remove various unexpected features in console (#782)

- Unix listeners are removed
- KeepAlive, IdleTimeout etc are removed
- Authorization logic is simplified
- Added support for MINIO_PROMETHEUS_JOB_ID

cmd/console/server.go

@@ -130,9 +130,8 @@ func StartServer(ctx *cli.Context) error {
 
 	server.Host = ctx.String("host")
 	server.Port = ctx.Int("port")
-
+	restapi.Hostname = server.Host
-	restapi.Hostname = ctx.String("host")
+	restapi.Port = strconv.Itoa(server.Port)
-	restapi.Port = strconv.Itoa(ctx.Int("port"))
 
 	// Set all certs and CAs directories path
 	certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
@@ -149,21 +148,21 @@ func StartServer(ctx *cli.Context) error {
 		// TLS flags from swagger server, used to support VMware vsphere operator version.
 		swaggerServerCertificate := ctx.String("tls-certificate")
 		swaggerServerCertificateKey := ctx.String("tls-key")
-		SwaggerServerCACertificate := ctx.String("tls-ca")
+		swaggerServerCACertificate := ctx.String("tls-ca")
 		// load tls cert and key from swagger server tls-certificate and tls-key flags
 		if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
-			if errAddCert := certs.AddCertificate(context.Background(),
+			if err = certs.AddCertificate(context.Background(),
-				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
+				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
-				log.Println(errAddCert)
+				log.Fatalln(err)
 			}
-			if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
+			if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil {
 				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
 			}
 		}
 
 		// load ca cert from swagger server tls-ca flag
-		if SwaggerServerCACertificate != "" {
+		if swaggerServerCACertificate != "" {
-			caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
+			caCert, caCertErr := ioutil.ReadFile(swaggerServerCACertificate)
 			if caCertErr == nil {
 				restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
 			}
@@ -175,9 +174,8 @@ func StartServer(ctx *cli.Context) error {
 		// plain HTTP connections to HTTPS server
 		server.EnabledListeners = []string{"http", "https"}
 		server.TLSPort = ctx.Int("tls-port")
-		server.TLSHost = ctx.String("tls-host")
 		// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
-		restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
+		restapi.TLSPort = strconv.Itoa(server.TLSPort)
 		restapi.Hostname = ctx.String("host")
 		restapi.TLSRedirect = ctx.String("tls-redirect")
 	}

pkg/auth/token.go

@@ -32,8 +32,8 @@ import (
 	"log"
 	"net/http"
 	"strings"
+	"time"
 
-	"github.com/go-openapi/swag"
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/minio-go/v7/pkg/credentials"
@@ -43,8 +43,10 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 )
 
+// Session token errors
 var (
-	errNoAuthToken  = errors.New("session token missing")
+	ErrNoAuthToken  = errors.New("session token missing")
+	errTokenExpired = errors.New("session token has expired")
 	errReadingToken = errors.New("session token internal data is malformed")
 	errClaimsFormat = errors.New("encrypted session token claims not in the right format")
 	errorGeneric    = errors.New("an error has occurred")
@@ -82,7 +84,7 @@ type TokenClaims struct {
 //	}
 func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
 	if token == "" {
-		return nil, errNoAuthToken
+		return nil, ErrNoAuthToken
 	}
 	// decrypt encrypted token
 	claimTokens, err := decryptClaims(token)
@@ -289,25 +291,18 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 // either defined on a cookie `token` or on Authorization header.
 //
 // Authorization Header needs to be like "Authorization Bearer <token>"
-func GetTokenFromRequest(r *http.Request) (*string, error) {
+func GetTokenFromRequest(r *http.Request) (string, error) {
-	// Get Auth token
-	var reqToken string
-
 	// Token might come either as a Cookie or as a Header
 	// if not set in cookie, check if it is set on Header.
 	tokenCookie, err := r.Cookie("token")
 	if err != nil {
-		headerToken := r.Header.Get("Authorization")
+		return "", ErrNoAuthToken
-		// reqToken should come as "Bearer <token>"
-		splitHeaderToken := strings.Split(headerToken, "Bearer")
-		if len(splitHeaderToken) <= 1 {
-			return nil, errNoAuthToken
-		}
-		reqToken = strings.TrimSpace(splitHeaderToken[1])
-	} else {
-		reqToken = strings.TrimSpace(tokenCookie.Value)
 	}
-	return swag.String(reqToken), nil
+	currentTime := time.Now()
+	if tokenCookie.Expires.After(currentTime) {
+		return "", errTokenExpired
+	}
+	return strings.TrimSpace(tokenCookie.Value), nil
 }
 
 func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
@@ -317,7 +312,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
 	}
 	// Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session
 	// was used in the first place to get it
-	claims, err := SessionTokenAuthenticate(*sessionID)
+	claims, err := SessionTokenAuthenticate(sessionID)
 	if err != nil {
 		return nil, err
 	}

restapi/admin_info.go

@@ -151,7 +151,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "time() - max(minio_node_process_starttime_seconds)",
+				Expr:         `time() - max(minio_node_process_starttime_seconds{job="${jobid}"})`,
 				LegendFormat: "{{instance}}",
 				Step:         60,
 			},
@@ -177,7 +177,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum by (instance) (minio_s3_traffic_received_bytes{job=\"minio-job\"})",
+				Expr:         `sum by (instance) (minio_s3_traffic_received_bytes{job="${jobid}"})`,
 				LegendFormat: "{{instance}}",
 				Step:         60,
 			},
@@ -203,7 +203,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "topk(1, sum(minio_cluster_capacity_usable_free_bytes) by (instance))",
+				Expr:         `topk(1, sum(minio_cluster_capacity_usable_free_bytes{job="${jobid}"}) by (instance))`,
 				LegendFormat: "",
 				Step:         300,
 			},
@@ -221,7 +221,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum(minio_bucket_usage_total_bytes) by (instance)",
+				Expr:         `sum(minio_bucket_usage_total_bytes{job="${jobid}"}) by (instance)`,
 				LegendFormat: "Used Capacity",
 			},
 		},
@@ -245,7 +245,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "max by (range) (minio_bucket_objects_size_distribution)",
+				Expr:         `max by (range) (minio_bucket_objects_size_distribution{job="${jobid}"})`,
 				LegendFormat: "{{range}}",
 				Step:         300,
 			},
@@ -271,7 +271,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum (minio_node_file_descriptor_open_total)",
+				Expr:         `sum(minio_node_file_descriptor_open_total{job="${jobid}"})`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -297,7 +297,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum by (instance) (minio_s3_traffic_sent_bytes{job=\"minio-job\"})",
+				Expr:         `sum by (instance) (minio_s3_traffic_sent_bytes{job="${jobid}"})`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -323,7 +323,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum without (server,instance) (minio_node_go_routine_total)",
+				Expr:         `sum without (server,instance) (minio_node_go_routine_total{job="${jobid}"})`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -349,7 +349,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_cluster_nodes_online_total",
+				Expr:         `minio_cluster_nodes_online_total{job="${jobid}"}`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -375,7 +375,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_cluster_disk_online_total",
+				Expr:         `minio_cluster_disk_online_total{job="${jobid}"}`,
 				LegendFormat: "Total online disks in MinIO Cluster",
 				Step:         60,
 			},
@@ -401,7 +401,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "count(count by (bucket) (minio_bucket_usage_total_bytes))",
+				Expr:         `count(count by (bucket) (minio_bucket_usage_total_bytes{job="${jobid}"}))`,
 				LegendFormat: "",
 			},
 		},
@@ -418,7 +418,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum by (server) (rate(minio_s3_traffic_received_bytes[$__interval]))",
+				Expr:         `sum by (server) (rate(minio_s3_traffic_received_bytes{job="${jobid}"}[$__interval]))`,
 				LegendFormat: "Data Received [{{server}}]",
 			},
 		},
@@ -435,7 +435,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum by (server) (rate(minio_s3_traffic_sent_bytes[$__interval]))",
+				Expr:         `sum by (server) (rate(minio_s3_traffic_sent_bytes{job="${jobid}"}[$__interval]))`,
 				LegendFormat: "Data Sent [{{server}}]",
 			},
 		},
@@ -460,7 +460,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_cluster_nodes_offline_total",
+				Expr:         `minio_cluster_nodes_offline_total{job="${jobid}"}`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -486,7 +486,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_cluster_disk_offline_total",
+				Expr:         `minio_cluster_disk_offline_total{job="${jobid}"}`,
 				LegendFormat: "",
 				Step:         60,
 			},
@@ -512,7 +512,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "topk(1, sum(minio_bucket_usage_object_total) by (instance))",
+				Expr:         `topk(1, sum(minio_bucket_usage_object_total{job="${jobid}"}) by (instance))`,
 				LegendFormat: "",
 			},
 		},
@@ -537,7 +537,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_heal_time_last_activity_nano_seconds",
+				Expr:         `minio_heal_time_last_activity_nano_seconds{job="${jobid}"}`,
 				LegendFormat: "{{server}}",
 				Step:         60,
 			},
@@ -563,7 +563,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_usage_last_activity_nano_seconds",
+				Expr:         `minio_usage_last_activity_nano_seconds{job="${jobid}"}`,
 				LegendFormat: "{{server}}",
 				Step:         60,
 			},
@@ -581,7 +581,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "sum by (server,api) (rate(minio_s3_requests_total[$__interval]))",
+				Expr:         `sum by (server,api) (rate(minio_s3_requests_total{job="${jobid}"}[$__interval]))`,
 				LegendFormat: "{{server,api}}",
 			},
 		},
@@ -598,7 +598,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "rate(minio_s3_requests_errors_total[$__interval])",
+				Expr:         `rate(minio_s3_requests_errors_total{job="${jobid}"}[$__interval])`,
 				LegendFormat: "{{server,api}}",
 			},
 		},
@@ -615,13 +615,13 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])",
+				Expr:         `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Internode Bytes Received [{{server}}]",
 				Step:         4,
 			},
 
 			{
-				Expr:         "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])",
+				Expr:         `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Internode Bytes Received [{{server}}]",
 			},
 		},
@@ -638,7 +638,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "rate(minio_node_process_cpu_total_seconds[$__interval])",
+				Expr:         `rate(minio_node_process_cpu_total_seconds{job="${jobid}"}[$__interval])`,
 				LegendFormat: "CPU Usage Rate [{{server}}]",
 			},
 		},
@@ -655,7 +655,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_node_process_resident_memory_bytes",
+				Expr:         `minio_node_process_resident_memory_bytes{job="${jobid}"}`,
 				LegendFormat: "Memory Used [{{server}}]",
 			},
 		},
@@ -672,7 +672,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_node_disk_used_bytes",
+				Expr:         `minio_node_disk_used_bytes{job="${jobid}"}`,
 				LegendFormat: "Used Capacity [{{server}}:{{disk}}]",
 			},
 		},
@@ -689,7 +689,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_cluster_disk_free_inodes",
+				Expr:         `minio_cluster_disk_free_inodes{job="${jobid}"}`,
 				LegendFormat: "Free Inodes [{{server}}:{{disk}}]",
 			},
 		},
@@ -706,13 +706,13 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "rate(minio_node_syscall_read_total[$__interval])",
+				Expr:         `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Read Syscalls [{{server}}]",
 				Step:         60,
 			},
 
 			{
-				Expr:         "rate(minio_node_syscall_read_total[$__interval])",
+				Expr:         `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Read Syscalls [{{server}}]",
 			},
 		},
@@ -729,7 +729,7 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "minio_node_file_descriptor_open_total",
+				Expr:         `minio_node_file_descriptor_open_total{job="${jobid}"}`,
 				LegendFormat: "Open FDs [{{server}}]",
 			},
 		},
@@ -746,12 +746,12 @@ var widgets = []Metric{
 		},
 		Targets: []Target{
 			{
-				Expr:         "rate(minio_node_io_rchar_bytes[$__interval])",
+				Expr:         `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Node RChar [{{server}}]",
 			},
 
 			{
-				Expr:         "rate(minio_node_io_rchar_bytes[$__interval])",
+				Expr:         `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`,
 				LegendFormat: "Node RChar [{{server}}]",
 			},
 		},
@@ -786,8 +786,6 @@ type LabelResults struct {
 	Response LabelResponse
 }
 
-var jobRegex = regexp.MustCompile(`(?m)\{[a-z]+\=\".*?\"\}`)
-
 // getAdminInfoResponse returns the response containing total buckets, objects and usage.
 func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse, *models.Error) {
 	prometheusURL := getPrometheusURL()
@@ -846,6 +844,7 @@ func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse,
 
 func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (*models.WidgetDetails, *models.Error) {
 	prometheusURL := getPrometheusURL()
+	prometheusJobID := getPrometheusJobID()
 
 	labelResultsCh := make(chan LabelResults)
 
@@ -858,14 +857,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (
 				log.Println(err)
 				return
 			}
-			defer func() {
-				if err := resp.Body.Close(); err != nil {
-					log.Println(err)
-				}
-			}()
-
 			if resp.StatusCode != 200 {
 				body, err := ioutil.ReadAll(resp.Body)
+				resp.Body.Close()
 				if err != nil {
 					log.Println(err)
 					return
@@ -878,7 +872,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (
 
 			var response LabelResponse
 			jd := json.NewDecoder(resp.Body)
-			if err = jd.Decode(&response); err != nil {
+			err = jd.Decode(&response)
+			resp.Body.Close()
+			if err != nil {
 				log.Println(err)
 				return
 			}
@@ -947,13 +943,8 @@ LabelsWaitLoop:
 					}
 				}
 
-				// replace the weird {job="asd"} in the exp
+				queryExpr = strings.Replace(queryExpr, "${jobid}", prometheusJobID, -1)
-				if strings.Contains(queryExpr, "job=") {
+				endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", prometheusURL, apiType, url.QueryEscape(queryExpr), extraParamters)
-					queryExpr = jobRegex.ReplaceAllString(queryExpr, "")
-				}
-
-				endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", getPrometheusURL(), apiType, url.QueryEscape(queryExpr), extraParamters)
-
 				resp, err := http.Get(endpoint)
 				if err != nil {
 					log.Println(err)
@@ -983,11 +974,6 @@ LabelsWaitLoop:
 					log.Println(err)
 					return
 				}
-				//body, _ := ioutil.ReadAll(resp.Body)
-				//err = json.Unmarshal(body, &response)
-				//if err != nil {
-				//	log.Println(err)
-				//}
 
 				targetResult := models.ResultTarget{
 					LegendFormat: target.LegendFormat,
@@ -1000,15 +986,6 @@ LabelsWaitLoop:
 					})
 				}
 
-				//xx, err := json.Marshal(response)
-				//if err != nil {
-				//	log.Println(err)
-				//}
-				//log.Println("----", m.Title)
-				//log.Println(string(body))
-				//log.Println(string(xx))
-				//log.Println("=====")
-
 				targetResults <- &targetResult
 
 			}(target, params)

restapi/admin_subscription.go

@@ -412,24 +412,22 @@ func RefreshLicense() error {
 	if err != nil {
 		return err
 	}
+	if refreshedLicenseKey == "" {
+		return errors.New("license expired, please open a support ticket at https://subnet.min.io/")
+	}
 	// store new license in memory for console ui
 	LicenseKey = refreshedLicenseKey
-	// Update in memory license and update k8s secret
+	if acl.GetOperatorMode() {
-	if refreshedLicenseKey != "" {
+		ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-		if acl.GetOperatorMode() {
+		defer cancel()
-			ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+		clientSet, err := cluster.K8sClient(saK8SToken)
-			defer cancel()
+		if err != nil {
-			clientSet, err := cluster.K8sClient(saK8SToken)
+			return err
-			if err != nil {
-				return err
-			}
-			k8sClient := k8sClient{
-				client: clientSet,
-			}
-			if err = saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey); err != nil {
-				return err
-			}
 		}
+		k8sClient := k8sClient{
+			client: clientSet,
+		}
+		return saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey)
 	}
 	return nil
 }

restapi/config.go

@@ -22,7 +22,6 @@ import (
 	"net"
 	"strconv"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/minio/pkg/certs"
@@ -53,14 +52,21 @@ var (
 )
 
 var (
-	logSearchAPI  string
+	logSearchAPI    string
-	logSearchURL  string
+	logSearchURL    string
-	prometheusURL string
+	prometheusURL   string
-	consoleImage  string
+	prometheusJobID string
-
+	consoleImage    string
-	once sync.Once
 )
 
+func init() {
+	logSearchAPI = env.Get(LogSearchQueryAuthToken, "")
+	logSearchURL = env.Get(LogSearchURL, "http://localhost:8080")
+	prometheusURL = env.Get(PrometheusURL, "")
+	prometheusJobID = env.Get(PrometheusJobID, "minio-job")
+	consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion)
+}
+
 func getMinIOServer() string {
 	return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000"))
 }
@@ -238,26 +244,21 @@ func getSecureExpectCTHeader() string {
 }
 
 func getLogSearchAPIToken() string {
-	once.Do(func() {
-		initVars()
-	})
 	return logSearchAPI
 }
 
 func getLogSearchURL() string {
-	once.Do(func() {
-		initVars()
-	})
 	return logSearchURL
 }
 
 func getPrometheusURL() string {
-	once.Do(func() {
-		initVars()
-	})
 	return prometheusURL
 }
 
+func getPrometheusJobID() string {
+	return prometheusJobID
+}
+
 // GetSubnetLicense returns the current subnet jwt license
 func GetSubnetLicense() string {
 	// if we have a license key in memory return that
@@ -269,13 +270,6 @@ func GetSubnetLicense() string {
 	return LicenseKey
 }
 
-func initVars() {
-	logSearchAPI = env.Get(LogSearchQueryAuthToken, "")
-	logSearchURL = env.Get(LogSearchURL, "http://localhost:8080")
-	prometheusURL = env.Get(PrometheusURL, "")
-	consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion)
-}
-
 var (
 	// GlobalRootCAs is CA root certificates, a nil value means system certs pool will be used
 	GlobalRootCAs *x509.CertPool
@@ -296,8 +290,5 @@ func getK8sSAToken() string {
 }
 
 func getConsoleImage() string {
-	once.Do(func() {
-		initVars()
-	})
 	return consoleImage
 }

restapi/configure_console.go

@@ -21,7 +21,6 @@ package restapi
 import (
 	"bytes"
 	"crypto/tls"
-	"fmt"
 	"io"
 	"io/fs"
 	"log"
@@ -169,13 +168,6 @@ func configureTLS(tlsConfig *tls.Config) {
 	}
 }
 
-// As soon as server is initialized but not run yet, this function will be called.
-// If you need to modify a config, store server instance to stop it individually later, this is the place.
-// This function can be called multiple times, depending on the number of serving schemes.
-// scheme value will be set accordingly: "http", "https" or "unix"
-func configureServer(s *http.Server, scheme, addr string) {
-}
-
 // The middleware configuration is for the handler executors. These do not apply to the swagger.json document.
 // The middleware executes after routing but before authentication, binding and validation
 func setupMiddlewares(handler http.Handler) http.Handler {
@@ -215,30 +207,22 @@ func setupGlobalMiddleware(handler http.Handler) http.Handler {
 		IsDevelopment:                   !getProductionMode(),
 	}
 	secureMiddleware := secure.New(secureOptions)
-	app := secureMiddleware.Handler(next)
+	return secureMiddleware.Handler(next)
-	return app
 }
 
 func AuthenticationMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// prioritize authorization header and skip
+		token, err := auth.GetTokenFromRequest(r)
-		if r.Header.Get("Authorization") != "" {
+		if err != nil && err != auth.ErrNoAuthToken {
-			next.ServeHTTP(w, r)
+			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return
 		}
-		tokenCookie, err := r.Cookie("token")
+		// All handlers handle appropriately to return errors
-		if err != nil {
+		// based on their swagger rules, we do not need to
-			next.ServeHTTP(w, r)
+		// additionally return error here, let the next ServeHTTPs
-			return
+		// handle it appropriately.
-		}
-		currentTime := time.Now()
-		if tokenCookie.Expires.After(currentTime) {
-			next.ServeHTTP(w, r)
-			return
-		}
-		token := tokenCookie.Value
 		if token != "" {
-			r.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
+			r.Header.Add("Authorization", "Bearer "+token)
 		}
 		next.ServeHTTP(w, r)
 	})
@@ -259,7 +243,6 @@ func FileServerMiddleware(next http.Handler) http.Handler {
 				panic(err)
 			}
 			wrapHandlerSinglePageApplication(http.FileServer(http.FS(buildFs))).ServeHTTP(w, r)
-
 		}
 	})
 }

restapi/consts.go

@@ -52,6 +52,7 @@ const (
 	ConsoleOperatorConsoleImage                  = "CONSOLE_OPERATOR_CONSOLE_IMAGE"
 	LogSearchURL                                 = "CONSOLE_LOG_QUERY_URL"
 	PrometheusURL                                = "CONSOLE_PROMETHEUS_URL"
+	PrometheusJobID                              = "CONSOLE_PROMETHEUS_JOB_ID"
 	LogSearchQueryAuthToken                      = "LOGSEARCH_QUERY_AUTH_TOKEN"
 
 	// Constants for prometheus annotations

restapi/server.go

@@ -38,9 +38,7 @@ import (
 	"time"
 
 	"github.com/go-openapi/runtime/flagext"
-	"github.com/go-openapi/swag"
 	flags "github.com/jessevdk/go-flags"
-	"golang.org/x/net/netutil"
 
 	"github.com/minio/console/restapi/operations"
 )
@@ -48,7 +46,6 @@ import (
 const (
 	schemeHTTP  = "http"
 	schemeHTTPS = "https"
-	schemeUnix  = "unix"
 )
 
 var defaultSchemes []string
@@ -86,30 +83,19 @@ func (s *Server) ConfigureFlags() {
 // Server for the console API
 type Server struct {
 	EnabledListeners []string         `long:"scheme" description:"the listeners to enable, this can be repeated and defaults to the schemes in the swagger spec"`
-	CleanupTimeout   time.Duration    `long:"cleanup-timeout" description:"grace period for which to wait before killing idle connections" default:"10s"`
 	GracefulTimeout  time.Duration    `long:"graceful-timeout" description:"grace period for which to wait before shutting down the server" default:"15s"`
 	MaxHeaderSize    flagext.ByteSize `long:"max-header-size" description:"controls the maximum number of bytes the server will read parsing the request header's keys and values, including the request line. It does not limit the size of the request body." default:"1MiB"`
 
-	SocketPath    flags.Filename `long:"socket-path" description:"the unix socket to listen on" default:"/var/run/console.sock"`
+	Host         string        `long:"host" description:"the IP to listen on"`
-	domainSocketL net.Listener
+	Port         int           `long:"port" description:"the port to listen on for insecure connections, defaults to 9090"`
-
-	Host         string        `long:"host" description:"the IP to listen on" default:"localhost" env:"HOST"`
-	Port         int           `long:"port" description:"the port to listen on for insecure connections, defaults to a random value" env:"PORT"`
-	ListenLimit  int           `long:"listen-limit" description:"limit the number of outstanding requests"`
-	KeepAlive    time.Duration `long:"keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)" default:"3m"`
 	ReadTimeout  time.Duration `long:"read-timeout" description:"maximum duration before timing out read of the request" default:"30s"`
 	WriteTimeout time.Duration `long:"write-timeout" description:"maximum duration before timing out write of the response" default:"60s"`
 	httpServerL  net.Listener
 
-	TLSHost           string         `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"`
+	TLSPort           int            `long:"tls-port" description:"the port to listen on for secure connections, defaults to 9443"`
-	TLSPort           int            `long:"tls-port" description:"the port to listen on for secure connections, defaults to a random value" env:"TLS_PORT"`
+	TLSCertificate    flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections"`
-	TLSCertificate    flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" env:"TLS_CERTIFICATE"`
+	TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections"`
-	TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections" env:"TLS_PRIVATE_KEY"`
+	TLSCACertificate  flags.Filename `long:"tls-ca" description:"the certificate authority file to be used to trust MinIO server"`
-	TLSCACertificate  flags.Filename `long:"tls-ca" description:"the certificate authority file to be used with mutual tls auth" env:"TLS_CA_CERTIFICATE"`
-	TLSListenLimit    int            `long:"tls-listen-limit" description:"limit the number of outstanding requests"`
-	TLSKeepAlive      time.Duration  `long:"tls-keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)"`
-	TLSReadTimeout    time.Duration  `long:"tls-read-timeout" description:"maximum duration before timing out read of the request"`
-	TLSWriteTimeout   time.Duration  `long:"tls-write-timeout" description:"maximum duration before timing out write of the response"`
 	httpsServerL      net.Listener
 
 	api          *operations.ConsoleAPI
@@ -191,46 +177,13 @@ func (s *Server) Serve() (err error) {
 
 	servers := []*http.Server{}
 
-	if s.hasScheme(schemeUnix) {
-		domainSocket := new(http.Server)
-		domainSocket.MaxHeaderBytes = int(s.MaxHeaderSize)
-		domainSocket.Handler = s.handler
-		if int64(s.CleanupTimeout) > 0 {
-			domainSocket.IdleTimeout = s.CleanupTimeout
-		}
-
-		configureServer(domainSocket, "unix", string(s.SocketPath))
-
-		servers = append(servers, domainSocket)
-		wg.Add(1)
-		s.Logf("Serving console at unix://%s", s.SocketPath)
-		go func(l net.Listener) {
-			defer wg.Done()
-			if err := domainSocket.Serve(l); err != nil && err != http.ErrServerClosed {
-				s.Fatalf("%v", err)
-			}
-			s.Logf("Stopped serving console at unix://%s", s.SocketPath)
-		}(s.domainSocketL)
-	}
-
 	if s.hasScheme(schemeHTTP) {
 		httpServer := new(http.Server)
 		httpServer.MaxHeaderBytes = int(s.MaxHeaderSize)
 		httpServer.ReadTimeout = s.ReadTimeout
 		httpServer.WriteTimeout = s.WriteTimeout
-		httpServer.SetKeepAlivesEnabled(int64(s.KeepAlive) > 0)
-		if s.ListenLimit > 0 {
-			s.httpServerL = netutil.LimitListener(s.httpServerL, s.ListenLimit)
-		}
-
-		if int64(s.CleanupTimeout) > 0 {
-			httpServer.IdleTimeout = s.CleanupTimeout
-		}
-
 		httpServer.Handler = s.handler
 
-		configureServer(httpServer, "http", s.httpServerL.Addr().String())
-
 		servers = append(servers, httpServer)
 		wg.Add(1)
 		s.Logf("Serving console at http://%s", s.httpServerL.Addr())
@@ -246,15 +199,8 @@ func (s *Server) Serve() (err error) {
 	if s.hasScheme(schemeHTTPS) {
 		httpsServer := new(http.Server)
 		httpsServer.MaxHeaderBytes = int(s.MaxHeaderSize)
-		httpsServer.ReadTimeout = s.TLSReadTimeout
+		httpsServer.ReadTimeout = s.ReadTimeout
-		httpsServer.WriteTimeout = s.TLSWriteTimeout
+		httpsServer.WriteTimeout = s.WriteTimeout
-		httpsServer.SetKeepAlivesEnabled(int64(s.TLSKeepAlive) > 0)
-		if s.TLSListenLimit > 0 {
-			s.httpsServerL = netutil.LimitListener(s.httpsServerL, s.TLSListenLimit)
-		}
-		if int64(s.CleanupTimeout) > 0 {
-			httpsServer.IdleTimeout = s.CleanupTimeout
-		}
 		httpsServer.Handler = s.handler
 
 		// Inspired by https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go
@@ -307,7 +253,7 @@ func (s *Server) Serve() (err error) {
 		// call custom TLS configurator
 		configureTLS(httpsServer.TLSConfig)
 
-		if len(httpsServer.TLSConfig.Certificates) == 0 && httpsServer.TLSConfig.GetCertificate == nil {
+		if len(httpsServer.TLSConfig.Certificates) == 0 || httpsServer.TLSConfig.GetCertificate == nil {
 			// after standard and custom config are passed, this ends up with no certificate
 			if s.TLSCertificate == "" {
 				if s.TLSCertificateKey == "" {
@@ -325,8 +271,6 @@ func (s *Server) Serve() (err error) {
 		// must have at least one certificate or panics
 		httpsServer.TLSConfig.BuildNameToCertificate()
 
-		configureServer(httpsServer, "https", s.httpsServerL.Addr().String())
-
 		servers = append(servers, httpsServer)
 		wg.Add(1)
 		s.Logf("Serving console at https://%s", s.httpsServerL.Addr())
@@ -340,7 +284,7 @@ func (s *Server) Serve() (err error) {
 	}
 
 	wg.Add(1)
-	go s.handleShutdown(wg, &servers)
+	go s.handleShutdown(wg, servers)
 
 	wg.Wait()
 	return nil
@@ -352,65 +296,19 @@ func (s *Server) Listen() error {
 		return nil
 	}
 
-	if s.hasScheme(schemeHTTPS) {
+	var err error
-		// Use http host if https host wasn't defined
-		if s.TLSHost == "" {
-			s.TLSHost = s.Host
-		}
-		// Use http listen limit if https listen limit wasn't defined
-		if s.TLSListenLimit == 0 {
-			s.TLSListenLimit = s.ListenLimit
-		}
-		// Use http tcp keep alive if https tcp keep alive wasn't defined
-		if int64(s.TLSKeepAlive) == 0 {
-			s.TLSKeepAlive = s.KeepAlive
-		}
-		// Use http read timeout if https read timeout wasn't defined
-		if int64(s.TLSReadTimeout) == 0 {
-			s.TLSReadTimeout = s.ReadTimeout
-		}
-		// Use http write timeout if https write timeout wasn't defined
-		if int64(s.TLSWriteTimeout) == 0 {
-			s.TLSWriteTimeout = s.WriteTimeout
-		}
-	}
-
-	if s.hasScheme(schemeUnix) {
-		domSockListener, err := net.Listen("unix", string(s.SocketPath))
-		if err != nil {
-			return err
-		}
-		s.domainSocketL = domSockListener
-	}
-
 	if s.hasScheme(schemeHTTP) {
-		listener, err := net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
+		s.httpServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
 		if err != nil {
 			return err
 		}
-
-		h, p, err := swag.SplitHostPort(listener.Addr().String())
-		if err != nil {
-			return err
-		}
-		s.Host = h
-		s.Port = p
-		s.httpServerL = listener
 	}
 
 	if s.hasScheme(schemeHTTPS) {
-		tlsListener, err := net.Listen("tcp", net.JoinHostPort(s.TLSHost, strconv.Itoa(s.TLSPort)))
+		s.httpsServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.TLSPort)))
 		if err != nil {
 			return err
 		}
-
-		sh, sp, err := swag.SplitHostPort(tlsListener.Addr().String())
-		if err != nil {
-			return err
-		}
-		s.TLSHost = sh
-		s.TLSPort = sp
-		s.httpsServerL = tlsListener
 	}
 
 	s.hasListeners = true
@@ -425,16 +323,14 @@ func (s *Server) Shutdown() error {
 	return nil
 }
 
-func (s *Server) handleShutdown(wg *sync.WaitGroup, serversPtr *[]*http.Server) {
+func (s *Server) handleShutdown(wg *sync.WaitGroup, servers []*http.Server) {
 	// wg.Done must occur last, after s.api.ServerShutdown()
 	// (to preserve old behaviour)
 	defer wg.Done()
 
 	<-s.shutdown
 
-	servers := *serversPtr
+	ctx, cancel := context.WithTimeout(context.Background(), s.GracefulTimeout)
-
-	ctx, cancel := context.WithTimeout(context.TODO(), s.GracefulTimeout)
 	defer cancel()
 
 	// first execute the pre-shutdown hook
@@ -477,16 +373,6 @@ func (s *Server) SetHandler(handler http.Handler) {
 	s.handler = handler
 }
 
-// UnixListener returns the domain socket listener
-func (s *Server) UnixListener() (net.Listener, error) {
-	if !s.hasListeners {
-		if err := s.Listen(); err != nil {
-			return nil, err
-		}
-	}
-	return s.domainSocketL, nil
-}
-
 // HTTPListener returns the http listener
 func (s *Server) HTTPListener() (net.Listener, error) {
 	if !s.hasListeners {