From 59bb54ed6a7e0f7a1b188a925f08df329ac18f99 Mon Sep 17 00:00:00 2001 From: Aditya Manthramurthy Date: Mon, 9 Aug 2021 18:14:38 -0700 Subject: [PATCH] Use common function for authenticating admin requests (#12915) --- cmd/admin-bucket-handlers.go | 8 +- cmd/admin-handler-utils.go | 172 ++++++++++++++++++++++++++++++++ cmd/admin-handlers-config-kv.go | 38 ++----- cmd/admin-handlers-users.go | 51 +++------- cmd/admin-handlers.go | 148 --------------------------- cmd/tier-handlers.go | 6 +- 6 files changed, 202 insertions(+), 221 deletions(-) create mode 100644 cmd/admin-handler-utils.go diff --git a/cmd/admin-bucket-handlers.go b/cmd/admin-bucket-handlers.go index b6327b414..a3a544b51 100644 --- a/cmd/admin-bucket-handlers.go +++ b/cmd/admin-bucket-handlers.go @@ -85,7 +85,7 @@ func (a adminAPIHandlers) GetBucketQuotaConfigHandler(w http.ResponseWriter, r * defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetBucketQuotaAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetBucketQuotaAdminAction) if objectAPI == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return @@ -130,7 +130,7 @@ func (a adminAPIHandlers) SetRemoteTargetHandler(w http.ResponseWriter, r *http. } // Get current object layer instance. - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.SetBucketTargetAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketTargetAction) if objectAPI == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return 
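Review bot: On an authentication failure `GetBucketQuotaConfigHandler` writes two error responses: `validateAdminReq` has already sent the auth error when it returns a nil object layer, and the unchanged `if objectAPI == nil` branch then sends `ErrServerNotInitialized` as well. The second write probably appends a misleading "server not initialized" body to the access-denied response, which hides the real reason for the rejection from clients and from anyone reading the traffic. The branch should only return, as the user and config handlers in this commit do: `if objectAPI == nil { return }`. The same applies to the `SetRemoteTargetHandler`, `ListRemoteTargetsHandler` and `RemoveRemoteTargetHandler` hunks here and to the three hunks in `cmd/tier-handlers.go`, where the `globalTierConfigMgr == nil` test needs its own branch because the helper does not cover it. The handler bodies start and end outside these hunks.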
@@ -258,7 +258,7 @@ func (a adminAPIHandlers) ListRemoteTargetsHandler(w http.ResponseWriter, r *htt return } // Get current object layer instance. - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetBucketTargetAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetBucketTargetAction) if objectAPI == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return @@ -298,7 +298,7 @@ func (a adminAPIHandlers) RemoveRemoteTargetHandler(w http.ResponseWriter, r *ht return } // Get current object layer instance. - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.SetBucketTargetAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketTargetAction) if objectAPI == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return diff --git a/cmd/admin-handler-utils.go b/cmd/admin-handler-utils.go new file mode 100644 index 000000000..6142eaeaa --- /dev/null +++ b/cmd/admin-handler-utils.go 
@@ -0,0 +1,172 @@
+// Copyright (c) 2015-2021 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package cmd
+
+import (
+ "context"
+ "errors"
+ "net/http"
+
+ "github.com/minio/kes"
+ "github.com/minio/madmin-go"
+ "github.com/minio/minio/internal/auth"
+ "github.com/minio/minio/internal/config"
+ iampolicy "github.com/minio/pkg/iam/policy"
+)
+
+func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, action iampolicy.AdminAction) (ObjectLayer, auth.Credentials) {
+ // Get current object layer instance.
+ objectAPI := newObjectLayerFn()
+ if objectAPI == nil || globalNotificationSys == nil {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
+ return nil, auth.Credentials{}
+ }
+
+ // Validate request signature.
+ cred, adminAPIErr := checkAdminRequestAuth(ctx, r, action, "")
+ if adminAPIErr != ErrNone {
+ writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
+ return nil, cred
+ }
+
+ return objectAPI, cred
+}
+
+// AdminError - is a generic error for all admin APIs.
+type AdminError struct {
+ Code string
+ Message string
+ StatusCode int
+}
+
+func (ae AdminError) Error() string {
+ return ae.Message
+}
+
+func toAdminAPIErr(ctx context.Context, err error) APIError {
+ if err == nil {
+ return noError
+ }
+
+ var apiErr APIError
+ switch e := err.(type) {
+ case iampolicy.Error:
+ apiErr = APIError{
+ Code: "XMinioMalformedIAMPolicy",
+ Description: e.Error(),
+ HTTPStatusCode: http.StatusBadRequest,
+ }
+ case config.Error:
+ apiErr = APIError{
+ Code: "XMinioConfigError",
+ Description: e.Error(),
+ HTTPStatusCode: http.StatusBadRequest,
+ }
+ case AdminError:
+ apiErr = APIError{
+ Code: e.Code,
+ Description: e.Message,
+ HTTPStatusCode: e.StatusCode,
+ }
+ default:
+ switch {
+ case errors.Is(err, errConfigNotFound):
+ apiErr = APIError{
+ Code: "XMinioConfigError",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusNotFound,
+ }
+ case errors.Is(err, errIAMActionNotAllowed):
+ apiErr = APIError{
+ Code: "XMinioIAMActionNotAllowed",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusForbidden,
+ }
+ case errors.Is(err, errIAMNotInitialized):
+ apiErr = APIError{
+ Code: "XMinioIAMNotInitialized",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusServiceUnavailable,
+ }
+ case errors.Is(err, kes.ErrKeyExists):
+ apiErr = APIError{
+ Code: "XMinioKMSKeyExists",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusConflict,
+ }
+
+ // Tier admin API errors
+ case errors.Is(err, madmin.ErrTierNameEmpty):
+ apiErr = APIError{
+ Code: "XMinioAdminTierNameEmpty",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusBadRequest,
+ }
+ case errors.Is(err, madmin.ErrTierInvalidConfig):
+ apiErr = APIError{
+ Code: "XMinioAdminTierInvalidConfig",
+ Description: err.Error(),
+ HTTPStatusCode: http.StatusBadRequest,
+ }
+ case errors.Is(err, madmin.ErrTierInvalidConfigVersion):
+ apiErr = APIError{
+ Code: "XMinioAdminTierInvalidConfigVersion",
+ Description: err.Error(),
+ HTTPStatusCode:
http.StatusBadRequest, + } + case errors.Is(err, madmin.ErrTierTypeUnsupported): + apiErr = APIError{ + Code: "XMinioAdminTierTypeUnsupported", + Description: err.Error(), + HTTPStatusCode: http.StatusBadRequest, + } + case errors.Is(err, errTierBackendInUse): + apiErr = APIError{ + Code: "XMinioAdminTierBackendInUse", + Description: err.Error(), + HTTPStatusCode: http.StatusConflict, + } + case errors.Is(err, errTierInsufficientCreds): + apiErr = APIError{ + Code: "XMinioAdminTierInsufficientCreds", + Description: err.Error(), + HTTPStatusCode: http.StatusBadRequest, + } + case errIsTierPermError(err): + apiErr = APIError{ + Code: "XMinioAdminTierInsufficientPermissions", + Description: err.Error(), + HTTPStatusCode: http.StatusBadRequest, + } + default: + apiErr = errorCodes.ToAPIErrWithErr(toAdminAPIErrCode(ctx, err), err) + } + } + return apiErr +} + +// toAdminAPIErrCode - converts errErasureWriteQuorum error to admin API +// specific error. +func toAdminAPIErrCode(ctx context.Context, err error) APIErrorCode { + switch err { + case errErasureWriteQuorum: + return ErrAdminConfigNoQuorum + default: + return toAPIErrorCode(ctx, err) + } +} diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go index 1a34e6324..08fbbd0ca 100644 --- a/cmd/admin-handlers-config-kv.go +++ b/cmd/admin-handlers-config-kv.go @@ -19,7 +19,6 @@ package cmd import ( "bytes" - "context" "encoding/json" "io" "net/http" @@ -28,7 +27,6 @@ import ( "github.com/gorilla/mux" "github.com/minio/madmin-go" - "github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config/cache" "github.com/minio/minio/internal/config/etcd" 
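Review bot: `validateAdminReq` is now the single authentication gate for the admin handlers touched here, but it has no doc comment and its contract is easy to misuse: when it returns a nil `ObjectLayer` it has already written the error response, so the caller must return without writing anything else and should not rely on the returned credentials. I would state that above the function, e.g. `// validateAdminReq checks that the server is initialized and that the request is authorized for action. On failure it writes the error response itself and returns a nil ObjectLayer; callers must return immediately.` Separately, `toAdminAPIErr` matches `iampolicy.Error`, `config.Error` and `AdminError` with a type switch while its default branch uses `errors.Is`, so a wrapped error of one of those types would fall through to the generic mapping; a one-line comment saying whether wrapped errors are expected there would settle it.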
@@ -40,31 +38,13 @@ import ( iampolicy "github.com/minio/pkg/iam/policy" ) -func validateAdminReqConfigKV(ctx context.Context, w http.ResponseWriter, r *http.Request) (auth.Credentials, ObjectLayer) { - // Get current object layer instance. - objectAPI := newObjectLayerFn() - if objectAPI == nil { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) - return auth.Credentials{}, nil - } - - // Validate request signature. - cred, adminAPIErr := checkAdminRequestAuth(ctx, r, iampolicy.ConfigUpdateAdminAction, "") - if adminAPIErr != ErrNone { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) - return cred, nil - } - - return cred, objectAPI -} - // DelConfigKVHandler - DELETE /minio/admin/v3/del-config-kv func (a adminAPIHandlers) DelConfigKVHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "DeleteConfigKV") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -106,7 +86,7 @@ func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -173,7 +153,7 @@ func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } 
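Review bot: The config handlers pick up an extra precondition that the commit message does not mention: the removed `validateAdminReqConfigKV` rejected a request only when `objectAPI == nil`, whereas the shared `validateAdminReq` also rejects it when `globalNotificationSys == nil`. Config endpoints that used to answer in that state will now return `ErrServerNotInitialized`. If this is intended, say so in the commit description or in a comment at the check, for example `// Admin APIs require both the object layer and the notification subsystem.`; if it is not, the config handlers need a variant without the second condition.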
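Review bot: `GetConfigKVHandler` authorizes a read with `iampolicy.ConfigUpdateAdminAction`, which was easy to overlook while it was hard-coded in the old helper but now reads like a copy-paste slip at the call site. The permission required is the same as before this commit, so a short comment is enough, for example `// Config reads are gated by the update action as well.`, together with the reason if there is one (none is stated in this diff). The same applies to the `ListConfigHistoryKVHandler`, `HelpConfigKVHandler` and `GetConfigHandler` hunks. The handler bodies continue outside the hunks.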
@@ -202,7 +182,7 @@ func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r * defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - _, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -239,7 +219,7 @@ func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - _, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -287,7 +267,7 @@ func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *h defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -327,7 +307,7 @@ func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Req defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - _, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -355,7 +335,7 @@ func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Reques defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } @@ -407,7 +387,7 @@ func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Reques defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - cred, objectAPI := validateAdminReqConfigKV(ctx, w, r) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ConfigUpdateAdminAction) if objectAPI == nil { return } 
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index 04665ceca..6922c5db5 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -19,7 +19,6 @@ package cmd import ( "bytes" - "context" "encoding/json" "errors" "io" @@ -29,40 +28,18 @@ import ( "github.com/gorilla/mux" "github.com/minio/madmin-go" - "github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/config/dns" "github.com/minio/minio/internal/logger" iampolicy "github.com/minio/pkg/iam/policy" ) -func validateAdminUsersReq(ctx context.Context, w http.ResponseWriter, r *http.Request, action iampolicy.AdminAction) (ObjectLayer, auth.Credentials) { - var cred auth.Credentials - var adminAPIErr APIErrorCode - - // Get current object layer instance. - objectAPI := newObjectLayerFn() - if objectAPI == nil || globalNotificationSys == nil { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) - return nil, cred - } - - // Validate request signature. - cred, adminAPIErr = checkAdminRequestAuth(ctx, r, action, "") - if adminAPIErr != ErrNone { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) - return nil, cred - } - - return objectAPI, cred -} - // RemoveUser - DELETE /minio/admin/v3/remove-user?accessKey= func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "RemoveUser") defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.DeleteUserAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DeleteUserAdminAction) if objectAPI == nil { return } 
@@ -100,7 +77,7 @@ func (a adminAPIHandlers) ListBucketUsers(w http.ResponseWriter, r *http.Request defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.ListUsersAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction) if objectAPI == nil { return } @@ -136,7 +113,7 @@ func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) { defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.ListUsersAdminAction) + objectAPI, cred := validateAdminReq(ctx, w, r, iampolicy.ListUsersAdminAction) if objectAPI == nil { return } @@ -234,7 +211,7 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.AddUserToGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AddUserToGroupAdminAction) if objectAPI == nil { return } @@ -279,7 +256,7 @@ func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) { defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetGroupAdminAction) if objectAPI == nil { return } @@ -308,7 +285,7 @@ func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) { defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListGroupsAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListGroupsAdminAction) if objectAPI == nil { return } 
@@ -334,7 +311,7 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.EnableGroupAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.EnableGroupAdminAction) if objectAPI == nil { return } @@ -371,7 +348,7 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.EnableUserAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.EnableUserAdminAction) if objectAPI == nil { return } @@ -1144,7 +1121,7 @@ func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Reques defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetPolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetPolicyAdminAction) if objectAPI == nil { return } @@ -1169,7 +1146,7 @@ func (a adminAPIHandlers) ListBucketPolicies(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) if objectAPI == nil { return } @@ -1205,7 +1182,7 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction) if objectAPI == nil { return } 
@@ -1239,7 +1216,7 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.DeletePolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DeletePolicyAdminAction) if objectAPI == nil { return } @@ -1267,7 +1244,7 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.CreatePolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.CreatePolicyAdminAction) if objectAPI == nil { return } @@ -1319,7 +1296,7 @@ func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) - objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.AttachPolicyAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AttachPolicyAdminAction) if objectAPI == nil { return } diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go index b86cd18fe..01f046e2a 100644 --- a/cmd/admin-handlers.go +++ b/cmd/admin-handlers.go @@ -23,7 +23,6 @@ import ( "crypto/subtle" "crypto/tls" "encoding/json" - "errors" "fmt" "hash/crc32" "io" @@ -42,10 +41,7 @@ import ( humanize "github.com/dustin/go-humanize" "github.com/gorilla/mux" "github.com/klauspost/compress/zip" - "github.com/minio/kes" "github.com/minio/madmin-go" - "github.com/minio/minio/internal/auth" - "github.com/minio/minio/internal/config" "github.com/minio/minio/internal/dsync" "github.com/minio/minio/internal/handlers" xhttp "github.com/minio/minio/internal/http" 
@@ -957,37 +953,6 @@ func (a adminAPIHandlers) SpeedtestHandler(w http.ResponseWriter, r *http.Reques w.(http.Flusher).Flush() } -func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, action iampolicy.AdminAction) (ObjectLayer, auth.Credentials) { - var cred auth.Credentials - var adminAPIErr APIErrorCode - // Get current object layer instance. - objectAPI := newObjectLayerFn() - if objectAPI == nil || globalNotificationSys == nil { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) - return nil, cred - } - - // Validate request signature. - cred, adminAPIErr = checkAdminRequestAuth(ctx, r, action, "") - if adminAPIErr != ErrNone { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) - return nil, cred - } - - return objectAPI, cred -} - -// AdminError - is a generic error for all admin APIs. -type AdminError struct { - Code string - Message string - StatusCode int -} - -func (ae AdminError) Error() string { - return ae.Message -} - // Admin API errors const ( AdminUpdateUnexpectedFailure = "XMinioAdminUpdateUnexpectedFailure" 
@@ -995,119 +960,6 @@ const ( AdminUpdateApplyFailure = "XMinioAdminUpdateApplyFailure" ) -// toAdminAPIErrCode - converts errErasureWriteQuorum error to admin API -// specific error. -func toAdminAPIErrCode(ctx context.Context, err error) APIErrorCode { - switch err { - case errErasureWriteQuorum: - return ErrAdminConfigNoQuorum - default: - return toAPIErrorCode(ctx, err) - } -} - -func toAdminAPIErr(ctx context.Context, err error) APIError { - if err == nil { - return noError - } - - var apiErr APIError - switch e := err.(type) { - case iampolicy.Error: - apiErr = APIError{ - Code: "XMinioMalformedIAMPolicy", - Description: e.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case config.Error: - apiErr = APIError{ - Code: "XMinioConfigError", - Description: e.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case AdminError: - apiErr = APIError{ - Code: e.Code, - Description: e.Message, - HTTPStatusCode: e.StatusCode, - } - default: - switch { - case errors.Is(err, errConfigNotFound): - apiErr = APIError{ - Code: "XMinioConfigError", - Description: err.Error(), - HTTPStatusCode: http.StatusNotFound, - } - case errors.Is(err, errIAMActionNotAllowed): - apiErr = APIError{ - Code: "XMinioIAMActionNotAllowed", - Description: err.Error(), - HTTPStatusCode: http.StatusForbidden, - } - case errors.Is(err, errIAMNotInitialized): - apiErr = APIError{ - Code: "XMinioIAMNotInitialized", - Description: err.Error(), - HTTPStatusCode: http.StatusServiceUnavailable, - } - case errors.Is(err, kes.ErrKeyExists): - apiErr = APIError{ - Code: "XMinioKMSKeyExists", - Description: err.Error(), - HTTPStatusCode: http.StatusConflict, - } - - // Tier admin API errors - case errors.Is(err, madmin.ErrTierNameEmpty): - apiErr = APIError{ - Code: "XMinioAdminTierNameEmpty", - Description: err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case errors.Is(err, madmin.ErrTierInvalidConfig): - apiErr = APIError{ - Code: "XMinioAdminTierInvalidConfig", - Description: 
err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case errors.Is(err, madmin.ErrTierInvalidConfigVersion): - apiErr = APIError{ - Code: "XMinioAdminTierInvalidConfigVersion", - Description: err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case errors.Is(err, madmin.ErrTierTypeUnsupported): - apiErr = APIError{ - Code: "XMinioAdminTierTypeUnsupported", - Description: err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case errors.Is(err, errTierBackendInUse): - apiErr = APIError{ - Code: "XMinioAdminTierBackendInUse", - Description: err.Error(), - HTTPStatusCode: http.StatusConflict, - } - case errors.Is(err, errTierInsufficientCreds): - apiErr = APIError{ - Code: "XMinioAdminTierInsufficientCreds", - Description: err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - case errIsTierPermError(err): - apiErr = APIError{ - Code: "XMinioAdminTierInsufficientPermissions", - Description: err.Error(), - HTTPStatusCode: http.StatusBadRequest, - } - default: - apiErr = errorCodes.ToAPIErrWithErr(toAdminAPIErrCode(ctx, err), err) - } - } - return apiErr -} - // Returns true if the madmin.TraceInfo should be traced, // false if certain conditions are not met. // - input entry is not of the type *madmin.TraceInfo* diff --git a/cmd/tier-handlers.go b/cmd/tier-handlers.go index 8d94950e7..bf06e38e8 100644 --- a/cmd/tier-handlers.go +++ b/cmd/tier-handlers.go @@ -72,7 +72,7 @@ func (api adminAPIHandlers) AddTierHandler(w http.ResponseWriter, r *http.Reques return } - objAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.SetTierAction) + objAPI, cred := validateAdminReq(ctx, w, r, iampolicy.SetTierAction) if objAPI == nil || globalNotificationSys == nil || globalTierConfigMgr == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return 
@@ -124,7 +124,7 @@ func (api adminAPIHandlers) ListTierHandler(w http.ResponseWriter, r *http.Reque return } - objAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListTierAction) + objAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListTierAction) if objAPI == nil || globalNotificationSys == nil || globalTierConfigMgr == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return @@ -150,7 +150,7 @@ func (api adminAPIHandlers) EditTierHandler(w http.ResponseWriter, r *http.Reque return } - objAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.SetTierAction) + objAPI, cred := validateAdminReq(ctx, w, r, iampolicy.SetTierAction) if objAPI == nil || globalNotificationSys == nil || globalTierConfigMgr == nil { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL) return