Mirror
/
MinIO
mirror of https://github.com/minio/minio.git
2
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12513 Commits
4 Branches
520 Tags
175 MiB
Tree: b9f0e8c712
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b9f0e8c712'
${ noResults }
MinIO/cmd/auth-handler_test.go

501 lines
15 KiB
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
4 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience.
9 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
Make sure to log unhandled errors always (#6784) In many situations, while testing we encounter ErrInternalError, to reduce logging we have removed logging from quite a few places which is acceptable but when ErrInternalError occurs we should have a facility to log the corresponding error, this helps to debug Minio server.
7 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
posix: Deprecate custom removeAll/mkdirAll implementations. (#4808) Since go1.8 os.RemoveAll and os.MkdirAll both support long path names i.e UNC path on windows. The code we are carrying was directly borrowed from `pkg/os` package and doesn't need to be in our repo anymore. As a side affect this also addresses our codecoverage issue. Refer #4658
8 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
move credentials as separate package (#5115)
8 years ago
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
4 years ago
ldap: Add user DN attributes list config param (#19758) This change uses the updated ldap library in minio/pkg (bumped up to v3). A new config parameter is added for LDAP configuration to specify extra user attributes to load from the LDAP server and to store them as additional claims for the user. A test is added in sts_handlers.go that shows how to access the LDAP attributes as a claim. This is in preparation for adding SSH pubkey authentication to MinIO's SFTP integration.
1 year ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
fix: background local test also via channel (#15086) current implementation for `standalone` setups was blocking the `perf drive`. Bonus: remove all old unused complicated code.
3 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove deprecated io/ioutil (#15707)
3 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove XL references in public docs to Erasure. (#3725) Ref #3722
9 years ago
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues.
9 years ago
Use const slashSeparator instead of "/" everywhere (#8028)
6 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
For streaming signature do not save content-encoding in PutObject() (#3776) Content-Encoding is set to "aws-chunked" which is an S3 specific API value which is no meaning for an object. This is how S3 behaves as well for a streaming signature uploaded object.
9 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
4 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove XL references in public docs to Erasure. (#3725) Ref #3722
9 years ago
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues.
9 years ago
Use const slashSeparator instead of "/" everywhere (#8028)
6 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove XL references in public docs to Erasure. (#3725) Ref #3722
9 years ago
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues.
9 years ago
Use const slashSeparator instead of "/" everywhere (#8028)
6 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove XL references in public docs to Erasure. (#3725) Ref #3722
9 years ago
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues.
9 years ago
Use const slashSeparator instead of "/" everywhere (#8028)
6 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
Remove XL references in public docs to Erasure. (#3725) Ref #3722
9 years ago
Add constants for commonly used values. (#3588) This is a consolidation effort, avoiding usage of naked strings in codebase. Whenever possible use constants which can be repurposed elsewhere. This also fixes `goconst ./...` reported issues.
9 years ago
Use const slashSeparator instead of "/" everywhere (#8028)
6 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
4 years ago
tests: Add auth-handler. (#2721) Fixes #2658
9 years ago
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
9 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
9 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
9 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
9 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
api/handlers: Implement streaming signature v4 support. (#2370) * api/handlers: Implement streaming signature v4 support. Fixes #2326 * tests: Add tests for quick/safe
9 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
4 years ago
signature: Add legacy signature v2 support transparently. (#2811) Add new tests as well.
9 years ago
use typos instead of codespell (#19088)
1 year ago
tests: signature-utils test (#2342)
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
tests: signature-utils test (#2342)
9 years ago
use ParseForm() to allow query param lookups once (#12900) ``` cpu: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz BenchmarkURLQueryForm BenchmarkURLQueryForm-4 247099363 4.809 ns/op 0 B/op 0 allocs/op BenchmarkURLQuery BenchmarkURLQuery-4 2517624 462.1 ns/op 432 B/op 4 allocs/op PASS ok github.com/minio/minio/cmd 3.848s ```
4 years ago
tests: signature-utils test (#2342)
9 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
Generate and use access/secret keys properly (#3498)
9 years ago
add codespell action (#18818) Original work here, #18474, refixed and updated.
2 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
add codespell action (#18818) Original work here, #18474, refixed and updated.
2 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
add codespell action (#18818) Original work here, #18474, refixed and updated.
2 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
add codespell action (#18818) Original work here, #18474, refixed and updated.
2 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
7 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
7 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
7 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
update gofumpt -w - new changes
3 years ago
signature-v4: Use sha256("") for calculating canonical request (#4064)
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
signature-v4: Use sha256("") for calculating canonical request (#4064)
8 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
Revert "Revert "tests: Add context cancelation (#15374)"" This reverts commit 564a0afae1c6ddfb6e57152f70e0e0730796164c.
3 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
7 years ago
api: Add bucket notification util tests. (#2289)
9 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
Revert "Revert "tests: Add context cancelation (#15374)"" This reverts commit 564a0afae1c6ddfb6e57152f70e0e0730796164c.
3 years ago
fix: IAM not initialized then checkKeyValid() should return 503s (#12260) currently GetUser() returns 403 when IAM is not initialized this can lead to applications crashing, instead return 503 so that the applications can retry and backoff. fixes #12078
4 years ago
de-couple bucket metadata loading with lock context (#13679) avoid passing lock context while loading bucket metadata, refactor such that we can de-couple things for subsystem loading.
4 years ago
IAM: init IAM with Init() rather than InitStore() in tests (#13643) - rename InitStore() to initStore() and fix tests - Use IAMSys.Lock() only when IAMSys struct is being mutated
4 years ago
move credentials as separate package (#5115)
8 years ago
Simplify credential usage. (#3893)
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
7 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
Return InvalidDigest when md5 sent by client is invalid (#5654) This is to ensure proper compatibility with AWS S3, handle special cases where - Content-Md5 is set to empty - Content-Md5 is set to invalid
7 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
7 years ago
handle racy updates to globalSite config (#19750) ``` ================== WARNING: DATA RACE Read at 0x0000082be990 by goroutine 205: github.com/minio/minio/cmd.setCommonHeaders() Previous write at 0x0000082be990 by main goroutine: github.com/minio/minio/cmd.lookupConfigs() ```
1 year ago
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381
7 years ago
Remove deprecated io/ioutil (#15707)
3 years ago
Support unknown gateway errors and convert at handler layer (#7219) Different gateway implementations due to different backend API errors, might return different unsupported errors at our handler layer. Current code posed a problem for us because this information was lost and we would convert it to InternalError in this situation all S3 clients end up retrying the request. To avoid this unexpected situation implement a way to support this cleanly such that the underlying information is not lost which is returned by gateway.
7 years ago
security: fix write-to-RAM DoS vulnerability (#5957) This commit fixes a DoS vulnerability for certain APIs using signature V4 by verifying the content-md5 and/or content-sha56 of the request body in a streaming mode. The issue was caused by reading the entire body of the request into memory to verify the content-md5 or content-sha56 checksum if present. The vulnerability could be exploited by either replaying a V4 request (in the 15 min time frame) or sending a V4 presigned request with a large body.
7 years ago
api: use checkAuth now at PutBucket, DeleteBucket handlers. (#2225) Additionally add a unit test for isReqAuthenticated function.
9 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
move to go1.24 (#21114)
4 months ago
Revert "Revert "tests: Add context cancelation (#15374)"" This reverts commit 564a0afae1c6ddfb6e57152f70e0e0730796164c.
3 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Migrate config.json from config-dir to backend (#6195) This PR is the first set of changes to move the config to the backend, the changes use the existing `config.json` allows it to be migrated such that we can save it in on backend disks. In future releases, we will slowly migrate out of the current architecture. Fixes #6182
7 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
6 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
handle racy updates to globalSite config (#19750) ``` ================== WARNING: DATA RACE Read at 0x0000082be990 by goroutine 205: github.com/minio/minio/cmd.setCommonHeaders() Previous write at 0x0000082be990 by main goroutine: github.com/minio/minio/cmd.lookupConfigs() ```
1 year ago
fix authentication bypass against Admin-API (#5412) This change fixes an authentication bypass attack against the minio Admin-API. Therefore the Admin-API rejects now all types of requests except valid signature V2 and signature V4 requests - this includes signature V2/V4 pre-signed requests. Fixes #5411
8 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
move to go1.24 (#21114)
4 months ago
IAM: init IAM with Init() rather than InitStore() in tests (#13643) - rename InitStore() to initStore() and fix tests - Use IAMSys.Lock() only when IAMSys struct is being mutated
4 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
Revert "Revert "tests: Add context cancelation (#15374)"" This reverts commit 564a0afae1c6ddfb6e57152f70e0e0730796164c.
3 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
fix: IAM not initialized then checkKeyValid() should return 503s (#12260) currently GetUser() returns 403 when IAM is not initialized this can lead to applications crashing, instead return 503 so that the applications can retry and backoff. fixes #12078
4 years ago
Revert "Revert "tests: Add context cancelation (#15374)"" This reverts commit 564a0afae1c6ddfb6e57152f70e0e0730796164c.
3 years ago
fix: IAM not initialized then checkKeyValid() should return 503s (#12260) currently GetUser() returns 403 when IAM is not initialized this can lead to applications crashing, instead return 503 so that the applications can retry and backoff. fixes #12078
4 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
allow root user to be disabled via config settings (#17089)
2 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
feat: Add notification support for bucketCreates and removal (#10075)
5 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
add codespell action (#18818) Original work here, #18474, refixed and updated.
2 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
upgrade deps for minio/pkg v1.6.1 to include groups conditions (#16538)
3 years ago
fix: Add missing return in admin requests auth (#9422)
5 years ago
  1. // Copyright (c) 2015-2021 MinIO, Inc.
  2. //
  3. // This file is part of MinIO Object Storage stack
  4. //
  5. // This program is free software: you can redistribute it and/or modify
  6. // it under the terms of the GNU Affero General Public License as published by
  7. // the Free Software Foundation, either version 3 of the License, or
  8. // (at your option) any later version.
  9. //
  10. // This program is distributed in the hope that it will be useful
  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. // GNU Affero General Public License for more details.
  14. //
  15. // You should have received a copy of the GNU Affero General Public License
  16. // along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. package cmd
  20. import (
  21. "bytes"
  22. "context"
  23. "io"
  24. "net/http"
  25. "net/url"
  26. "os"
  27. "testing"
  28. "time"
  30. "github.com/minio/minio/internal/auth"
  31. "github.com/minio/pkg/v3/policy"
  32. )
  34. type nullReader struct{}
  36. func (r *nullReader) Read(b []byte) (int, error) {
  37. return len(b), nil
  38. }
  40. // Test get request auth type.
  41. func TestGetRequestAuthType(t *testing.T) {
  42. type testCase struct {
  43. req *http.Request
  44. authT authType
  45. }
  46. nopCloser := io.NopCloser(io.LimitReader(&nullReader{}, 1024))
  47. testCases := []testCase{
  48. // Test case - 1
  49. // Check for generic signature v4 header.
  50. {
  51. req: &http.Request{
  52. URL: &url.URL{
  53. Host: "127.0.0.1:9000",
  54. Scheme: httpScheme,
  55. Path: SlashSeparator,
  56. },
  57. Header: http.Header{
  58. "Authorization": []string{"AWS4-HMAC-SHA256 <cred_string>"},
  59. "X-Amz-Content-Sha256": []string{streamingContentSHA256},
  60. "Content-Encoding": []string{streamingContentEncoding},
  61. },
  62. Method: http.MethodPut,
  63. Body: nopCloser,
  64. },
  65. authT: authTypeStreamingSigned,
  66. },
  67. // Test case - 2
  68. // Check for JWT header.
  69. {
  70. req: &http.Request{
  71. URL: &url.URL{
  72. Host: "127.0.0.1:9000",
  73. Scheme: httpScheme,
  74. Path: SlashSeparator,
  75. },
  76. Header: http.Header{
  77. "Authorization": []string{"Bearer 12313123"},
  78. },
  79. },
  80. authT: authTypeJWT,
  81. },
  82. // Test case - 3
  83. // Empty authorization header.
  84. {
  85. req: &http.Request{
  86. URL: &url.URL{
  87. Host: "127.0.0.1:9000",
  88. Scheme: httpScheme,
  89. Path: SlashSeparator,
  90. },
  91. Header: http.Header{
  92. "Authorization": []string{""},
  93. },
  94. },
  95. authT: authTypeUnknown,
  96. },
  97. // Test case - 4
  98. // Check for presigned.
  99. {
  100. req: &http.Request{
  101. URL: &url.URL{
  102. Host: "127.0.0.1:9000",
  103. Scheme: httpScheme,
  104. Path: SlashSeparator,
  105. RawQuery: "X-Amz-Credential=EXAMPLEINVALIDEXAMPL%2Fs3%2F20160314%2Fus-east-1",
  106. },
  107. },
  108. authT: authTypePresigned,
  109. },
  110. // Test case - 5
  111. // Check for post policy.
  112. {
  113. req: &http.Request{
  114. URL: &url.URL{
  115. Host: "127.0.0.1:9000",
  116. Scheme: httpScheme,
  117. Path: SlashSeparator,
  118. },
  119. Header: http.Header{
  120. "Content-Type": []string{"multipart/form-data"},
  121. },
  122. Method: http.MethodPost,
  123. Body: nopCloser,
  124. },
  125. authT: authTypePostPolicy,
  126. },
  127. }
  129. // .. Tests all request auth type.
  130. for i, testc := range testCases {
  131. authT := getRequestAuthType(testc.req)
  132. if authT != testc.authT {
  133. t.Errorf("Test %d: Expected %d, got %d", i+1, testc.authT, authT)
  134. }
  135. }
  136. }
  138. // Test all s3 supported auth types.
  139. func TestS3SupportedAuthType(t *testing.T) {
  140. type testCase struct {
  141. authT authType
  142. pass bool
  143. }
  144. // List of all valid and invalid test cases.
  145. testCases := []testCase{
  146. // Test 1 - supported s3 type anonymous.
  147. {
  148. authT: authTypeAnonymous,
  149. pass: true,
  150. },
  151. // Test 2 - supported s3 type presigned.
  152. {
  153. authT: authTypePresigned,
  154. pass: true,
  155. },
  156. // Test 3 - supported s3 type signed.
  157. {
  158. authT: authTypeSigned,
  159. pass: true,
  160. },
  161. // Test 4 - supported s3 type with post policy.
  162. {
  163. authT: authTypePostPolicy,
  164. pass: true,
  165. },
  166. // Test 5 - supported s3 type with streaming signed.
  167. {
  168. authT: authTypeStreamingSigned,
  169. pass: true,
  170. },
  171. // Test 6 - supported s3 type with signature v2.
  172. {
  173. authT: authTypeSignedV2,
  174. pass: true,
  175. },
  176. // Test 7 - supported s3 type with presign v2.
  177. {
  178. authT: authTypePresignedV2,
  179. pass: true,
  180. },
  181. // Test 8 - JWT is not supported s3 type.
  182. {
  183. authT: authTypeJWT,
  184. pass: false,
  185. },
  186. // Test 9 - unknown auth header is not supported s3 type.
  187. {
  188. authT: authTypeUnknown,
  189. pass: false,
  190. },
  191. // Test 10 - some new auth type is not supported s3 type.
  192. {
  193. authT: authType(9),
  194. pass: false,
  195. },
  196. }
  197. // Validate all the test cases.
  198. for i, tt := range testCases {
  199. ok := isSupportedS3AuthType(tt.authT)
  200. if ok != tt.pass {
  201. t.Errorf("Test %d:, Expected %t, got %t", i+1, tt.pass, ok)
  202. }
  203. }
  204. }
  206. func TestIsRequestPresignedSignatureV2(t *testing.T) {
  207. testCases := []struct {
  208. inputQueryKey string
  209. inputQueryValue string
  210. expectedResult bool
  211. }{
  212. // Test case - 1.
  213. // Test case with query key "AWSAccessKeyId" set.
  214. {"", "", false},
  215. // Test case - 2.
  216. {"AWSAccessKeyId", "", true},
  217. // Test case - 3.
  218. {"X-Amz-Content-Sha256", "", false},
  219. }
  221. for i, testCase := range testCases {
  222. // creating an input HTTP request.
  223. // Only the query parameters are relevant for this particular test.
  224. inputReq, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
  225. if err != nil {
  226. t.Fatalf("Error initializing input HTTP request: %v", err)
  227. }
  228. q := inputReq.URL.Query()
  229. q.Add(testCase.inputQueryKey, testCase.inputQueryValue)
  230. inputReq.URL.RawQuery = q.Encode()
  231. inputReq.ParseForm()
  233. actualResult := isRequestPresignedSignatureV2(inputReq)
  234. if testCase.expectedResult != actualResult {
  235. t.Errorf("Test %d: Expected the result to `%v`, but instead got `%v`", i+1, testCase.expectedResult, actualResult)
  236. }
  237. }
  238. }
  240. // TestIsRequestPresignedSignatureV4 - Test validates the logic for presign signature version v4 detection.
  241. func TestIsRequestPresignedSignatureV4(t *testing.T) {
  242. testCases := []struct {
  243. inputQueryKey string
  244. inputQueryValue string
  245. expectedResult bool
  246. }{
  247. // Test case - 1.
  248. // Test case with query key ""X-Amz-Credential" set.
  249. {"", "", false},
  250. // Test case - 2.
  251. {"X-Amz-Credential", "", true},
  252. // Test case - 3.
  253. {"X-Amz-Content-Sha256", "", false},
  254. }
  256. for i, testCase := range testCases {
  257. // creating an input HTTP request.
  258. // Only the query parameters are relevant for this particular test.
  259. inputReq, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
  260. if err != nil {
  261. t.Fatalf("Error initializing input HTTP request: %v", err)
  262. }
  263. q := inputReq.URL.Query()
  264. q.Add(testCase.inputQueryKey, testCase.inputQueryValue)
  265. inputReq.URL.RawQuery = q.Encode()
  266. inputReq.ParseForm()
  268. actualResult := isRequestPresignedSignatureV4(inputReq)
  269. if testCase.expectedResult != actualResult {
  270. t.Errorf("Test %d: Expected the result to `%v`, but instead got `%v`", i+1, testCase.expectedResult, actualResult)
  271. }
  272. }
  273. }
  275. // Provides a fully populated http request instance, fails otherwise.
  276. func mustNewRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  277. req, err := newTestRequest(method, urlStr, contentLength, body)
  278. if err != nil {
  279. t.Fatalf("Unable to initialize new http request %s", err)
  280. }
  281. return req
  282. }
  284. // This is similar to mustNewRequest but additionally the request
  285. // is signed with AWS Signature V4, fails if not able to do so.
  286. func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  287. req := mustNewRequest(method, urlStr, contentLength, body, t)
  288. cred := globalActiveCred
  289. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  290. t.Fatalf("Unable to initialized new signed http request %s", err)
  291. }
  292. return req
  293. }
  295. // This is similar to mustNewRequest but additionally the request
  296. // is signed with AWS Signature V2, fails if not able to do so.
  297. func mustNewSignedV2Request(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  298. req := mustNewRequest(method, urlStr, contentLength, body, t)
  299. cred := globalActiveCred
  300. if err := signRequestV2(req, cred.AccessKey, cred.SecretKey); err != nil {
  301. t.Fatalf("Unable to initialized new signed http request %s", err)
  302. }
  303. return req
  304. }
  306. // This is similar to mustNewRequest but additionally the request
  307. // is presigned with AWS Signature V2, fails if not able to do so.
  308. func mustNewPresignedV2Request(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  309. req := mustNewRequest(method, urlStr, contentLength, body, t)
  310. cred := globalActiveCred
  311. if err := preSignV2(req, cred.AccessKey, cred.SecretKey, time.Now().Add(10*time.Minute).Unix()); err != nil {
  312. t.Fatalf("Unable to initialized new signed http request %s", err)
  313. }
  314. return req
  315. }
  317. // This is similar to mustNewRequest but additionally the request
  318. // is presigned with AWS Signature V4, fails if not able to do so.
  319. func mustNewPresignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  320. req := mustNewRequest(method, urlStr, contentLength, body, t)
  321. cred := globalActiveCred
  322. if err := preSignV4(req, cred.AccessKey, cred.SecretKey, time.Now().Add(10*time.Minute).Unix()); err != nil {
  323. t.Fatalf("Unable to initialized new signed http request %s", err)
  324. }
  325. return req
  326. }
  328. func mustNewSignedShortMD5Request(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  329. req := mustNewRequest(method, urlStr, contentLength, body, t)
  330. req.Header.Set("Content-Md5", "invalid-digest")
  331. cred := globalActiveCred
  332. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  333. t.Fatalf("Unable to initialized new signed http request %s", err)
  334. }
  335. return req
  336. }
  338. func mustNewSignedEmptyMD5Request(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  339. req := mustNewRequest(method, urlStr, contentLength, body, t)
  340. req.Header.Set("Content-Md5", "")
  341. cred := globalActiveCred
  342. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  343. t.Fatalf("Unable to initialized new signed http request %s", err)
  344. }
  345. return req
  346. }
  348. func mustNewSignedBadMD5Request(method string, urlStr string, contentLength int64,
  349. body io.ReadSeeker, t *testing.T,
  350. ) *http.Request {
  351. req := mustNewRequest(method, urlStr, contentLength, body, t)
  352. req.Header.Set("Content-Md5", "YWFhYWFhYWFhYWFhYWFhCg==")
  353. cred := globalActiveCred
  354. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  355. t.Fatalf("Unable to initialized new signed http request %s", err)
  356. }
  357. return req
  358. }
  360. // Tests is requested authenticated function, tests replies for s3 errors.
  361. func TestIsReqAuthenticated(t *testing.T) {
  362. ctx, cancel := context.WithCancel(GlobalContext)
  363. defer cancel()
  365. objLayer, fsDir, err := prepareFS(ctx)
  366. if err != nil {
  367. t.Fatal(err)
  368. }
  369. defer os.RemoveAll(fsDir)
  370. if err = newTestConfig(globalMinioDefaultRegion, objLayer); err != nil {
  371. t.Fatalf("unable initialize config file, %s", err)
  372. }
  374. initAllSubsystems(ctx)
  376. initConfigSubsystem(ctx, objLayer)
  378. creds, err := auth.CreateCredentials("myuser", "mypassword")
  379. if err != nil {
  380. t.Fatalf("unable create credential, %s", err)
  381. }
  383. globalActiveCred = creds
  385. globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
  387. // List of test cases for validating http request authentication.
  388. testCases := []struct {
  389. req *http.Request
  390. s3Error APIErrorCode
  391. }{
  392. // When request is unsigned, access denied is returned.
  393. {mustNewRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrAccessDenied},
  394. // Empty Content-Md5 header.
  395. {mustNewSignedEmptyMD5Request(http.MethodPut, "http://127.0.0.1:9000/", 5, bytes.NewReader([]byte("hello")), t), ErrInvalidDigest},
  396. // Short Content-Md5 header.
  397. {mustNewSignedShortMD5Request(http.MethodPut, "http://127.0.0.1:9000/", 5, bytes.NewReader([]byte("hello")), t), ErrInvalidDigest},
  398. // When request is properly signed, but has bad Content-MD5 header.
  399. {mustNewSignedBadMD5Request(http.MethodPut, "http://127.0.0.1:9000/", 5, bytes.NewReader([]byte("hello")), t), ErrBadDigest},
  400. // When request is properly signed, error is none.
  401. {mustNewSignedRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrNone},
  402. }
  404. // Validates all testcases.
  405. for i, testCase := range testCases {
  406. s3Error := isReqAuthenticated(ctx, testCase.req, globalSite.Region(), serviceS3)
  407. if s3Error != testCase.s3Error {
  408. if _, err := io.ReadAll(testCase.req.Body); toAPIErrorCode(ctx, err) != testCase.s3Error {
  409. t.Fatalf("Test %d: Unexpected S3 error: want %d - got %d (got after reading request %s)", i, testCase.s3Error, s3Error, toAPIError(ctx, err).Code)
  410. }
  411. }
  412. }
  413. }
  415. func TestCheckAdminRequestAuthType(t *testing.T) {
  416. ctx, cancel := context.WithCancel(t.Context())
  417. defer cancel()
  419. objLayer, fsDir, err := prepareFS(ctx)
  420. if err != nil {
  421. t.Fatal(err)
  422. }
  423. defer os.RemoveAll(fsDir)
  425. if err = newTestConfig(globalMinioDefaultRegion, objLayer); err != nil {
  426. t.Fatalf("unable initialize config file, %s", err)
  427. }
  429. creds, err := auth.CreateCredentials("myuser", "mypassword")
  430. if err != nil {
  431. t.Fatalf("unable create credential, %s", err)
  432. }
  434. globalActiveCred = creds
  435. testCases := []struct {
  436. Request *http.Request
  437. ErrCode APIErrorCode
  438. }{
  439. {Request: mustNewRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied},
  440. {Request: mustNewSignedRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrNone},
  441. {Request: mustNewSignedV2Request(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied},
  442. {Request: mustNewPresignedV2Request(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied},
  443. {Request: mustNewPresignedRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied},
  444. }
  445. for i, testCase := range testCases {
  446. if _, s3Error := checkAdminRequestAuth(ctx, testCase.Request, policy.AllAdminActions, globalSite.Region()); s3Error != testCase.ErrCode {
  447. t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error)
  448. }
  449. }
  450. }
  452. func TestValidateAdminSignature(t *testing.T) {
  453. ctx, cancel := context.WithCancel(t.Context())
  454. defer cancel()
  456. objLayer, fsDir, err := prepareFS(ctx)
  457. if err != nil {
  458. t.Fatal(err)
  459. }
  460. defer os.RemoveAll(fsDir)
  462. if err = newTestConfig(globalMinioDefaultRegion, objLayer); err != nil {
  463. t.Fatalf("unable initialize config file, %s", err)
  464. }
  466. initAllSubsystems(ctx)
  468. initConfigSubsystem(ctx, objLayer)
  470. creds, err := auth.CreateCredentials("admin", "mypassword")
  471. if err != nil {
  472. t.Fatalf("unable create credential, %s", err)
  473. }
  474. globalActiveCred = creds
  476. globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
  478. testCases := []struct {
  479. AccessKey string
  480. SecretKey string
  481. ErrCode APIErrorCode
  482. }{
  483. {"", "", ErrInvalidAccessKeyID},
  484. {"admin", "", ErrSignatureDoesNotMatch},
  485. {"admin", "wrongpassword", ErrSignatureDoesNotMatch},
  486. {"wronguser", "mypassword", ErrInvalidAccessKeyID},
  487. {"", "mypassword", ErrInvalidAccessKeyID},
  488. {"admin", "mypassword", ErrNone},
  489. }
  491. for i, testCase := range testCases {
  492. req := mustNewRequest(http.MethodGet, "http://localhost:9000/", 0, nil, t)
  493. if err := signRequestV4(req, testCase.AccessKey, testCase.SecretKey); err != nil {
  494. t.Fatalf("Unable to initialized new signed http request %s", err)
  495. }
  496. _, _, s3Error := validateAdminSignature(ctx, req, globalMinioDefaultRegion)
  497. if s3Error != testCase.ErrCode {
  498. t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i+1, testCase.ErrCode, s3Error)
  499. }
  500. }
  501. }