2020-04-02 15:54:34 -07:00
|
|
|
// This file is part of MinIO Console Server
|
2021-01-19 17:04:13 -06:00
|
|
|
// Copyright (c) 2021 MinIO, Inc.
|
2020-04-02 15:54:34 -07:00
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
// (at your option) any later version.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
package restapi
|
|
|
|
|
|
|
|
|
|
import (
|
2021-10-12 21:25:02 -07:00
|
|
|
"context"
|
2021-11-02 17:34:39 -07:00
|
|
|
"encoding/json"
|
2021-09-17 23:11:28 -07:00
|
|
|
"net/http"
|
|
|
|
|
"net/url"
|
2021-11-30 21:14:55 -08:00
|
|
|
"strconv"
|
2021-10-12 21:25:02 -07:00
|
|
|
"time"
|
2021-07-20 21:02:33 -05:00
|
|
|
|
2021-11-30 21:14:55 -08:00
|
|
|
jwtgo "github.com/golang-jwt/jwt/v4"
|
2021-11-18 08:25:01 -08:00
|
|
|
"github.com/minio/pkg/bucket/policy/condition"
|
|
|
|
|
|
|
|
|
|
minioIAMPolicy "github.com/minio/pkg/iam/policy"
|
|
|
|
|
|
2020-04-02 15:54:34 -07:00
|
|
|
"github.com/go-openapi/runtime/middleware"
|
2020-07-26 00:34:17 -07:00
|
|
|
"github.com/minio/console/models"
|
|
|
|
|
"github.com/minio/console/pkg/acl"
|
|
|
|
|
"github.com/minio/console/restapi/operations"
|
|
|
|
|
"github.com/minio/console/restapi/operations/user_api"
|
2020-04-02 15:54:34 -07:00
|
|
|
)
|
|
|
|
|
|
2021-09-17 23:11:28 -07:00
|
|
|
func isErasureMode() bool {
|
|
|
|
|
u, err := url.Parse(getMinIOServer())
|
2021-07-20 21:02:33 -05:00
|
|
|
if err != nil {
|
2021-09-17 23:11:28 -07:00
|
|
|
panic(err)
|
2021-07-20 21:02:33 -05:00
|
|
|
}
|
2021-09-17 23:11:28 -07:00
|
|
|
u.Path = "/minio/health/cluster"
|
2021-07-20 21:02:33 -05:00
|
|
|
|
2021-09-17 23:11:28 -07:00
|
|
|
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2021-07-20 21:02:33 -05:00
|
|
|
|
2021-09-17 23:11:28 -07:00
|
|
|
clnt := GetConsoleHTTPClient()
|
|
|
|
|
resp, err := clnt.Do(req)
|
2021-07-20 21:02:33 -05:00
|
|
|
if err != nil {
|
2021-09-17 23:11:28 -07:00
|
|
|
panic(err)
|
2021-07-20 21:02:33 -05:00
|
|
|
}
|
|
|
|
|
|
2021-09-17 23:11:28 -07:00
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2021-07-20 21:02:33 -05:00
|
|
|
|
2021-09-17 23:11:28 -07:00
|
|
|
return resp.Header.Get("x-minio-write-quorum") != ""
|
2021-07-20 21:02:33 -05:00
|
|
|
}
|
|
|
|
|
|
2020-07-26 00:34:17 -07:00
|
|
|
func registerSessionHandlers(api *operations.ConsoleAPI) {
|
2020-04-02 15:54:34 -07:00
|
|
|
// session check
|
2020-07-10 19:14:28 -07:00
|
|
|
api.UserAPISessionCheckHandler = user_api.SessionCheckHandlerFunc(func(params user_api.SessionCheckParams, session *models.Principal) middleware.Responder {
|
|
|
|
|
sessionResp, err := getSessionResponse(session)
|
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
|
|
|
if err != nil {
|
2020-09-04 20:32:57 -07:00
|
|
|
return user_api.NewSessionCheckDefault(int(err.Code)).WithPayload(err)
|
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
|
|
|
}
|
2020-04-02 15:54:34 -07:00
|
|
|
return user_api.NewSessionCheckOK().WithPayload(sessionResp)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-30 21:14:55 -08:00
|
|
|
func getClaimsFromToken(sessionToken string) (map[string]interface{}, error) {
|
|
|
|
|
jp := new(jwtgo.Parser)
|
|
|
|
|
jp.ValidMethods = []string{
|
|
|
|
|
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
|
|
|
|
|
"RS3256", "RS3384", "RS3512", "ES3256", "ES3384", "ES3512",
|
|
|
|
|
}
|
|
|
|
|
var claims jwtgo.MapClaims
|
|
|
|
|
_, _, err := jp.ParseUnverified(sessionToken, &claims)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return claims, nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-19 15:32:21 -07:00
|
|
|
// getSessionResponse parse the token of the current session and returns a list of allowed actions to render in the UI
|
2020-09-04 20:32:57 -07:00
|
|
|
func getSessionResponse(session *models.Principal) (*models.SessionResponse, *models.Error) {
|
2021-10-12 21:25:02 -07:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
|
|
|
|
defer cancel()
|
2020-04-02 15:54:34 -07:00
|
|
|
// serialize output
|
2020-07-10 19:14:28 -07:00
|
|
|
if session == nil {
|
2021-07-19 17:17:56 -07:00
|
|
|
return nil, prepareError(errorGenericInvalidSession)
|
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
|
|
|
}
|
2021-07-20 21:02:33 -05:00
|
|
|
|
2021-10-12 21:25:02 -07:00
|
|
|
// initialize admin client
|
|
|
|
|
mAdminClient, err := NewMinioAdminClient(&models.Principal{
|
|
|
|
|
STSAccessKeyID: session.STSAccessKeyID,
|
|
|
|
|
STSSecretAccessKey: session.STSSecretAccessKey,
|
|
|
|
|
STSSessionToken: session.STSSessionToken,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, prepareError(err, errorGenericInvalidSession)
|
|
|
|
|
}
|
|
|
|
|
userAdminClient := AdminClient{Client: mAdminClient}
|
|
|
|
|
// Obtain the current policy assigned to this user
|
|
|
|
|
// necessary for generating the list of allowed endpoints
|
|
|
|
|
policy, err := getAccountPolicy(ctx, userAdminClient)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, prepareError(err, errorGenericInvalidSession)
|
|
|
|
|
}
|
2021-11-18 08:25:01 -08:00
|
|
|
// by default every user starts with an empty array of available val
|
2021-10-12 21:25:02 -07:00
|
|
|
// therefore we would have access only to pages that doesn't require any privilege
|
|
|
|
|
// ie: service-account page
|
|
|
|
|
var actions []string
|
2021-11-18 08:25:01 -08:00
|
|
|
// if a policy is assigned to this user we parse the val from there
|
2021-10-12 21:25:02 -07:00
|
|
|
if policy != nil {
|
|
|
|
|
actions = acl.GetActionsStringFromPolicy(policy)
|
|
|
|
|
}
|
2021-11-18 08:25:01 -08:00
|
|
|
|
2021-11-30 21:14:55 -08:00
|
|
|
currTime := time.Now().UTC()
|
|
|
|
|
|
2021-11-18 08:25:01 -08:00
|
|
|
// This actions will be global, meaning has to be attached to all resources
|
|
|
|
|
conditionValues := map[string][]string{
|
|
|
|
|
condition.AWSUsername.Name(): {session.AccountAccessKey},
|
2021-11-30 21:14:55 -08:00
|
|
|
// All calls to MinIO from console use temporary credentials.
|
|
|
|
|
condition.AWSPrincipalType.Name(): {"AssumeRole"},
|
|
|
|
|
condition.AWSSecureTransport.Name(): {strconv.FormatBool(getMinIOEndpointIsSecure())},
|
|
|
|
|
condition.AWSCurrentTime.Name(): {currTime.Format(time.RFC3339)},
|
|
|
|
|
condition.AWSEpochTime.Name(): {strconv.FormatInt(currTime.Unix(), 10)},
|
|
|
|
|
|
|
|
|
|
// All calls from console are signature v4.
|
|
|
|
|
condition.S3SignatureVersion.Name(): {"AWS4-HMAC-SHA256"},
|
|
|
|
|
// All calls from console are signature v4.
|
|
|
|
|
condition.S3AuthType.Name(): {"REST-HEADER"},
|
|
|
|
|
// This is usually empty, may be set some times (rare).
|
|
|
|
|
condition.S3LocationConstraint.Name(): {GetMinIORegion()},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
claims, err := getClaimsFromToken(session.STSSessionToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, prepareError(err, errorGenericInvalidSession)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Support all LDAP, JWT variables
|
|
|
|
|
for k, v := range claims {
|
|
|
|
|
vstr, ok := v.(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
// skip all non-strings
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
// store all claims from sessionToken
|
|
|
|
|
conditionValues[k] = []string{vstr}
|
2021-11-18 08:25:01 -08:00
|
|
|
}
|
2021-11-30 21:14:55 -08:00
|
|
|
|
2021-11-18 08:25:01 -08:00
|
|
|
defaultActions := policy.IsAllowedActions("", "", conditionValues)
|
|
|
|
|
consoleResourceName := "console-ui"
|
2021-11-30 21:14:55 -08:00
|
|
|
|
2021-11-18 08:25:01 -08:00
|
|
|
permissions := map[string]minioIAMPolicy.ActionSet{
|
|
|
|
|
consoleResourceName: defaultActions,
|
|
|
|
|
}
|
|
|
|
|
deniedActions := map[string]minioIAMPolicy.ActionSet{}
|
|
|
|
|
for _, statement := range policy.Statements {
|
|
|
|
|
for _, resource := range statement.Resources.ToSlice() {
|
|
|
|
|
resourceName := resource.String()
|
|
|
|
|
statementActions := statement.Actions.ToSlice()
|
|
|
|
|
if statement.Effect == "Allow" {
|
|
|
|
|
// check if val are denied before adding them to the map
|
|
|
|
|
var allowedActions []minioIAMPolicy.Action
|
|
|
|
|
if dActions, ok := deniedActions[resourceName]; ok {
|
|
|
|
|
for _, action := range statementActions {
|
|
|
|
|
if len(dActions.Intersection(minioIAMPolicy.NewActionSet(action))) == 0 {
|
|
|
|
|
// It's ok to allow this action
|
|
|
|
|
allowedActions = append(allowedActions, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
allowedActions = statementActions
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add validated actions
|
|
|
|
|
if resourceActions, ok := permissions[resourceName]; ok {
|
|
|
|
|
mergedActions := append(resourceActions.ToSlice(), allowedActions...)
|
|
|
|
|
permissions[resourceName] = minioIAMPolicy.NewActionSet(mergedActions...)
|
|
|
|
|
} else {
|
|
|
|
|
mergedActions := append(defaultActions.ToSlice(), allowedActions...)
|
|
|
|
|
permissions[resourceName] = minioIAMPolicy.NewActionSet(mergedActions...)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Add new banned actions to the map
|
|
|
|
|
if resourceActions, ok := deniedActions[resourceName]; ok {
|
|
|
|
|
mergedActions := append(resourceActions.ToSlice(), statementActions...)
|
|
|
|
|
deniedActions[resourceName] = minioIAMPolicy.NewActionSet(mergedActions...)
|
|
|
|
|
} else {
|
|
|
|
|
deniedActions[resourceName] = statement.Actions
|
|
|
|
|
}
|
|
|
|
|
// Remove existing val from key if necessary
|
|
|
|
|
if currentResourceActions, ok := permissions[resourceName]; ok {
|
|
|
|
|
var newAllowedActions []minioIAMPolicy.Action
|
|
|
|
|
for _, action := range currentResourceActions.ToSlice() {
|
|
|
|
|
if len(deniedActions[resourceName].Intersection(minioIAMPolicy.NewActionSet(action))) == 0 {
|
|
|
|
|
// It's ok to allow this action
|
|
|
|
|
newAllowedActions = append(newAllowedActions, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
permissions[resourceName] = minioIAMPolicy.NewActionSet(newAllowedActions...)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
resourcePermissions := map[string][]string{}
|
|
|
|
|
for key, val := range permissions {
|
|
|
|
|
var resourceActions []string
|
|
|
|
|
for _, action := range val.ToSlice() {
|
|
|
|
|
resourceActions = append(resourceActions, string(action))
|
|
|
|
|
}
|
|
|
|
|
resourcePermissions[key] = resourceActions
|
|
|
|
|
|
|
|
|
|
}
|
2021-11-10 09:47:47 -08:00
|
|
|
rawPolicy, err := json.Marshal(policy)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, prepareError(err, errorGenericInvalidSession)
|
|
|
|
|
}
|
|
|
|
|
var sessionPolicy *models.IamPolicy
|
|
|
|
|
err = json.Unmarshal(rawPolicy, &sessionPolicy)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, prepareError(err)
|
|
|
|
|
}
|
2020-04-02 15:54:34 -07:00
|
|
|
sessionResp := &models.SessionResponse{
|
2021-10-12 21:25:02 -07:00
|
|
|
Pages: acl.GetAuthorizedEndpoints(actions),
|
2021-07-20 21:02:33 -05:00
|
|
|
Features: getListOfEnabledFeatures(),
|
|
|
|
|
Status: models.SessionResponseStatusOk,
|
2021-07-22 11:17:26 -07:00
|
|
|
Operator: false,
|
2021-09-17 23:11:28 -07:00
|
|
|
DistributedMode: isErasureMode(),
|
2021-11-18 08:25:01 -08:00
|
|
|
Permissions: resourcePermissions,
|
2020-04-02 15:54:34 -07:00
|
|
|
}
|
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
|
|
|
return sessionResp, nil
|
2020-04-02 15:54:34 -07:00
|
|
|
}
|
2021-04-01 16:13:57 -07:00
|
|
|
|
|
|
|
|
// getListOfEnabledFeatures returns a list of features
|
|
|
|
|
func getListOfEnabledFeatures() []string {
|
|
|
|
|
var features []string
|
2021-07-21 18:13:23 -05:00
|
|
|
logSearchURL := getLogSearchURL()
|
|
|
|
|
|
|
|
|
|
if logSearchURL != "" {
|
|
|
|
|
features = append(features, "log-search")
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-01 16:13:57 -07:00
|
|
|
return features
|
|
|
|
|
}
|