From 1330e59307e89e3d2ebcd60c7b1f18a2a8088c68 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 27 Feb 2020 01:56:47 +0530
Subject: [PATCH] accessKeyId missing should return appropriate error in AssumeRole (#9048)

For a non-existent user server would return STS not initialized

```
aws --profile harsha --endpoint-url http://localhost:9000 \
sts assume-role \
--role-arn arn:xxx:xxx:xxx:xxxx \
--role-session-name anything
```

instead return an appropriate error as expected by STS API

Additionally also format the `trace` output for STS APIs
---
cmd/http-tracer.go | 5 +++--
cmd/sts-errors.go | 6 ++++++
cmd/sts-handlers.go | 6 ++++++
3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/cmd/http-tracer.go b/cmd/http-tracer.go
index bdfcc2d86..004afd046 100644
--- a/cmd/http-tracer.go
+++ b/cmd/http-tracer.go
@@ -83,14 +83,15 @@ func getOpName(name string) (op string) {
 op = strings.TrimPrefix(name, "github.com/minio/minio/cmd.")
 op = strings.TrimSuffix(op, "Handler-fm")
 op = strings.Replace(op, "objectAPIHandlers", "s3", 1)
- op = strings.Replace(op, "webAPIHandlers", "s3", 1)
+ op = strings.Replace(op, "webAPIHandlers", "webui", 1)
 op = strings.Replace(op, "adminAPIHandlers", "admin", 1)
 op = strings.Replace(op, "(*storageRESTServer)", "internal", 1)
 op = strings.Replace(op, "(*peerRESTServer)", "internal", 1)
 op = strings.Replace(op, "(*lockRESTServer)", "internal", 1)
- op = strings.Replace(op, "stsAPIHandlers", "sts", 1)
+ op = strings.Replace(op, "(*stsAPIHandlers)", "sts", 1)
 op = strings.Replace(op, "LivenessCheckHandler", "healthcheck", 1)
 op = strings.Replace(op, "ReadinessCheckHandler", "healthcheck", 1)
+ op = strings.Replace(op, "-fm", "", 1)
 return op
 }
 
diff --git a/cmd/sts-errors.go b/cmd/sts-errors.go
index 20e951efa..63c8e6365 100644
--- a/cmd/sts-errors.go
+++ b/cmd/sts-errors.go
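Review bot: The new last line of the hunk, `op = strings.Replace(op, "-fm", "", 1)`, removes the first `-fm` it finds rather than the trailing method-value suffix it is meant to drop; `op = strings.TrimSuffix(op, "-fm")` states that intent directly and mirrors the existing `strings.TrimSuffix(op, "Handler-fm")` two lines above. This is a readability point rather than a bug, since after the prefix trim the only place `-fm` can appear in a Go symbol name is at the end. A short comment on the line, `// drop the "-fm" suffix Go appends to method values`, would also explain why the earlier TrimSuffix does not already cover the new `(*stsAPIHandlers)` receiver form. getOpName's signature line sits just above the hunk.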
@@ -78,6 +78,7 @@ const (
 ErrSTSInvalidParameterValue
 ErrSTSWebIdentityExpiredToken
 ErrSTSClientGrantsExpiredToken
+ ErrSTSInvalidAccessKey
 ErrSTSInvalidClientGrantsToken
 ErrSTSMalformedPolicyDocument
 ErrSTSNotInitialized
@@ -127,6 +128,11 @@ var stsErrCodes = stsErrorCodeMap{
 Description: "The client grants token that was passed could not be validated by MinIO.",
 HTTPStatusCode: http.StatusBadRequest,
 },
+ ErrSTSInvalidAccessKey: {
+ Code: "InvalidClientTokenId",
+ Description: "The security token included in the request is invalid.",
+ HTTPStatusCode: http.StatusForbidden,
+ },
 ErrSTSMalformedPolicyDocument: {
 Code: "MalformedPolicyDocument",
 Description: "The request was rejected because the policy document was malformed.",
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index e418cd1db..2d0e73fdf 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -116,11 +116,17 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
 case authTypeSigned:
 s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
 if STSErrorCode(s3Err) != ErrSTSNone {
+ if s3Err == ErrInvalidAccessKeyID {
+ return user, ErrSTSInvalidAccessKey
+ }
 return user, STSErrorCode(s3Err)
 }
 var owner bool
 user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
 if STSErrorCode(s3Err) != ErrSTSNone {
+ if s3Err == ErrInvalidAccessKeyID {
+ return user, ErrSTSInvalidAccessKey
+ }
 return user, STSErrorCode(s3Err)
 }
 // Root credentials are not allowed to use STS API
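Review bot: The new `ErrSTSInvalidAccessKey: {` entry in the second sts-errors.go hunk pairs a constant named after the access key with the wire code `InvalidClientTokenId`, which reads like a mismatch unless the reader knows that this is the code AWS STS itself returns for an unknown access key ID (the STS counterpart of S3's `InvalidAccessKeyId`); a one-line comment on the entry, `// InvalidClientTokenId is what AWS STS returns for an unrecognised access key; the S3 equivalent is InvalidAccessKeyId.`, would prevent someone "correcting" it later. The 403 status and the generic description also deliberately avoid echoing the key back, which is the right shape for an authentication failure. In the first hunk the constant is inserted mid-block; if this `const (` block is iota-numbered, every STSErrorCode after it changes value, which is harmless only as long as the numeric values are never persisted or compared across versions — worth confirming, since the block header is outside the hunk.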
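Review bot: The two added `if s3Err == ErrInvalidAccessKeyID { return user, ErrSTSInvalidAccessKey }` blocks repeat the same special case in both branches of checkAssumeRoleAuth, and they patch the symptom at the call site while the generic `STSErrorCode(s3Err)` conversion, which per the description currently turns ErrInvalidAccessKeyID into a "not initialized" error, still misbehaves for any other caller. If STSErrorCode is the shared S3-to-STS translation (its definition is outside this hunk), adding the mapping there fixes every signed STS path at once and lets both branches collapse back to `return user, STSErrorCode(s3Err)`; if it cannot be changed, a small local helper wrapping the conversion would at least remove the duplication. Returning a distinct 403 for an unknown key versus a bad signature is the same distinction the S3 endpoints already expose via ErrInvalidAccessKeyID, so the change does not add a new credential-validity signal. checkAssumeRoleAuth continues past the end of the hunk.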