Update dependencies/vendor (#1659)

vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.go

@@ -22,8 +22,13 @@ import (
 	"time"
 )
 
-// STSVersion sts version string
-const STSVersion = "2011-06-15"
+const (
+	// STSVersion sts version string
+	STSVersion = "2011-06-15"
+
+	// How much duration to slash from the given expiration duration
+	defaultExpiryWindow = 0.8
+)
 
 // A Value is the AWS credentials value for individual credential fields.
 type Value struct {
@@ -82,10 +87,15 @@ type Expiry struct {
 // the expiration time given to ensure no requests are made with expired
 // tokens.
 func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
-	e.expiration = expiration
-	if window > 0 {
-		e.expiration = e.expiration.Add(-window)
+	if e.CurrentTime == nil {
+		e.CurrentTime = time.Now
 	}
+	cut := window
+	if cut < 0 {
+		expireIn := expiration.Sub(e.CurrentTime())
+		cut = time.Duration(float64(expireIn) * (1 - defaultExpiryWindow))
+	}
+	e.expiration = expiration.Add(-cut)
 }
 
 // IsExpired returns if the credentials are expired.

vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go

@@ -38,7 +38,10 @@ import (
 // prior to the credentials actually expiring. This is beneficial
 // so race conditions with expiring credentials do not cause
 // request to fail unexpectedly due to ExpiredTokenException exceptions.
-const DefaultExpiryWindow = time.Second * 10 // 10 secs
+// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
+// When used the tokens refresh will be triggered when 80% of the elapsed
+// time until the actual expiration time is passed.
+const DefaultExpiryWindow = -1
 
 // A IAM retrieves credentials from the EC2 service, and keeps track if
 // those credentials are expired.
@@ -181,10 +184,6 @@ type ec2RoleCredRespBody struct {
 // be sent to fetch the rolling access credentials.
 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
 func getIAMRoleURL(endpoint string) (*url.URL, error) {
-	if endpoint == "" {
-		endpoint = defaultIAMRoleEndpoint
-	}
-
 	u, err := url.Parse(endpoint)
 	if err != nil {
 		return nil, err
@@ -281,6 +280,10 @@ func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
 // If the credentials cannot be found, or there is an error
 // reading the response an error will be returned.
 func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
+	if endpoint == "" {
+		endpoint = defaultIAMRoleEndpoint
+	}
+
 	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
 	token, _ := fetchIMDSToken(client, endpoint)
 

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go

@@ -1,6 +1,6 @@
 /*
  * MinIO Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2019 MinIO, Inc.
+ * Copyright 2019-2021 MinIO, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ package credentials
 import (
 	"encoding/xml"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"time"
@@ -60,26 +61,86 @@ type LDAPIdentity struct {
 
 	// LDAP username/password used to fetch LDAP STS credentials.
 	LDAPUsername, LDAPPassword string
+
+	// Session policy to apply to the generated credentials. Leave empty to
+	// use the full access policy available to the user.
+	Policy string
+
+	// RequestedExpiry is the configured expiry duration for credentials
+	// requested from LDAP.
+	RequestedExpiry time.Duration
 }
 
 // NewLDAPIdentity returns new credentials object that uses LDAP
 // Identity.
-func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string) (*Credentials, error) {
+func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string, optFuncs ...LDAPIdentityOpt) (*Credentials, error) {
+	l := LDAPIdentity{
+		Client:       &http.Client{Transport: http.DefaultTransport},
+		STSEndpoint:  stsEndpoint,
+		LDAPUsername: ldapUsername,
+		LDAPPassword: ldapPassword,
+	}
+	for _, optFunc := range optFuncs {
+		optFunc(&l)
+	}
+	return New(&l), nil
+}
+
+// LDAPIdentityOpt is a function type used to configured the LDAPIdentity
+// instance.
+type LDAPIdentityOpt func(*LDAPIdentity)
+
+// LDAPIdentityPolicyOpt sets the session policy for requested credentials.
+func LDAPIdentityPolicyOpt(policy string) LDAPIdentityOpt {
+	return func(k *LDAPIdentity) {
+		k.Policy = policy
+	}
+}
+
+// LDAPIdentityExpiryOpt sets the expiry duration for requested credentials.
+func LDAPIdentityExpiryOpt(d time.Duration) LDAPIdentityOpt {
+	return func(k *LDAPIdentity) {
+		k.RequestedExpiry = d
+	}
+}
+
+func stripPassword(err error) error {
+	urlErr, ok := err.(*url.Error)
+	if ok {
+		u, _ := url.Parse(urlErr.URL)
+		if u == nil {
+			return urlErr
+		}
+		values := u.Query()
+		values.Set("LDAPPassword", "xxxxx")
+		u.RawQuery = values.Encode()
+		urlErr.URL = u.String()
+		return urlErr
+	}
+	return err
+}
+
+// NewLDAPIdentityWithSessionPolicy returns new credentials object that uses
+// LDAP Identity with a specified session policy. The `policy` parameter must be
+// a JSON string specifying the policy document.
+//
+// DEPRECATED: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
+func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error) {
 	return New(&LDAPIdentity{
 		Client:       &http.Client{Transport: http.DefaultTransport},
 		STSEndpoint:  stsEndpoint,
 		LDAPUsername: ldapUsername,
 		LDAPPassword: ldapPassword,
+		Policy:       policy,
 	}), nil
 }
 
 // Retrieve gets the credential by calling the MinIO STS API for
 // LDAP on the configured stsEndpoint.
 func (k *LDAPIdentity) Retrieve() (value Value, err error) {
-	u, kerr := url.Parse(k.STSEndpoint)
-	if kerr != nil {
-		err = kerr
-		return
+	u, err := url.Parse(k.STSEndpoint)
+	if err != nil {
+		return value, err
 	}
 
 	v := url.Values{}
@@ -87,25 +148,28 @@ func (k *LDAPIdentity) Retrieve() (value Value, err error) {
 	v.Set("Version", STSVersion)
 	v.Set("LDAPUsername", k.LDAPUsername)
 	v.Set("LDAPPassword", k.LDAPPassword)
+	if k.Policy != "" {
+		v.Set("Policy", k.Policy)
+	}
+	if k.RequestedExpiry != 0 {
+		v.Set("DurationSeconds", fmt.Sprintf("%d", int(k.RequestedExpiry.Seconds())))
+	}
 
 	u.RawQuery = v.Encode()
 
-	req, kerr := http.NewRequest(http.MethodPost, u.String(), nil)
-	if kerr != nil {
-		err = kerr
-		return
+	req, err := http.NewRequest(http.MethodPost, u.String(), nil)
+	if err != nil {
+		return value, stripPassword(err)
 	}
 
-	resp, kerr := k.Client.Do(req)
-	if kerr != nil {
-		err = kerr
-		return
+	resp, err := k.Client.Do(req)
+	if err != nil {
+		return value, stripPassword(err)
 	}
 
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		err = errors.New(resp.Status)
-		return
+		return value, errors.New(resp.Status)
 	}
 
 	r := AssumeRoleWithLDAPResponse{}

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go

@@ -54,8 +54,9 @@ type WebIdentityResult struct {
 
 // WebIdentityToken - web identity token with expiry.
 type WebIdentityToken struct {
-	Token  string
-	Expiry int
+	Token       string
+	AccessToken string
+	Expiry      int
 }
 
 // A STSWebIdentity retrieves credentials from MinIO service, and keeps track if
@@ -121,6 +122,10 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 		v.Set("RoleSessionName", roleSessionName)
 	}
 	v.Set("WebIdentityToken", idToken.Token)
+	if idToken.AccessToken != "" {
+		// Usually set when server is using extended userInfo endpoint.
+		v.Set("WebIdentityAccessToken", idToken.AccessToken)
+	}
 	if idToken.Expiry > 0 {
 		v.Set("DurationSeconds", fmt.Sprintf("%d", idToken.Expiry))
 	}