mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
fix: sts to return appropriate errors (#9161)
This commit is contained in:
parent
5b9342d35c
commit
09d35d3b4c
@ -122,7 +122,8 @@ const (
|
||||
ErrMissingCredTag
|
||||
ErrCredMalformed
|
||||
ErrInvalidRegion
|
||||
ErrInvalidService
|
||||
ErrInvalidServiceS3
|
||||
ErrInvalidServiceSTS
|
||||
ErrInvalidRequestVersion
|
||||
ErrMissingSignTag
|
||||
ErrMissingSignHeadersTag
|
||||
@ -653,9 +654,14 @@ var errorCodes = errorCodeMap{
|
||||
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
||||
// right Description: "Error parsing the X-Amz-Credential parameter; incorrect service \"s4\". This endpoint belongs to \"s3\".".
|
||||
// Need changes to make sure variable messages can be constructed.
|
||||
ErrInvalidService: {
|
||||
Code: "AuthorizationQueryParametersError",
|
||||
Description: "Error parsing the X-Amz-Credential parameter; incorrect service. This endpoint belongs to \"s3\".",
|
||||
ErrInvalidServiceS3: {
|
||||
Code: "AuthorizationParametersError",
|
||||
Description: "Error parsing the Credential/X-Amz-Credential parameter; incorrect service. This endpoint belongs to \"s3\".",
|
||||
HTTPStatusCode: http.StatusBadRequest,
|
||||
},
|
||||
ErrInvalidServiceSTS: {
|
||||
Code: "AuthorizationParametersError",
|
||||
Description: "Error parsing the Credential parameter; incorrect service. This endpoint belongs to \"sts\".",
|
||||
HTTPStatusCode: http.StatusBadRequest,
|
||||
},
|
||||
// FIXME: Should contain the invalid param set as seen in https://github.com/minio/minio/issues/2385.
|
||||
|
@ -108,7 +108,11 @@ func parseCredentialHeader(credElement string, region string, stype serviceType)
|
||||
|
||||
}
|
||||
if credElements[2] != string(stype) {
|
||||
return ch, ErrInvalidService
|
||||
switch stype {
|
||||
case serviceSTS:
|
||||
return ch, ErrInvalidServiceSTS
|
||||
}
|
||||
return ch, ErrInvalidServiceS3
|
||||
}
|
||||
cred.scope.service = credElements[2]
|
||||
if credElements[3] != "aws4_request" {
|
||||
|
@ -151,7 +151,7 @@ func TestParseCredentialHeader(t *testing.T) {
|
||||
"ABCD",
|
||||
"ABCD"),
|
||||
expectedCredentials: credentialHeader{},
|
||||
expectedErrCode: ErrInvalidService,
|
||||
expectedErrCode: ErrInvalidServiceS3,
|
||||
},
|
||||
// Test Case - 7.
|
||||
// Test case with invalid region.
|
||||
|
@ -29,6 +29,14 @@ import (
|
||||
// writeSTSErrorRespone writes error headers
|
||||
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) {
|
||||
err := stsErrCodes.ToSTSErr(errCode)
|
||||
if err.Code == "InternalError" {
|
||||
aerr := getAPIError(APIErrorCode(errCode))
|
||||
if aerr.Code != "InternalError" {
|
||||
err.Code = aerr.Code
|
||||
err.Description = aerr.Description
|
||||
err.HTTPStatusCode = aerr.HTTPStatusCode
|
||||
}
|
||||
}
|
||||
// Generate error response.
|
||||
stsErrorResponse := STSErrorResponse{}
|
||||
stsErrorResponse.Error.Code = err.Code
|
||||
@ -73,12 +81,12 @@ type STSErrorCode int
|
||||
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
|
||||
const (
|
||||
ErrSTSNone STSErrorCode = iota
|
||||
ErrSTSInvalidService
|
||||
ErrSTSAccessDenied
|
||||
ErrSTSMissingParameter
|
||||
ErrSTSInvalidParameterValue
|
||||
ErrSTSWebIdentityExpiredToken
|
||||
ErrSTSClientGrantsExpiredToken
|
||||
ErrSTSInvalidAccessKey
|
||||
ErrSTSInvalidClientGrantsToken
|
||||
ErrSTSMalformedPolicyDocument
|
||||
ErrSTSNotInitialized
|
||||
@ -128,11 +136,6 @@ var stsErrCodes = stsErrorCodeMap{
|
||||
Description: "The client grants token that was passed could not be validated by MinIO.",
|
||||
HTTPStatusCode: http.StatusBadRequest,
|
||||
},
|
||||
ErrSTSInvalidAccessKey: {
|
||||
Code: "InvalidClientTokenId",
|
||||
Description: "The security token included in the request is invalid.",
|
||||
HTTPStatusCode: http.StatusForbidden,
|
||||
},
|
||||
ErrSTSMalformedPolicyDocument: {
|
||||
Code: "MalformedPolicyDocument",
|
||||
Description: "The request was rejected because the policy document was malformed.",
|
||||
|
@ -119,17 +119,11 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
|
||||
case authTypeSigned:
|
||||
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
|
||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||
if s3Err == ErrInvalidAccessKeyID {
|
||||
return user, ErrSTSInvalidAccessKey
|
||||
}
|
||||
return user, STSErrorCode(s3Err)
|
||||
}
|
||||
var owner bool
|
||||
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||
if s3Err == ErrInvalidAccessKeyID {
|
||||
return user, ErrSTSInvalidAccessKey
|
||||
}
|
||||
return user, STSErrorCode(s3Err)
|
||||
}
|
||||
// Root credentials are not allowed to use STS API
|
||||
|
Loading…
Reference in New Issue
Block a user