STS integration, JWT auth and Stateless MCS

This commit changes the authentication mechanism between mcs and minio to an sts
(security token service) schema using the user provided credentials, previously
mcs was using master credentials. With that said in order for you to
login to MCS as an admin your user must exists first on minio and have enough
privileges to do administrative operations.

```
./mc admin user add myminio alevsk alevsk12345
```

```
cat admin.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "admin:*",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

./mc admin policy add myminio admin admin.json
```

```
./mc admin policy set myminio admin user=alevsk
```

Author: Alevsk

Makefile

@@ -22,6 +22,7 @@ assets:
 
 test:
 	@(go test -race -v github.com/minio/mcs/restapi/...)
+	@(go test -race -v github.com/minio/mcs/pkg/auth)
 
 coverage:
 	@(go test -v -coverprofile=coverage.out github.com/minio/mcs/restapi/... && go tool cover -html=coverage.out && open coverage.html)

README.md

@@ -54,6 +54,7 @@ $ mc admin policy set myminio mcsAdmin user=mcs
 To run the server:
 
 ```
+export MCS_HMAC_JWT_SECRET=YOURJWTSIGNINGSECRET
 export MCS_ACCESS_KEY=mcs
 export MCS_SECRET_KEY=YOURMCSSECRET
 export MCS_MINIO_SERVER=http://localhost:9000

go.mod

@@ -3,6 +3,7 @@ module github.com/minio/mcs
 go 1.14
 
 require (
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/go-openapi/errors v0.19.4
 	github.com/go-openapi/loads v0.19.5
@@ -12,6 +13,7 @@ require (
 	github.com/go-openapi/swag v0.19.8
 	github.com/go-openapi/validate v0.19.7
 	github.com/jessevdk/go-flags v1.4.0
+	github.com/json-iterator/go v1.1.9
 	github.com/minio/cli v1.22.0
 	github.com/minio/mc v0.0.0-20200415193718-68b638f2f96c
 	github.com/minio/minio v0.0.0-20200415191640-bde0f444dbab

go.sum

@@ -390,6 +390,7 @@ github.com/minio/minio v0.0.0-20200415191640-bde0f444dbab h1:9hlqghJl3e3HorXa6AD
 github.com/minio/minio v0.0.0-20200415191640-bde0f444dbab/go.mod h1:v8oQPMMaTkjDwp5cOz1WCElA4Ik+X+0y4On+VMk0fis=
 github.com/minio/minio-go/v6 v6.0.53 h1:8jzpwiOzZ5Iz7/goFWqNZRICbyWYShbb5rARjrnSCNI=
 github.com/minio/minio-go/v6 v6.0.53/go.mod h1:DIvC/IApeHX8q1BAMVCXSXwpmrmM+I+iBvhvztQorfI=
+github.com/minio/parquet-go v0.0.0-20200414234858-838cfa8aae61 h1:pUSI/WKPdd77gcuoJkSzhJ4wdS8OMDOsOu99MtpXEQA=
 github.com/minio/parquet-go v0.0.0-20200414234858-838cfa8aae61/go.mod h1:4trzEJ7N1nBTd5Tt7OCZT5SEin+WiAXpdJ/WgPkESA8=
 github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=

pkg/auth/jwt.go

@@ -0,0 +1,72 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"errors"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	xjwt "github.com/minio/mcs/pkg/auth/jwt"
+	"github.com/minio/minio-go/v6/pkg/credentials"
+	"github.com/minio/minio/cmd"
+)
+
+var (
+	errAuthentication = errors.New("Authentication failed, check your access credentials")
+	errNoAuthToken    = errors.New("JWT token missing")
+)
+
+// IsJWTValid returns true or false depending if the provided jwt is valid or not
+func IsJWTValid(token string) bool {
+	_, err := JWTAuthenticate(token)
+	return err == nil
+}
+
+// JWTAuthenticate takes a jwt, decode it, extract claims and validate the signature
+// returns claims after validation in the following format:
+//
+//	type MapClaims struct {
+//		AccessKeyID
+//		SecretAccessKey
+//		SessionToken
+//	}
+func JWTAuthenticate(token string) (*xjwt.MapClaims, error) {
+	if token == "" {
+		return nil, errNoAuthToken
+	}
+	claims := xjwt.NewMapClaims()
+	if err := xjwt.ParseWithClaims(token, claims); err != nil {
+		return claims, errAuthentication
+	}
+	return claims, nil
+}
+
+// NewJWTWithClaimsForClient generates a new jwt with claims based on the provided STS credentials
+func NewJWTWithClaimsForClient(credentials *credentials.Value, audience string) (string, error) {
+	if credentials != nil {
+		claims := xjwt.NewStandardClaims()
+		claims.SetExpiry(cmd.UTCNow().Add(xjwt.GetMcsSTSAndJWTDurationTime()))
+		claims.SetAccessKeyID(credentials.AccessKeyID)
+		claims.SetSecretAccessKey(credentials.SecretAccessKey)
+		claims.SetSessionToken(credentials.SessionToken)
+		claims.SetAudience(audience)
+
+		jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
+		return jwt.SignedString([]byte(xjwt.GetHmacJWTSecret()))
+	}
+	return "", errors.New("provided credentials are empty")
+}

restapi/sessions/sessions.go renamed to pkg/auth/jwt/config.go

@@ -14,58 +14,18 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-package sessions
+package jwt
 
 import (
 	"crypto/rand"
 	"io"
+	"strconv"
 	"strings"
-	"sync"
+	"time"
 
-	mcCmd "github.com/minio/mc/cmd"
+	"github.com/minio/minio/pkg/env"
 )
 
-type Singleton struct {
-	sessions map[string]*mcCmd.Config
-}
-
-var instance *Singleton
-var once sync.Once
-
-// Returns a Singleton instance that keeps the sessions
-func GetInstance() *Singleton {
-	once.Do(func() {
-		//build sessions hash
-		sessions := make(map[string]*mcCmd.Config)
-
-		instance = &Singleton{
-			sessions: sessions,
-		}
-	})
-	return instance
-}
-
-// The delete built-in function deletes the element with the specified key (m[key]) from the map.
-// If m is nil or there is no such element, delete is a no-op. https://golang.org/pkg/builtin/#delete
-func (s *Singleton) DeleteSession(sessionID string) {
-	delete(s.sessions, sessionID)
-}
-
-func (s *Singleton) NewSession(cfg *mcCmd.Config) string {
-	// genereate random session id
-	sessionID := RandomCharString(64)
-	// store the cfg under that session id
-	s.sessions[sessionID] = cfg
-	return sessionID
-}
-
-func (s *Singleton) ValidSession(sessionID string) bool {
-	if _, ok := s.sessions[sessionID]; ok {
-		return true
-	}
-	return false
-}
-
 // Do not use:
 // https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-go
 // It relies on math/rand and therefore not on a cryptographically secure RNG => It must not be used
@@ -93,3 +53,27 @@ func RandomCharString(n int) string {
 	}
 	return s.String()
 }
+
+// defaultHmacJWTSecret will be used by default if application is not configured with a custom MCS_HMAC_JWT_SECRET secret
+var defaultHmacJWTSecret = RandomCharString(64)
+
+// GetHmacJWTSecret returns the 64 bytes secret used for signing the generated JWT for the application
+func GetHmacJWTSecret() string {
+	return env.Get(McsHmacJWTSecret, defaultHmacJWTSecret)
+}
+
+// McsSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
+// Ideally both values should match so jwt and Minio sts sessions expires at the same time.
+func GetMcsSTSAndJWTDurationInSeconds() int {
+	duration, err := strconv.Atoi(env.Get(McsSTSAndJWTDurationSeconds, "3600"))
+	if err != nil {
+		duration = 3600
+	}
+	return duration
+}
+
+// GetMcsSTSAndJWTDurationTime returns GetMcsSTSAndJWTDurationInSeconds in duration format
+func GetMcsSTSAndJWTDurationTime() time.Duration {
+	duration := GetMcsSTSAndJWTDurationInSeconds()
+	return time.Duration(duration) * time.Second
+}

pkg/auth/jwt/const.go

@@ -0,0 +1,22 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package jwt
+
+const (
+	McsHmacJWTSecret            = "MCS_HMAC_JWT_SECRET"
+	McsSTSAndJWTDurationSeconds = "MCS_STS_AND_JWT_DURATION_SECONDS"
+)