accessKeyId missing should return appropriate error in AssumeRole (#9048)

For a non-existent user, the server would return "STS not initialized"
```
aws --profile harsha --endpoint-url http://localhost:9000 \
      sts assume-role \
      --role-arn arn:xxx:xxx:xxx:xxxx \
      --role-session-name anything
```

instead return an appropriate error as expected by STS API

Additionally also format the `trace` output for STS APIs
Harshavardhana 2020-02-27 01:56:47 +05:30 committed by GitHub
parent 2dd14c0b89
commit 1330e59307
3 changed files with 15 additions and 2 deletions


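--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -83,14 +83,15 @@ func getOpName(name string) (op string) {
 	op = strings.TrimPrefix(name, "github.com/minio/minio/cmd.")
 	op = strings.TrimSuffix(op, "Handler-fm")
 	op = strings.Replace(op, "objectAPIHandlers", "s3", 1)
-	op = strings.Replace(op, "webAPIHandlers", "s3", 1)
+	op = strings.Replace(op, "webAPIHandlers", "webui", 1)
 	op = strings.Replace(op, "adminAPIHandlers", "admin", 1)
 	op = strings.Replace(op, "(*storageRESTServer)", "internal", 1)
 	op = strings.Replace(op, "(*peerRESTServer)", "internal", 1)
 	op = strings.Replace(op, "(*lockRESTServer)", "internal", 1)
-	op = strings.Replace(op, "stsAPIHandlers", "sts", 1)
+	op = strings.Replace(op, "(*stsAPIHandlers)", "sts", 1)
 	op = strings.Replace(op, "LivenessCheckHandler", "healthcheck", 1)
 	op = strings.Replace(op, "ReadinessCheckHandler", "healthcheck", 1)
+	op = strings.Replace(op, "-fm", "", 1)
 	return op
 }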
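Review bot: The added `op = strings.Replace(op, "-fm", "", 1)` strips the first "-fm" found anywhere in the name, whereas the intent (and the `strings.TrimSuffix(op, "Handler-fm")` line above it) is to drop the method-value suffix at the end; a handler whose name contains "-fm" elsewhere would be mangled in the trace output. Prefer `op = strings.TrimSuffix(op, "-fm")` so only a trailing suffix is removed. The hunk header reports 14 old lines while 13 are shown here, so one context line, probably blank, appears to have been lost in rendering.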


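--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -78,6 +78,7 @@ const (
 	ErrSTSInvalidParameterValue
 	ErrSTSWebIdentityExpiredToken
 	ErrSTSClientGrantsExpiredToken
+	ErrSTSInvalidAccessKey
 	ErrSTSInvalidClientGrantsToken
 	ErrSTSMalformedPolicyDocument
 	ErrSTSNotInitialized
@@ -127,6 +128,11 @@ var stsErrCodes = stsErrorCodeMap{
 		Description: "The client grants token that was passed could not be validated by MinIO.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrSTSInvalidAccessKey: {
+		Code: "InvalidClientTokenId",
+		Description: "The security token included in the request is invalid.",
+		HTTPStatusCode: http.StatusForbidden,
+	},
 	ErrSTSMalformedPolicyDocument: {
 		Code: "MalformedPolicyDocument",
 		Description: "The request was rejected because the policy document was malformed.",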
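Review bot: The new ErrSTSInvalidAccessKey constant in the first hunk has no comment saying when it is produced, and its map entry in the second hunk talks about a "security token" while the condition that raises it (an unknown access key ID, per the handler change in this commit) is not a token problem from the reader's side; the wording appears to mirror the STS InvalidClientTokenId response, which is worth stating. Suggest `// ErrSTSInvalidAccessKey is returned when the access key in a signed STS request is not known to the server; it is reported with the STS code InvalidClientTokenId.` on the constant. The 403 status on the map entry is consistent with the other authentication failures, assuming the surrounding entries outside the hunk follow the same convention.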


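--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -116,11 +116,17 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
 	case authTypeSigned:
 		s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
 		if STSErrorCode(s3Err) != ErrSTSNone {
+			if s3Err == ErrInvalidAccessKeyID {
+				return user, ErrSTSInvalidAccessKey
+			}
 			return user, STSErrorCode(s3Err)
 		}
 		var owner bool
 		user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
 		if STSErrorCode(s3Err) != ErrSTSNone {
+			if s3Err == ErrInvalidAccessKeyID {
+				return user, ErrSTSInvalidAccessKey
+			}
 			return user, STSErrorCode(s3Err)
 		}
 		// Root credentials are not allowed to use STS API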
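Review bot: The ErrInvalidAccessKeyID to ErrSTSInvalidAccessKey translation is written out twice in this hunk, once after isReqAuthenticated and once after getReqAccessKeyV4, and any further S3-to-STS error check will need the same three lines again; folding it into one small helper keeps the mapping in a single place. Both call sites then read `if stsErr := stsErrFromS3(s3Err); stsErr != ErrSTSNone { return user, stsErr }`, which preserves the existing order of checks. checkAssumeRoleAuth starts and ends outside the hunk, and the partially populated user value is still returned alongside the error, exactly as before this change.
```go
// stsErrFromS3 maps an S3 authentication error to its STS equivalent. An
// unknown access key is reported as ErrSTSInvalidAccessKey (STS code
// InvalidClientTokenId); every other code converts directly.
func stsErrFromS3(s3Err APIErrorCode) STSErrorCode {
	if s3Err == ErrInvalidAccessKeyID {
		return ErrSTSInvalidAccessKey
	}
	return STSErrorCode(s3Err)
}
// … unchanged: checkAssumeRoleAuth body, with the two inline checks replaced by the call above …
```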