update all deps to new changes (#3489)
This commit is contained in:
Harshavardhana
GitHub
@@ -21,6 +21,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
@@ -288,6 +289,7 @@ type ConsoleCredentialsI interface {
|
||||
type ConsoleCredentials struct {
|
||||
ConsoleCredentials *credentials.Credentials
|
||||
AccountAccessKey string
|
||||
CredContext *credentials.CredContext
|
||||
}
|
||||
|
||||
func (c ConsoleCredentials) GetAccountAccessKey() string {
|
||||
@@ -296,7 +298,7 @@ func (c ConsoleCredentials) GetAccountAccessKey() string {
|
||||
|
||||
// Get implements *Login.Get()
|
||||
func (c ConsoleCredentials) Get() (credentials.Value, error) {
|
||||
return c.ConsoleCredentials.Get()
|
||||
return c.ConsoleCredentials.GetWithContext(c.CredContext)
|
||||
}
|
||||
|
||||
// Expire implements *Login.Expire()
|
||||
@@ -311,6 +313,10 @@ type consoleSTSAssumeRole struct {
|
||||
stsAssumeRole *credentials.STSAssumeRole
|
||||
}
|
||||
|
||||
func (s consoleSTSAssumeRole) RetrieveWithCredContext(cc *credentials.CredContext) (credentials.Value, error) {
|
||||
return s.stsAssumeRole.RetrieveWithCredContext(cc)
|
||||
}
|
||||
|
||||
func (s consoleSTSAssumeRole) Retrieve() (credentials.Value, error) {
|
||||
return s.stsAssumeRole.Retrieve()
|
||||
}
|
||||
@@ -319,7 +325,7 @@ func (s consoleSTSAssumeRole) IsExpired() bool {
|
||||
return s.stsAssumeRole.IsExpired()
|
||||
}
|
||||
|
||||
func stsCredentials(minioURL, accessKey, secretKey, location, clientIP string) (*credentials.Credentials, error) {
|
||||
func stsCredentials(minioURL, accessKey, secretKey, location string, client *http.Client) (*credentials.Credentials, error) {
|
||||
if accessKey == "" || secretKey == "" {
|
||||
return nil, errors.New("credentials endpoint, access and secret key are mandatory for AssumeRoleSTS")
|
||||
}
|
||||
@@ -330,7 +336,7 @@ func stsCredentials(minioURL, accessKey, secretKey, location, clientIP string) (
|
||||
DurationSeconds: int(xjwt.GetConsoleSTSDuration().Seconds()),
|
||||
}
|
||||
stsAssumeRole := &credentials.STSAssumeRole{
|
||||
Client: GetConsoleHTTPClient(clientIP),
|
||||
Client: client,
|
||||
STSEndpoint: minioURL,
|
||||
Options: opts,
|
||||
}
|
||||
@@ -338,51 +344,48 @@ func stsCredentials(minioURL, accessKey, secretKey, location, clientIP string) (
|
||||
return credentials.New(consoleSTSWrapper), nil
|
||||
}
|
||||
|
||||
func NewConsoleCredentials(accessKey, secretKey, location, clientIP string) (*credentials.Credentials, error) {
|
||||
func NewConsoleCredentials(accessKey, secretKey, location string, client *http.Client) (*credentials.Credentials, error) {
|
||||
minioURL := getMinIOServer()
|
||||
|
||||
// Future authentication methods can be added under this switch statement
|
||||
switch {
|
||||
// LDAP authentication for Console
|
||||
case ldap.GetLDAPEnabled():
|
||||
{
|
||||
creds, err := auth.GetCredentialsFromLDAP(GetConsoleHTTPClient(clientIP), minioURL, accessKey, secretKey)
|
||||
if ldap.GetLDAPEnabled() {
|
||||
creds, err := auth.GetCredentialsFromLDAP(client, minioURL, accessKey, secretKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
credContext := &credentials.CredContext{
|
||||
Client: client,
|
||||
}
|
||||
|
||||
// We verify if LDAP credentials are correct and no error is returned
|
||||
_, err = creds.GetWithContext(credContext)
|
||||
|
||||
if err != nil && strings.Contains(strings.ToLower(err.Error()), "not found") {
|
||||
// We try to use STS Credentials in case LDAP credentials are incorrect.
|
||||
stsCreds, errSTS := stsCredentials(minioURL, accessKey, secretKey, location, client)
|
||||
|
||||
// If there is an error with STS too, then we return the original LDAP error
|
||||
if errSTS != nil {
|
||||
LogError("error in STS credentials for LDAP case: %v ", errSTS)
|
||||
|
||||
// We return LDAP result
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
_, err := stsCreds.GetWithContext(credContext)
|
||||
// There is an error with STS credentials, We return the result of LDAP as STS is not a priority in this case.
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
// We verify if LDAP credentials are correct and no error is returned
|
||||
_, err = creds.Get()
|
||||
|
||||
if err != nil && strings.Contains(strings.ToLower(err.Error()), "not found") {
|
||||
// We try to use STS Credentials in case LDAP credentials are incorrect.
|
||||
stsCreds, errSTS := stsCredentials(minioURL, accessKey, secretKey, location, clientIP)
|
||||
|
||||
// If there is an error with STS too, then we return the original LDAP error
|
||||
if errSTS != nil {
|
||||
LogError("error in STS credentials for LDAP case: %v ", errSTS)
|
||||
|
||||
// We return LDAP result
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
_, err := stsCreds.Get()
|
||||
// There is an error with STS credentials, We return the result of LDAP as STS is not a priority in this case.
|
||||
if err != nil {
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
return stsCreds, nil
|
||||
}
|
||||
|
||||
return creds, nil
|
||||
}
|
||||
// default authentication for Console is via STS (Security Token Service) against MinIO
|
||||
default:
|
||||
{
|
||||
return stsCredentials(minioURL, accessKey, secretKey, location, clientIP)
|
||||
return stsCreds, nil
|
||||
}
|
||||
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
return stsCredentials(minioURL, accessKey, secretKey, location, client)
|
||||
}
|
||||
|
||||
// getConsoleCredentialsFromSession returns the *consoleCredentials.Login associated to the
|
||||
|
||||
@@ -58,6 +58,7 @@ func getChangePasswordResponse(session *models.Principal, params accountApi.Acco
|
||||
ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
|
||||
defer cancel()
|
||||
clientIP := getClientIP(params.HTTPRequest)
|
||||
client := GetConsoleHTTPClient(clientIP)
|
||||
|
||||
// changePassword operations requires an AdminClient initialized with parent account credentials not
|
||||
// STS credentials
|
||||
@@ -79,7 +80,7 @@ func getChangePasswordResponse(session *models.Principal, params accountApi.Acco
|
||||
}
|
||||
// user credentials are updated at this point, we need to generate a new admin client and authenticate using
|
||||
// the new credentials
|
||||
credentials, err := getConsoleCredentials(accessKey, newSecretKey, clientIP)
|
||||
credentials, err := getConsoleCredentials(accessKey, newSecretKey, client)
|
||||
if err != nil {
|
||||
return nil, ErrorWithContext(ctx, ErrInvalidLogin, nil, err)
|
||||
}
|
||||
|
||||
@@ -21,6 +21,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -29,6 +30,7 @@ import (
|
||||
"github.com/minio/madmin-go/v3"
|
||||
"github.com/minio/mc/cmd"
|
||||
"github.com/minio/mc/pkg/probe"
|
||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||
"github.com/minio/minio-go/v7/pkg/sse"
|
||||
"github.com/minio/minio-go/v7/pkg/tags"
|
||||
|
||||
@@ -1067,8 +1069,7 @@ func getMaxShareLinkExpirationResponse(session *models.Principal, params bucketA
|
||||
// getMaxShareLinkExpirationSeconds returns the max share link expiration time in seconds which is the sts token expiration time
|
||||
func getMaxShareLinkExpirationSeconds(session *models.Principal) (int64, error) {
|
||||
creds := getConsoleCredentialsFromSession(session)
|
||||
|
||||
val, err := creds.Get()
|
||||
val, err := creds.GetWithContext(&credentials.CredContext{Client: http.DefaultClient})
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
@@ -20,15 +20,10 @@ import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
stderrors "errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/go-openapi/errors"
|
||||
|
||||
"github.com/go-openapi/runtime"
|
||||
"github.com/go-openapi/runtime/middleware"
|
||||
"github.com/minio/console/api/operations"
|
||||
@@ -39,6 +34,7 @@ import (
|
||||
"github.com/minio/madmin-go/v3"
|
||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||
"github.com/minio/pkg/v3/env"
|
||||
xnet "github.com/minio/pkg/v3/net"
|
||||
)
|
||||
|
||||
func registerLoginHandlers(api *operations.ConsoleAPI) {
|
||||
@@ -114,14 +110,17 @@ func getAccountInfo(ctx context.Context, client MinioAdmin) (*madmin.AccountInfo
|
||||
}
|
||||
|
||||
// getConsoleCredentials will return ConsoleCredentials interface
|
||||
func getConsoleCredentials(accessKey, secretKey, clientIP string) (*ConsoleCredentials, error) {
|
||||
creds, err := NewConsoleCredentials(accessKey, secretKey, GetMinIORegion(), clientIP)
|
||||
func getConsoleCredentials(accessKey, secretKey string, client *http.Client) (*ConsoleCredentials, error) {
|
||||
creds, err := NewConsoleCredentials(accessKey, secretKey, GetMinIORegion(), client)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ConsoleCredentials{
|
||||
ConsoleCredentials: creds,
|
||||
AccountAccessKey: accessKey,
|
||||
CredContext: &credentials.CredContext{
|
||||
Client: client,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -130,25 +129,24 @@ func getLoginResponse(params authApi.LoginParams) (*models.LoginResponse, *Coded
|
||||
ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
|
||||
defer cancel()
|
||||
lr := params.Body
|
||||
|
||||
clientIP := getClientIP(params.HTTPRequest)
|
||||
client := GetConsoleHTTPClient(clientIP)
|
||||
|
||||
var err error
|
||||
var consoleCreds *ConsoleCredentials
|
||||
// if we receive an STS we use that instead of the credentials
|
||||
if lr.Sts != "" {
|
||||
creds := credentials.NewStaticV4(lr.AccessKey, lr.SecretKey, lr.Sts)
|
||||
consoleCreds = &ConsoleCredentials{
|
||||
ConsoleCredentials: creds,
|
||||
ConsoleCredentials: credentials.NewStaticV4(lr.AccessKey, lr.SecretKey, lr.Sts),
|
||||
AccountAccessKey: lr.AccessKey,
|
||||
}
|
||||
|
||||
credsVerificate, _ := creds.Get()
|
||||
|
||||
if credsVerificate.SessionToken == "" || credsVerificate.SecretAccessKey == "" || credsVerificate.AccessKeyID == "" {
|
||||
return nil, ErrorWithContext(ctx, errors.New(401, "Invalid STS Params"))
|
||||
CredContext: &credentials.CredContext{
|
||||
Client: client,
|
||||
},
|
||||
}
|
||||
} else {
|
||||
clientIP := getClientIP(params.HTTPRequest)
|
||||
// prepare console credentials
|
||||
consoleCreds, err = getConsoleCredentials(lr.AccessKey, lr.SecretKey, clientIP)
|
||||
consoleCreds, err = getConsoleCredentials(lr.AccessKey, lr.SecretKey, client)
|
||||
if err != nil {
|
||||
return nil, ErrorWithContext(ctx, err, ErrInvalidLogin)
|
||||
}
|
||||
@@ -160,11 +158,8 @@ func getLoginResponse(params authApi.LoginParams) (*models.LoginResponse, *Coded
|
||||
}
|
||||
sessionID, err := login(consoleCreds, sf)
|
||||
if err != nil {
|
||||
var urlErr *url.Error
|
||||
if stderrors.As(err, &urlErr) {
|
||||
if _, isNetErr := urlErr.Err.(net.Error); isNetErr {
|
||||
return nil, ErrorWithContext(ctx, ErrNetworkError)
|
||||
}
|
||||
if xnet.IsNetworkOrHostDown(err, true) {
|
||||
return nil, ErrorWithContext(ctx, ErrNetworkError)
|
||||
}
|
||||
return nil, ErrorWithContext(ctx, err, ErrInvalidLogin)
|
||||
}
|
||||
@@ -265,6 +260,7 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
|
||||
r := params.HTTPRequest
|
||||
lr := params.Body
|
||||
|
||||
client := GetConsoleHTTPClient(getClientIP(params.HTTPRequest))
|
||||
if len(openIDProviders) > 0 {
|
||||
// we read state
|
||||
rState := *lr.State
|
||||
@@ -288,8 +284,7 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
|
||||
}
|
||||
|
||||
// Initialize new identity provider with new oauth2Client per IDPName
|
||||
oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r,
|
||||
GetConsoleHTTPClient(getClientIP(params.HTTPRequest)))
|
||||
oauth2Client, err := providerCfg.GetOauth2Provider(IDPName, nil, r, client)
|
||||
if err != nil {
|
||||
return nil, ErrorWithContext(ctx, err)
|
||||
}
|
||||
@@ -309,6 +304,7 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
|
||||
token, err := login(&ConsoleCredentials{
|
||||
ConsoleCredentials: userCredentials,
|
||||
AccountAccessKey: "",
|
||||
CredContext: &credentials.CredContext{Client: client},
|
||||
}, nil)
|
||||
if err != nil {
|
||||
return nil, ErrorWithContext(ctx, err)
|
||||
|
||||
Reference in New Issue
Block a user