mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove user secret key from encrypted session token (#652)

Browse Source 
User secret key is not really need it to be stored inside the encrypted
session key, since the `change-password` endpoint requires the user to
provide the current `secret key` that password will be used to
initialize a new minio client then we will leverage on the
`SetUser` operation, this api only works with actual user credentials
and not sts credentials
This commit is contained in:
Lenin Alevski
2021-03-18 10:27:27 -07:00
committed by GitHub
parent 3fcf278460
commit c48a024310
12 changed files with 13 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
restapi/user_account.go
View File

@@ -45,10 +45,7 @@ func registerAccountHandlers(api *operations.ConsoleAPI) {
}
// changePassword validate current current user password and if it's correct set the new password
func changePassword(ctx context.Context, client MinioAdmin, session *models.Principal, currentSecretKey, newSecretKey string) error {
if session.AccountSecretKey != currentSecretKey {
return errChangePassword
}
func changePassword(ctx context.Context, client MinioAdmin, session *models.Principal, newSecretKey string) error {
if err := client.changePassword(ctx, session.AccountAccessKey, newSecretKey); err != nil {
return err
}
@@ -60,22 +57,22 @@ func changePassword(ctx context.Context, client MinioAdmin, session *models.Prin
func getChangePasswordResponse(session *models.Principal, params user_api.AccountChangePasswordParams) (*models.LoginResponse, *models.Error) {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
accessKey := session.AccountAccessKey
currentSecretKey := *params.Body.CurrentSecretKey
newSecretKey := *params.Body.NewSecretKey
// changePassword operations requires an AdminClient initialized with parent account credentials not
// STS credentials
parentAccountClient, err := newMAdminClient(&models.Principal{
STSAccessKeyID: session.AccountAccessKey,
STSSecretAccessKey: session.AccountSecretKey,
STSSecretAccessKey: currentSecretKey,
})
if err != nil {
return nil, prepareError(err)
}
// parentAccountClient will contain access and secret key credentials for the user
userClient := adminClient{client: parentAccountClient}
accessKey := session.AccountAccessKey
currentSecretKey := *params.Body.CurrentSecretKey
newSecretKey := *params.Body.NewSecretKey
// currentSecretKey will compare currentSecretKey against the stored secret key inside the encrypted session
if err := changePassword(ctx, userClient, session, currentSecretKey, newSecretKey); err != nil {
if err := changePassword(ctx, userClient, session, newSecretKey); err != nil {
return nil, prepareError(err)
}
// user credentials are updated at this point, we need to generate a new admin client and authenticate using