remove various unexpected features in console (#782)

- Unix listeners are removed - KeepAlive, IdleTimeout etc are removed - Authorization logic is simplified - Added support for MINIO_PROMETHEUS_JOB_ID
minio · Jun 4, 2021 · 83d6620 · 83d6620
1 parent b1aedf8
commit 83d6620
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 287 deletions.
diff --git a/cmd/console/server.go b/cmd/console/server.go
@@ -130,9 +130,8 @@ func StartServer(ctx *cli.Context) error {
 
 	server.Host = ctx.String("host")
 	server.Port = ctx.Int("port")
-
-	restapi.Hostname = ctx.String("host")
-	restapi.Port = strconv.Itoa(ctx.Int("port"))
+	restapi.Hostname = server.Host
+	restapi.Port = strconv.Itoa(server.Port)
 
 	// Set all certs and CAs directories path
 	certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
@@ -149,21 +148,21 @@ func StartServer(ctx *cli.Context) error {
 		// TLS flags from swagger server, used to support VMware vsphere operator version.
 		swaggerServerCertificate := ctx.String("tls-certificate")
 		swaggerServerCertificateKey := ctx.String("tls-key")
-		SwaggerServerCACertificate := ctx.String("tls-ca")
+		swaggerServerCACertificate := ctx.String("tls-ca")
 		// load tls cert and key from swagger server tls-certificate and tls-key flags
 		if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
-			if errAddCert := certs.AddCertificate(context.Background(),
-				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
-				log.Println(errAddCert)
+			if err = certs.AddCertificate(context.Background(),
+				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
+				log.Fatalln(err)
 			}
-			if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
+			if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil {
 				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
 			}
 		}
 
 		// load ca cert from swagger server tls-ca flag
-		if SwaggerServerCACertificate != "" {
-			caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
+		if swaggerServerCACertificate != "" {
+			caCert, caCertErr := ioutil.ReadFile(swaggerServerCACertificate)
 			if caCertErr == nil {
 				restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
 			}
@@ -175,9 +174,8 @@ func StartServer(ctx *cli.Context) error {
 		// plain HTTP connections to HTTPS server
 		server.EnabledListeners = []string{"http", "https"}
 		server.TLSPort = ctx.Int("tls-port")
-		server.TLSHost = ctx.String("tls-host")
 		// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
-		restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
+		restapi.TLSPort = strconv.Itoa(server.TLSPort)
 		restapi.Hostname = ctx.String("host")
 		restapi.TLSRedirect = ctx.String("tls-redirect")
 	}

diff --git a/pkg/auth/token.go b/pkg/auth/token.go
@@ -32,8 +32,8 @@ import (
 	"log"
 	"net/http"
 	"strings"
+	"time"
 
-	"github.com/go-openapi/swag"
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/auth/token"
 	"github.com/minio/minio-go/v7/pkg/credentials"
@@ -43,8 +43,10 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 )
 
+// Session token errors
 var (
-	errNoAuthToken  = errors.New("session token missing")
+	ErrNoAuthToken  = errors.New("session token missing")
+	errTokenExpired = errors.New("session token has expired")
 	errReadingToken = errors.New("session token internal data is malformed")
 	errClaimsFormat = errors.New("encrypted session token claims not in the right format")
 	errorGeneric    = errors.New("an error has occurred")
@@ -82,7 +84,7 @@ type TokenClaims struct {
 //	}
 func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
 	if token == "" {
-		return nil, errNoAuthToken
+		return nil, ErrNoAuthToken
 	}
 	// decrypt encrypted token
 	claimTokens, err := decryptClaims(token)
@@ -289,25 +291,18 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 // either defined on a cookie `token` or on Authorization header.
 //
 // Authorization Header needs to be like "Authorization Bearer <token>"
-func GetTokenFromRequest(r *http.Request) (*string, error) {
-	// Get Auth token
-	var reqToken string
-
+func GetTokenFromRequest(r *http.Request) (string, error) {
 	// Token might come either as a Cookie or as a Header
 	// if not set in cookie, check if it is set on Header.
 	tokenCookie, err := r.Cookie("token")
 	if err != nil {
-		headerToken := r.Header.Get("Authorization")
-		// reqToken should come as "Bearer <token>"
-		splitHeaderToken := strings.Split(headerToken, "Bearer")
-		if len(splitHeaderToken) <= 1 {
-			return nil, errNoAuthToken
-		}
-		reqToken = strings.TrimSpace(splitHeaderToken[1])
-	} else {
-		reqToken = strings.TrimSpace(tokenCookie.Value)
+		return "", ErrNoAuthToken
+	}
+	currentTime := time.Now()
+	if tokenCookie.Expires.After(currentTime) {
+		return "", errTokenExpired
 	}
-	return swag.String(reqToken), nil
+	return strings.TrimSpace(tokenCookie.Value), nil
 }
 
 func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
@@ -317,7 +312,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
 	}
 	// Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session
 	// was used in the first place to get it
-	claims, err := SessionTokenAuthenticate(*sessionID)
+	claims, err := SessionTokenAuthenticate(sessionID)
 	if err != nil {
 		return nil, err
 	}