// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

// Package tls holds the configuration of MinIO's X.509 STS API: the
// feature that hands out temporary credentials to clients presenting a
// TLS client certificate and maps those certificates to S3 policies.
package tls

import (
	"strconv"
	"time"

	"github.com/minio/minio/internal/auth"
	"github.com/minio/minio/internal/config"
	"github.com/minio/pkg/v2/env"
)

const (
	// EnvIdentityTLSEnabled is an environment variable that controls whether the X.509
	// TLS STS API is enabled. It is the only switch for the feature: there is
	// no config-KV key for it, and when the variable is unset or empty Lookup
	// returns a disabled Config. In other words the API is OFF by default
	// and must be turned on explicitly.
	EnvIdentityTLSEnabled = "MINIO_IDENTITY_TLS_ENABLE"

	// EnvIdentityTLSSkipVerify is an environment variable that controls whether
	// MinIO verifies the client certificate presented by the client
	// when requesting temp. credentials. When set, it takes precedence
	// over the skip_verify config-KV entry.
	// By default, MinIO always verifies the client certificate.
	//
	// The client certificate verification should only be skipped
	// when debugging or testing a setup since it allows arbitrary
	// clients to obtain temp. credentials with arbitrary policy
	// permissions - including admin permissions.
	EnvIdentityTLSSkipVerify = "MINIO_IDENTITY_TLS_SKIP_VERIFY"
)

// Config contains the STS TLS configuration for generating temp.
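// credentials and mapping client certificates to S3 policies.
//
// A Config is built once by Lookup from the process environment and the
// config-KV subsystem; callers read it, they do not re-resolve it.
type Config struct {
	// Enabled reports whether the X.509 STS API is turned on.
	// Lookup sets it only from MINIO_IDENTITY_TLS_ENABLE; there is no
	// config-KV key for it, so the zero value (off) is the default.
	Enabled bool `json:"enabled"`

	// InsecureSkipVerify, if set to true, disables the client
	// certificate verification. It should only be set for
	// debugging or testing purposes: with verification off, any
	// client presenting any certificate can obtain temp. credentials
	// with whatever policy permissions it asks for, admin included.
	InsecureSkipVerify bool `json:"skip_verify"`
}

const (
	// defaultExpiry is the credential lifetime used when the caller
	// passes no duration at all.
	defaultExpiry time.Duration = 1 * time.Hour
	// minExpiry and maxExpiry bound every accepted lifetime (inclusive).
	minExpiry time.Duration = 15 * time.Minute
	maxExpiry time.Duration = 365 * 24 * time.Hour
)

// GetExpiryDuration - return parsed expiry duration.
//
// dsecs is the requested credential lifetime in whole seconds, as a
// decimal string. An empty string yields defaultExpiry. Any value that
// is not an integer, or that lies outside [minExpiry, maxExpiry], is
// rejected with auth.ErrInvalidDuration.
//
// The range check is performed on the integer number of seconds, not on
// the multiplied time.Duration: multiplying a large int64 by time.Second
// wraps silently, so a check done after the multiplication would accept
// absurd inputs (e.g. 2^55+3600 seconds) that happen to alias onto an
// in-range duration. Comparing before converting closes that gap.
func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
	if dsecs == "" {
		return defaultExpiry, nil
	}

	// 64-bit parse regardless of platform so the bounds below are the
	// ones that decide, not the width of int.
	secs, err := strconv.ParseInt(dsecs, 10, 64)
	if err != nil {
		return 0, auth.ErrInvalidDuration
	}

	// Bounds expressed in seconds; both constants are exact multiples
	// of time.Second so the division is lossless.
	minSecs := int64(minExpiry / time.Second)
	maxSecs := int64(maxExpiry / time.Second)
	if secs < minSecs || secs > maxSecs {
		return 0, auth.ErrInvalidDuration
	}
	// secs is now small enough that this multiplication cannot overflow.
	return time.Duration(secs) * time.Second, nil
}

// Lookup returns a new Config by merging the given K/V config
// system with environment variables.
//
// Resolution order, as implemented:
//   - Enabled comes only from MINIO_IDENTITY_TLS_ENABLE. If that variable
//     is unset or empty, a zero (disabled) Config is returned and
//     skip_verify is not consulted at all.
//   - InsecureSkipVerify is taken from MINIO_IDENTITY_TLS_SKIP_VERIFY when
//     that variable is set, otherwise from the skip_verify K/V entry; the
//     environment wins over the K/V value.
//
// kvs is validated against DefaultKVS first, so an unknown key is an
// error. A boolean that config.ParseBool cannot parse, in either source,
// is returned as an error rather than silently treated as off.
func Lookup(kvs config.KVS) (Config, error) {
	if err := config.CheckValidKeys(config.IdentityTLSSubSys, kvs, DefaultKVS); err != nil {
		return Config{}, err
	}

	enabledStr := env.Get(EnvIdentityTLSEnabled, "")
	if enabledStr == "" {
		// Feature not configured: the STS TLS API stays off whatever
		// skip_verify says, so there is nothing more to validate.
		return Config{}, nil
	}

	enabled, err := config.ParseBool(enabledStr)
	if err != nil {
		return Config{}, err
	}

	skip, err := config.ParseBool(env.Get(EnvIdentityTLSSkipVerify, kvs.Get(skipVerify)))
	if err != nil {
		return Config{}, err
	}

	return Config{
		Enabled:            enabled,
		InsecureSkipVerify: skip,
	}, nil
}

const (
	// skipVerify is the K/V key backing Config.InsecureSkipVerify.
	skipVerify = "skip_verify"
)

// DefaultKVS is the default K/V config system for
// the STS TLS API. skip_verify defaults to "off", i.e. client
// certificates are verified unless an operator opts out.
var DefaultKVS = config.KVS{
	config.KV{
		Key:   skipVerify,
		Value: "off",
	},
}

// Help is the help and description for the STS API K/V configuration.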
var Help = config.HelpKVS{
	config.HelpKV{
		Key: skipVerify,
		// Turning this on lets any client obtain temp. credentials without
		// a verifiable certificate; it exists for debugging and testing only.
		Description: `trust client certificates without verification (default: 'off')`,
		Optional:    true,
		Type:        "on|off",
	},
}