STS session token and console session cookie have same duration (#1202)

- `CONSOLE_STS_DURATION_IN_SECONDS` env renamed to `CONSOLE_STS_DURATION` to support more time formats

Signed-off-by: Lenin Alevski <[email protected]>

Author: Alevsk

pkg/auth/token/config.go

@@ -17,17 +17,25 @@
 package token
 
 import (
-	"strconv"
+	"time"
 
 	"github.com/minio/console/pkg/auth/utils"
 	"github.com/minio/pkg/env"
 )
 
-// ConsoleSTSDurationSeconds returns the default session duration for the STS requested tokens.
-func GetConsoleSTSDurationInSeconds() int {
-	duration, err := strconv.Atoi(env.Get(ConsoleSTSDurationSeconds, "3600"))
+// GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 1h)
+func GetConsoleSTSDuration() time.Duration {
+	durationSeconds := env.Get(ConsoleSTSDurationSeconds, "")
+	if durationSeconds != "" {
+		duration, err := time.ParseDuration(durationSeconds + "s")
+		if err != nil {
+			duration = 1 * time.Hour
+		}
+		return duration
+	}
+	duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "1h"))
 	if err != nil {
-		duration = 3600
+		duration = 1 * time.Hour
 	}
 	return duration
 }

pkg/auth/token/const.go

@@ -17,7 +17,8 @@
 package token
 
 const (
-	ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS"
+	ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS" // (deprecated), set value in seconds for sts session, ie: 3600
+	ConsoleSTSDuration        = "CONSOLE_STS_DURATION"         // time.Duration format, ie: 3600s, 2h45m, 1h, etc
 	ConsolePBKDFPassphrase    = "CONSOLE_PBKDF_PASSPHRASE"
 	ConsolePBKDFSalt          = "CONSOLE_PBKDF_SALT"
 )

restapi/client.go

@@ -326,7 +326,7 @@ func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 				AccessKey:       accessKey,
 				SecretKey:       secretKey,
 				Location:        location,
-				DurationSeconds: xjwt.GetConsoleSTSDurationInSeconds(),
+				DurationSeconds: int(xjwt.GetConsoleSTSDuration()),
 			}
 			stsAssumeRole := &credentials.STSAssumeRole{
 				Client:      GetConsoleHTTPClient(),

restapi/config.go

@@ -23,7 +23,6 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
-	"time"
 
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
 
@@ -46,9 +45,6 @@ var (
 
 	// TLSRedirect console tls redirect rule
 	TLSRedirect = "on"
-
-	// SessionDuration cookie validity duration
-	SessionDuration = 45 * time.Minute
 )
 
 func getMinIOServer() string {

restapi/utils.go

@@ -23,6 +23,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	xjwt "github.com/minio/console/pkg/auth/token"
 )
 
 // Do not use:
@@ -106,12 +108,13 @@ func FileExists(filename string) bool {
 }
 
 func NewSessionCookieForConsole(token string) http.Cookie {
+	sessionDuration := xjwt.GetConsoleSTSDuration()
 	return http.Cookie{
 		Path:     "/",
 		Name:     "token",
 		Value:    token,
-		MaxAge:   int(SessionDuration.Seconds()), // 45 minutes
-		Expires:  time.Now().Add(SessionDuration),
+		MaxAge:   int(sessionDuration.Seconds()), // default 1 hr
+		Expires:  time.Now().Add(sessionDuration),
 		HttpOnly: true,
 		// if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
 		// should not leak any cookie if we access the site using HTTP