
Add STSClientGrants and STSWebIdentity credential provider #1059

Merged
merged 1 commit into from Jan 14, 2019

Conversation

harshavardhana
Member

@harshavardhana harshavardhana commented Jan 5, 2019

Both providers implement a way to retrieve temporary
credentials from the Minio STS service:

  • using a client grants token (Minio only)
  • using a web identity token (both Minio and AWS)

These temporary credentials will be used to perform API
operations, for applications which never use static
credentials.

@harshavardhana harshavardhana force-pushed the fix-webidentity branch 3 times, most recently from af40956 to dbb08c8 on January 6, 2019 10:19
@harshavardhana
Member Author

Can I get some reviews @vadmeste @poornas?

Contributor

@poornas poornas left a comment


could you add examples for STSClientGrants and STSWebIdentity providers

@harshavardhana
Member Author

Once merged, they will be added to the server-side examples @poornas; I would refrain from adding them here. It would require copying documentation from the server code.

poornas
poornas previously approved these changes Jan 11, 2019
Member

@vadmeste vadmeste left a comment


One comment, LGTM otherwise

pkg/credentials/sts_client_grants.go (outdated, resolved)
@harshavardhana
Member Author

harshavardhana commented Jan 13, 2019

My intention was something like this @vadmeste

```go
package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"

	minio "github.com/minio/minio-go"
	"github.com/minio/minio-go/pkg/credentials"
)

// JWTToken - parses the access token response from the IDP token endpoint.
type JWTToken struct {
	AccessToken string `json:"access_token"`
	Expiry      int    `json:"expires_in"`
}

var (
	stsEndpoint  string
	idpEndpoint  string
	clientID     string
	clientSecret string
)

func init() {
	flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
	flag.StringVar(&idpEndpoint, "idp-ep", "https://localhost:9443/oauth2/token", "IDP endpoint")
	flag.StringVar(&clientID, "cid", "", "Client ID")
	flag.StringVar(&clientSecret, "csec", "", "Client secret")
}

// getTokenExpiry obtains an access token from the IDP using the
// client_credentials grant. STSClientGrants calls it whenever it needs
// a fresh token to exchange for temporary credentials.
func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
	data := url.Values{}
	data.Set("grant_type", "client_credentials")
	req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(data.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	// InsecureSkipVerify disables certificate verification of the IDP;
	// only acceptable for a local test IDP with a self-signed certificate.
	t := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
		},
	}
	hclient := http.Client{
		Transport: t,
	}
	resp, err := hclient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s", resp.Status)
	}

	var idpToken JWTToken
	if err = json.NewDecoder(resp.Body).Decode(&idpToken); err != nil {
		return nil, err
	}

	// ClientGrantsToken exposes the token and its expiry (in seconds) as exported fields.
	return &credentials.ClientGrantsToken{Token: idpToken.AccessToken, Expiry: idpToken.Expiry}, nil
}

func main() {
	flag.Parse()
	if clientID == "" || clientSecret == "" {
		flag.PrintDefaults()
		return
	}

	sts, err := credentials.NewSTSClientGrants(stsEndpoint, getTokenExpiry)
	if err != nil {
		log.Fatal(err)
	}

	// Initialize a minio client with the obtained temporary credentials and
	// use it for API operations. minio.NewWithOptions takes a bare host:port,
	// so split the scheme off the STS endpoint URL.
	u, err := url.Parse(stsEndpoint)
	if err != nil {
		log.Fatal(err)
	}
	opts := &minio.Options{
		Creds:        sts,
		Secure:       u.Scheme == "https",
		BucketLookup: minio.BucketLookupAuto,
	}

	clnt, err := minio.NewWithOptions(u.Host, opts)
	if err != nil {
		log.Fatal(err)
	}

	d := bytes.NewReader([]byte("Hello, World"))
	n, err := clnt.PutObject("my-bucketname", "my-objectname", d, d.Size(), minio.PutObjectOptions{})
	if err != nil {
		log.Fatalln(err)
	}

	log.Println("Uploaded", "my-objectname", " of size: ", n, "Successfully.")
}
```

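The web identity leg this PR adds but the snippet above does not show, as an added example that is not part of the PR or of minio-go: a client that exchanges an IDP-issued token with STS, refuses incomplete or already-expired credentials, and is exercised against a constructed fake STS that only honours the expected token. The form fields and XML layout are assumed to follow the AWS STS AssumeRoleWithWebIdentity shape that Minio's STS mirrors; the names are assumptions, not copied from minio-go.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// TempCreds holds the short-lived credentials an STS exchange returns.
type TempCreds struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"` // RFC3339 text, parsed by encoding/xml
}

// exchangeWebIdentity posts the IDP-issued JWT to STS and validates the reply before returning it; the XML layout is an assumption (the AWS STS shape that Minio's STS mirrors).
func exchangeWebIdentity(c *http.Client, stsEndpoint, token string) (*TempCreds, error) {
	form := url.Values{"Action": {"AssumeRoleWithWebIdentity"}, "Version": {"2011-06-15"}, "WebIdentityToken": {token}}
	resp, err := c.PostForm(stsEndpoint, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("sts: %s", resp.Status)
	}
	var r struct{ Creds TempCreds `xml:"AssumeRoleWithWebIdentityResult>Credentials"` }
	if err := xml.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, err
	}
	if r.Creds.AccessKeyID == "" || r.Creds.SessionToken == "" || !r.Creds.Expiration.After(time.Now()) {
		return nil, fmt.Errorf("sts: refusing incomplete or already-expired credentials")
	}
	return &r.Creds, nil
}

// newFakeSTS is a constructed stand-in for the STS endpoint (offline demo only): one-hour credentials for the expected token, 403 for anything else.
func newFakeSTS(expectToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("WebIdentityToken") != expectToken {
			http.Error(w, "AccessDenied", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "<AssumeRoleWithWebIdentityResponse><AssumeRoleWithWebIdentityResult><Credentials><AccessKeyId>AKIATEMP</AccessKeyId><SecretAccessKey>s3cr3t</SecretAccessKey><SessionToken>sess</SessionToken><Expiration>%s</Expiration></Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>", time.Now().Add(time.Hour).UTC().Format(time.RFC3339))
	}))
}
```

A provider callback in the style of the PR would call exchangeWebIdentity each time the cached credentials reach their Expiration, so the application never holds a static key.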
@harshavardhana
Member Author

harshavardhana commented Jan 14, 2019

I changed the implementation to match what @vadmeste asked in the previous comment. PTAL again @poornas @vadmeste

Member

@vadmeste vadmeste left a comment


LGTM

Contributor

@poornas poornas left a comment


LGTM

@nitisht nitisht merged commit e6694bc into minio:master Jan 14, 2019
@harshavardhana harshavardhana deleted the fix-webidentity branch January 14, 2019 17:17