Rename MCS to Console in codebase (#205)
This commit is contained in:
Daniel Valdivia
GitHub
@@ -19,7 +19,7 @@ package auth
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/minio/mcs/pkg/auth/idp/oauth2"
|
||||
"github.com/minio/console/pkg/auth/idp/oauth2"
|
||||
)
|
||||
|
||||
// IdentityProviderClient interface with all functions to be implemented
|
||||
|
||||
@@ -19,29 +19,29 @@
|
||||
package oauth2
|
||||
|
||||
import (
|
||||
"github.com/minio/mcs/pkg/auth/utils"
|
||||
"github.com/minio/console/pkg/auth/utils"
|
||||
"github.com/minio/minio/pkg/env"
|
||||
)
|
||||
|
||||
func GetIdpURL() string {
|
||||
return env.Get(McsIdpURL, "")
|
||||
return env.Get(ConsoleIdpURL, "")
|
||||
}
|
||||
|
||||
func GetIdpClientID() string {
|
||||
return env.Get(McsIdpClientID, "")
|
||||
return env.Get(ConsoleIdpClientID, "")
|
||||
}
|
||||
|
||||
func GetIdpSecret() string {
|
||||
return env.Get(McsIdpSecret, "")
|
||||
return env.Get(ConsoleIdpSecret, "")
|
||||
}
|
||||
|
||||
// Public endpoint used by the identity oidcProvider when redirecting the user after identity verification
|
||||
func GetIdpCallbackURL() string {
|
||||
return env.Get(McsIdpCallbackURL, "")
|
||||
return env.Get(ConsoleIdpCallbackURL, "")
|
||||
}
|
||||
|
||||
func GetIdpAdminRoles() string {
|
||||
return env.Get(McsIdpAdminRoles, "")
|
||||
return env.Get(ConsoleIdpAdminRoles, "")
|
||||
}
|
||||
|
||||
func IsIdpEnabled() bool {
|
||||
@@ -55,17 +55,17 @@ var defaultPassphraseForIdpHmac = utils.RandomCharString(64)
|
||||
|
||||
// GetPassphraseForIdpHmac returns passphrase for the pbkdf2 function used to sign the oauth2 state parameter
|
||||
func getPassphraseForIdpHmac() string {
|
||||
return env.Get(McsIdpHmacPassphrase, defaultPassphraseForIdpHmac)
|
||||
return env.Get(ConsoleIdpHmacPassphrase, defaultPassphraseForIdpHmac)
|
||||
}
|
||||
|
||||
var defaultSaltForIdpHmac = utils.RandomCharString(64)
|
||||
|
||||
// GetSaltForIdpHmac returns salt for the pbkdf2 function used to sign the oauth2 state parameter
|
||||
func getSaltForIdpHmac() string {
|
||||
return env.Get(McsIdpHmacSalt, defaultSaltForIdpHmac)
|
||||
return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
|
||||
}
|
||||
|
||||
// GetSaltForIdpHmac returns the policy to be assigned to the users authenticating via an IDP
|
||||
func GetIDPPolicyForUser() string {
|
||||
return env.Get(McsIdpPolicyUser, "mcsAdmin")
|
||||
return env.Get(ConsoleIdpPolicyUser, "consoleAdmin")
|
||||
}
|
||||
|
||||
@@ -18,12 +18,12 @@ package oauth2
|
||||
|
||||
const (
|
||||
// const for idp configuration
|
||||
McsIdpURL = "MCS_IDP_URL"
|
||||
McsIdpClientID = "MCS_IDP_CLIENT_ID"
|
||||
McsIdpSecret = "MCS_IDP_SECRET"
|
||||
McsIdpCallbackURL = "MCS_IDP_CALLBACK"
|
||||
McsIdpAdminRoles = "MCS_IDP_ADMIN_ROLES"
|
||||
McsIdpHmacPassphrase = "MCS_IDP_HMAC_PASSPHRASE"
|
||||
McsIdpHmacSalt = "MCS_IDP_HMAC_SALT"
|
||||
McsIdpPolicyUser = "MCS_IDP_POLICY_USER"
|
||||
ConsoleIdpURL = "CONSOLE_IDP_URL"
|
||||
ConsoleIdpClientID = "CONSOLE_IDP_CLIENT_ID"
|
||||
ConsoleIdpSecret = "CONSOLE_IDP_SECRET"
|
||||
ConsoleIdpCallbackURL = "CONSOLE_IDP_CALLBACK"
|
||||
ConsoleIdpAdminRoles = "CONSOLE_IDP_ADMIN_ROLES"
|
||||
ConsoleIdpHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
|
||||
ConsoleIdpHmacSalt = "CONSOLE_IDP_HMAC_SALT"
|
||||
ConsoleIdpPolicyUser = "CONSOLE_IDP_POLICY_USER"
|
||||
)
|
||||
|
||||
@@ -28,7 +28,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/coreos/go-oidc"
|
||||
"github.com/minio/mcs/pkg/auth/utils"
|
||||
"github.com/minio/console/pkg/auth/utils"
|
||||
"golang.org/x/crypto/pbkdf2"
|
||||
xoauth2 "golang.org/x/oauth2"
|
||||
)
|
||||
@@ -94,7 +94,7 @@ type Provider struct {
|
||||
}
|
||||
|
||||
// derivedKey is the key used to compute the HMAC for signing the oauth state parameter
|
||||
// its derived using pbkdf on MCS_IDP_HMAC_PASSPHRASE with MCS_IDP_HMAC_SALT
|
||||
// its derived using pbkdf on CONSOLE_IDP_HMAC_PASSPHRASE with CONSOLE_IDP_HMAC_SALT
|
||||
var derivedKey = pbkdf2.Key([]byte(getPassphraseForIdpHmac()), []byte(getSaltForIdpHmac()), 4096, 32, sha1.New)
|
||||
|
||||
// NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
|
||||
@@ -186,7 +186,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
|
||||
}
|
||||
|
||||
// validateOauth2State validates the provided state was originated using the same
|
||||
// instance (or one configured using the same secrets) of MCS, this is basically used to prevent CSRF attacks
|
||||
// instance (or one configured using the same secrets) of Console, this is basically used to prevent CSRF attacks
|
||||
// https://security.stackexchange.com/questions/20187/oauth2-cross-site-request-forgery-and-state-parameter
|
||||
func validateOauth2State(state string) bool {
|
||||
// state contains a base64 encoded string that may ends with "==", the browser encodes that to "%3D%3D"
|
||||
|
||||
@@ -32,8 +32,8 @@ import (
|
||||
|
||||
jwtgo "github.com/dgrijalva/jwt-go"
|
||||
"github.com/go-openapi/swag"
|
||||
"github.com/minio/mcs/models"
|
||||
xjwt "github.com/minio/mcs/pkg/auth/jwt"
|
||||
"github.com/minio/console/models"
|
||||
xjwt "github.com/minio/console/pkg/auth/jwt"
|
||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||
uuid "github.com/satori/go.uuid"
|
||||
"golang.org/x/crypto/pbkdf2"
|
||||
@@ -46,7 +46,7 @@ var (
|
||||
errClaimsFormat = errors.New("encrypted jwt claims not in the right format")
|
||||
)
|
||||
|
||||
// derivedKey is the key used to encrypt the JWT claims, its derived using pbkdf on MCS_PBKDF_PASSPHRASE with MCS_PBKDF_SALT
|
||||
// derivedKey is the key used to encrypt the JWT claims, its derived using pbkdf on CONSOLE_PBKDF_PASSPHRASE with CONSOLE_PBKDF_SALT
|
||||
var derivedKey = pbkdf2.Key([]byte(xjwt.GetPBKDFPassphrase()), []byte(xjwt.GetPBKDFSalt()), 4096, 32, sha1.New)
|
||||
|
||||
// IsJWTValid returns true or false depending if the provided jwt is valid or not
|
||||
@@ -104,7 +104,7 @@ func NewJWTWithClaimsForClient(credentials *credentials.Value, actions []string,
|
||||
return "", err
|
||||
}
|
||||
claims := xjwt.NewStandardClaims()
|
||||
claims.SetExpiry(time.Now().UTC().Add(xjwt.GetMcsSTSAndJWTDurationTime()))
|
||||
claims.SetExpiry(time.Now().UTC().Add(xjwt.GetConsoleSTSAndJWTDurationTime()))
|
||||
claims.SetSubject(uuid.NewV4().String())
|
||||
claims.SetData(encryptedClaims)
|
||||
claims.SetAudience(audience)
|
||||
@@ -216,7 +216,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Perform decryption of the JWT, if MCS is able to decrypt the JWT that means a valid session
|
||||
// Perform decryption of the JWT, if Console is able to decrypt the JWT that means a valid session
|
||||
// was used in the first place to get it
|
||||
claims, err := JWTAuthenticate(*sessionID)
|
||||
if err != nil {
|
||||
|
||||
@@ -20,31 +20,31 @@ import (
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/minio/mcs/pkg/auth/utils"
|
||||
"github.com/minio/console/pkg/auth/utils"
|
||||
"github.com/minio/minio/pkg/env"
|
||||
)
|
||||
|
||||
// defaultHmacJWTPassphrase will be used by default if application is not configured with a custom MCS_HMAC_JWT_SECRET secret
|
||||
// defaultHmacJWTPassphrase will be used by default if application is not configured with a custom CONSOLE_HMAC_JWT_SECRET secret
|
||||
var defaultHmacJWTPassphrase = utils.RandomCharString(64)
|
||||
|
||||
// GetHmacJWTSecret returns the 64 bytes secret used for signing the generated JWT for the application
|
||||
func GetHmacJWTSecret() string {
|
||||
return env.Get(McsHmacJWTSecret, defaultHmacJWTPassphrase)
|
||||
return env.Get(ConsoleHmacJWTSecret, defaultHmacJWTPassphrase)
|
||||
}
|
||||
|
||||
// McsSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
|
||||
// ConsoleSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
|
||||
// Ideally both values should match so jwt and Minio sts sessions expires at the same time.
|
||||
func GetMcsSTSAndJWTDurationInSeconds() int {
|
||||
duration, err := strconv.Atoi(env.Get(McsSTSAndJWTDurationSeconds, "3600"))
|
||||
func GetConsoleSTSAndJWTDurationInSeconds() int {
|
||||
duration, err := strconv.Atoi(env.Get(ConsoleSTSAndJWTDurationSeconds, "3600"))
|
||||
if err != nil {
|
||||
duration = 3600
|
||||
}
|
||||
return duration
|
||||
}
|
||||
|
||||
// GetMcsSTSAndJWTDurationTime returns GetMcsSTSAndJWTDurationInSeconds in duration format
|
||||
func GetMcsSTSAndJWTDurationTime() time.Duration {
|
||||
duration := GetMcsSTSAndJWTDurationInSeconds()
|
||||
// GetConsoleSTSAndJWTDurationTime returns GetConsoleSTSAndJWTDurationInSeconds in duration format
|
||||
func GetConsoleSTSAndJWTDurationTime() time.Duration {
|
||||
duration := GetConsoleSTSAndJWTDurationInSeconds()
|
||||
return time.Duration(duration) * time.Second
|
||||
}
|
||||
|
||||
@@ -52,12 +52,12 @@ var defaultPBKDFPassphrase = utils.RandomCharString(64)
|
||||
|
||||
// GetPBKDFPassphrase returns passphrase for the pbkdf2 function used to encrypt JWT payload
|
||||
func GetPBKDFPassphrase() string {
|
||||
return env.Get(McsPBKDFPassphrase, defaultPBKDFPassphrase)
|
||||
return env.Get(ConsolePBKDFPassphrase, defaultPBKDFPassphrase)
|
||||
}
|
||||
|
||||
var defaultPBKDFSalt = utils.RandomCharString(64)
|
||||
|
||||
// GetPBKDFSalt returns salt for the pbkdf2 function used to encrypt JWT payload
|
||||
func GetPBKDFSalt() string {
|
||||
return env.Get(McsPBKDFSalt, defaultPBKDFSalt)
|
||||
return env.Get(ConsolePBKDFSalt, defaultPBKDFSalt)
|
||||
}
|
||||
|
||||
@@ -17,8 +17,8 @@
|
||||
package jwt
|
||||
|
||||
const (
|
||||
McsHmacJWTSecret = "MCS_HMAC_JWT_SECRET"
|
||||
McsSTSAndJWTDurationSeconds = "MCS_STS_AND_JWT_DURATION_SECONDS"
|
||||
McsPBKDFPassphrase = "MCS_PBKDF_PASSPHRASE"
|
||||
McsPBKDFSalt = "MCS_PBKDF_SALT"
|
||||
ConsoleHmacJWTSecret = "CONSOLE_HMAC_JWT_SECRET"
|
||||
ConsoleSTSAndJWTDurationSeconds = "CONSOLE_STS_AND_JWT_DURATION_SECONDS"
|
||||
ConsolePBKDFPassphrase = "CONSOLE_PBKDF_PASSPHRASE"
|
||||
ConsolePBKDFSalt = "CONSOLE_PBKDF_SALT"
|
||||
)
|
||||
|
||||
@@ -27,9 +27,9 @@ var (
|
||||
errInvalidCredentials = errors.New("invalid Credentials")
|
||||
)
|
||||
|
||||
// GetMcsCredentialsFromLDAP authenticates the user against MinIO when the LDAP integration is enabled
|
||||
// GetConsoleCredentialsFromLDAP authenticates the user against MinIO when the LDAP integration is enabled
|
||||
// if the authentication succeed *credentials.Credentials object is returned and we continue with the normal STSAssumeRole flow
|
||||
func GetMcsCredentialsFromLDAP(endpoint, ldapUser, ldapPassword string) (*credentials.Credentials, error) {
|
||||
func GetConsoleCredentialsFromLDAP(endpoint, ldapUser, ldapPassword string) (*credentials.Credentials, error) {
|
||||
creds, err := credentials.NewLDAPIdentity(endpoint, ldapUser, ldapPassword)
|
||||
if err != nil {
|
||||
log.Println("LDAP authentication error: ", err)
|
||||
|
||||
@@ -23,5 +23,5 @@ import (
|
||||
)
|
||||
|
||||
func GetLDAPEnabled() bool {
|
||||
return strings.ToLower(env.Get(MCSLDAPEnabled, "off")) == "on"
|
||||
return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"
|
||||
}
|
||||
|
||||
@@ -18,5 +18,5 @@ package ldap
|
||||
|
||||
const (
|
||||
// const for ldap configuration
|
||||
MCSLDAPEnabled = "MCS_LDAP_ENABLED"
|
||||
ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"
|
||||
)
|
||||
|
||||
@@ -20,7 +20,7 @@ import (
|
||||
"context"
|
||||
"log"
|
||||
|
||||
"github.com/minio/mcs/cluster"
|
||||
"github.com/minio/console/cluster"
|
||||
"github.com/minio/minio-go/v7/pkg/credentials"
|
||||
operatorClientset "github.com/minio/operator/pkg/client/clientset/versioned"
|
||||
)
|
||||
@@ -30,7 +30,7 @@ type operatorCredentialsProvider struct {
|
||||
serviceAccountJWT string
|
||||
}
|
||||
|
||||
// Implementing the interfaces of the minio Provider, we use this to leverage on the existing mcs Authentication flow
|
||||
// Implementing the interfaces of the minio Provider, we use this to leverage on the existing console Authentication flow
|
||||
func (s operatorCredentialsProvider) Retrieve() (credentials.Value, error) {
|
||||
return credentials.Value{
|
||||
AccessKeyID: "",
|
||||
@@ -65,7 +65,7 @@ func (c *operatorClient) Authenticate(ctx context.Context) ([]byte, error) {
|
||||
}
|
||||
|
||||
// isServiceAccountTokenValid will make an authenticated request against kubernetes api, if the
|
||||
// request success means the provided jwt its a valid service account token and the MCS user can use it for future
|
||||
// request success means the provided jwt its a valid service account token and the console user can use it for future
|
||||
// requests until it expires
|
||||
func isServiceAccountTokenValid(ctx context.Context, operatorClient OperatorClient) bool {
|
||||
_, err := operatorClient.Authenticate(ctx)
|
||||
@@ -76,8 +76,8 @@ func isServiceAccountTokenValid(ctx context.Context, operatorClient OperatorClie
|
||||
return true
|
||||
}
|
||||
|
||||
// GetMcsCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
|
||||
func GetMcsCredentialsForOperator(jwt string) (*credentials.Credentials, error) {
|
||||
// GetConsoleCredentialsForOperator will validate the provided JWT (service account token) and return it in the form of credentials.Credentials
|
||||
func GetConsoleCredentialsForOperator(jwt string) (*credentials.Credentials, error) {
|
||||
ctx := context.Background()
|
||||
opClientClientSet, err := cluster.OperatorClient(jwt)
|
||||
if err != nil {
|
||||
|
||||
@@ -5,7 +5,7 @@ import (
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/minio/mcs/cluster"
|
||||
"github.com/minio/console/cluster"
|
||||
operatorClientset "github.com/minio/operator/pkg/client/clientset/versioned"
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user