
Commit 85d549c

support all possible conditional values in policies (#1271)
Currently the console only supports "aws:username" as the most basic variable for policy evaluation. This PR extends this to add all the possible combinations. This includes all `jwt:*` and `ldap:*`
1 parent 5f46ec2 commit 85d549c

3 files changed

+51
-0
lines changed


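--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/go-openapi/strfmt v0.20.0
 	github.com/go-openapi/swag v0.19.14
 	github.com/go-openapi/validate v0.20.2
+	github.com/golang-jwt/jwt/v4 v4.1.0
 	github.com/gorilla/websocket v1.4.2
 	github.com/jessevdk/go-flags v1.4.0
 	github.com/klauspost/compress v1.13.6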

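--- a/go.sum
+++ b/go.sum
@@ -487,6 +487,8 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0=
+github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=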

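--- a/restapi/user_session.go
+++ b/restapi/user_session.go
@@ -21,8 +21,10 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/url"
+	"strconv"
 	"time"
 
+	jwtgo "github.com/golang-jwt/jwt/v4"
 	"github.com/minio/pkg/bucket/policy/condition"
 
 	minioIAMPolicy "github.com/minio/pkg/iam/policy"
@@ -70,6 +72,20 @@ func registerSessionHandlers(api *operations.ConsoleAPI) {
 	})
 }
 
+func getClaimsFromToken(sessionToken string) (map[string]interface{}, error) {
+	jp := new(jwtgo.Parser)
+	jp.ValidMethods = []string{
+		"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
+		"RS3256", "RS3384", "RS3512", "ES3256", "ES3384", "ES3512",
+	}
+	var claims jwtgo.MapClaims
+	_, _, err := jp.ParseUnverified(sessionToken, &claims)
+	if err != nil {
+		return nil, err
+	}
+	return claims, nil
+}
+
 // getSessionResponse parse the token of the current session and returns a list of allowed actions to render in the UI
 func getSessionResponse(session *models.Principal) (*models.SessionResponse, *models.Error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
@@ -104,12 +120,44 @@ func getSessionResponse(session *models.Principal) (*models.SessionResponse, *mo
 		actions = acl.GetActionsStringFromPolicy(policy)
 	}
 
+	currTime := time.Now().UTC()
+
 	// This actions will be global, meaning has to be attached to all resources
 	conditionValues := map[string][]string{
 		condition.AWSUsername.Name(): {session.AccountAccessKey},
+		// All calls to MinIO from console use temporary credentials.
+		condition.AWSPrincipalType.Name(): {"AssumeRole"},
+		condition.AWSSecureTransport.Name(): {strconv.FormatBool(getMinIOEndpointIsSecure())},
+		condition.AWSCurrentTime.Name(): {currTime.Format(time.RFC3339)},
+		condition.AWSEpochTime.Name(): {strconv.FormatInt(currTime.Unix(), 10)},
+
+		// All calls from console are signature v4.
+		condition.S3SignatureVersion.Name(): {"AWS4-HMAC-SHA256"},
+		// All calls from console are signature v4.
+		condition.S3AuthType.Name(): {"REST-HEADER"},
+		// This is usually empty, may be set some times (rare).
+		condition.S3LocationConstraint.Name(): {GetMinIORegion()},
+	}
+
+	claims, err := getClaimsFromToken(session.STSSessionToken)
+	if err != nil {
+		return nil, prepareError(err, errorGenericInvalidSession)
+	}
+
+	// Support all LDAP, JWT variables
+	for k, v := range claims {
+		vstr, ok := v.(string)
+		if !ok {
+			// skip all non-strings
+			continue
+		}
+		// store all claims from sessionToken
+		conditionValues[k] = []string{vstr}
 	}
+
 	defaultActions := policy.IsAllowedActions("", "", conditionValues)
 	consoleResourceName := "console-ui"
+
 	permissions := map[string]minioIAMPolicy.ActionSet{
 		consoleResourceName: defaultActions,
 	}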
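Review bot: The `jp.ValidMethods` list at the top of getClaimsFromToken has no effect, because `ParseUnverified` checks neither the token's signature nor its algorithm, so as written the function reads as if the alg were being validated when it is not. I would drop that assignment and state the contract in a doc comment, e.g. `// getClaimsFromToken decodes the claims of sessionToken without verifying its signature; use the result only to decide what the UI renders, never for authorization.` In the last hunk the claims loop runs after the explicit conditionValues entries, so a string claim whose key collides with one of them (for instance the `aws:username` key) silently replaces the console-derived value; if that is unintended, fill the map from the claims first and set the fixed keys afterwards, or skip keys that are already present. The second `// All calls from console are signature v4.` comment sits on the S3AuthType entry and looks copy-pasted; it should describe the auth type instead. getSessionResponse continues past the end of that hunk.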
