move to madmin-go/, pkg/ packages (#765)

minio · Jun 1, 2021 · eff001b · eff001b
1 parent 9498f8d
commit eff001b
Show file tree

Hide file tree

Showing 59 changed files with 490 additions and 471 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/cluster/config.go b/cluster/config.go
@@ -26,7 +26,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/minio/minio/pkg/env"
+	"github.com/minio/pkg/env"
 )
 
 var (

diff --git a/cmd/console/main.go b/cmd/console/main.go
@@ -23,13 +23,11 @@ import (
 	"sort"
 	"time"
 
-	"github.com/minio/console/pkg"
-
-	"github.com/minio/minio/pkg/console"
-	"github.com/minio/minio/pkg/trie"
-	"github.com/minio/minio/pkg/words"
-
 	"github.com/minio/cli"
+	"github.com/minio/console/pkg"
+	"github.com/minio/pkg/console"
+	"github.com/minio/pkg/trie"
+	"github.com/minio/pkg/words"
 )
 
 // Help template for Console.

diff --git a/cmd/console/server.go b/cmd/console/server.go
@@ -25,8 +25,6 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/minio/minio/cmd/config"
-
 	"github.com/go-openapi/loads"
 	"github.com/jessevdk/go-flags"
 	"github.com/minio/cli"
@@ -150,7 +148,7 @@ func startServer(ctx *cli.Context) error {
 		if errAddCert := certs.AddCertificate(context.Background(), restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
 			log.Println(errAddCert)
 		}
-		if x509Certs, errParseCert := config.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
+		if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
 			if len(x509Certs) > 0 {
 				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0])
 			}

diff --git a/go.mod b/go.mod
@@ -18,23 +18,26 @@ require (
 	github.com/minio/cli v1.22.0
 	github.com/minio/direct-csi v1.2.8
 	github.com/minio/kes v0.11.0
-	github.com/minio/mc v0.0.0-20210422171734-4eae7ec7ed25
-	github.com/minio/minio v0.0.0-20210423185853-cbfdf97abf9f
-	github.com/minio/minio-go/v7 v7.0.11-0.20210407221404-ba867dba7ee1
-	github.com/minio/operator v0.0.0-20210419212754-93a9239fd18b
+	github.com/minio/madmin-go v1.0.8
+	github.com/minio/mc v0.0.0-20210531030240-fbbae711bdb4
+	github.com/minio/minio-go/v7 v7.0.11-0.20210517200026-f0518ca447d6
+	github.com/minio/operator v0.0.0-20210528062917-73fddaa05e7a
 	github.com/minio/operator/logsearchapi v0.0.0-20210201110528-753019b838b4
+	github.com/minio/pkg v1.0.3
 	github.com/minio/selfupdate v0.3.1
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/rs/xid v1.2.1
 	github.com/secure-io/sio-go v0.3.1
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.7.0
 	github.com/unrolled/secure v1.0.7
-	golang.org/x/crypto v0.0.0-20210415154028-4f45737414dc
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
+	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
+	golang.org/x/net v0.0.0-20210421230115-4e50805a0758
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	gopkg.in/yaml.v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
 	k8s.io/client-go v0.20.2
 )
+
+replace google.golang.org/grpc => google.golang.org/grpc v1.29.1
diff --git a/go.sum b/go.sum
diff --git a/pkg/acl/config.go b/pkg/acl/config.go
@@ -19,7 +19,7 @@ package acl
 import (
 	"strings"
 
-	"github.com/minio/minio/pkg/env"
+	"github.com/minio/pkg/env"
 )
 
 // GetOperatorMode gets Console Operator mode status set on env variable or default one

diff --git a/pkg/acl/endpoints.go b/pkg/acl/endpoints.go
@@ -17,7 +17,7 @@
 package acl
 
 import (
-	iampolicy "github.com/minio/minio/pkg/iam/policy"
+	iampolicy "github.com/minio/pkg/iam/policy"
 )
 
 // endpoints definition

diff --git a/pkg/acl/endpoints_test.go b/pkg/acl/endpoints_test.go
@@ -20,7 +20,7 @@ import (
 	"reflect"
 	"testing"
 
-	iampolicy "github.com/minio/minio/pkg/iam/policy"
+	iampolicy "github.com/minio/pkg/iam/policy"
 )
 
 type args struct {

diff --git a/pkg/auth/idp/oauth2/config.go b/pkg/auth/idp/oauth2/config.go
@@ -22,7 +22,7 @@ import (
 	"strings"
 
 	"github.com/minio/console/pkg/auth/utils"
-	"github.com/minio/minio/pkg/env"
+	"github.com/minio/pkg/env"
 )
 
 func GetSTSEndpoint() string {

diff --git a/pkg/auth/ldap/config.go b/pkg/auth/ldap/config.go
@@ -19,7 +19,7 @@ package ldap
 import (
 	"strings"
 
-	"github.com/minio/minio/pkg/env"
+	"github.com/minio/pkg/env"
 )
 
 func GetLDAPEnabled() bool {

diff --git a/pkg/auth/token/config.go b/pkg/auth/token/config.go
@@ -20,7 +20,7 @@ import (
 	"strconv"
 
 	"github.com/minio/console/pkg/auth/utils"
-	"github.com/minio/minio/pkg/env"
+	"github.com/minio/pkg/env"
 )
 
 // ConsoleSTSDurationSeconds returns the default session duration for the STS requested tokens.

diff --git a/pkg/certs/certs.go b/pkg/certs/certs.go
@@ -17,18 +17,24 @@
 package certs
 
 import (
+	"bytes"
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"log"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/minio/cli"
-	"github.com/minio/minio/cmd/config"
-	"github.com/minio/minio/cmd/logger"
-	xcerts "github.com/minio/minio/pkg/certs"
+	xcerts "github.com/minio/pkg/certs"
+	"github.com/minio/pkg/env"
 	"github.com/mitchellh/go-homedir"
 )
 
@@ -78,6 +84,40 @@ var (
 	GlobalCertsCADir = DefaultCertsCADir
 )
 
+// ParsePublicCertFile - parses public cert into its *x509.Certificate equivalent.
+func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err error) {
+	// Read certificate file.
+	var data []byte
+	if data, err = ioutil.ReadFile(certFile); err != nil {
+		return nil, err
+	}
+
+	// Trimming leading and tailing white spaces.
+	data = bytes.TrimSpace(data)
+
+	// Parse all certs in the chain.
+	current := data
+	for len(current) > 0 {
+		var pemBlock *pem.Block
+		if pemBlock, current = pem.Decode(current); pemBlock == nil {
+			return nil, fmt.Errorf("could not read PEM block from file %s", certFile)
+		}
+
+		var x509Cert *x509.Certificate
+		if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
+			return nil, err
+		}
+
+		x509Certs = append(x509Certs, x509Cert)
+	}
+
+	if len(x509Certs) == 0 {
+		return nil, fmt.Errorf("empty public certificate file %s", certFile)
+	}
+
+	return x509Certs, nil
+}
+
 // MkdirAllIgnorePerm attempts to create all directories, ignores any permission denied errors.
 func MkdirAllIgnorePerm(path string) error {
 	err := os.MkdirAll(path, 0700)
@@ -115,19 +155,22 @@ func NewConfigDirFromCtx(ctx *cli.Context, option string, getDefaultDir func() s
 		// default directory.
 		dir = getDefaultDir()
 		if dir == "" {
-			logger.FatalIf(errors.New("invalid arguments specified"), "%s option must be provided", option)
+			log.Fatalln(fmt.Sprintf("invalid arguments specified, %s option must be provided", option))
 		}
 	}
 
 	if dir == "" {
-		logger.FatalIf(errors.New("empty directory"), "%s directory cannot be empty", option)
+		log.Fatalln(fmt.Sprintf("empty directory, %s directory cannot be empty", option))
 	}
 
 	// Disallow relative paths, figure out absolute paths.
 	dirAbs, err := filepath.Abs(dir)
-	logger.FatalIf(err, "Unable to fetch absolute path for %s=%s", option, dir)
-	logger.FatalIf(MkdirAllIgnorePerm(dirAbs), "Unable to create directory specified %s=%s", option, dir)
-
+	if err != nil {
+		log.Fatalf("%s: Unable to fetch absolute path for %s=%s", err, option, dir)
+	}
+	if err = MkdirAllIgnorePerm(dirAbs); err != nil {
+		log.Fatalf("%s: Unable to create directory specified %s=%s", err, option, dir)
+	}
 	return &ConfigDir{Path: dirAbs}, dirSet
 }
 
@@ -139,6 +182,58 @@ func getPrivateKeyFile() string {
 	return filepath.Join(GlobalCertsDir.Get(), PrivateKeyFile)
 }
 
+// EnvCertPassword is the environment variable which contains the password used
+// to decrypt the TLS private key. It must be set if the TLS private key is
+// password protected.
+const EnvCertPassword = "CONSOLE_CERT_PASSWD"
+
+// LoadX509KeyPair - load an X509 key pair (private key , certificate)
+// from the provided paths. The private key may be encrypted and is
+// decrypted using the ENV_VAR: MINIO_CERT_PASSWD.
+func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
+	certPEMBlock, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	keyPEMBlock, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	key, rest := pem.Decode(keyPEMBlock)
+	if len(rest) > 0 {
+		return tls.Certificate{}, errors.New("the private key contains additional data")
+	}
+	if x509.IsEncryptedPEMBlock(key) {
+		password := env.Get(EnvCertPassword, "")
+		if len(password) == 0 {
+			return tls.Certificate{}, errors.New("no password")
+		}
+		decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
+		if decErr != nil {
+			return tls.Certificate{}, decErr
+		}
+		keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
+	}
+	cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	// Ensure that the private key is not a P-384 or P-521 EC key.
+	// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
+	if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
+		if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
+			switch pub.Params().Name {
+			case "P-384":
+				fallthrough
+			case "P-521":
+				// unfortunately there is no cleaner way to check
+				return tls.Certificate{}, fmt.Errorf("tls: the ECDSA curve '%s' is not supported", pub.Params().Name)
+			}
+		}
+	}
+	return cert, nil
+}
+
 func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err error) {
 
 	ctx := context.Background()
@@ -147,11 +242,11 @@ func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err
 		return nil, nil, nil
 	}
 
-	if x509Certs, err = config.ParsePublicCertFile(getPublicCertFile()); err != nil {
+	if x509Certs, err = ParsePublicCertFile(getPublicCertFile()); err != nil {
 		return nil, nil, err
 	}
 
-	manager, err = xcerts.NewManager(ctx, getPublicCertFile(), getPrivateKeyFile(), config.LoadX509KeyPair)
+	manager, err = xcerts.NewManager(ctx, getPublicCertFile(), getPrivateKeyFile(), LoadX509KeyPair)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -212,8 +307,7 @@ func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err
 			continue
 		}
 		if err = manager.AddCertificate(certFile, keyFile); err != nil {
-			err = fmt.Errorf("unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err)
-			logger.LogIf(ctx, err, logger.Application)
+			log.Fatalln(fmt.Errorf("unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err))
 		}
 	}
 	return x509Certs, manager, nil
@@ -222,10 +316,14 @@ func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err
 func GetAllCertificatesAndCAs() (*x509.CertPool, []*x509.Certificate, *xcerts.Manager) {
 	// load all CAs from ~/.console/certs/CAs
 	GlobalRootCAs, err := xcerts.GetRootCAs(GlobalCertsCADir.Get())
-	logger.FatalIf(err, "Failed to read root CAs (%v)", err)
+	if err != nil {
+		log.Fatalln(err)
+	}
 	// load all certs from ~/.console/certs
 	globalPublicCerts, globalTLSCertsManager, err := GetTLSConfig()
-	logger.FatalIf(err, "Unable to load the TLS configuration")
+	if err != nil {
+		log.Fatalln(err)
+	}
 	return GlobalRootCAs, globalPublicCerts, globalTLSCertsManager
 }
 
@@ -236,6 +334,6 @@ func AddCertificate(ctx context.Context, manager *xcerts.Manager, publicKey, pri
 		return manager.AddCertificate(publicKey, privateKey)
 	}
 	// Initialize cert manager
-	manager, err = xcerts.NewManager(ctx, publicKey, privateKey, config.LoadX509KeyPair)
+	manager, err = xcerts.NewManager(ctx, publicKey, privateKey, LoadX509KeyPair)
 	return err
 }