MCS use the correct region to authenticate users (#94)

Alevsk · web-flow · commit 9ac754d4de3d · 2020-05-04T18:18:04.000-05:00
Previous mcs was authenticating all the users agains &lt;empty&gt; region,
this was a problem when an admin configure a different region via the
configuration page on mcs, now before authenticating a user via
credentials or idp mcs will ask minio what's the current region and try
to authenticate using that that information.

- Login to mcs
- Go to the configuration page and change the region, ie: us-west-1
- Logout from mcs
- Login to mcs again, you should not get any error
diff --git a/restapi/user_login.go b/restapi/user_login.go
@@ -31,6 +31,10 @@ import (
 	"github.com/minio/mcs/restapi/operations/user_api"
 )
 
+var (
+	errorGeneric = errors.New("an error occurred, please try again")
+)
+
 func registerLoginHandlers(api *operations.McsAPI) {
 	// get login strategy
 	api.UserAPILoginDetailHandler = user_api.LoginDetailHandlerFunc(func(params user_api.LoginDetailParams) middleware.Responder {
@@ -74,9 +78,32 @@ func login(credentials MCSCredentials) (*string, error) {
 	return &jwt, nil
 }
 
+func getConfiguredRegion(client MinioAdmin) string {
+	location := ""
+	configuration, err := getConfig(client, "region")
+	if err != nil {
+		log.Println("error obtaining MinIO region:", err)
+		return location
+	}
+	// region is an array of 1 element
+	if len(configuration) > 0 {
+		location = configuration[0].Value
+	}
+	return location
+}
+
 // getLoginResponse performs login() and serializes it to the handler's output
 func getLoginResponse(lr *models.LoginRequest) (*models.LoginResponse, error) {
-	creds, err := newMcsCredentials(*lr.AccessKey, *lr.SecretKey, "")
+	mAdmin, err := newSuperMAdminClient()
+	if err != nil {
+		log.Println("error creating Madmin Client:", err)
+		return nil, errorGeneric
+	}
+	adminClient := adminClient{client: mAdmin}
+	// obtain the configured MinIO region
+	// need it for user authentication
+	location := getConfiguredRegion(adminClient)
+	creds, err := newMcsCredentials(*lr.AccessKey, *lr.SecretKey, location)
 	if err != nil {
 		log.Println("error login:", err)
 		return nil, err
@@ -131,27 +158,32 @@ func getLoginOauth2AuthResponse(lr *models.LoginOauth2AuthRequest) (*models.Logi
 		// initialize new oauth2 client
 		oauth2Client, err := oauth2.NewOauth2ProviderClient(ctx, nil)
 		if err != nil {
-			return nil, err
+			log.Println("error getting new oauth2 client:", err)
+			return nil, errorGeneric
 		}
 		// initialize new identity provider
 		identityProvider := &auth.IdentityProvider{Client: oauth2Client}
 		// Validate user against IDP
 		identity, err := loginOauth2Auth(ctx, identityProvider, *lr.Code, *lr.State)
 		if err != nil {
-			return nil, err
+			log.Println("error validating user identity against idp:", err)
+			return nil, errorGeneric
 		}
 		mAdmin, err := newSuperMAdminClient()
 		if err != nil {
 			log.Println("error creating Madmin Client:", err)
-			return nil, err
+			return nil, errorGeneric
 		}
 		adminClient := adminClient{client: mAdmin}
 		accessKey := identity.Email
 		secretKey := utils.RandomCharString(32)
-		// Create user in MinIO
+		// obtain the configured MinIO region
+		// need it for user authentication
+		location := getConfiguredRegion(adminClient)
+		// create user in MinIO
 		if _, err := addUser(ctx, adminClient, &accessKey, &secretKey, []string{}); err != nil {
 			log.Println("error adding user:", err)
-			return nil, err
+			return nil, errorGeneric
 		}
 		// rollback user if there's an error after this point
 		defer func() {
@@ -164,25 +196,25 @@ func getLoginOauth2AuthResponse(lr *models.LoginOauth2AuthRequest) (*models.Logi
 		// assign the "mcsAdmin" policy to this user
 		if err := setPolicy(ctx, adminClient, oauth2.GetIDPPolicyForUser(), accessKey, models.PolicyEntityUser); err != nil {
 			log.Println("error setting policy:", err)
-			return nil, err
+			return nil, errorGeneric
 		}
 		// User was created correctly, create a new session/JWT
-		creds, err := newMcsCredentials(accessKey, secretKey, "")
+		creds, err := newMcsCredentials(accessKey, secretKey, location)
 		if err != nil {
 			log.Println("error login:", err)
-			return nil, err
+			return nil, errorGeneric
 		}
 		credentials := mcsCredentials{minioCredentials: creds}
 		jwt, err := login(credentials)
 		if err != nil {
 			log.Println("error login:", err)
-			return nil, err
+			return nil, errorGeneric
 		}
 		// serialize output
 		loginResponse := &models.LoginResponse{
 			SessionID: *jwt,
 		}
 		return loginResponse, nil
 	}
-	return nil, errors.New("an error occurred, please try again")
+	return nil, errorGeneric
 }
diff --git a/restapi/user_login_test.go b/restapi/user_login_test.go
@@ -24,6 +24,8 @@ import (
 	"github.com/minio/mcs/pkg/auth"
 	"github.com/minio/mcs/pkg/auth/idp/oauth2"
 	"github.com/minio/minio-go/v6/pkg/credentials"
+	"github.com/minio/minio/cmd/config"
+	"github.com/minio/minio/pkg/madmin"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -101,3 +103,95 @@ func TestLoginOauth2Auth(t *testing.T) {
 		funcAssert.Equal("error", err.Error())
 	}
 }
+
+func Test_getConfiguredRegion(t *testing.T) {
+	client := adminClientMock{}
+	type args struct {
+		client adminClientMock
+	}
+
+	tests := []struct {
+		name string
+		args args
+		want string
+		mock func()
+	}{
+		// If MinIO returns an error, we return empty region name
+		{
+			name: "region",
+			args: args{
+				client: client,
+			},
+			want: "",
+			mock: func() {
+				// mock function response from getConfig()
+				minioGetConfigKVMock = func(key string) ([]byte, error) {
+					return nil, errors.New("Invalid config")
+				}
+				// mock function response from listConfig()
+				minioHelpConfigKVMock = func(subSys, key string, envOnly bool) (madmin.Help, error) {
+					return madmin.Help{}, errors.New("no help")
+				}
+			},
+		},
+		// MinIO returns an empty region name
+		{
+			name: "region",
+			args: args{
+				client: client,
+			},
+			want: "",
+			mock: func() {
+				// mock function response from getConfig()
+				minioGetConfigKVMock = func(key string) ([]byte, error) {
+					return []byte("region name= "), nil
+				}
+				// mock function response from listConfig()
+				minioHelpConfigKVMock = func(subSys, key string, envOnly bool) (madmin.Help, error) {
+					return madmin.Help{
+						SubSys:          config.RegionSubSys,
+						Description:     "label the location of the server",
+						MultipleTargets: false,
+						KeysHelp: []madmin.HelpKV{
+							{
+								Key:             "name",
+								Description:     "name of the location of the server e.g. \"us-west-rack2\"",
+								Optional:        true,
+								Type:            "string",
+								MultipleTargets: false,
+							},
+							{
+								Key:             "comment",
+								Description:     "optionally add a comment to this setting",
+								Optional:        true,
+								Type:            "sentence",
+								MultipleTargets: false,
+							},
+						},
+					}, nil
+				}
+			},
+		},
+		// MinIO returns the asia region
+		{
+			name: "region",
+			args: args{
+				client: client,
+			},
+			want: "asia",
+			mock: func() {
+				minioGetConfigKVMock = func(key string) ([]byte, error) {
+					return []byte("region name=asia "), nil
+				}
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt.mock()
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getConfiguredRegion(tt.args.client); got != tt.want {
+				t.Errorf("getConfiguredRegion() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
