Refactor for session management (#193)

Previously every Handler function was receiving the session token in the form of a jwt string, in consequence every time we want to access the encrypted claims of the jwt we needed to run a decryption process, additionally we were decrypting the jwt twice, first at the session validation then inside each handler function, this was also causing a lot of using related to the merge between m3 and mcs What changed: Now we validate and decrypt the jwt once in `configure_mcs.go`, this works for both, mcs (console) and operator sessions, and then pass the decrypted claims to all the functions that need it, so no further token validation or decryption is need it.
2020-07-10 19:14:28 -07:00
parent 93e1168141
commit 697bc4cd1d
34 changed files with 618 additions and 605 deletions
--- a/restapi/client.go
+++ b/restapi/client.go
@@ -25,6 +25,7 @@ import (

 	mc "github.com/minio/mc/cmd"
 	"github.com/minio/mc/pkg/probe"
+	"github.com/minio/mcs/models"
 	"github.com/minio/mcs/pkg/acl"
 	"github.com/minio/mcs/pkg/auth"
 	xjwt "github.com/minio/mcs/pkg/auth/jwt"
@@ -218,24 +219,16 @@ func GetClaimsFromJWT(jwt string) (*auth.DecryptedClaims, error) {
 	return claims, nil
 }

-// getMcsCredentialsFromJWT returns the *mcsCredentials.Credentials associated to the
+// getMcsCredentialsFromSession returns the *mcsCredentials.Credentials associated to the
 // provided jwt, this is useful for running the Expire() or IsExpired() operations
-func getMcsCredentialsFromJWT(jwt string) (*credentials.Credentials, error) {
-	claims, err := GetClaimsFromJWT(jwt)
-	if err != nil {
-		return nil, err
-	}
-	creds := credentials.NewStaticV4(claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken)
-	return creds, nil
+func getMcsCredentialsFromSession(claims *models.Principal) *credentials.Credentials {
+	return credentials.NewStaticV4(claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken)
 }

 // newMinioClient creates a new MinIO client based on the mcsCredentials extracted
 // from the provided jwt
-func newMinioClient(jwt string) (*minio.Client, error) {
-	creds, err := getMcsCredentialsFromJWT(jwt)
-	if err != nil {
-		return nil, err
-	}
+func newMinioClient(claims *models.Principal) (*minio.Client, error) {
+	creds := getMcsCredentialsFromSession(claims)
 	minioClient, err := minio.NewWithOptions(getMinIOEndpoint(), &minio.Options{
 		Creds:  creds,
 		Secure: getMinIOEndpointIsSecure(),
@@ -248,7 +241,7 @@ func newMinioClient(jwt string) (*minio.Client, error) {
 }

 // newS3BucketClient creates a new mc S3Client to talk to the server based on a bucket
-func newS3BucketClient(claims *auth.DecryptedClaims, bucketName string) (*mc.S3Client, error) {
+func newS3BucketClient(claims *models.Principal, bucketName string) (*mc.S3Client, error) {
 	endpoint := getMinIOServer()
 	useSSL := getMinIOEndpointIsSecure()