2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
2018-10-09 17:00:01 -04:00
package cmd
import (
2019-09-30 17:05:19 -04:00
"context"
2018-10-09 17:00:01 -04:00
"encoding/xml"
"net/http"
2019-07-03 01:34:32 -04:00
2021-06-01 17:59:40 -04:00
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
2018-10-09 17:00:01 -04:00
)
// writeSTSErrorRespone writes error headers
2023-04-06 01:19:31 -04:00
func writeSTSErrorResponse ( ctx context . Context , w http . ResponseWriter , errCode STSErrorCode , errCtxt error ) {
err := stsErrCodes . ToSTSErr ( errCode )
2018-10-09 17:00:01 -04:00
// Generate error response.
2019-09-30 17:05:19 -04:00
stsErrorResponse := STSErrorResponse { }
stsErrorResponse . Error . Code = err . Code
stsErrorResponse . RequestID = w . Header ( ) . Get ( xhttp . AmzRequestID )
stsErrorResponse . Error . Message = err . Description
if errCtxt != nil {
2020-08-24 15:11:20 -04:00
stsErrorResponse . Error . Message = errCtxt . Error ( )
2019-09-30 17:05:19 -04:00
}
2019-10-11 21:50:54 -04:00
switch errCode {
2022-06-11 15:55:32 -04:00
case ErrSTSInternalError , ErrSTSNotInitialized , ErrSTSUpstreamError :
logger . LogIf ( ctx , errCtxt , logger . Minio )
2019-10-11 21:50:54 -04:00
}
2018-10-09 17:00:01 -04:00
encodedErrorResponse := encodeResponse ( stsErrorResponse )
2019-02-14 20:54:33 -05:00
writeResponse ( w , err . HTTPStatusCode , encodedErrorResponse , mimeXML )
2018-10-09 17:00:01 -04:00
}
// STSError structure
type STSError struct {
Code string
Description string
HTTPStatusCode int
}
// STSErrorResponse - error response format
type STSErrorResponse struct {
XMLName xml . Name ` xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-" `
Error struct {
Type string ` xml:"Type" `
Code string ` xml:"Code" `
Message string ` xml:"Message" `
} ` xml:"Error" `
RequestID string ` xml:"RequestId" `
}
// STSErrorCode type of error status.
type STSErrorCode int
2021-03-31 12:30:52 -04:00
//go:generate stringer -type=STSErrorCode -trimprefix=Err $GOFILE
2018-10-09 17:00:01 -04:00
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
const (
ErrSTSNone STSErrorCode = iota
2019-02-27 20:46:55 -05:00
ErrSTSAccessDenied
2018-10-09 17:00:01 -04:00
ErrSTSMissingParameter
ErrSTSInvalidParameterValue
2019-01-04 16:48:12 -05:00
ErrSTSWebIdentityExpiredToken
2018-10-09 17:00:01 -04:00
ErrSTSClientGrantsExpiredToken
ErrSTSInvalidClientGrantsToken
ErrSTSMalformedPolicyDocument
2021-09-07 22:03:48 -04:00
ErrSTSInsecureConnection
ErrSTSInvalidClientCertificate
2018-10-09 17:00:01 -04:00
ErrSTSNotInitialized
2022-05-26 20:58:09 -04:00
ErrSTSUpstreamError
2018-10-09 17:00:01 -04:00
ErrSTSInternalError
)
2019-02-14 20:54:33 -05:00
type stsErrorCodeMap map [ STSErrorCode ] STSError
func ( e stsErrorCodeMap ) ToSTSErr ( errCode STSErrorCode ) STSError {
apiErr , ok := e [ errCode ]
if ! ok {
return e [ ErrSTSInternalError ]
}
return apiErr
}
2018-10-09 17:00:01 -04:00
// error code to STSError structure, these fields carry respective
// descriptions for all the error responses.
2019-02-14 20:54:33 -05:00
var stsErrCodes = stsErrorCodeMap {
2019-02-27 20:46:55 -05:00
ErrSTSAccessDenied : {
Code : "AccessDenied" ,
Description : "Generating temporary credentials not allowed for this request." ,
HTTPStatusCode : http . StatusForbidden ,
} ,
2018-10-09 17:00:01 -04:00
ErrSTSMissingParameter : {
Code : "MissingParameter" ,
Description : "A required parameter for the specified action is not supplied." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
ErrSTSInvalidParameterValue : {
Code : "InvalidParameterValue" ,
Description : "An invalid or out-of-range value was supplied for the input parameter." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
2019-01-04 16:48:12 -05:00
ErrSTSWebIdentityExpiredToken : {
Code : "ExpiredToken" ,
Description : "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
2018-10-09 17:00:01 -04:00
ErrSTSClientGrantsExpiredToken : {
Code : "ExpiredToken" ,
2019-01-04 16:48:12 -05:00
Description : "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request." ,
2018-10-09 17:00:01 -04:00
HTTPStatusCode : http . StatusBadRequest ,
} ,
ErrSTSInvalidClientGrantsToken : {
Code : "InvalidClientGrantsToken" ,
2019-04-09 14:39:42 -04:00
Description : "The client grants token that was passed could not be validated by MinIO." ,
2018-10-09 17:00:01 -04:00
HTTPStatusCode : http . StatusBadRequest ,
} ,
ErrSTSMalformedPolicyDocument : {
Code : "MalformedPolicyDocument" ,
Description : "The request was rejected because the policy document was malformed." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
2021-09-07 22:03:48 -04:00
ErrSTSInsecureConnection : {
Code : "InsecureConnection" ,
Description : "The request was made over a plain HTTP connection. A TLS connection is required." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
ErrSTSInvalidClientCertificate : {
Code : "InvalidClientCertificate" ,
Description : "The provided client certificate is invalid. Retry with a different certificate." ,
HTTPStatusCode : http . StatusBadRequest ,
} ,
2018-10-09 17:00:01 -04:00
ErrSTSNotInitialized : {
Code : "STSNotInitialized" ,
Description : "STS API not initialized, please try again." ,
HTTPStatusCode : http . StatusServiceUnavailable ,
} ,
2022-05-26 20:58:09 -04:00
ErrSTSUpstreamError : {
Code : "InternalError" ,
Description : "An upstream service required for this operation failed - please try again or contact an administrator." ,
HTTPStatusCode : http . StatusInternalServerError ,
} ,
2018-10-09 17:00:01 -04:00
ErrSTSInternalError : {
Code : "InternalError" ,
Description : "We encountered an internal error generating credentials, please try again." ,
HTTPStatusCode : http . StatusInternalServerError ,
} ,
}