
Session Policy is BASE 64 encoded, but JSON is expected #11336

Closed
dnoelb opened this issue Jan 23, 2021 · 5 comments

Comments

dnoelb commented Jan 23, 2021

Used the AssumeRoleWithWebIdentity API to retrieve a temporary session token to access the MinIO API with a session policy.
The first step works, as the API returns a valid token, which contains a sessionPolicy. The problem is that the session policy within the returned token is BASE64 encoded and MinIO expects a JSON encoded string when accessing the API with the access token.

Expected Behavior

Being able to access the Minio API with the returned session Token.

Current Behavior

The access is denied and the MinIO log outputs the following:

 API: SYSTEM()
 Time: 12:42:11 UTC 01/23/2021
 DeploymentID: 43cc4a6d-72b2-4aca-83f8-674845de7dee
 Error: invalid character 'e' looking for beginning of value (iampolicy.Error)
        3: cmd/iam.go:1827:cmd.(*IAMSys).IsAllowedSTS()
        2: cmd/iam.go:1894:cmd.(*IAMSys).IsAllowed()
        1: cmd/web-handlers.go:1380:cmd.(*webAPIHandlers).Download()

The returned sessionToken from AssumeRoleWithWebIdentity contains the following part with the session policy (I shortened the BASE64 string for privacy reasons):

[...]
  "policy": "policy",
  "sessionPolicy": "eyJW[AS BASE64 ENCODED POLICY]"
[...]
}

Possible Solution

Storing the sessionPolicy as JSON encoded within the token, or expecting a base64 encoded sessionPolicy and decoding it prior to the policy checks.

Steps to Reproduce (for bugs)

  1. Set up MinIO with an OpenID Connect provider.
  2. Retrieve an OpenID token from the provider.
  3. Call the AssumeRoleWithWebIdentity API with the retrieved token and a session policy.
  4. Try to access a resource on the server with the sessionToken from the previous step.
  5. The error message is then displayed within the MinIO logs.

Context

I am trying to set up an environment that gives out temporary credentials to users, which limit access to certain subdirectories.

Regression

Your Environment

  • Version used (minio --version): RELEASE.2021-01-08T21-18-21Z
  • Server setup and configuration: UBUNTU 20.04 VM for testing
  • Operating System and version (uname -a): Linux panther 5.8.0-38-generic #43~20.04.1-Ubuntu SMP Tue Jan 12 16:39:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
@harshavardhana
Member

@dnoelb can you share the code where you see this? It is the client that needs to supply the correct session policy, not the server.

harshavardhana (Member) commented Jan 23, 2021

You shouldn't be extracting sessionToken claims - sessionToken should be used opaquely and can be safely shared with the client.

To re-request a new token you need to present session policy again in JSON form that you did originally.

We won't put a JSON inside a JWT claim

dnoelb (Author) commented Jan 23, 2021

Hey, thanks for your answer! :)

The error does not occur in the step of requesting the sessionToken (via AssumeRole...), but in the step of requesting some resource on the server with the sessionToken (I just took a look into it for debugging, it is otherwise just passed to the client).

When I make a call like http://localhost:9000/minio/download/bucket/image.jpg?token=SESSIONTOKENHERE the access is denied by the server and this error message appears in the logs:

 API: SYSTEM()
 Time: 12:42:11 UTC 01/23/2021
 DeploymentID: 43cc4a6d-72b2-4aca-83f8-674845de7dee
 Error: invalid character 'e' looking for beginning of value (iampolicy.Error)
        3: cmd/iam.go:1827:cmd.(*IAMSys).IsAllowedSTS()
        2: cmd/iam.go:1894:cmd.(*IAMSys).IsAllowed()
        1: cmd/web-handlers.go:1380:cmd.(*webAPIHandlers).Download()

In my opinion, the message hints that the first letter of the sessionPolicy within the sessionToken is 'e' and therefore encoded in BASE64. The MinIO server somehow tries to read just the string and does not decode the BASE64 of the sessionPolicy within the sessionToken, in order to read the policy at this point.

@harshavardhana
Member

> When I make a call like http://localhost:9000/minio/download/bucket/image.jpg?token=SESSIONTOKENHERE the access is denied by the server and this error message appears in the logs:

Yes but this is an incorrect way to call - the session token is not a token= value that you can use @dnoelb with the Browser API - this token should be used with the AWS S3 API as the x-amz-security-token HTTP header.

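The flow harshavardhana describes, written out as an added example (this is not code from the MinIO project or from either participant): the session policy is sent to the STS endpoint as a JSON string in the Policy form field, and the returned credentials are then used opaquely, with the session token carried in the X-Amz-Security-Token header of a SigV4-signed S3 request instead of a token= query parameter on the browser API. Assumptions: standard-library Python only, so it runs offline and does not talk to a server; the endpoint localhost:9000, bucket, object key, OIDC token and credentials are constructed placeholders; us-east-1 is assumed as the signing region; the STS form parameters (Action, Version, WebIdentityToken, Policy, DurationSeconds) follow the AWS STS query API that MinIO's STS endpoint implements.

```python
"""Correct use of MinIO STS credentials obtained with a session policy.

Added example, not MinIO project code.  All endpoints, tokens and keys
below are constructed placeholders; only the standard library is used.
"""
import datetime
import hashlib
import hmac
import json
from urllib.parse import quote, urlencode

# Constructed timestamp (matches the log time in the issue) so signing is
# reproducible; real code uses the current UTC time.
EXAMPLE_TIME = datetime.datetime(2021, 1, 23, 12, 42, 11,
                                 tzinfo=datetime.timezone.utc)


# --- Step 1: AssumeRoleWithWebIdentity ----------------------------------
def sts_request_body(web_identity_token, session_policy, duration_seconds=3600):
    """Form-urlencoded body for POST http://localhost:9000/ (the STS endpoint).

    The session policy goes over the wire as a JSON *string*.  Whatever the
    server embeds in the returned SessionToken is its own business: the
    client never decodes that token, it only sends it back as a header.
    """
    return urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": web_identity_token,
        "Policy": json.dumps(session_policy, separators=(",", ":")),
        "DurationSeconds": str(duration_seconds),
    })


# --- Step 2: use the credentials with the S3 API ------------------------
def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign_s3_get(host, bucket, key, access_key, secret_key, session_token,
                region="us-east-1", now=None):
    """Return the headers for a SigV4-signed GET /<bucket>/<key>.

    The session token is sent as x-amz-security-token and is part of the
    signed headers, so it cannot be dropped or swapped without invalidating
    the signature.  The server extracts the session policy from the token
    itself; the client sends no policy on data requests.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    service = "s3"
    payload_hash = _sha256_hex(b"")  # GET carries an empty body

    canonical_uri = "/" + quote(bucket, safe="") + "/" + quote(key, safe="/")
    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "GET", canonical_uri, "",  # empty canonical query string
        canonical_headers, signed_headers, payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])

    # Derive the signing key: HMAC chain over date, region, service, terminator.
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": ["arn:aws:s3:::bucket/users/alice/*"]}]}
    print(sts_request_body("sample.oidc.token", policy))
    hdrs = sign_s3_get("localhost:9000", "bucket", "users/alice/image.jpg",
                       "AKIAEXAMPLE", "secretEXAMPLE", "sampleSessionToken",
                       now=EXAMPLE_TIME)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Run stand-alone it prints the STS form body and the signed S3 request headers. Because x-amz-security-token is inside SignedHeaders, a request whose token is tampered with fails signature verification before any policy is evaluated; the session policy restricting the caller to a subdirectory is enforced server-side from the token the server itself issued, which is why the client has no reason to look inside it.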
dnoelb (Author) commented Jan 23, 2021

Oh, now I understand my mistake, thank you very much for the help! :)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 31, 2022