mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove user secret key from encrypted session token (#652)

Browse Source 
User secret key is not really need it to be stored inside the encrypted
session key, since the `change-password` endpoint requires the user to
provide the current `secret key` that password will be used to
initialize a new minio client then we will leverage on the
`SetUser` operation, this api only works with actual user credentials
and not sts credentials
This commit is contained in:
Lenin Alevski
2021-03-18 10:27:27 -07:00
committed by GitHub
parent 3fcf278460
commit c48a024310
12 changed files with 13 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
restapi/client.go
View File

@@ -242,7 +242,6 @@ type ConsoleCredentialsI interface {
Get() (credentials.Value, error)
Expire()
GetAccountAccessKey() string
GetAccountSecretKey() string
GetActions() []string
}
@@ -250,7 +249,6 @@ type ConsoleCredentialsI interface {
type consoleCredentials struct {
consoleCredentials *credentials.Credentials
accountAccessKey string
accountSecretKey string
actions []string
}
@@ -262,10 +260,6 @@ func (c consoleCredentials) GetAccountAccessKey() string {
return c.accountAccessKey
}
func (c consoleCredentials) GetAccountSecretKey() string {
return c.accountSecretKey
}
// implements *Login.Get()
func (c consoleCredentials) Get() (credentials.Value, error) {
return c.consoleCredentials.Get()

1
restapi/configure_console.go
View File

@@ -84,7 +84,6 @@ func configureAPI(api *operations.ConsoleAPI) http.Handler {
STSSecretAccessKey: claims.STSSecretAccessKey,
STSSessionToken: claims.STSSessionToken,
AccountAccessKey: claims.AccountAccessKey,
AccountSecretKey: claims.AccountSecretKey,
}, nil
}

6
restapi/embedded_spec.go
View File

@@ -4815,9 +4815,6 @@ func init() {
"accountAccessKey": {
"type": "string"
},
"accountSecretKey": {
"type": "string"
},
"actions": {
"type": "array",
"items": {
@@ -10804,9 +10801,6 @@ func init() {
"accountAccessKey": {
"type": "string"
},
"accountSecretKey": {
"type": "string"
},
"actions": {
"type": "array",
"items": {

4
restapi/error.go
View File

@@ -31,7 +31,7 @@ var (
errPolicyBodyNotInRequest = errors.New("error policy body not in request")
errInvalidEncryptionAlgorithm = errors.New("error invalid encryption algorithm")
errSSENotConfigured = errors.New("error server side encryption configuration was not found")
errChangePassword = errors.New("unable to update password, please check your current password")
errChangePassword = errors.New("error please check your current password")
errInvalidLicense = errors.New("invalid license key")
errLicenseNotFound = errors.New("license not found")
errAvoidSelfAccountDelete = errors.New("logged in user cannot be deleted by itself")
@@ -95,7 +95,7 @@ func prepareError(err ...error) *models.Error {
errorMessage = errorGenericInvalidSession.Error()
}
// account change password
if errors.Is(err[0], errChangePassword) {
if madmin.ToErrorResponse(err[0]).Code == "SignatureDoesNotMatch" {
errorCode = 403
errorMessage = errChangePassword.Error()
}

15
restapi/user_account.go
View File

@@ -45,10 +45,7 @@ func registerAccountHandlers(api *operations.ConsoleAPI) {
}
// changePassword validate current current user password and if it's correct set the new password
func changePassword(ctx context.Context, client MinioAdmin, session *models.Principal, currentSecretKey, newSecretKey string) error {
if session.AccountSecretKey != currentSecretKey {
return errChangePassword
}
func changePassword(ctx context.Context, client MinioAdmin, session *models.Principal, newSecretKey string) error {
if err := client.changePassword(ctx, session.AccountAccessKey, newSecretKey); err != nil {
return err
}
@@ -60,22 +57,22 @@ func changePassword(ctx context.Context, client MinioAdmin, session *models.Prin
func getChangePasswordResponse(session *models.Principal, params user_api.AccountChangePasswordParams) (*models.LoginResponse, *models.Error) {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
accessKey := session.AccountAccessKey
currentSecretKey := *params.Body.CurrentSecretKey
newSecretKey := *params.Body.NewSecretKey
// changePassword operations requires an AdminClient initialized with parent account credentials not
// STS credentials
parentAccountClient, err := newMAdminClient(&models.Principal{
STSAccessKeyID: session.AccountAccessKey,
STSSecretAccessKey: session.AccountSecretKey,
STSSecretAccessKey: currentSecretKey,
})
if err != nil {
return nil, prepareError(err)
}
// parentAccountClient will contain access and secret key credentials for the user
userClient := adminClient{client: parentAccountClient}
accessKey := session.AccountAccessKey
currentSecretKey := *params.Body.CurrentSecretKey
newSecretKey := *params.Body.NewSecretKey
// currentSecretKey will compare currentSecretKey against the stored secret key inside the encrypted session
if err := changePassword(ctx, userClient, session, currentSecretKey, newSecretKey); err != nil {
if err := changePassword(ctx, userClient, session, newSecretKey); err != nil {
return nil, prepareError(err)
}
// user credentials are updated at this point, we need to generate a new admin client and authenticate using

5
restapi/user_account_test.go
View File

@@ -48,7 +48,6 @@ func Test_changePassword(t *testing.T) {
ctx: context.Background(),
session: &models.Principal{
AccountAccessKey: "TESTTEST",
AccountSecretKey: "TESTTEST",
},
currentSecretKey: "TESTTEST",
newSecretKey: "TESTTEST2",
@@ -66,7 +65,6 @@ func Test_changePassword(t *testing.T) {
ctx: context.Background(),
session: &models.Principal{
AccountAccessKey: "TESTTEST",
AccountSecretKey: "TESTTEST",
},
currentSecretKey: "TESTTEST",
newSecretKey: "TESTTEST2",
@@ -85,7 +83,6 @@ func Test_changePassword(t *testing.T) {
ctx: context.Background(),
session: &models.Principal{
AccountAccessKey: "TESTTEST",
AccountSecretKey: "TESTTEST123",
},
currentSecretKey: "TESTTEST",
newSecretKey: "TESTTEST2",
@@ -103,7 +100,7 @@ func Test_changePassword(t *testing.T) {
if tt.mock != nil {
tt.mock()
}
if err := changePassword(tt.args.ctx, tt.args.client, tt.args.session, tt.args.currentSecretKey, tt.args.newSecretKey); (err != nil) != tt.wantErr {
if err := changePassword(tt.args.ctx, tt.args.client, tt.args.session, tt.args.newSecretKey); (err != nil) != tt.wantErr {
t.Errorf("changePassword() error = %v, wantErr %v", err, tt.wantErr)
}
})

4
restapi/user_login.go
View File

@@ -93,7 +93,7 @@ func login(credentials ConsoleCredentialsI) (*string, error) {
return nil, err
}
// if we made it here, the consoleCredentials work, generate a jwt with claims
token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey(), credentials.GetAccountSecretKey(), credentials.GetActions())
token, err := auth.NewEncryptedTokenForClient(&tokens, credentials.GetAccountAccessKey(), credentials.GetActions())
if err != nil {
log.Println("error authenticating user", err)
return nil, errInvalidCredentials
@@ -123,7 +123,6 @@ func getConsoleCredentials(ctx context.Context, accessKey, secretKey string) (*c
cCredentials := &consoleCredentials{
consoleCredentials: creds,
accountAccessKey: accessKey,
accountSecretKey: secretKey,
}
tokens, err := cCredentials.Get()
if err != nil {
@@ -278,7 +277,6 @@ func getLoginOauth2AuthResponse(lr *models.LoginOauth2AuthRequest) (*models.Logi
token, err := login(&consoleCredentials{
consoleCredentials: userCredentials,
accountAccessKey: "",
accountSecretKey: "",
actions: actions,
})
if err != nil {

4
restapi/user_login_test.go
View File

@@ -43,10 +43,6 @@ func (ac consoleCredentialsMock) GetAccountAccessKey() string {
return ""
}
func (ac consoleCredentialsMock) GetAccountSecretKey() string {
return ""
}
// Common mocks
var consoleCredentialsGetMock func() (credentials.Value, error)