mtLS - Admin Client madmin-go

examples-server-info.go

//go:build ignore
// +build ignore

// Copyright (c) 2015-2022 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//

package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"github.com/minio/madmin-go/v3"
	"github.com/minio/minio-go/v7/pkg/credentials"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)

func main() {
	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY and my-bucketname are
	// dummy values, please replace them with original values.

	// API requests are secure (HTTPS) if secure=true and insecure (HTTP) otherwise.
	// New returns an MinIO Admin client object.

	endpoint := "localhost:22000"
	//Server cert
	caCertPath := "/home/prakash/tmpwork/minio-tls/certs/public.crt"

	//Client Cert
	clientCertPath := "/home/prakash/tmpwork/minio-tls/client-certs"
	clientCertFileName := "/client1.crt"
	clientKeyFileName := "/client1.key"

	caCert, err := os.ReadFile(caCertPath)
	if err != nil {
		log.Printf("unable to setup CA certificate: %v", err)
		os.Exit(1)
	}

	var caCertPool *x509.CertPool
	caCertPool = x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	cert, err := tls.LoadX509KeyPair(clientCertPath+clientCertFileName, clientCertPath+clientKeyFileName)
	if err != nil {
		log.Fatalf("Client: loadkeys: %s", err)
	}
	tlsConfig := tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
	}

	// default transportCreds with added CA cert and client cert
	transportCreds := &http.Transport{
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).DialContext,
		TLSClientConfig: &tlsConfig,
	}

	creds, err := credentials.NewSTSCertificateIdentity("https://"+endpoint, cert, credentials.CertificateIdentityWithTransport(transportCreds))
	if err != nil {
		log.Printf("unable to setup client credentials: %v", err)
		os.Exit(1)
	}

	adminClient, err := madmin.NewWithOptions(endpoint, &madmin.Options{
		Creds:  creds,
		Secure: true,
	})
	// credValues, err := creds.Get()
	// fmt.Println("Credential Values: \n", "AccessKey::", credValues.AccessKeyID, "\nSecretKey::", credValues.SecretAccessKey, "\n Session Token:", credValues.SessionToken)
	if err != nil {
		log.Fatalln(err)
	}

	adminInfoJson, err := adminClient.ServerInfo(context.Background())
	if err != nil {
		log.Fatalln(err)
	}
	log.Printf("%+v\n", adminInfoJson)

}

/home/prakash/tmpwork/minio-tls

mc admin info local22s

https://gist.github.com/balamurugana/5b9d91ba5dbfafdc7bab94583674ed49

https://github.com/kanagarajkm/mkcert

mkcert localhost
mkcert -install

CI=true MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 MINIO_IDENTITY_TLS_ENABLE=on MINIO_IDENTITY_TLS_SKIP_VERIFY=on minio server --certs-dir="./certs" -address :22000 --console-address :11000 /tmp/mn-latest-ext{1...4}

Client Auth:

/home/prakash/tmpwork/minio-tls/client-certs

• create policy client1

  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
  

}

- create user client1 and assign the policy client1

curl -X POST  --key client1.key --cert client1.crt "https://localhost:22000?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600" -k