STS session token and console session cookie have same duration (#1202)

- `CONSOLE_STS_DURATION_IN_SECONDS` env renamed to `CONSOLE_STS_DURATION` to support more time formats Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2021-11-09 21:41:00 -08:00
parent 4a8ec219cc
commit c2f0889ff8
5 changed files with 21 additions and 13 deletions
--- a/pkg/auth/token/config.go
+++ b/pkg/auth/token/config.go
@@ -17,17 +17,25 @@
 package token

 import (
-	"strconv"
+	"time"

 	"github.com/minio/console/pkg/auth/utils"
 	"github.com/minio/pkg/env"
 )

-// ConsoleSTSDurationSeconds returns the default session duration for the STS requested tokens.
-func GetConsoleSTSDurationInSeconds() int {
-	duration, err := strconv.Atoi(env.Get(ConsoleSTSDurationSeconds, "3600"))
+// GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 1h)
+func GetConsoleSTSDuration() time.Duration {
+	durationSeconds := env.Get(ConsoleSTSDurationSeconds, "")
+	if durationSeconds != "" {
+		duration, err := time.ParseDuration(durationSeconds + "s")
 		if err != nil {
-		duration = 3600
+			duration = 1 * time.Hour
+		}
+		return duration
+	}
+	duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "1h"))
+	if err != nil {
+		duration = 1 * time.Hour
 	}
 	return duration
 }
--- a/pkg/auth/token/const.go
+++ b/pkg/auth/token/const.go
@@ -17,7 +17,8 @@
 package token

 const (
-	ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS"
+	ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS" // (deprecated), set value in seconds for sts session, ie: 3600
+	ConsoleSTSDuration        = "CONSOLE_STS_DURATION"         // time.Duration format, ie: 3600s, 2h45m, 1h, etc
 	ConsolePBKDFPassphrase    = "CONSOLE_PBKDF_PASSPHRASE"
 	ConsolePBKDFSalt          = "CONSOLE_PBKDF_SALT"
 )
--- a/restapi/client.go
+++ b/restapi/client.go
@@ -326,7 +326,7 @@ func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 				AccessKey:       accessKey,
 				SecretKey:       secretKey,
 				Location:        location,
-				DurationSeconds: xjwt.GetConsoleSTSDurationInSeconds(),
+				DurationSeconds: int(xjwt.GetConsoleSTSDuration()),
 			}
 			stsAssumeRole := &credentials.STSAssumeRole{
 				Client:      GetConsoleHTTPClient(),
--- a/restapi/config.go
+++ b/restapi/config.go
@@ -23,7 +23,6 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
-	"time"

 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"

@@ -46,9 +45,6 @@ var (

 	// TLSRedirect console tls redirect rule
 	TLSRedirect = "on"
-
-	// SessionDuration cookie validity duration
-	SessionDuration = 45 * time.Minute
 )

 func getMinIOServer() string {
--- a/restapi/utils.go
+++ b/restapi/utils.go
@@ -23,6 +23,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	xjwt "github.com/minio/console/pkg/auth/token"
 )

 // Do not use:
@@ -106,12 +108,13 @@ func FileExists(filename string) bool {
 }

 func NewSessionCookieForConsole(token string) http.Cookie {
+	sessionDuration := xjwt.GetConsoleSTSDuration()
 	return http.Cookie{
 		Path:     "/",
 		Name:     "token",
 		Value:    token,
-		MaxAge:   int(SessionDuration.Seconds()), // 45 minutes
-		Expires:  time.Now().Add(SessionDuration),
+		MaxAge:   int(sessionDuration.Seconds()), // default 1 hr
+		Expires:  time.Now().Add(sessionDuration),
 		HttpOnly: true,
 		// if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
 		// should not leak any cookie if we access the site using HTTP