697bc4cd1d
Previously every Handler function was receiving the session token in the form of a jwt string, in consequence every time we want to access the encrypted claims of the jwt we needed to run a decryption process, additionally we were decrypting the jwt twice, first at the session validation then inside each handler function, this was also causing a lot of using related to the merge between m3 and mcs What changed: Now we validate and decrypt the jwt once in `configure_mcs.go`, this works for both, mcs (console) and operator sessions, and then pass the decrypted claims to all the functions that need it, so no further token validation or decryption is need it.
165 lines
6.3 KiB
Go
165 lines
6.3 KiB
Go
// This file is part of MinIO Console Server
|
|
// Copyright (c) 2020 MinIO, Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package restapi
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"log"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-openapi/runtime/middleware"
|
|
"github.com/go-openapi/swag"
|
|
"github.com/minio/mcs/models"
|
|
"github.com/minio/mcs/restapi/operations"
|
|
"github.com/minio/mcs/restapi/operations/user_api"
|
|
iampolicy "github.com/minio/minio/pkg/iam/policy"
|
|
)
|
|
|
|
func registerServiceAccountsHandlers(api *operations.McsAPI) {
|
|
// Create Service Account
|
|
api.UserAPICreateServiceAccountHandler = user_api.CreateServiceAccountHandlerFunc(func(params user_api.CreateServiceAccountParams, session *models.Principal) middleware.Responder {
|
|
creds, err := getCreateServiceAccountResponse(session, params.Body)
|
|
if err != nil {
|
|
return user_api.NewCreateServiceAccountDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
|
|
}
|
|
return user_api.NewCreateServiceAccountCreated().WithPayload(creds)
|
|
})
|
|
// List Service Accounts for User
|
|
api.UserAPIListUserServiceAccountsHandler = user_api.ListUserServiceAccountsHandlerFunc(func(params user_api.ListUserServiceAccountsParams, session *models.Principal) middleware.Responder {
|
|
serviceAccounts, err := getUserServiceAccountsResponse(session)
|
|
if err != nil {
|
|
return user_api.NewListUserServiceAccountsDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
|
|
}
|
|
return user_api.NewListUserServiceAccountsOK().WithPayload(serviceAccounts)
|
|
})
|
|
|
|
// Delete a User's service account
|
|
api.UserAPIDeleteServiceAccountHandler = user_api.DeleteServiceAccountHandlerFunc(func(params user_api.DeleteServiceAccountParams, session *models.Principal) middleware.Responder {
|
|
if err := getDeleteServiceAccountResponse(session, params.AccessKey); err != nil {
|
|
return user_api.NewDeleteServiceAccountDefault(500).WithPayload(&models.Error{Code: 500, Message: swag.String(err.Error())})
|
|
}
|
|
return user_api.NewDeleteServiceAccountNoContent()
|
|
})
|
|
}
|
|
|
|
// createServiceAccount adds a service account to the userClient and assigns a policy to him if defined.
|
|
func createServiceAccount(ctx context.Context, userClient MinioAdmin, policy string) (*models.ServiceAccountCreds, error) {
|
|
iamPolicy := &iampolicy.Policy{}
|
|
if strings.TrimSpace(policy) != "" {
|
|
iamp, err := iampolicy.ParseConfig(bytes.NewReader([]byte(policy)))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
iamPolicy = iamp
|
|
}
|
|
|
|
creds, err := userClient.addServiceAccount(ctx, iamPolicy)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &models.ServiceAccountCreds{AccessKey: creds.AccessKey, SecretKey: creds.SecretKey}, nil
|
|
}
|
|
|
|
// getCreateServiceAccountResponse creates a service account with the defined policy for the user that
|
|
// is requestingit ,it first gets the credentials of the user and creates a client which is going to
|
|
// make the call to create the Service Account
|
|
func getCreateServiceAccountResponse(session *models.Principal, serviceAccount *models.ServiceAccountRequest) (*models.ServiceAccountCreds, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
|
|
defer cancel()
|
|
|
|
userAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
log.Println("error creating user Client:", err)
|
|
return nil, err
|
|
}
|
|
// create a MinIO user Admin Client interface implementation
|
|
// defining the client to be used
|
|
userAdminClient := adminClient{client: userAdmin}
|
|
|
|
saCreds, err := createServiceAccount(ctx, userAdminClient, serviceAccount.Policy)
|
|
if err != nil {
|
|
log.Println("error creating service account:", err)
|
|
return nil, err
|
|
}
|
|
return saCreds, nil
|
|
}
|
|
|
|
// getUserServiceAccount gets list of the user's service accounts
|
|
func getUserServiceAccounts(ctx context.Context, userClient MinioAdmin) (models.ServiceAccounts, error) {
|
|
listServAccs, err := userClient.listServiceAccounts(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
serviceAccounts := models.ServiceAccounts{}
|
|
for _, acc := range listServAccs.Accounts {
|
|
serviceAccounts = append(serviceAccounts, acc)
|
|
}
|
|
return serviceAccounts, nil
|
|
}
|
|
|
|
// getUserServiceAccountsResponse authenticates the user and calls
|
|
// getUserServiceAccounts to list the user's service accounts
|
|
func getUserServiceAccountsResponse(session *models.Principal) (models.ServiceAccounts, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
|
|
defer cancel()
|
|
|
|
userAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
log.Println("error creating user Client:", err)
|
|
return nil, err
|
|
}
|
|
// create a MinIO user Admin Client interface implementation
|
|
// defining the client to be used
|
|
userAdminClient := adminClient{client: userAdmin}
|
|
|
|
serviceAccounts, err := getUserServiceAccounts(ctx, userAdminClient)
|
|
if err != nil {
|
|
log.Println("error listing user's service account:", err)
|
|
return nil, err
|
|
}
|
|
return serviceAccounts, nil
|
|
|
|
}
|
|
|
|
// deleteServiceAccount calls delete service account api
|
|
func deleteServiceAccount(ctx context.Context, userClient MinioAdmin, accessKey string) error {
|
|
return userClient.deleteServiceAccount(ctx, accessKey)
|
|
}
|
|
|
|
// getDeleteServiceAccountResponse authenticates the user and calls deleteServiceAccount
|
|
func getDeleteServiceAccountResponse(session *models.Principal, accessKey string) error {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
|
|
defer cancel()
|
|
|
|
userAdmin, err := newMAdminClient(session)
|
|
if err != nil {
|
|
log.Println("error creating user Client:", err)
|
|
return err
|
|
}
|
|
// create a MinIO user Admin Client interface implementation
|
|
// defining the client to be used
|
|
userAdminClient := adminClient{client: userAdmin}
|
|
|
|
if err := deleteServiceAccount(ctx, userAdminClient, accessKey); err != nil {
|
|
log.Println("error deleting user's service account:", err)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|