountAccessKey,omitempty"`
}
// SessionTokenAuthenticate takes a session token, decode it, extract claims and validate the signature
@@ -79,7 +78,6 @@ type TokenClaims struct {
// STSSecretAccessKey
// STSSessionToken
// AccountAccessKey
// Actions
// }
func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
if token == "" {
@@ -98,14 +96,13 @@ func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
// NewEncryptedTokenForClient generates a new session token with claims based on the provided STS credentials, first
// encrypts the claims and the sign them
func NewEncryptedTokenForClient(credentials *credentials.Value, accountAccessKey string, actions []string) (string, error) {
func NewEncryptedTokenForClient(credentials *credentials.Value, accountAccessKey string) (string, error) {
if credentials != nil {
encryptedClaims, err := encryptClaims(&TokenClaims{
STSAccessKeyID: credentials.AccessKeyID,
STSSecretAccessKey: credentials.SecretAccessKey,
STSSessionToken: credentials.SessionToken,
AccountAccessKey: accountAccessKey,
Actions: actions,
})
if err != nil {
return "", err
@@ -287,7 +284,6 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
func GetTokenFromRequest(r *http.Request) (string, error) {
// Token might come either as a Cookie or as a Header
// if not set in cookie, check if it is set on Header.
tokenCookie, err := r.Cookie("token")
if err != nil {
return "", ErrNoAuthToken
@@ -296,17 +292,7 @@ func GetTokenFromRequest(r *http.Request) (string, error) {
if tokenCookie.Expires.After(currentTime) {
return "", errTokenExpired
}
mergeToken := strings.TrimSpace(tokenCookie.Value)
for _, cookie := range r.Cookies() {
// any cookie with token%d structure
if cookie.Name != "token" && !strings.HasPrefix(cookie.Name, "token-") && strings.HasPrefix(cookie.Name, "token") {
mergeToken = fmt.Sprintf("%s%s", mergeToken, strings.TrimSpace(cookie.Value))
}
}
return mergeToken, nil
return strings.TrimSpace(tokenCookie.Value), nil
}
func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
@@ -322,7 +308,6 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
}
return &models.Principal{
STSAccessKeyID: claims.STSAccessKeyID,
Actions: claims.Actions,
STSSecretAccessKey: claims.STSSecretAccessKey,
STSSessionToken: claims.STSSessionToken,
AccountAccessKey: claims.AccountAccessKey,
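Review bot: The expiry guard left in GetTokenFromRequest, `if tokenCookie.Expires.After(currentTime) { return "", errTokenExpired }`, cannot do what it intends: `r.Cookie` parses the Cookie request header, which carries only name=value pairs, so as parsed by net/http `Expires` is the zero time and the branch never fires — and even if it were populated, `After` would reject cookies that expire in the future rather than the past. With the token now reduced to a single cookie value, session expiry has to be enforced from the signed claims themselves; I cannot see from this hunk whether SessionTokenAuthenticate does that, so please confirm. If the cookie-side check is kept for defence in depth it should read `if !tokenCookie.Expires.IsZero() && tokenCookie.Expires.Before(currentTime) {`, and the comment above it ("if not set in cookie, check if it is set on Header") is stale, since the new body returns ErrNoAuthToken without ever consulting a header. GetTokenFromRequest's opening lines, including the definition of `currentTime`, sit in the preceding hunk and in the lines skipped between the two hunks.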


@@ -36,14 +36,14 @@ func TestNewJWTWithClaimsForClient(t *testing.T) {
funcAssert := assert.New(t)
// Test-1 : NewEncryptedTokenForClient() is generated correctly without errors
function := "NewEncryptedTokenForClient()"
token, err := NewEncryptedTokenForClient(creds, "", []string{""})
token, err := NewEncryptedTokenForClient(creds, "")
if err != nil || token == "" {
t.Errorf("Failed on %s:, error occurred: %s", function, err)
}
// saving token for future tests
goodToken = token
// Test-2 : NewEncryptedTokenForClient() throws error because of empty credentials
if _, err = NewEncryptedTokenForClient(nil, "", []string{""}); err != nil {
if _, err = NewEncryptedTokenForClient(nil, ""); err != nil {
funcAssert.Equal("provided credentials are empty", err.Error())
}
}
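Review bot: Test-2 only asserts the error text inside `if _, err = NewEncryptedTokenForClient(nil, ""); err != nil {`, so if nil credentials ever stop producing an error the test passes silently instead of failing. Assert unconditionally: `_, err = NewEncryptedTokenForClient(nil, "")` followed by `funcAssert.EqualError(err, "provided credentials are empty")`. Test-1 is fine as written, since a nil error with a non-empty token is its only passing path; `creds` and `goodToken` are defined outside this hunk.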