Add admin accesskey sts-revoke and idp ldap accesskey sts-revoke (#5160)

taran-p · web-flow · commit 5349af008286 · 2025-03-31T13:55:31.000-07:00
diff --git a/cmd/admin-accesskey-sts-revoke.go b/cmd/admin-accesskey-sts-revoke.go
@@ -0,0 +1,149 @@
+// Copyright (c) 2015-2025 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"github.com/minio/cli"
+	json "github.com/minio/colorjson"
+	"github.com/minio/madmin-go/v3"
+	"github.com/minio/mc/pkg/probe"
+)
+
+var adminAccesskeySTSRevokeFlags = []cli.Flag{
+	cli.BoolFlag{
+		Name:  "all",
+		Usage: "revoke all STS accounts for the specified user",
+	},
+	cli.BoolFlag{
+		Name:  "self",
+		Usage: "revoke all STS accounts for the authenticated user",
+	},
+	cli.StringFlag{
+		Name:  "token-type",
+		Usage: "specify the token type to revoke",
+	},
+}
+
+var adminAccesskeySTSRevokeCmd = cli.Command{
+	Name:         "sts-revoke",
+	Usage:        "revokes all STS accounts or specified types for the specified user",
+	Action:       mainAdminAccesskeySTSRevoke,
+	OnUsageError: onUsageError,
+	Before:       setGlobalsFromContext,
+	Flags:        append(adminAccesskeySTSRevokeFlags, globalFlags...),
+	CustomHelpTemplate: `NAME:
+  {{.HelpName}} - {{.Usage}}
+
+USAGE:
+  {{.HelpName}} ALIAS USER [--all | --token-type TOKEN_TYPE]
+
+  Exactly one of --all or --token-type must be specified.
+
+FLAGS:
+  {{range .VisibleFlags}}{{.}}
+  {{end}}
+EXAMPLES:
+  1. Revoke all STS accounts for user "user1"
+	 {{.Prompt}} {{.HelpName}} myminio user1 --all
+
+  2. Revoke STS accounts of a token type "app-1" for user "user1"
+	 {{.Prompt}} {{.HelpName}} myminio user1 --token-type app-1
+
+  3. Revoke all STS accounts for the authenticated user
+	 {{.Prompt}} {{.HelpName}} myminio --self
+
+  4. Revoke STS accounts of a token type "app-1" for the authenticated user
+	 {{.Prompt}} {{.HelpName}} myminio --self --token-type app-1
+`,
+}
+
+type stsRevokeMessage struct {
+	Status          string `json:"status"`
+	User            string `json:"user"`
+	TokenRevokeType string `json:"tokenRevokeType,omitempty"`
+}
+
+func (m stsRevokeMessage) String() string {
+	userString := "user " + m.User
+	if m.User == "" {
+		userString = "authenticated user"
+	}
+	if m.TokenRevokeType == "" {
+		return "Successfully revoked all STS accounts for " + userString
+	}
+	return "Successfully revoked all STS accounts of type " + m.TokenRevokeType + " for " + userString
+}
+
+func (m stsRevokeMessage) JSON() string {
+	if m.Status == "" {
+		m.Status = "success"
+	}
+	jsonMessageBytes, e := json.MarshalIndent(m, "", " ")
+	fatalIf(probe.NewError(e), "Unable to marshal into JSON.")
+
+	return string(jsonMessageBytes)
+}
+
+// checkSTSRevokeSyntax - validate all the passed arguments
+func checkSTSRevokeSyntax(ctx *cli.Context) {
+	if len(ctx.Args()) > 2 || len(ctx.Args()) == 0 {
+		showCommandHelpAndExit(ctx, 1)
+	}
+
+	if !ctx.Bool("self") && ctx.Args().Get(1) == "" {
+		fatalIf(errInvalidArgument().Trace(), "Must specify user or use --self flag.")
+	}
+
+	if ctx.Bool("self") && ctx.Args().Get(1) != "" {
+		fatalIf(errInvalidArgument().Trace(), "Cannot specify user with --self flag.")
+	}
+
+	if (!ctx.Bool("all") && ctx.String("token-type") == "") || (ctx.Bool("all") && ctx.String("token-type") != "") {
+		fatalIf(errDummy().Trace(), "Exactly one of --all or --token-type must be specified.")
+	}
+}
+
+// mainAdminAccesskeySTSRevoke is the handle for "mc admin accesskey sts-revoke" command.
+func mainAdminAccesskeySTSRevoke(ctx *cli.Context) error {
+	checkSTSRevokeSyntax(ctx)
+
+	// Get the alias parameter from cli
+	args := ctx.Args()
+	aliasedURL := args.Get(0)
+	user := args.Get(1) // will be empty if --self flag is set
+	tokenRevokeType := ctx.String("token-type")
+	fullRevoke := ctx.Bool("all")
+
+	// Create a new MinIO Admin Client
+	client, err := newAdminClient(aliasedURL)
+	fatalIf(err, "Unable to initialize admin connection.")
+
+	e := client.RevokeTokens(globalContext, madmin.RevokeTokensReq{
+		User:            user,
+		TokenRevokeType: tokenRevokeType,
+		FullRevoke:      fullRevoke,
+	})
+	fatalIf(probe.NewError(e).Trace(args...), "Unable to revoke tokens for %s", user)
+
+	printMsg(stsRevokeMessage{
+		User:            user,
+		TokenRevokeType: tokenRevokeType,
+	})
+
+	return nil
+}
diff --git a/cmd/admin-accesskey.go b/cmd/admin-accesskey.go
@@ -27,6 +27,7 @@ var adminAccesskeySubcommands = []cli.Command{
 	adminAccesskeyEditCmd,
 	adminAccesskeyEnableCmd,
 	adminAccesskeyDisableCmd,
+	adminAccesskeySTSRevokeCmd,
 }
 
 var adminAccesskeyCmd = cli.Command{
diff --git a/cmd/auto-complete.go b/cmd/auto-complete.go
@@ -391,16 +391,18 @@ var completeCmds = map[string]complete.Predictor{
 	"/idp/ldap/accesskey/edit":              aliasCompleter,
 	"/idp/ldap/accesskey/enable":            aliasCompleter,
 	"/idp/ldap/accesskey/disable":           aliasCompleter,
-
-	"/admin/accesskey/create":  aliasCompleter,
-	"/admin/accesskey/list":    aliasCompleter,
-	"/admin/accesskey/ls":      aliasCompleter,
-	"/admin/accesskey/remove":  aliasCompleter,
-	"/admin/accesskey/rm":      aliasCompleter,
-	"/admin/accesskey/info":    aliasCompleter,
-	"/admin/accesskey/edit":    aliasCompleter,
-	"/admin/accesskey/enable":  aliasCompleter,
-	"/admin/accesskey/disable": aliasCompleter,
+	"/idp/ldap/accesskey/sts-revoke":        aliasCompleter,
+
+	"/admin/accesskey/create":     aliasCompleter,
+	"/admin/accesskey/list":       aliasCompleter,
+	"/admin/accesskey/ls":         aliasCompleter,
+	"/admin/accesskey/remove":     aliasCompleter,
+	"/admin/accesskey/rm":         aliasCompleter,
+	"/admin/accesskey/info":       aliasCompleter,
+	"/admin/accesskey/edit":       aliasCompleter,
+	"/admin/accesskey/enable":     aliasCompleter,
+	"/admin/accesskey/disable":    aliasCompleter,
+	"/admin/accesskey/sts-revoke": aliasCompleter,
 
 	"/admin/policy/info":     aliasCompleter,
 	"/admin/policy/update":   aliasCompleter,
diff --git a/cmd/idp-ldap-accesskey-sts-revoke.go b/cmd/idp-ldap-accesskey-sts-revoke.go
@@ -0,0 +1,90 @@
+// Copyright (c) 2015-2025 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"github.com/minio/cli"
+	"github.com/minio/madmin-go/v3"
+	"github.com/minio/mc/pkg/probe"
+)
+
+var idpLdapAccesskeySTSRevokeCmd = cli.Command{
+	Name:         "sts-revoke",
+	Usage:        "revokes all STS accounts or specified types for the specified user",
+	Action:       mainIdpLdapAccesskeySTSRevoke,
+	OnUsageError: onUsageError,
+	Before:       setGlobalsFromContext,
+	Flags:        append(adminAccesskeySTSRevokeFlags, globalFlags...),
+	CustomHelpTemplate: `NAME:
+  {{.HelpName}} - {{.Usage}}
+
+USAGE:
+  {{.HelpName}} ALIAS USER [--all | --token-type TOKEN_TYPE]
+
+  Exactly one of --all or --token-type must be specified.
+
+FLAGS:
+  {{range .VisibleFlags}}{{.}}
+  {{end}}
+EXAMPLES:
+  1. Revoke all STS accounts for LDAP user 'bobfisher'
+	 {{.Prompt}} {{.HelpName}} myminio uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io --all
+
+  2. Revoke all STS accounts for LDAP user 'bobfisher' (alt)
+	 {{.Prompt}} {{.HelpName}} myminio bobfisher --all
+
+  3. Revoke STS accounts of a token type 'app-1' for user 'user1'
+	 {{.Prompt}} {{.HelpName}} myminio user1 --token-type app-1
+
+  4. Revoke all STS accounts for the authenticated user (must be LDAP service account)
+	 {{.Prompt}} {{.HelpName}} myminio --self
+
+  5. Revoke STS accounts of a token type 'app-1' for the authenticated user (must be LDAP service account)
+	 {{.Prompt}} {{.HelpName}} myminio --self --token-type app-1
+`,
+}
+
+// mainIdpLdapAccesskeySTSRevoke is the handle for "mc idp ldap accesskey sts-revoke" command.
+func mainIdpLdapAccesskeySTSRevoke(ctx *cli.Context) error {
+	checkSTSRevokeSyntax(ctx)
+
+	// Get the alias parameter from cli
+	args := ctx.Args()
+	aliasedURL := args.Get(0)
+	user := args.Get(1) // will be empty if --self flag is set
+	tokenRevokeType := ctx.String("token-type")
+	fullRevoke := ctx.Bool("all")
+
+	// Create a new MinIO Admin Client
+	client, err := newAdminClient(aliasedURL)
+	fatalIf(err, "Unable to initialize admin connection.")
+
+	e := client.RevokeTokens(globalContext, madmin.RevokeTokensReq{
+		User:            user,
+		TokenRevokeType: tokenRevokeType,
+		FullRevoke:      fullRevoke,
+	})
+	fatalIf(probe.NewError(e).Trace(args...), "Unable to revoke tokens for %s", user)
+
+	printMsg(stsRevokeMessage{
+		User:            user,
+		TokenRevokeType: tokenRevokeType,
+	})
+
+	return nil
+}
diff --git a/cmd/idp-ldap-accesskey.go b/cmd/idp-ldap-accesskey.go
@@ -28,6 +28,7 @@ var idpLdapAccesskeySubcommands = []cli.Command{
 	idpLdapAccesskeyEditCmd,
 	idpLdapAccesskeyEnableCmd,
 	idpLdapAccesskeyDisableCmd,
+	idpLdapAccesskeySTSRevokeCmd,
 }
 
 var idpLdapAccesskeyCmd = cli.Command{
diff --git a/go.mod b/go.mod
@@ -4,6 +4,8 @@ go 1.23.0
 
 toolchain go1.23.6
 
+replace github.com/minio/madmin-go/v3 => github.com/minio/madmin-go/v3 v3.0.100-0.20250319234114-3c39f28946cb
+
 require (
 	github.com/charmbracelet/bubbles v0.20.0
 	github.com/charmbracelet/bubbletea v1.3.4
diff --git a/go.sum b/go.sum
@@ -142,8 +142,8 @@ github.com/minio/crc64nvme v1.0.1 h1:DHQPrYPdqK7jQG/Ls5CTBZWeex/2FMS3G5XGkycuFrY
 github.com/minio/crc64nvme v1.0.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/filepath v1.0.0 h1:fvkJu1+6X+ECRA6G3+JJETj4QeAYO9sV43I79H8ubDY=
 github.com/minio/filepath v1.0.0/go.mod h1:/nRZA2ldl5z6jT9/KQuvZcQlxZIMQoFFQPvEXx9T/Bw=
-github.com/minio/madmin-go/v3 v3.0.97 h1:P7XO+ofPexkXy9akxG9Xoif1zIkbmWKeKtG3AquVzEY=
-github.com/minio/madmin-go/v3 v3.0.97/go.mod h1:pMLdj9OtN0CANNs5tdm6opvOlDFfj0WhbztboZAjRWE=
+github.com/minio/madmin-go/v3 v3.0.100-0.20250319234114-3c39f28946cb h1:J+db7F8JuJDR/lqco4XHLtM5gErYkSYXwR+X4hfjl3Q=
+github.com/minio/madmin-go/v3 v3.0.100-0.20250319234114-3c39f28946cb/go.mod h1:pMLdj9OtN0CANNs5tdm6opvOlDFfj0WhbztboZAjRWE=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
 github.com/minio/minio-go/v7 v7.0.88 h1:v8MoIJjwYxOkehp+eiLIuvXk87P2raUtoU5klrAAshs=

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ var adminAccesskeySubcommands = []cli.Command{`
`27`	`27`	`adminAccesskeyEditCmd,`
`28`	`28`	`adminAccesskeyEnableCmd,`
`29`	`29`	`adminAccesskeyDisableCmd,`
	`30`	`+ adminAccesskeySTSRevokeCmd,`
`30`	`31`	`}`
`31`	`32`
`32`	`33`	`var adminAccesskeyCmd = cli.Command{`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ var idpLdapAccesskeySubcommands = []cli.Command{`
`28`	`28`	`idpLdapAccesskeyEditCmd,`
`29`	`29`	`idpLdapAccesskeyEnableCmd,`
`30`	`30`	`idpLdapAccesskeyDisableCmd,`
	`31`	`+ idpLdapAccesskeySTSRevokeCmd,`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`var idpLdapAccesskeyCmd = cli.Command{`