mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
accessKeyId missing should return appropriate error in AssumeRole (#9048)
For a non-existent user, the server would return `STS not initialized`:

```
aws --profile harsha --endpoint-url http://localhost:9000 \
    sts assume-role \
    --role-arn arn:xxx:xxx:xxx:xxxx \
    --role-session-name anything
```

Instead, return an appropriate error as expected by the STS API.

Additionally, format the `trace` output for STS APIs.
parent
2dd14c0b89
commit
1330e59307
@ -83,14 +83,15 @@ func getOpName(name string) (op string) {
|
||||
op = strings.TrimPrefix(name, "github.com/minio/minio/cmd.")
|
||||
op = strings.TrimSuffix(op, "Handler-fm")
|
||||
op = strings.Replace(op, "objectAPIHandlers", "s3", 1)
|
||||
op = strings.Replace(op, "webAPIHandlers", "s3", 1)
|
||||
op = strings.Replace(op, "webAPIHandlers", "webui", 1)
|
||||
op = strings.Replace(op, "adminAPIHandlers", "admin", 1)
|
||||
op = strings.Replace(op, "(*storageRESTServer)", "internal", 1)
|
||||
op = strings.Replace(op, "(*peerRESTServer)", "internal", 1)
|
||||
op = strings.Replace(op, "(*lockRESTServer)", "internal", 1)
|
||||
op = strings.Replace(op, "stsAPIHandlers", "sts", 1)
|
||||
op = strings.Replace(op, "(*stsAPIHandlers)", "sts", 1)
|
||||
op = strings.Replace(op, "LivenessCheckHandler", "healthcheck", 1)
|
||||
op = strings.Replace(op, "ReadinessCheckHandler", "healthcheck", 1)
|
||||
op = strings.Replace(op, "-fm", "", 1)
|
||||
return op
|
||||
}
|
||||
|
||||
|
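Review bot: `strings.Replace(op, "-fm", "", 1)` near the end of getOpName removes the first `-fm` found anywhere in the name, not only a trailing one, so an operation label in the trace output could be altered mid-string; `op = strings.TrimSuffix(op, "-fm")` states the intent and matches the `TrimSuffix(op, "Handler-fm")` call above it. The page has lost its `+`/`-` markers, so this assumes the `-fm` line is on the new side. The rewrites are also order-dependent, and a short comment such as `// Order matters: specific handler names are rewritten before the generic "-fm" cleanup.` would keep later edits from reordering them. The function signature is visible only in the hunk header.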
@ -78,6 +78,7 @@ const (
|
||||
ErrSTSInvalidParameterValue
|
||||
ErrSTSWebIdentityExpiredToken
|
||||
ErrSTSClientGrantsExpiredToken
|
||||
ErrSTSInvalidAccessKey
|
||||
ErrSTSInvalidClientGrantsToken
|
||||
ErrSTSMalformedPolicyDocument
|
||||
ErrSTSNotInitialized
|
||||
@ -127,6 +128,11 @@ var stsErrCodes = stsErrorCodeMap{
|
||||
Description: "The client grants token that was passed could not be validated by MinIO.",
|
||||
HTTPStatusCode: http.StatusBadRequest,
|
||||
},
|
||||
ErrSTSInvalidAccessKey: {
|
||||
Code: "InvalidClientTokenId",
|
||||
Description: "The security token included in the request is invalid.",
|
||||
HTTPStatusCode: http.StatusForbidden,
|
||||
},
|
||||
ErrSTSMalformedPolicyDocument: {
|
||||
Code: "MalformedPolicyDocument",
|
||||
Description: "The request was rejected because the policy document was malformed.",
|
||||
|
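Review bot: The `ErrSTSInvalidAccessKey` constant and its `stsErrCodes` entry carry no comment, although the entry answers with `http.StatusForbidden` where the entry visible just above it uses `http.StatusBadRequest`, and its code string `InvalidClientTokenId` does not match the constant's name. A comment such as `// ErrSTSInvalidAccessKey: the access key ID in the request is not known to the server; sent as InvalidClientTokenId, and the description does not echo the key.` would record the intent. This response also appears to be distinct from other authentication failures, so it tells an unauthenticated caller whether an access key ID exists; if that is accepted for STS API compatibility, say so in the comment and make sure repeated `InvalidClientTokenId` responses are logged or rate-limited. Both the const block and the map literal start and end outside the hunks.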
@ -116,11 +116,17 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
|
||||
case authTypeSigned:
|
||||
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
|
||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||
if s3Err == ErrInvalidAccessKeyID {
|
||||
return user, ErrSTSInvalidAccessKey
|
||||
}
|
||||
return user, STSErrorCode(s3Err)
|
||||
}
|
||||
var owner bool
|
||||
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
|
||||
if STSErrorCode(s3Err) != ErrSTSNone {
|
||||
if s3Err == ErrInvalidAccessKeyID {
|
||||
return user, ErrSTSInvalidAccessKey
|
||||
}
|
||||
return user, STSErrorCode(s3Err)
|
||||
}
|
||||
// Root credentials are not allowed to use STS API
|
||||
|
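Review bot: Only `ErrInvalidAccessKeyID` gets an explicit STS code here; every other failure from `isReqAuthenticated` and `getReqAccessKeyV4` still goes through `STSErrorCode(s3Err)`, which appears to be a plain type conversion (its definition is outside the hunk), so a client may receive whichever STS code happens to share the S3 error's numeric value. The commit message describes that symptom for a missing user, and other authentication errors may still be mislabelled in the same way, which makes failed STS logins harder to read in logs and traces. The three-line special case is also pasted after both calls. A single helper with an explicit switch removes the duplication and gives one place to add further mappings; the sketch below keeps the current behaviour for the remaining codes. checkAssumeRoleAuth starts and ends outside the hunk.

```go
// stsAuthError translates an S3 authentication error into the STS error sent to the client.
// s3Err's type is taken to be APIErrorCode; adjust if the declaration differs.
func stsAuthError(s3Err APIErrorCode) STSErrorCode {
	switch s3Err {
	case ErrInvalidAccessKeyID:
		return ErrSTSInvalidAccessKey
	default:
		// NOTE(review): numeric conversion kept as-is; map further codes explicitly.
		return STSErrorCode(s3Err)
	}
}

	case authTypeSigned:
		s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
		if STSErrorCode(s3Err) != ErrSTSNone {
			return user, stsAuthError(s3Err)
		}
		// … unchanged: var owner, getReqAccessKeyV4 call …
		if STSErrorCode(s3Err) != ErrSTSNone {
			return user, stsAuthError(s3Err)
		}
```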