remove various unexpected features in console

- Unix listeners are removed
- KeepAlive, IdleTimeout etc are removed
- Authorization logic is simplified

Author: harshavardhana

cmd/console/server.go

@@ -29,6 +29,7 @@ import (
 	"github.com/go-openapi/loads"
 	"github.com/jessevdk/go-flags"
 	"github.com/minio/cli"
+	"github.com/minio/console/pkg/acl"
 	"github.com/minio/console/pkg/certs"
 	"github.com/minio/console/restapi"
 	"github.com/minio/console/restapi/operations"
@@ -130,9 +131,8 @@ func StartServer(ctx *cli.Context) error {
 
 	server.Host = ctx.String("host")
 	server.Port = ctx.Int("port")
-
-	restapi.Hostname = ctx.String("host")
-	restapi.Port = strconv.Itoa(ctx.Int("port"))
+	restapi.Hostname = server.Host
+	restapi.Port = strconv.Itoa(server.Port)
 
 	// Set all certs and CAs directories path
 	certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
@@ -149,21 +149,21 @@ func StartServer(ctx *cli.Context) error {
 		// TLS flags from swagger server, used to support VMware vsphere operator version.
 		swaggerServerCertificate := ctx.String("tls-certificate")
 		swaggerServerCertificateKey := ctx.String("tls-key")
-		SwaggerServerCACertificate := ctx.String("tls-ca")
+		swaggerServerCACertificate := ctx.String("tls-ca")
 		// load tls cert and key from swagger server tls-certificate and tls-key flags
 		if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
-			if errAddCert := certs.AddCertificate(context.Background(),
-				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
-				log.Println(errAddCert)
+			if err = certs.AddCertificate(context.Background(),
+				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
+				log.Fatalln(err)
 			}
-			if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
+			if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil {
 				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
 			}
 		}
 
 		// load ca cert from swagger server tls-ca flag
-		if SwaggerServerCACertificate != "" {
-			caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
+		if swaggerServerCACertificate != "" {
+			caCert, caCertErr := ioutil.ReadFile(swaggerServerCACertificate)
 			if caCertErr == nil {
 				restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
 			}
@@ -175,36 +175,37 @@ func StartServer(ctx *cli.Context) error {
 		// plain HTTP connections to HTTPS server
 		server.EnabledListeners = []string{"http", "https"}
 		server.TLSPort = ctx.Int("tls-port")
-		server.TLSHost = ctx.String("tls-host")
 		// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
-		restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
+		restapi.TLSPort = strconv.Itoa(server.TLSPort)
 		restapi.Hostname = ctx.String("host")
 		restapi.TLSRedirect = ctx.String("tls-redirect")
 	}
 
 	server.ConfigureAPI()
 
-	// subnet license refresh process
-	go func() {
-		failedAttempts := 0
-		for {
-			if err := restapi.RefreshLicense(); err != nil {
-				log.Println(err)
-				failedAttempts++
-				// end license refresh after 3 consecutive failed attempts
-				if failedAttempts >= 3 {
-					return
+	if acl.GetOperatorMode() {
+		// subnet license refresh process
+		go func() {
+			failedAttempts := 0
+			for {
+				if err := restapi.RefreshLicense(); err != nil {
+					log.Println(err)
+					failedAttempts++
+					// end license refresh after 3 consecutive failed attempts
+					if failedAttempts >= 3 {
+						return
+					}
+					// wait 5 minutes and retry again
+					time.Sleep(time.Minute * 5)
+					continue
 				}
-				// wait 5 minutes and retry again
-				time.Sleep(time.Minute * 5)
-				continue
+				// if license refreshed successfully reset the counter
+				failedAttempts = 0
+				// try to refresh license every 24 hrs
+				time.Sleep(time.Hour * 24)
 			}
-			// if license refreshed successfully reset the counter
-			failedAttempts = 0
-			// try to refresh license every 24 hrs
-			time.Sleep(time.Hour * 24)
-		}
-	}()
+		}()
+	}
 
 	if err := server.Serve(); err != nil {
 		log.Fatalln(err)

pkg/auth/token.go

@@ -32,8 +32,8 @@ import (
 	"log"
 	"net/http"
 	"strings"
+	"time"
 
-	"github.com/go-openapi/swag"
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/minio-go/v7/pkg/credentials"
@@ -43,8 +43,10 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 )
 
+// Session token errors
 var (
-	errNoAuthToken  = errors.New("session token missing")
+	ErrNoAuthToken  = errors.New("session token missing")
+	errTokenExpired = errors.New("session token has expired")
 	errReadingToken = errors.New("session token internal data is malformed")
 	errClaimsFormat = errors.New("encrypted session token claims not in the right format")
 	errorGeneric    = errors.New("an error has occurred")
@@ -82,7 +84,7 @@ type TokenClaims struct {
 //	}
 func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
 	if token == "" {
-		return nil, errNoAuthToken
+		return nil, ErrNoAuthToken
 	}
 	// decrypt encrypted token
 	claimTokens, err := decryptClaims(token)
@@ -289,25 +291,18 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 // either defined on a cookie `token` or on Authorization header.
 //
 // Authorization Header needs to be like "Authorization Bearer <token>"
-func GetTokenFromRequest(r *http.Request) (*string, error) {
-	// Get Auth token
-	var reqToken string
-
+func GetTokenFromRequest(r *http.Request) (string, error) {
 	// Token might come either as a Cookie or as a Header
 	// if not set in cookie, check if it is set on Header.
 	tokenCookie, err := r.Cookie("token")
 	if err != nil {
-		headerToken := r.Header.Get("Authorization")
-		// reqToken should come as "Bearer <token>"
-		splitHeaderToken := strings.Split(headerToken, "Bearer")
-		if len(splitHeaderToken) <= 1 {
-			return nil, errNoAuthToken
-		}
-		reqToken = strings.TrimSpace(splitHeaderToken[1])
-	} else {
-		reqToken = strings.TrimSpace(tokenCookie.Value)
+		return "", ErrNoAuthToken
+	}
+	currentTime := time.Now()
+	if tokenCookie.Expires.After(currentTime) {
+		return "", errTokenExpired
 	}
-	return swag.String(reqToken), nil
+	return strings.TrimSpace(tokenCookie.Value), nil
 }
 
 func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
@@ -317,7 +312,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
 	}
 	// Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session
 	// was used in the first place to get it
-	claims, err := SessionTokenAuthenticate(*sessionID)
+	claims, err := SessionTokenAuthenticate(sessionID)
 	if err != nil {
 		return nil, err
 	}

restapi/admin_subscription.go

@@ -412,24 +412,19 @@ func RefreshLicense() error {
 	if err != nil {
 		return err
 	}
+	if refreshedLicenseKey == "" {
+		return errors.New("license expired, please open a support ticket at https://subnet.min.io/")
+	}
 	// store new license in memory for console ui
 	LicenseKey = refreshedLicenseKey
-	// Update in memory license and update k8s secret
-	if refreshedLicenseKey != "" {
-		if acl.GetOperatorMode() {
-			ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-			defer cancel()
-			clientSet, err := cluster.K8sClient(saK8SToken)
-			if err != nil {
-				return err
-			}
-			k8sClient := k8sClient{
-				client: clientSet,
-			}
-			if err = saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey); err != nil {
-				return err
-			}
-		}
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+	clientSet, err := cluster.K8sClient(saK8SToken)
+	if err != nil {
+		return err
 	}
-	return nil
+	k8sClient := k8sClient{
+		client: clientSet,
+	}
+	return saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey)
 }

restapi/configure_console.go

@@ -21,7 +21,6 @@ package restapi
 import (
 	"bytes"
 	"crypto/tls"
-	"fmt"
 	"io"
 	"io/fs"
 	"log"
@@ -169,13 +168,6 @@ func configureTLS(tlsConfig *tls.Config) {
 	}
 }
 
-// As soon as server is initialized but not run yet, this function will be called.
-// If you need to modify a config, store server instance to stop it individually later, this is the place.
-// This function can be called multiple times, depending on the number of serving schemes.
-// scheme value will be set accordingly: "http", "https" or "unix"
-func configureServer(s *http.Server, scheme, addr string) {
-}
-
 // The middleware configuration is for the handler executors. These do not apply to the swagger.json document.
 // The middleware executes after routing but before authentication, binding and validation
 func setupMiddlewares(handler http.Handler) http.Handler {
@@ -215,30 +207,22 @@ func setupGlobalMiddleware(handler http.Handler) http.Handler {
 		IsDevelopment:                   !getProductionMode(),
 	}
 	secureMiddleware := secure.New(secureOptions)
-	app := secureMiddleware.Handler(next)
-	return app
+	return secureMiddleware.Handler(next)
 }
 
 func AuthenticationMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// prioritize authorization header and skip
-		if r.Header.Get("Authorization") != "" {
-			next.ServeHTTP(w, r)
+		token, err := auth.GetTokenFromRequest(r)
+		if err != nil && err != auth.ErrNoAuthToken {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return
 		}
-		tokenCookie, err := r.Cookie("token")
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-		currentTime := time.Now()
-		if tokenCookie.Expires.After(currentTime) {
-			next.ServeHTTP(w, r)
-			return
-		}
-		token := tokenCookie.Value
+		// All handlers handle appropriately to return errors
+		// based on their swagger rules, we do not need to
+		// additionally return error here, let the next ServeHTTPs
+		// handle it appropriately.
 		if token != "" {
-			r.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
+			r.Header.Add("Authorization", "Bearer "+token)
 		}
 		next.ServeHTTP(w, r)
 	})
@@ -259,7 +243,6 @@ func FileServerMiddleware(next http.Handler) http.Handler {
 				panic(err)
 			}
 			wrapHandlerSinglePageApplication(http.FileServer(http.FS(buildFs))).ServeHTTP(w, r)
-
 		}
 	})
 }