diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go
index bd15d58af..7a90c1802 100644
--- a/cmd/admin-handlers-config-kv.go
+++ b/cmd/admin-handlers-config-kv.go
@@ -49,7 +49,7 @@ func validateAdminReqConfigKV(ctx context.Context, w http.ResponseWriter, r *htt
 }
 // Validate request signature.
- cred, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.ConfigUpdateAdminAction, "")
+ cred, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ConfigUpdateAdminAction, "")
 if adminAPIErr != ErrNone {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return cred, nil
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 8a11ed936..89e9a2d6f 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -42,7 +42,7 @@ func validateAdminUsersReq(ctx context.Context, w http.ResponseWriter, r *http.R
 }
 // Validate request signature.
- cred, adminAPIErr = checkAdminRequestAuthType(ctx, r, action, "")
+ cred, adminAPIErr = checkAdminRequestAuth(ctx, r, action, "")
 if adminAPIErr != ErrNone {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return nil, cred
diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index 95bff82d1..da9e235dd 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -461,8 +461,15 @@ func (a adminAPIHandlers) StartProfilingHandler(w http.ResponseWriter, r *http.R
 defer logger.AuditLog(w, r, "StartProfiling", mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
- if objectAPI == nil {
+ // Validate request signature.
+ _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "")
+ if adminAPIErr != ErrNone {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
+ return
+ }
+
+ if globalNotificationSys == nil {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
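Review bot: The added comment `// Validate request signature.` above the new StartProfilingHandler preamble understates what the call enforces: the rewritten doc comment on checkAdminRequestAuth in this same commit says it performs authentication and authorization, so the line also gates the caller on iampolicy.ProfilingAdminAction, and a reader scanning for the authorization step will not find it. Suggest `// Authenticate the request and authorize it for ProfilingAdminAction.` in place of the added comment. Separately, the hunk drops the objectAPI != nil gate that validateAdminReq supplied and substitutes a globalNotificationSys check; if the remainder of StartProfilingHandler, which continues past the end of the hunk, touches the object layer, that code is now reachable before the object layer is initialized, which is worth confirming. Running the auth check before the initialization check is the right order, since an unauthenticated probe then learns nothing about server state.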
@@ -559,8 +566,15 @@ func (a adminAPIHandlers) DownloadProfilingHandler(w http.ResponseWriter, r *htt
 defer logger.AuditLog(w, r, "DownloadProfiling", mustGetClaimsFromToken(r))
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
- if objectAPI == nil {
+ // Validate request signature.
+ _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "")
+ if adminAPIErr != ErrNone {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
+ return
+ }
+
+ if globalNotificationSys == nil {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
@@ -900,7 +914,7 @@ func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Reques
 }
 // Validate request signature.
- cred, adminAPIErr = checkAdminRequestAuthType(ctx, r, action, "")
+ cred, adminAPIErr = checkAdminRequestAuth(ctx, r, action, "")
 if adminAPIErr != ErrNone {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return nil, cred
@@ -1032,7 +1046,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) {
 trcErr := r.URL.Query().Get("err") == "true"
 // Validate request signature.
- _, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.TraceAdminAction, "")
+ _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.TraceAdminAction, "")
 if adminAPIErr != ErrNone {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return
@@ -1431,7 +1445,7 @@ func (a adminAPIHandlers) BandwidthMonitorHandler(w http.ResponseWriter, r *http
 defer logger.AuditLog(w, r, "BandwidthMonitor", mustGetClaimsFromToken(r))
 // Validate request signature.
- _, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.BandwidthMonitorAction, "")
+ _, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.BandwidthMonitorAction, "")
 if adminAPIErr != ErrNone {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return
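Review bot: The new preamble in DownloadProfilingHandler is a line-for-line copy of the one added to StartProfilingHandler in the previous hunk (same action, same two error responses, same `globalNotificationSys == nil` check), and the two are bound to drift the next time one of them gains a check. The old code shared validateAdminReq for exactly this reason; a small helper that owns the authorization plus readiness check and writes the error itself would keep both profiling handlers to `if !validateProfilingReq(ctx, w, r) { return }`. The comment in the helper should also say that it authorizes ProfilingAdminAction rather than only "validates the signature", which is what checkAdminRequestAuth's new doc comment describes it as doing. DownloadProfilingHandler's body continues past the end of the hunk.
```go
// validateProfilingReq authenticates the request and authorizes it for
// ProfilingAdminAction, then checks that the notification system the
// profiling handlers fan out through is initialized. It writes the
// error response itself and returns false when the caller must stop.
func validateProfilingReq(ctx context.Context, w http.ResponseWriter, r *http.Request) bool {
	_, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ProfilingAdminAction, "")
	if adminAPIErr != ErrNone {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
		return false
	}
	if globalNotificationSys == nil {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return false
	}
	return true
}

// … unchanged: DownloadProfilingHandler up to the AuditLog defer …
	if !validateProfilingReq(ctx, w, r) {
		return
	}
```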
diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index 38971a2e1..97df5d0c7 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -151,9 +151,10 @@ func validateAdminSignature(ctx context.Context, r *http.Request, region string)
 return cred, claims, owner, ErrNone
 }
-// checkAdminRequestAuthType checks whether the request is a valid signature V2 or V4 request.
-// It does not accept presigned or JWT or anonymous requests.
-func checkAdminRequestAuthType(ctx context.Context, r *http.Request, action iampolicy.AdminAction, region string) (auth.Credentials, APIErrorCode) {
+// checkAdminRequestAuth checks for authentication and authorization for the incoming
+// request. It only accepts V2 and V4 requests. Presigned, JWT and anonymous requests
+// are automatically rejected.
+func checkAdminRequestAuth(ctx context.Context, r *http.Request, action iampolicy.AdminAction, region string) (auth.Credentials, APIErrorCode) {
 cred, claims, owner, s3Err := validateAdminSignature(ctx, r, region)
 if s3Err != ErrNone {
 return cred, s3Err
diff --git a/cmd/auth-handler_test.go b/cmd/auth-handler_test.go
index bf27ccfe6..fe735d306 100644
--- a/cmd/auth-handler_test.go
+++ b/cmd/auth-handler_test.go
@@ -421,7 +421,7 @@ func TestCheckAdminRequestAuthType(t *testing.T) {
 }
 ctx := context.Background()
 for i, testCase := range testCases {
- if _, s3Error := checkAdminRequestAuthType(ctx, testCase.Request, iampolicy.AllAdminActions, globalServerRegion); s3Error != testCase.ErrCode {
+ if _, s3Error := checkAdminRequestAuth(ctx, testCase.Request, iampolicy.AllAdminActions, globalServerRegion); s3Error != testCase.ErrCode {
 t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error)
 }
 }
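Review bot: The rewritten doc comment on checkAdminRequestAuth should state what the first return value means on failure, because the early-return path in the hunk, `return cred, s3Err`, hands back whatever validateAdminSignature produced before authorization ran, and callers elsewhere in this commit propagate it (validateAdminReqConfigKV returns `cred, nil` on error). Suggest appending `// The returned credentials are meaningful only when the returned code is ErrNone; callers must not act on them otherwise.` to the comment. "Are automatically rejected" is also vague about where the rejection happens; presumably it is validateAdminSignature, but that is outside the hunk, so naming the check would make the contract verifiable. The function body continues past the end of the hunk.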