fixes misleading assume role error msgs (#9642)

This commit is contained in:
ebozduman 2020-05-21 09:09:18 -07:00 committed by GitHub
parent eaafb23535
commit 2896e780ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 57 additions and 55 deletions


@ -459,7 +459,7 @@ var errorCodes = errorCodeMap{
}, },
ErrInvalidAccessKeyID: { ErrInvalidAccessKeyID: {
Code: "InvalidAccessKeyId", Code: "InvalidAccessKeyId",
Description: "The access key ID you provided does not exist in our records.", Description: "The Access Key Id you provided does not exist in our records.",
HTTPStatusCode: http.StatusForbidden, HTTPStatusCode: http.StatusForbidden,
}, },
ErrInvalidBucketName: { ErrInvalidBucketName: {


@ -115,7 +115,7 @@ func testGetBucketLocationHandler(obj ObjectLayer, instanceType, bucketName stri
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidAccessKeyId", Code: "InvalidAccessKeyId",
Message: "The access key ID you provided does not exist in our records.", Message: "The Access Key Id you provided does not exist in our records.",
}, },
shouldPass: false, shouldPass: false,
}, },


@ -72,7 +72,7 @@ func testBucketLifecycleHandlersWrongCredentials(obj ObjectLayer, instanceType,
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidAccessKeyId", Code: "InvalidAccessKeyId",
Message: "The access key ID you provided does not exist in our records.", Message: "The Access Key Id you provided does not exist in our records.",
}, },
shouldPass: false, shouldPass: false,
}, },
@ -102,7 +102,7 @@ func testBucketLifecycleHandlersWrongCredentials(obj ObjectLayer, instanceType,
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidAccessKeyId", Code: "InvalidAccessKeyId",
Message: "The access key ID you provided does not exist in our records.", Message: "The Access Key Id you provided does not exist in our records.",
}, },
shouldPass: false, shouldPass: false,
}, },
@ -132,7 +132,7 @@ func testBucketLifecycleHandlersWrongCredentials(obj ObjectLayer, instanceType,
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidAccessKeyId", Code: "InvalidAccessKeyId",
Message: "The access key ID you provided does not exist in our records.", Message: "The Access Key Id you provided does not exist in our records.",
}, },
shouldPass: false, shouldPass: false,
}, },


@ -27,9 +27,12 @@ import (
) )
// writeSTSErrorRespone writes error headers // writeSTSErrorRespone writes error headers
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) { func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, isErrCodeSTS bool, errCode STSErrorCode, errCtxt error) {
err := stsErrCodes.ToSTSErr(errCode) var err STSError
if err.Code == "InternalError" { if isErrCodeSTS {
err = stsErrCodes.ToSTSErr(errCode)
}
if err.Code == "InternalError" || !isErrCodeSTS {
aerr := getAPIError(APIErrorCode(errCode)) aerr := getAPIError(APIErrorCode(errCode))
if aerr.Code != "InternalError" { if aerr.Code != "InternalError" {
err.Code = aerr.Code err.Code = aerr.Code
@ -81,7 +84,6 @@ type STSErrorCode int
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html // Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
const ( const (
ErrSTSNone STSErrorCode = iota ErrSTSNone STSErrorCode = iota
ErrSTSInvalidService
ErrSTSAccessDenied ErrSTSAccessDenied
ErrSTSMissingParameter ErrSTSMissingParameter
ErrSTSInvalidParameterValue ErrSTSInvalidParameterValue
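Review bot: In the new writeSTSErrorResponse, when isErrCodeSTS is false and getAPIError(APIErrorCode(errCode)) itself comes back as InternalError, err is never assigned and stays the zero STSError (empty Code and Description, HTTPStatusCode 0), whereas before the change it always held at least the ToSTSErr(errCode) entry; what then reaches the client depends on the rest of the function, which continues past this hunk. Seeding the fallback closes that gap: `err := stsErrCodes.ToSTSErr(ErrSTSInternalError)` followed by `if isErrCodeSTS { err = stsErrCodes.ToSTSErr(errCode) }`. The comment above the function still reads "writeSTSErrorRespone writes error headers" (typo kept on the new side) and says nothing about the new parameter; I'd change it to `// writeSTSErrorResponse writes an STS error response; when isErrCodeSTS is false, errCode is an APIErrorCode cast to STSErrorCode and is resolved through getAPIError instead of stsErrCodes.` The second hunk drops ErrSTSInvalidService from the iota block, which renumbers every STS code after ErrSTSNone; that is harmless as long as nothing persists or compares these values numerically, which I cannot confirm from this page.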


@ -110,37 +110,37 @@ func registerSTSRouter(router *mux.Router) {
Queries(stsLDAPPassword, "{LDAPPassword:.*}") Queries(stsLDAPPassword, "{LDAPPassword:.*}")
} }
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, stsErr STSErrorCode) { func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
switch getRequestAuthType(r) { switch getRequestAuthType(r) {
default: default:
return user, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
case authTypeSigned: case authTypeSigned:
s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS) s3Err := isReqAuthenticated(ctx, r, globalServerRegion, serviceSTS)
if STSErrorCode(s3Err) != ErrSTSNone { if APIErrorCode(s3Err) != ErrNone {
return user, STSErrorCode(s3Err) return user, false, STSErrorCode(s3Err)
} }
var owner bool var owner bool
user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS) user, owner, s3Err = getReqAccessKeyV4(r, globalServerRegion, serviceSTS)
if STSErrorCode(s3Err) != ErrSTSNone { if APIErrorCode(s3Err) != ErrNone {
return user, STSErrorCode(s3Err) return user, false, STSErrorCode(s3Err)
} }
// Root credentials are not allowed to use STS API // Root credentials are not allowed to use STS API
if owner { if owner {
return user, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
} }
// Session tokens are not allowed in STS AssumeRole requests. // Session tokens are not allowed in STS AssumeRole requests.
if getSessionToken(r) != "" { if getSessionToken(r) != "" {
return user, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
// Temporary credentials or Service accounts cannot generate further temporary credentials. // Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() { if user.IsTemp() || user.IsServiceAccount() {
return user, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
return user, ErrSTSNone return user, true, ErrSTSNone
} }
// AssumeRole - implementation of AWS STS API AssumeRole to get temporary // AssumeRole - implementation of AWS STS API AssumeRole to get temporary
@ -149,18 +149,18 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) { func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole") ctx := newContext(r, w, "AssumeRole")
user, stsErr := checkAssumeRoleAuth(ctx, r) user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
if stsErr != ErrSTSNone { if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, stsErr, nil) writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return return
} }
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
if r.Form.Get(stsVersion) != stsAPIVersion { if r.Form.Get(stsVersion) != stsAPIVersion {
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get(stsVersion), stsAPIVersion)) writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get(stsVersion), stsAPIVersion))
return return
} }
@ -168,7 +168,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
switch action { switch action {
case assumeRole: case assumeRole:
default: default:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action)) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
return return
} }
@ -180,20 +180,20 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
// The plain text that you use for both inline and managed session // The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. // policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 { if len(sessionPolicyStr) > 2048 {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy shouldn't exceed 2048 characters")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy shouldn't exceed 2048 characters"))
return return
} }
if len(sessionPolicyStr) > 0 { if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr))) sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
// Version in policy must not be empty // Version in policy must not be empty
if sessionPolicy.Version == "" { if sessionPolicy.Version == "" {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Version cannot be empty expecting '2012-10-17'")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version cannot be empty expecting '2012-10-17'"))
return return
} }
} }
@ -202,13 +202,13 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
m := make(map[string]interface{}) m := make(map[string]interface{})
m[expClaim], err = openid.GetDefaultExpiration(r.Form.Get(stsDurationSeconds)) m[expClaim], err = openid.GetDefaultExpiration(r.Form.Get(stsDurationSeconds))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
policies, err := globalIAMSys.PolicyDBGet(user.AccessKey, false) policies, err := globalIAMSys.PolicyDBGet(user.AccessKey, false)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
@ -226,7 +226,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
secret := globalActiveCred.SecretKey secret := globalActiveCred.SecretKey
cred, err := auth.GetNewCredentialsWithMetadata(m, secret) cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -236,7 +236,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
// Set the newly generated credentials. // Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil { if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -263,12 +263,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
// Parse the incoming form data. // Parse the incoming form data.
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
if r.Form.Get(stsVersion) != stsAPIVersion { if r.Form.Get(stsVersion) != stsAPIVersion {
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion)) writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
return return
} }
@ -276,7 +276,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
switch action { switch action {
case clientGrants, webIdentity: case clientGrants, webIdentity:
default: default:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action)) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
return return
} }
@ -284,13 +284,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
defer logger.AuditLog(w, r, action, nil) defer logger.AuditLog(w, r, action, nil)
if globalOpenIDValidators == nil { if globalOpenIDValidators == nil {
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errServerNotInitialized) writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errServerNotInitialized)
return return
} }
v, err := globalOpenIDValidators.Get("jwt") v, err := globalOpenIDValidators.Get("jwt")
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
@ -305,16 +305,16 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
case openid.ErrTokenExpired: case openid.ErrTokenExpired:
switch action { switch action {
case clientGrants: case clientGrants:
writeSTSErrorResponse(ctx, w, ErrSTSClientGrantsExpiredToken, err) writeSTSErrorResponse(ctx, w, true, ErrSTSClientGrantsExpiredToken, err)
case webIdentity: case webIdentity:
writeSTSErrorResponse(ctx, w, ErrSTSWebIdentityExpiredToken, err) writeSTSErrorResponse(ctx, w, true, ErrSTSWebIdentityExpiredToken, err)
} }
return return
case auth.ErrInvalidDuration: case auth.ErrInvalidDuration:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
@ -323,20 +323,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
// The plain text that you use for both inline and managed session // The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. // policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 { if len(sessionPolicyStr) > 2048 {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
return return
} }
if len(sessionPolicyStr) > 0 { if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr))) sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
// Version in policy must not be empty // Version in policy must not be empty
if sessionPolicy.Version == "" { if sessionPolicy.Version == "" {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version"))
return return
} }
} }
@ -348,7 +348,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
secret := globalActiveCred.SecretKey secret := globalActiveCred.SecretKey
cred, err := auth.GetNewCredentialsWithMetadata(m, secret) cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -368,7 +368,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
// Set the newly generated credentials. // Set the newly generated credentials.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil { if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, policyName); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -430,12 +430,12 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// Parse the incoming form data. // Parse the incoming form data.
if err := r.ParseForm(); err != nil { if err := r.ParseForm(); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
if r.Form.Get(stsVersion) != stsAPIVersion { if r.Form.Get(stsVersion) != stsAPIVersion {
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion)) writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
return return
} }
@ -443,7 +443,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
switch action { switch action {
case ldapIdentity: case ldapIdentity:
default: default:
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action)) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
return return
} }
@ -454,7 +454,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
ldapPassword := r.Form.Get(stsLDAPPassword) ldapPassword := r.Form.Get(stsLDAPPassword)
if ldapUsername == "" || ldapPassword == "" { if ldapUsername == "" || ldapPassword == "" {
writeSTSErrorResponse(ctx, w, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty")) writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
return return
} }
@ -463,20 +463,20 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// The plain text that you use for both inline and managed session // The plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. // policies shouldn't exceed 2048 characters.
if len(sessionPolicyStr) > 2048 { if len(sessionPolicyStr) > 2048 {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Session policy should not exceed 2048 characters"))
return return
} }
if len(sessionPolicyStr) > 0 { if len(sessionPolicyStr) > 0 {
sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr))) sessionPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(sessionPolicyStr)))
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
// Version in policy must not be empty // Version in policy must not be empty
if sessionPolicy.Version == "" { if sessionPolicy.Version == "" {
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Version needs to be specified in session policy")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Version needs to be specified in session policy"))
return return
} }
} }
@ -484,7 +484,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
groups, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword) groups, err := globalLDAPConfig.Bind(ldapUsername, ldapPassword)
if err != nil { if err != nil {
err = fmt.Errorf("LDAP server connection failure: %w", err) err = fmt.Errorf("LDAP server connection failure: %w", err)
writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
return return
} }
@ -501,7 +501,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
secret := globalActiveCred.SecretKey secret := globalActiveCred.SecretKey
cred, err := auth.GetNewCredentialsWithMetadata(m, secret) cred, err := auth.GetNewCredentialsWithMetadata(m, secret)
if err != nil { if err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
@ -517,7 +517,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
// LDAP policies are applied automatically using their ldapUser, ldapGroups // LDAP policies are applied automatically using their ldapUser, ldapGroups
// mapping. // mapping.
if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil { if err = globalIAMSys.SetTempUser(cred.AccessKey, cred, ""); err != nil {
writeSTSErrorResponse(ctx, w, ErrSTSInternalError, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInternalError, err)
return return
} }
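Review bot: checkAssumeRoleAuth now returns a value whose meaning depends on a companion flag — when isErrCodeSTS is false, stsErr is really an APIErrorCode cast to STSErrorCode — but the function has no doc comment stating that contract, so a future caller that ignores the bool will map the code through stsErrCodes and produce a misleading message again. I'd add above the signature: `// checkAssumeRoleAuth authenticates the caller of AssumeRole; when isErrCodeSTS is false, stsErr carries an APIErrorCode from the signature check (cast to STSErrorCode) and must be passed to writeSTSErrorResponse with isErrCodeSTS=false.` The comparisons `APIErrorCode(s3Err) != ErrNone` read as if s3Err were not already an APIErrorCode; if isReqAuthenticated and getReqAccessKeyV4 return APIErrorCode, plain `s3Err != ErrNone` is clearer, though their return types are not visible on this page. Every other call site in this file now passes a literal `true`, the usual boolean-parameter smell; a smaller-blast-radius alternative is to keep the three-argument signature and add a second helper for the API-code case. Note also that the STS endpoint now reports the underlying S3 authentication failure (for example InvalidAccessKeyId rather than a generic STS code), matching the S3 handlers; that appears intended, so it is worth one line in the comment so the distinction is not later mistaken for an information leak and "fixed" back.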