From 07c5e72cdb8657a016ca28faa3d365115b937e71 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Mon, 15 Nov 2021 14:14:22 -0800
Subject: [PATCH] add thread context in surrounding function into IAM functions (#13658)
---
 cmd/admin-handlers-users.go | 28 +++++------
 cmd/iam-store.go | 2 +-
 cmd/iam.go | 90 +++++++++++++++++-----------------
 cmd/jwt.go | 7 +-
 cmd/peer-rest-server.go | 14 +++---
 cmd/signature-v4-utils.go | 2 +-
 cmd/signature-v4-utils_test.go | 2 +-
 cmd/site-replication.go | 10 ++--
 cmd/sts-handlers.go | 8 +--
 9 files changed, 82 insertions(+), 81 deletions(-)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 5483c30ed..f50b4832c 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -58,7 +58,7 @@ func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
 return
 }
- if err := globalIAMSys.DeleteUser(accessKey); err != nil {
+ if err := globalIAMSys.DeleteUser(ctx, accessKey); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
@@ -191,7 +191,7 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 }
 }
- userInfo, err := globalIAMSys.GetUserInfo(name)
+ userInfo, err := globalIAMSys.GetUserInfo(ctx, name)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
@@ -231,9 +231,9 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
 }
 if updReq.IsRemove {
- err = globalIAMSys.RemoveUsersFromGroup(updReq.Group, updReq.Members)
+ err = globalIAMSys.RemoveUsersFromGroup(ctx, updReq.Group, updReq.Members)
 } else {
- err = globalIAMSys.AddUsersToGroup(updReq.Group, updReq.Members)
+ err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
 }
 if err != nil {
@@ -292,7 +292,7 @@ func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
 return
 }
- groups, err := globalIAMSys.ListGroups()
+ groups, err := globalIAMSys.ListGroups(ctx)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
@@ -324,9 +324,9 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
 var err error
 if status == statusEnabled {
- err = globalIAMSys.SetGroupStatus(group, true)
+ err = globalIAMSys.SetGroupStatus(ctx, group, true)
 } else if status == statusDisabled {
- err = globalIAMSys.SetGroupStatus(group, false)
+ err = globalIAMSys.SetGroupStatus(ctx, group, false)
 } else {
 err = errInvalidArgument
 }
@@ -367,7 +367,7 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
 return
 }
- if err := globalIAMSys.SetUserStatus(accessKey, madmin.AccountStatus(status)); err != nil {
+ if err := globalIAMSys.SetUserStatus(ctx, accessKey, madmin.AccountStatus(status)); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
@@ -477,7 +477,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
 return
 }
- if err = globalIAMSys.CreateUser(accessKey, uinfo); err != nil {
+ if err = globalIAMSys.CreateUser(ctx, accessKey, uinfo); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
@@ -1304,7 +1304,7 @@ func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Requ
 }
 bucket := mux.Vars(r)["bucket"]
- policies, err := globalIAMSys.ListPolicies(bucket)
+ policies, err := globalIAMSys.ListPolicies(ctx, bucket)
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
@@ -1336,7 +1336,7 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ
 return
 }
- policies, err := globalIAMSys.ListPolicies("")
+ policies, err := globalIAMSys.ListPolicies(ctx, "")
 if err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
@@ -1371,7 +1371,7 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ
 vars := mux.Vars(r)
 policyName := vars["name"]
- if err := globalIAMSys.DeletePolicy(policyName); err != nil {
+ if err := globalIAMSys.DeletePolicy(ctx, policyName); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
@@ -1439,7 +1439,7 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
 return
 }
- if err = globalIAMSys.SetPolicy(policyName, *iamPolicy); err != nil {
+ if err = globalIAMSys.SetPolicy(ctx, policyName, *iamPolicy); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
@@ -1494,7 +1494,7 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http
 }
 }
- if err := globalIAMSys.PolicyDBSet(entityName, policyName, isGroup); err != nil {
+ if err := globalIAMSys.PolicyDBSet(ctx, entityName, policyName, isGroup); err != nil {
 writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 return
 }
diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index f41e3cc83..bccc2207c 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1353,7 +1353,7 @@ func (store *IAMStoreSys) SetTempUser(ctx context.Context, accessKey string, cre
 }
 u := newUserIdentity(cred)
- err := store.saveUserIdentity(context.Background(), accessKey, stsUser, u, options{ttl: ttl})
+ err := store.saveUserIdentity(ctx, accessKey, stsUser, u, options{ttl: ttl})
 if err != nil {
 return err
 }
diff --git a/cmd/iam.go b/cmd/iam.go
index 4d6fa54dd..42ec9ba31 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -87,26 +87,26 @@ const (
 // storage, it is removed from in-memory maps as well - this
 // simplifies the implementation for group removal. This is called
 // only via IAM notifications.
-func (sys *IAMSys) LoadGroup(objAPI ObjectLayer, group string) error {
+func (sys *IAMSys) LoadGroup(ctx context.Context, objAPI ObjectLayer, group string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.GroupNotificationHandler(context.Background(), group)
+ return sys.store.GroupNotificationHandler(ctx, group)
 }
 // LoadPolicy - reloads a specific canned policy from backend disks or etcd.
-func (sys *IAMSys) LoadPolicy(objAPI ObjectLayer, policyName string) error {
+func (sys *IAMSys) LoadPolicy(ctx context.Context, objAPI ObjectLayer, policyName string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.PolicyNotificationHandler(context.Background(), policyName)
+ return sys.store.PolicyNotificationHandler(ctx, policyName)
 }
 // LoadPolicyMapping - loads the mapped policy for a user or group
 // from storage into server memory.
-func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isGroup bool) error {
+func (sys *IAMSys) LoadPolicyMapping(ctx context.Context, objAPI ObjectLayer, userOrGroup string, isGroup bool) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
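Review bot: Since the signatures of LoadGroup and LoadPolicy are being changed anyway, the `objAPI ObjectLayer` parameter could be dropped in the same pass: in both bodies visible here it is never read — each only checks `sys.Initialized()` and forwards `ctx` plus the name to the store's notification handler. Carrying an unused parameter through a signature change invites the wrong assumption that these loaders touch the object layer directly. If it stays for call-site symmetry with LoadUser/LoadPolicyMapping, a one-line comment saying so is enough; otherwise `func (sys *IAMSys) LoadGroup(ctx context.Context, group string) error` with the matching edits in peer-rest-server.go. LoadPolicyMapping's body continues past the end of the hunk, so I cannot tell whether it uses objAPI.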
@@ -117,25 +117,25 @@ func (sys *IAMSys) LoadPolicyMapping(objAPI ObjectLayer, userOrGroup string, isG
 userType = stsUser
 }
- return sys.store.PolicyMappingNotificationHandler(context.Background(), userOrGroup, isGroup, userType)
+ return sys.store.PolicyMappingNotificationHandler(ctx, userOrGroup, isGroup, userType)
 }
 // LoadUser - reloads a specific user from backend disks or etcd.
-func (sys *IAMSys) LoadUser(objAPI ObjectLayer, accessKey string, userType IAMUserType) error {
+func (sys *IAMSys) LoadUser(ctx context.Context, objAPI ObjectLayer, accessKey string, userType IAMUserType) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.UserNotificationHandler(context.Background(), accessKey, userType)
+ return sys.store.UserNotificationHandler(ctx, accessKey, userType)
 }
 // LoadServiceAccount - reloads a specific service account from backend disks or etcd.
-func (sys *IAMSys) LoadServiceAccount(accessKey string) error {
+func (sys *IAMSys) LoadServiceAccount(ctx context.Context, accessKey string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.UserNotificationHandler(context.Background(), accessKey, svcUser)
+ return sys.store.UserNotificationHandler(ctx, accessKey, svcUser)
 }
 // Perform IAM configuration migration.
@@ -338,7 +338,7 @@ func (sys *IAMSys) watch(ctx context.Context) {
 }
 }
-func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEvent) (err error) {
+func (sys *IAMSys) loadWatchedEvent(ctx context.Context, event iamWatchEvent) (err error) {
 usersPrefix := strings.HasPrefix(event.keyPath, iamConfigUsersPrefix)
 groupsPrefix := strings.HasPrefix(event.keyPath, iamConfigGroupsPrefix)
 stsPrefix := strings.HasPrefix(event.keyPath, iamConfigSTSPrefix)
@@ -348,7 +348,7 @@ func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEven
 policyDBSTSUsersPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBSTSUsersPrefix)
 policyDBGroupsPrefix := strings.HasPrefix(event.keyPath, iamConfigPolicyDBGroupsPrefix)
- ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout)
+ ctx, cancel := context.WithTimeout(ctx, defaultContextTimeout)
 defer cancel()
 if event.isCreated {
@@ -417,12 +417,12 @@ func (sys *IAMSys) loadWatchedEvent(outerCtx context.Context, event iamWatchEven
 }
 // DeletePolicy - deletes a canned policy from backend or etcd.
-func (sys *IAMSys) DeletePolicy(policyName string) error {
+func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.DeletePolicy(context.Background(), policyName)
+ return sys.store.DeletePolicy(ctx, policyName)
 }
 // InfoPolicy - expands the canned policy into its JSON structure.
@@ -435,32 +435,32 @@ func (sys *IAMSys) InfoPolicy(policyName string) (iampolicy.Policy, error) {
 }
 // ListPolicies - lists all canned policies.
-func (sys *IAMSys) ListPolicies(bucketName string) (map[string]iampolicy.Policy, error) {
+func (sys *IAMSys) ListPolicies(ctx context.Context, bucketName string) (map[string]iampolicy.Policy, error) {
 if !sys.Initialized() {
 return nil, errServerNotInitialized
 }
 <-sys.configLoaded
- return sys.store.ListPolicies(context.Background(), bucketName)
+ return sys.store.ListPolicies(ctx, bucketName)
 }
 // SetPolicy - sets a new named policy.
-func (sys *IAMSys) SetPolicy(policyName string, p iampolicy.Policy) error {
+func (sys *IAMSys) SetPolicy(ctx context.Context, policyName string, p iampolicy.Policy) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.SetPolicy(context.Background(), policyName, p)
+ return sys.store.SetPolicy(ctx, policyName, p)
 }
 // DeleteUser - delete user (only for long-term users not STS users).
-func (sys *IAMSys) DeleteUser(accessKey string) error {
+func (sys *IAMSys) DeleteUser(ctx context.Context, accessKey string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
- return sys.store.DeleteUser(context.Background(), accessKey, regUser)
+ return sys.store.DeleteUser(ctx, accessKey, regUser)
 }
 // CurrentPolicies - returns comma separated policy string, from
@@ -476,7 +476,7 @@ func (sys *IAMSys) CurrentPolicies(policyName string) string {
 }
 // SetTempUser - set temporary user credentials, these credentials have an expiry.
-func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyName string) error {
+func (sys *IAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
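Review bot: `<-sys.configLoaded` in ListPolicies still blocks unconditionally even though the function now receives a ctx, so an admin request whose context is cancelled or times out before the IAM configuration has finished loading keeps its goroutine parked until the load completes and only then hits the store with an already-dead ctx. Honouring cancellation is a one-line change: `select { case <-sys.configLoaded: case <-ctx.Done(): return nil, ctx.Err() }`. ListGroups further down in this file has the same wait and would benefit from the same treatment. How long `configLoaded` can stay open on a large deployment is not visible here, so I would confirm that before treating this as more than a tidy-up.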
@@ -486,7 +486,7 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
 policyName = ""
 }
- return sys.store.SetTempUser(context.Background(), accessKey, cred, policyName)
+ return sys.store.SetTempUser(ctx, accessKey, cred, policyName)
 }
 // ListBucketUsers - list all users who can access this 'bucket'
@@ -548,7 +548,7 @@ func (sys *IAMSys) IsServiceAccount(name string) (bool, string, error) {
 }
 // GetUserInfo - get info on a user.
-func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
+func (sys *IAMSys) GetUserInfo(ctx context.Context, name string) (u madmin.UserInfo, err error) {
 if !sys.Initialized() {
 return u, errServerNotInitialized
 }
@@ -556,14 +556,14 @@ func (sys *IAMSys) GetUserInfo(name string) (u madmin.UserInfo, err error) {
 select {
 case <-sys.configLoaded:
 default:
- sys.store.LoadUser(context.Background(), name)
+ sys.store.LoadUser(ctx, name)
 }
 return sys.store.GetUserInfo(name)
 }
 // SetUserStatus - sets current user status, supports disabled or enabled.
-func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus) error {
+func (sys *IAMSys) SetUserStatus(ctx context.Context, accessKey string, status madmin.AccountStatus) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -572,7 +572,7 @@ func (sys *IAMSys) SetUserStatus(accessKey string, status madmin.AccountStatus)
 return errIAMActionNotAllowed
 }
- return sys.store.SetUserStatus(context.Background(), accessKey, status)
+ return sys.store.SetUserStatus(ctx, accessKey, status)
 }
 type newServiceAccountOpts struct {
@@ -756,7 +756,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string) e
 // CreateUser - create new user credentials and policy, if user already exists
 // they shall be rewritten with new inputs.
-func (sys *IAMSys) CreateUser(accessKey string, uinfo madmin.UserInfo) error {
+func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmin.UserInfo) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -773,11 +773,11 @@ func (sys *IAMSys) CreateUser(accessKey string, uinfo madmin.UserInfo) error {
 return auth.ErrInvalidSecretKeyLength
 }
- return sys.store.AddUser(context.Background(), accessKey, uinfo)
+ return sys.store.AddUser(ctx, accessKey, uinfo)
 }
 // SetUserSecretKey - sets user secret key
-func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
+func (sys *IAMSys) SetUserSecretKey(ctx context.Context, accessKey string, secretKey string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -794,7 +794,7 @@ func (sys *IAMSys) SetUserSecretKey(accessKey string, secretKey string) error {
 return auth.ErrInvalidSecretKeyLength
 }
- return sys.store.UpdateUserSecretKey(context.Background(), accessKey, secretKey)
+ return sys.store.UpdateUserSecretKey(ctx, accessKey, secretKey)
 }
 // purgeExpiredCredentialsForExternalSSO - validates if local credentials are still valid
@@ -919,7 +919,7 @@ func (sys *IAMSys) updateGroupMembershipsForLDAP(ctx context.Context) {
 }
 // GetUser - get user credentials
-func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
+func (sys *IAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Credentials, ok bool) {
 if !sys.Initialized() {
 return cred, false
 }
@@ -928,7 +928,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 select {
 case <-sys.configLoaded:
 default:
- sys.store.LoadUser(context.Background(), accessKey)
+ sys.store.LoadUser(ctx, accessKey)
 fallback = true
 }
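Review bot: The error from `sys.store.LoadUser(ctx, accessKey)` in the `default:` branch is still discarded, and the request-scoped ctx makes that more consequential than before: a load that fails only because the caller's context was cancelled or timed out now falls through to a lookup that reports the key as unknown, indistinguishable from a genuinely invalid access key and with nothing in the log. Failing closed is the right outcome, but since GetUser sits on the request-signature path (checkKeyValid in signature-v4-utils.go) an operator chasing spurious InvalidAccessKeyId responses needs the cause recorded: `if err := sys.store.LoadUser(ctx, accessKey); err != nil { logger.LogIf(ctx, err) }`. GetUser's body continues into the following hunks.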
@@ -940,7 +940,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 // the IAM store and see if credential
 // exists now. If it doesn't proceed to
 // fail.
- sys.store.LoadUser(context.Background(), accessKey)
+ sys.store.LoadUser(ctx, accessKey)
 cred, ok = sys.store.GetUser(accessKey)
 }
@@ -949,14 +949,14 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 policies, err := sys.store.PolicyDBGet(cred.AccessKey, false)
 if err != nil {
 // Reject if the policy map for user doesn't exist anymore.
- logger.LogIf(context.Background(), fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
+ logger.LogIf(ctx, fmt.Errorf("'%s' user does not have a policy present", cred.ParentUser))
 return auth.Credentials{}, false
 }
 for _, group := range cred.Groups {
 ps, err := sys.store.PolicyDBGet(group, true)
 if err != nil {
 // Reject if the policy map for group doesn't exist anymore.
- logger.LogIf(context.Background(), fmt.Errorf("'%s' group does not have a policy present", group))
+ logger.LogIf(ctx, fmt.Errorf("'%s' group does not have a policy present", group))
 return auth.Credentials{}, false
 }
 policies = append(policies, ps...)
@@ -969,7 +969,7 @@ func (sys *IAMSys) GetUser(accessKey string) (cred auth.Credentials, ok bool) {
 // AddUsersToGroup - adds users to a group, creating the group if
 // needed. No error if user(s) already are in the group.
-func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
+func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
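Review bot: The policy lookup two lines above the changed `logger.LogIf` is keyed by `cred.AccessKey`, but the error it logs names `cred.ParentUser`; for a credential whose ParentUser is empty the log reads `'' user does not have a policy present`, which is useless to anyone diagnosing an unexpected credential rejection on the auth path. If the store resolves service-account and STS keys to their parent internally this may be deliberate, but the message should still say what was looked up, e.g. `fmt.Errorf("'%s' user (parent '%s') does not have a policy present", cred.AccessKey, cred.ParentUser)`. The enclosing `if` that decides which credential types reach this branch starts before the hunk, so I cannot confirm which ones do.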
@@ -978,12 +978,12 @@ func (sys *IAMSys) AddUsersToGroup(group string, members []string) error {
 return errIAMActionNotAllowed
 }
- return sys.store.AddUsersToGroup(context.Background(), group, members)
+ return sys.store.AddUsersToGroup(ctx, group, members)
 }
 // RemoveUsersFromGroup - remove users from group. If no users are
 // given, and the group is empty, deletes the group as well.
-func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
+func (sys *IAMSys) RemoveUsersFromGroup(ctx context.Context, group string, members []string) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -992,11 +992,11 @@ func (sys *IAMSys) RemoveUsersFromGroup(group string, members []string) error {
 return errIAMActionNotAllowed
 }
- return sys.store.RemoveUsersFromGroup(context.Background(), group, members)
+ return sys.store.RemoveUsersFromGroup(ctx, group, members)
 }
 // SetGroupStatus - enable/disabled a group
-func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
+func (sys *IAMSys) SetGroupStatus(ctx context.Context, group string, enabled bool) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -1005,7 +1005,7 @@ func (sys *IAMSys) SetGroupStatus(group string, enabled bool) error {
 return errIAMActionNotAllowed
 }
- return sys.store.SetGroupStatus(context.Background(), group, enabled)
+ return sys.store.SetGroupStatus(ctx, group, enabled)
 }
 // GetGroupDescription - builds up group description
@@ -1018,18 +1018,18 @@ func (sys *IAMSys) GetGroupDescription(group string) (gd madmin.GroupDesc, err e
 }
 // ListGroups - lists groups.
-func (sys *IAMSys) ListGroups() (r []string, err error) {
+func (sys *IAMSys) ListGroups(ctx context.Context) (r []string, err error) {
 if !sys.Initialized() {
 return r, errServerNotInitialized
 }
 <-sys.configLoaded
- return sys.store.ListGroups(context.Background())
+ return sys.store.ListGroups(ctx)
 }
 // PolicyDBSet - sets a policy for a user or group in the PolicyDB.
-func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
+func (sys *IAMSys) PolicyDBSet(ctx context.Context, name, policy string, isGroup bool) error {
 if !sys.Initialized() {
 return errServerNotInitialized
 }
@@ -1040,7 +1040,7 @@ func (sys *IAMSys) PolicyDBSet(name, policy string, isGroup bool) error {
 userType = stsUser
 }
- return sys.store.PolicyDBSet(context.Background(), name, policy, userType, isGroup)
+ return sys.store.PolicyDBSet(ctx, name, policy, userType, isGroup)
 }
 // PolicyDBGet - gets policy set on a user or group. If a list of groups is
diff --git a/cmd/jwt.go b/cmd/jwt.go
index a8d409576..172dbb777 100644
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -18,6 +18,7 @@ package cmd
 import (
+ "context"
 "errors"
 "net/http"
 "time"
@@ -62,7 +63,7 @@ func authenticateJWTUsersWithCredentials(credentials auth.Credentials, expiresAt
 serverCred := globalActiveCred
 if serverCred.AccessKey != credentials.AccessKey {
 var ok bool
- serverCred, ok = globalIAMSys.GetUser(credentials.AccessKey)
+ serverCred, ok = globalIAMSys.GetUser(context.TODO(), credentials.AccessKey)
 if !ok {
 return "", errInvalidAccessKeyID
 }
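Review bot: `context.TODO()` in authenticateJWTUsersWithCredentials leaves the JWT login path as the one caller that does not get what this commit sets out to provide: GetUser now uses its ctx for the fallback `store.LoadUser` and for `logger.LogIf`, so this call carries no cancellation and its log lines lack the request-scoped fields the other callers now supply. Threading a context through the function and its callers, `func authenticateJWTUsersWithCredentials(ctx context.Context, credentials auth.Credentials, expiresAt ...)`, would finish the job; if that is deferred on purpose, a short `// TODO: plumb the request context from the caller` next to the call records the intent for the next reader. The function's full signature and its call sites are outside the hunk, so I cannot judge how much plumbing that involves.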
@@ -114,7 +115,7 @@ func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) {
 if claims.AccessKey == globalActiveCred.AccessKey {
 return []byte(globalActiveCred.SecretKey), nil
 }
- cred, ok := globalIAMSys.GetUser(claims.AccessKey)
+ cred, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
 if !ok {
 return nil, errInvalidAccessKeyID
 }
@@ -125,7 +126,7 @@ func webRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, bool, error) {
 owner := true
 if globalActiveCred.AccessKey != claims.AccessKey {
 // Check if the access key is part of users credentials.
- ucred, ok := globalIAMSys.GetUser(claims.AccessKey)
+ ucred, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
 if !ok {
 return nil, false, errInvalidAccessKeyID
 }
diff --git a/cmd/peer-rest-server.go b/cmd/peer-rest-server.go
index 58f691801..c53f1f0e2 100644
--- a/cmd/peer-rest-server.go
+++ b/cmd/peer-rest-server.go
@@ -77,7 +77,7 @@ func (s *peerRESTServer) DeletePolicyHandler(w http.ResponseWriter, r *http.Requ
 return
 }
- if err := globalIAMSys.DeletePolicy(policyName); err != nil {
+ if err := globalIAMSys.DeletePolicy(r.Context(), policyName); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -103,7 +103,7 @@ func (s *peerRESTServer) LoadPolicyHandler(w http.ResponseWriter, r *http.Reques
 return
 }
- if err := globalIAMSys.LoadPolicy(objAPI, policyName); err != nil {
+ if err := globalIAMSys.LoadPolicy(r.Context(), objAPI, policyName); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -130,7 +130,7 @@ func (s *peerRESTServer) LoadPolicyMappingHandler(w http.ResponseWriter, r *http
 }
 _, isGroup := r.Form[peerRESTIsGroup]
- if err := globalIAMSys.LoadPolicyMapping(objAPI, userOrGroup, isGroup); err != nil {
+ if err := globalIAMSys.LoadPolicyMapping(r.Context(), objAPI, userOrGroup, isGroup); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -182,7 +182,7 @@ func (s *peerRESTServer) LoadServiceAccountHandler(w http.ResponseWriter, r *htt
 return
 }
- if err := globalIAMSys.LoadServiceAccount(accessKey); err != nil {
+ if err := globalIAMSys.LoadServiceAccount(r.Context(), accessKey); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -208,7 +208,7 @@ func (s *peerRESTServer) DeleteUserHandler(w http.ResponseWriter, r *http.Reques
 return
 }
- if err := globalIAMSys.DeleteUser(accessKey); err != nil {
+ if err := globalIAMSys.DeleteUser(r.Context(), accessKey); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -245,7 +245,7 @@ func (s *peerRESTServer) LoadUserHandler(w http.ResponseWriter, r *http.Request)
 userType = stsUser
 }
- if err = globalIAMSys.LoadUser(objAPI, accessKey, userType); err != nil {
+ if err = globalIAMSys.LoadUser(r.Context(), objAPI, accessKey, userType); err != nil {
 s.writeErrorResponse(w, err)
 return
 }
@@ -266,7 +266,7 @@ func (s *peerRESTServer) LoadGroupHandler(w http.ResponseWriter, r *http.Request
 vars := mux.Vars(r)
 group := vars[peerRESTGroup]
- err := globalIAMSys.LoadGroup(objAPI, group)
+ err := globalIAMSys.LoadGroup(r.Context(), objAPI, group)
 if err != nil {
 s.writeErrorResponse(w, err)
 return
diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index 9569688a2..e1f643a92 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -152,7 +152,7 @@ func checkKeyValid(r *http.Request, accessKey string) (auth.Credentials, bool, A
 cred := globalActiveCred
 if cred.AccessKey != accessKey {
 // Check if the access key is part of users credentials.
- ucred, ok := globalIAMSys.GetUser(accessKey)
+ ucred, ok := globalIAMSys.GetUser(r.Context(), accessKey)
 if !ok {
 return cred, false, ErrInvalidAccessKeyID
 }
diff --git a/cmd/signature-v4-utils_test.go b/cmd/signature-v4-utils_test.go
index 0d770a4cf..2e5b1050f 100644
--- a/cmd/signature-v4-utils_test.go
+++ b/cmd/signature-v4-utils_test.go
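Review bot: Moving the peer IAM handlers onto `r.Context()` changes failure semantics for the mutating ones: DeleteUser in DeleteUserHandler (and DeletePolicy in the earlier hunk) now abort if the originating peer's request is cancelled or times out mid-call, whereas `context.Background()` let the delete run to completion. For the reload handlers an aborted load is harmless, but a user or policy deletion that stops partway leaves this node's IAM state diverging from the node that issued the notification unless the peer client retries on error, which I cannot see from here. If the notifier does not retry, consider running the deletion under a context detached from the request's cancellation (a derived context with its own timeout) or adding a comment on the handler stating that callers are expected to retry; the same consideration applies to the sibling handlers in this file.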
@@ -76,7 +76,7 @@ func TestCheckValid(t *testing.T) {
 t.Fatalf("unable create credential, %s", err)
 }
- globalIAMSys.CreateUser(ucreds.AccessKey, madmin.UserInfo{
+ globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.UserInfo{
 SecretKey: ucreds.SecretKey,
 Status: madmin.AccountEnabled,
 })
diff --git a/cmd/site-replication.go b/cmd/site-replication.go
index 68ac3ba0a..1c1540a4c 100644
--- a/cmd/site-replication.go
+++ b/cmd/site-replication.go
@@ -947,9 +947,9 @@ func (c *SiteReplicationSys) IAMChangeHook(ctx context.Context, item madmin.SRIA
 func (c *SiteReplicationSys) PeerAddPolicyHandler(ctx context.Context, policyName string, p *iampolicy.Policy) error {
 var err error
 if p == nil {
- err = globalIAMSys.DeletePolicy(policyName)
+ err = globalIAMSys.DeletePolicy(ctx, policyName)
 } else {
- err = globalIAMSys.SetPolicy(policyName, *p)
+ err = globalIAMSys.SetPolicy(ctx, policyName, *p)
 }
 if err != nil {
 return wrapSRErr(err)
@@ -1061,7 +1061,7 @@ func (c *SiteReplicationSys) PeerSvcAccChangeHandler(ctx context.Context, change
 // PeerPolicyMappingHandler - copies policy mapping to local.
 func (c *SiteReplicationSys) PeerPolicyMappingHandler(ctx context.Context, mapping madmin.SRPolicyMapping) error {
- err := globalIAMSys.PolicyDBSet(mapping.UserOrGroup, mapping.Policy, mapping.IsGroup)
+ err := globalIAMSys.PolicyDBSet(ctx, mapping.UserOrGroup, mapping.Policy, mapping.IsGroup)
 if err != nil {
 return wrapSRErr(err)
 }
@@ -1116,7 +1116,7 @@ func (c *SiteReplicationSys) PeerSTSAccHandler(ctx context.Context, stsCred madm
 }
 // Set these credentials to IAM.
- if err := globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil {
+ if err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
 return fmt.Errorf("unable to save STS credential: %v", err)
 }
@@ -1404,7 +1404,7 @@ func (c *SiteReplicationSys) syncLocalToPeers(ctx context.Context) SRError {
 {
 // Replicate IAM policies on local to all peers.
- allPolicies, err := globalIAMSys.ListPolicies("")
+ allPolicies, err := globalIAMSys.ListPolicies(ctx, "")
 if err != nil {
 return errSRBackendIssue(err)
 }
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index b42a97077..1f42a3900 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -273,7 +273,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 cred.ParentUser = user.AccessKey
 // Set the newly generated credentials.
- if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
+ if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName); err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
 return
 }
@@ -479,7 +479,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken
 // Set the newly generated credentials.
- if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
+ if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName); err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
 return
 }
@@ -645,7 +645,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 // Set the newly generated credentials, policyName is empty on purpose
 // LDAP policies are applied automatically using their ldapUser, ldapGroups
 // mapping.
- if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil {
+ if err = globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, ""); err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
 return
 }
@@ -813,7 +813,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 }
 tmpCredentials.ParentUser = parentUser
- err = globalIAMSys.SetTempUser(tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName)
+ err = globalIAMSys.SetTempUser(ctx, tmpCredentials.AccessKey, tmpCredentials, certificate.Subject.CommonName)
 if err != nil {
 writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
 return