fix: sts to return appropriate errors (#9161)
This commit is contained in:
Harshavardhana
GitHub
parent
5b9342d35c
commit
09d35d3b4c
|
|
@ -122,7 +122,8 @@ const (
|
||||||
ErrMissingCredTag
|
ErrMissingCredTag
|
||||||
ErrCredMalformed
|
ErrCredMalformed
|
||||||
ErrInvalidRegion
|
ErrInvalidRegion
|
||||||
ErrInvalidService
|
ErrInvalidServiceS3
|
||||||
|
ErrInvalidServiceSTS
|
||||||
ErrInvalidRequestVersion
|
ErrInvalidRequestVersion
|
||||||
ErrMissingSignTag
|
ErrMissingSignTag
|
||||||
ErrMissingSignHeadersTag
|
ErrMissingSignHeadersTag
|
||||||
|
|
@ -653,9 +654,14 @@ var errorCodes = errorCodeMap{
|
||||||
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
||||||
// right Description: "Error parsing the X-Amz-Credential parameter; incorrect service \"s4\". This endpoint belongs to \"s3\".".
|
// right Description: "Error parsing the X-Amz-Credential parameter; incorrect service \"s4\". This endpoint belongs to \"s3\".".
|
||||||
// Need changes to make sure variable messages can be constructed.
|
// Need changes to make sure variable messages can be constructed.
|
||||||
ErrInvalidService: {
|
ErrInvalidServiceS3: {
|
||||||
Code: "AuthorizationQueryParametersError",
|
Code: "AuthorizationParametersError",
|
||||||
Description: "Error parsing the X-Amz-Credential parameter; incorrect service. This endpoint belongs to \"s3\".",
|
Description: "Error parsing the Credential/X-Amz-Credential parameter; incorrect service. This endpoint belongs to \"s3\".",
|
||||||
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
|
},
|
||||||
|
ErrInvalidServiceSTS: {
|
||||||
|
Code: "AuthorizationParametersError",
|
||||||
|
Description: "Error parsing the Credential parameter; incorrect service. This endpoint belongs to \"sts\".",
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
},
|
},
|
||||||
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
||||||
|
|
|
||||||
|
|
@ -108,7 +108,11 @@ func parseCredentialHeader(credElement string, region string, stype serviceType)
|
||||||
|
|
||||||
}
|
}
|
||||||
if credElements[2] != string(stype) {
|
if credElements[2] != string(stype) {
|
||||||
return ch, ErrInvalidService
|
switch stype {
|
||||||
|
case serviceSTS:
|
||||||
|
return ch, ErrInvalidServiceSTS
|
||||||
|
}
|
||||||
|
return ch, ErrInvalidServiceS3
|
||||||
}
|
}
|
||||||
cred.scope.service = credElements[2]
|
cred.scope.service = credElements[2]
|
||||||
if credElements[3] != "aws4_request" {
|
if credElements[3] != "aws4_request" {
|
||||||
|
|
|
||||||
|
|
@ -151,7 +151,7 @@ func TestParseCredentialHeader(t *testing.T) {
|
||||||
"ABCD",
|
"ABCD",
|
||||||
"ABCD"),
|
"ABCD"),
|
||||||
expectedCredentials: credentialHeader{},
|
expectedCredentials: credentialHeader{},
|
||||||
expectedErrCode: ErrInvalidService,
|
expectedErrCode: ErrInvalidServiceS3,
|
||||||
},
|
},
|
||||||
// Test Case - 7.
|
// Test Case - 7.
|
||||||
// Test case with invalid region.
|
// Test case with invalid region.
|
||||||
|
|
|
||||||
|
|
@ -29,6 +29,14 @@ import (
|
||||||
// writeSTSErrorRespone writes error headers
|
// writeSTSErrorRespone writes error headers
|
||||||
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) {
|
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) {
|
||||||
err := stsErrCodes.ToSTSErr(errCode)
|
err := stsErrCodes.ToSTSErr(errCode)
|
||||||
|
if err.Code == "InternalError" {
|
||||||
|
aerr := getAPIError(APIErrorCode(errCode))
|
||||||
|
if aerr.Code != "InternalError" {
|
||||||
|
err.Code = aerr.Code
|
||||||
|
err.Description = aerr.Description
|
||||||
|
err.HTTPStatusCode = aerr.HTTPStatusCode
|
||||||
|
}
|
||||||
|
}
|
||||||
// Generate error response.
|
// Generate error response.
|
||||||
stsErrorResponse := STSErrorResponse{}
|
stsErrorResponse := STSErrorResponse{}
|
||||||
stsErrorResponse.Error.Code = err.Code
|
stsErrorResponse.Error.Code = err.Code
|
||||||
|
|
@ -73,12 +81,12 @@ type STSErrorCode int
|
||||||
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
|
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
|
||||||
const (
|
const (
|
||||||
ErrSTSNone STSErrorCode = iota
|
ErrSTSNone STSErrorCode = iota
|
||||||
|
ErrSTSInvalidService
|
||||||
ErrSTSAccessDenied
|
ErrSTSAccessDenied
|
||||||
ErrSTSMissingParameter
|
ErrSTSMissingParameter
|
||||||
ErrSTSInvalidParameterValue
|
ErrSTSInvalidParameterValue
|
||||||
ErrSTSWebIdentityExpiredToken
|
ErrSTSWebIdentityExpiredToken
|
||||||
ErrSTSClientGrantsExpiredToken
|
ErrSTSClientGrantsExpiredToken
|
||||||
ErrSTSInvalidAccessKey
|
|
||||||
ErrSTSInvalidClientGrantsToken
|
ErrSTSInvalidClientGrantsToken
|
||||||
ErrSTSMalformedPolicyDocument
|
ErrSTSMalformedPolicyDocument
|
||||||
ErrSTSNotInitialized
|
ErrSTSNotInitialized
|
||||||
|
|
@ -128,11 +136,6 @@ var stsErrCodes = stsErrorCodeMap{
|
||||||
Description: "The client grants token that was passed could not be validated by MinIO.",
|
Description: "The client grants token that was passed could not be validated by MinIO.",
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
},
|
},
|
||||||
ErrSTSInvalidAccessKey: {
|
|
||||||
Code: "InvalidClientTokenId",
|
|
||||||
Description: "The security token included in the request is invalid.",
|
|
||||||
HTTPStatusCode: http.StatusForbidden,
|
|
||||||
},
|
|
||||||
ErrSTSMalformedPolicyDocument: {
|
ErrSTSMalformedPolicyDocument: {
|
||||||
Code: "MalformedPolicyDocument",
|
Code: "MalformedPolicyDocument",
|
||||||
Description: "The request was rejected because the policy document was malformed.",
|
Description: "The request was rejected because the policy document was malformed.",
|
||||||
|
|
|
||||||
|
|
@ -119,17 +119,11 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
|
||||||
case authTypeSigned:
|
case authTypeSigned:
|
||||||
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
|
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
|
||||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||||
if s3Err == ErrInvalidAccessKeyID {
|
|
||||||
return user, ErrSTSInvalidAccessKey
|
|
||||||
}
|
|
||||||
return user, STSErrorCode(s3Err)
|
return user, STSErrorCode(s3Err)
|
||||||
}
|
}
|
||||||
var owner bool
|
var owner bool
|
||||||
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
||||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||||
if s3Err == ErrInvalidAccessKeyID {
|
|
||||||
return user, ErrSTSInvalidAccessKey
|
|
||||||
}
|
|
||||||
return user, STSErrorCode(s3Err)
|
return user, STSErrorCode(s3Err)
|
||||||
}
|
}
|
||||||
// Root credentials are not allowed to use STS API
|
// Root credentials are not allowed to use STS API
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue