iFrame Support

Signed-off-by: Daniel Valdivia <[email protected]>

Author: dvaldivia

operatorapi/configure_operator.go

@@ -22,6 +22,7 @@ package operatorapi
 import (
 	"crypto/tls"
 	"net/http"
+	"strings"
 
 	"github.com/minio/console/restapi"
 	"github.com/unrolled/secure"
@@ -137,12 +138,25 @@ func AuthenticationMiddleware(next http.Handler) http.Handler {
 	})
 }
 
+// proxyMiddleware adds the proxy capability
+func proxyMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/api/proxy") {
+			serveProxy(w, r)
+		} else {
+			next.ServeHTTP(w, r)
+		}
+	})
+}
+
 // The middleware configuration happens before anything, this middleware also applies to serving the swagger.json document.
 // So this is a good place to plug in a panic handling middleware, logging and metrics.
 func setupGlobalMiddleware(handler http.Handler) http.Handler {
 	// handle cookie or authorization header for session
 	next := AuthenticationMiddleware(handler)
 	// serve static files
+	next = proxyMiddleware(next)
+	// serve static files
 	next = restapi.FileServerMiddleware(next)
 	// Secure middleware, this middleware wrap all the previous handlers and add
 	// HTTP security headers

operatorapi/proxy.go

@@ -0,0 +1,228 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package operatorapi
+
+import (
+	"bytes"
+	"crypto/sha1"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/http/cookiejar"
+	url2 "net/url"
+	"strings"
+
+	v2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/minio/console/cluster"
+
+	"github.com/minio/console/pkg/auth"
+)
+
+func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
+	urlParts := strings.Split(req.URL.Path, "/")
+
+	if len(urlParts) < 5 {
+		log.Println(len(urlParts))
+		return
+	}
+	namespace := urlParts[3]
+	tenantName := urlParts[4]
+
+	// validate the tenantName
+
+	token, err := auth.GetTokenFromRequest(req)
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(401)
+		return
+	}
+	claims, err := auth.SessionTokenAuthenticate(token)
+	if err != nil {
+		log.Printf("Unable to validate the session token %s: %v\n", token, err)
+		responseWriter.WriteHeader(401)
+
+		return
+	}
+
+	//STSSessionToken := currToken.Value
+	STSSessionToken := claims.STSSessionToken
+
+	opClientClientSet, err := cluster.OperatorClient(STSSessionToken)
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(404)
+		return
+	}
+	opClient := operatorClient{
+		client: opClientClientSet,
+	}
+	tenant, err := opClient.TenantGet(req.Context(), namespace, tenantName, metav1.GetOptions{})
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(502)
+		return
+	}
+
+	nsTenant := fmt.Sprintf("%s/%s", tenant.Namespace, tenant.Name)
+
+	tenantSchema := "http"
+	tenantPort := ":9090"
+	if tenant.AutoCert() || tenant.ConsoleExternalCert() {
+		tenantSchema = "https"
+		tenantPort = ":9443"
+	}
+	tenantURL := fmt.Sprintf("%s://%s.%s.svc.%s%s", tenantSchema, tenant.ConsoleCIServiceName(), tenant.Namespace, v2.GetClusterDomain(), tenantPort)
+	// for development
+	//tenantURL = "http://localhost:9091"
+	//tenantURL = "https://localhost:9443"
+
+	h := sha1.New()
+	h.Write([]byte(nsTenant))
+	log.Printf("Proxying request for %s/%s", namespace, tenantName)
+	tenantCookieName := fmt.Sprintf("token-%x", string(h.Sum(nil)))
+	tenantCookie, err := req.Cookie(tenantCookieName)
+	if err != nil {
+		// login to tenantName
+		loginURL := fmt.Sprintf("%s/api/v1/login", tenantURL)
+
+		// get the tenant credentials
+		clientSet, err := cluster.K8sClient(STSSessionToken)
+		if err != nil {
+			log.Println(err)
+			responseWriter.WriteHeader(500)
+			return
+		}
+
+		currentSecret, err := clientSet.CoreV1().Secrets(namespace).Get(req.Context(), tenant.Spec.CredsSecret.Name, metav1.GetOptions{})
+		if err != nil {
+			log.Println(err)
+			responseWriter.WriteHeader(500)
+			return
+		}
+
+		data := map[string]string{
+			"accessKey": string(currentSecret.Data["accesskey"]),
+			"secretKey": string(currentSecret.Data["secretkey"]),
+		}
+		payload, _ := json.Marshal(data)
+
+		loginReq, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewReader(payload))
+		if err != nil {
+			log.Println(err)
+			responseWriter.WriteHeader(500)
+			return
+		}
+		loginReq.Header.Add("Content-Type", "application/json")
+
+              // FIXME: in the future we should use restapi.GetConsoleSTSClient()
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client := &http.Client{Transport: tr}
+
+		loginResp, err := client.Do(loginReq)
+		if err != nil {
+			log.Println(err)
+			responseWriter.WriteHeader(500)
+			return
+		}
+
+		for _, c := range loginResp.Cookies() {
+			if c.Name == "token" {
+				tenantCookie = c
+				c := &http.Cookie{
+					Name:     tenantCookieName,
+					Value:    c.Value,
+					Path:     c.Path,
+					Expires:  c.Expires,
+					HttpOnly: c.HttpOnly,
+				}
+
+				http.SetCookie(responseWriter, c)
+				break
+			}
+		}
+		defer loginResp.Body.Close()
+	}
+
+	targetURL, err := url2.Parse(tenantURL)
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(500)
+		return
+	}
+	targetURL.Path = strings.Replace(req.URL.Path, fmt.Sprintf("/api/proxy/%s/%s", tenant.Namespace, tenant.Name), "", -1)
+
+	proxiedCookie := &http.Cookie{
+		Name:     "token",
+		Value:    tenantCookie.Value,
+		Path:     tenantCookie.Path,
+		Expires:  tenantCookie.Expires,
+		HttpOnly: tenantCookie.HttpOnly,
+	}
+
+	proxyCookieJar, _ := cookiejar.New(nil)
+	proxyCookieJar.SetCookies(targetURL, []*http.Cookie{proxiedCookie})
+
+	tr := &http.Transport{
+		// FIXME: use restapi.GetConsoleSTSClient()
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr,
+		Jar: proxyCookieJar,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		}}
+
+	proxRequest, err := http.NewRequest(req.Method, targetURL.String(), req.Body)
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(500)
+		return
+	}
+
+	for _, v := range req.Header.Values("Content-Type") {
+		proxRequest.Header.Add("Content-Type", v)
+	}
+
+	resp, err := client.Do(proxRequest)
+	if err != nil {
+		log.Println(err)
+		responseWriter.WriteHeader(500)
+		return
+	}
+
+	for hk, hv := range resp.Header {
+		if hk != "X-Frame-Options" {
+			for _, v := range hv {
+				responseWriter.Header().Add(hk, v)
+			}
+		}
+	}
+	// Allow iframes
+	responseWriter.Header().Set("X-Frame-Options", "SAMEORIGIN")
+	responseWriter.Header().Set("X-XSS-Protection", "1")
+
+	io.Copy(responseWriter, resp.Body)
+
+}

pkg/acl/endpoints.go

@@ -29,6 +29,7 @@ var (
 	iamPolicies                 = "/policies"
 	policiesDetail              = "/policies/:policyName"
 	dashboard                   = "/dashboard"
+	metrics                     = "/metrics"
 	profiling                   = "/profiling"
 	buckets                     = "/buckets"
 	bucketsDetail               = "/buckets/:bucketName"
@@ -293,6 +294,7 @@ var endpointRules = map[string]ConfigurationActionSet{
 	iamPolicies:                 iamPoliciesActionSet,
 	policiesDetail:              iamPoliciesActionSet,
 	dashboard:                   dashboardActionSet,
+	metrics:                     dashboardActionSet,
 	profiling:                   profilingActionSet,
 	buckets:                     bucketsActionSet,
 	bucketsDetail:               bucketsActionSet,

pkg/acl/endpoints_test.go

@@ -50,7 +50,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			args: args{
 				[]string{"admin:ServerInfo"},
 			},
-			want: 7,
+			want: 8,
 		},
 		{
 			name: "policies endpoint",
@@ -72,7 +72,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:*",
 				},
 			},
-			want: 21,
+			want: 22,
 		},
 		{
 			name: "all s3 endpoints",
@@ -91,7 +91,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 30,
+			want: 31,
 		},
 		{
 			name: "Console User - default endpoints",

portal-ui/build/asset-manifest.json

@@ -1,25 +1,25 @@
 {
   "files": {
     "main.css": "/static/css/main.8cfac526.chunk.css",
-    "main.js": "/static/js/main.19a8b820.chunk.js",
-    "main.js.map": "/static/js/main.19a8b820.chunk.js.map",
+    "main.js": "/static/js/main.aed25c81.chunk.js",
+    "main.js.map": "/static/js/main.aed25c81.chunk.js.map",
     "runtime-main.js": "/static/js/runtime-main.43a31377.js",
     "runtime-main.js.map": "/static/js/runtime-main.43a31377.js.map",
-    "static/css/2.20c81d8d.chunk.css": "/static/css/2.20c81d8d.chunk.css",
-    "static/js/2.c66fcba0.chunk.js": "/static/js/2.c66fcba0.chunk.js",
-    "static/js/2.c66fcba0.chunk.js.map": "/static/js/2.c66fcba0.chunk.js.map",
+    "static/css/2.c5a51b70.chunk.css": "/static/css/2.c5a51b70.chunk.css",
+    "static/js/2.dd405112.chunk.js": "/static/js/2.dd405112.chunk.js",
+    "static/js/2.dd405112.chunk.js.map": "/static/js/2.dd405112.chunk.js.map",
     "index.html": "/index.html",
-    "static/css/2.20c81d8d.chunk.css.map": "/static/css/2.20c81d8d.chunk.css.map",
+    "static/css/2.c5a51b70.chunk.css.map": "/static/css/2.c5a51b70.chunk.css.map",
     "static/css/main.8cfac526.chunk.css.map": "/static/css/main.8cfac526.chunk.css.map",
-    "static/js/2.c66fcba0.chunk.js.LICENSE.txt": "/static/js/2.c66fcba0.chunk.js.LICENSE.txt",
+    "static/js/2.dd405112.chunk.js.LICENSE.txt": "/static/js/2.dd405112.chunk.js.LICENSE.txt",
     "static/media/minio_console_logo.0837460e.svg": "/static/media/minio_console_logo.0837460e.svg",
     "static/media/minio_operator_logo.1312b7c9.svg": "/static/media/minio_operator_logo.1312b7c9.svg"
   },
   "entrypoints": [
     "static/js/runtime-main.43a31377.js",
-    "static/css/2.20c81d8d.chunk.css",
-    "static/js/2.c66fcba0.chunk.js",
+    "static/css/2.c5a51b70.chunk.css",
+    "static/js/2.dd405112.chunk.js",
     "static/css/main.8cfac526.chunk.css",
-    "static/js/main.19a8b820.chunk.js"
+    "static/js/main.aed25c81.chunk.js"
   ]
 }

portal-ui/build/index.html

@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.20c81d8d.chunk.css" rel="stylesheet"><link href="/static/css/main.8cfac526.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.c66fcba0.chunk.js"></script><script src="/static/js/main.19a8b820.chunk.js"></script></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.c5a51b70.chunk.css" rel="stylesheet"><link href="/static/css/main.8cfac526.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.dd405112.chunk.js"></script><script src="/static/js/main.aed25c81.chunk.js"></script></body></html>