Add more context aware error for policy parsing errors (#8726)

In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202
2025-11-09 21:49:46 -05:00 · 2020-01-03 11:28:52 -08:00
parent 84e55e2e6f
commit 6695fd6a61
23 changed files with 141 additions and 67 deletions
--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@@ -18,7 +18,6 @@ package iampolicy

 import (
 	"encoding/json"
-	"fmt"

 	"github.com/minio/minio/pkg/policy/condition"
 	"github.com/minio/minio/pkg/wildcard"
@@ -177,7 +176,7 @@ func (action Action) MarshalJSON() ([]byte, error) {
 		return json.Marshal(string(action))
 	}

-	return nil, fmt.Errorf("invalid action '%v'", action)
+	return nil, Errorf("invalid action '%v'", action)
 }

 // UnmarshalJSON - decodes JSON data to Action.
@@ -190,7 +189,7 @@ func (action *Action) UnmarshalJSON(data []byte) error {

 	a := Action(s)
 	if !a.IsValid() {
-		return fmt.Errorf("invalid action '%v'", s)
+		return Errorf("invalid action '%v'", s)
 	}

 	*action = a
@@ -209,7 +208,7 @@ func parseAction(s string) (Action, error) {
 		return action, nil
 	}

-	return action, fmt.Errorf("unsupported action '%v'", s)
+	return action, Errorf("unsupported action '%v'", s)
 }

 // actionConditionKeyMap - holds mapping of supported condition key for an action.
--- a/pkg/iam/policy/actionset.go
+++ b/pkg/iam/policy/actionset.go
@@ -58,7 +58,7 @@ func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet {
 // MarshalJSON - encodes ActionSet to JSON data.
 func (actionSet ActionSet) MarshalJSON() ([]byte, error) {
 	if len(actionSet) == 0 {
-		return nil, fmt.Errorf("empty action set")
+		return nil, Errorf("empty action set")
 	}

 	return json.Marshal(actionSet.ToSlice())
@@ -92,7 +92,7 @@ func (actionSet *ActionSet) UnmarshalJSON(data []byte) error {
 	}

 	if len(sset) == 0 {
-		return fmt.Errorf("empty action set")
+		return Errorf("empty action set")
 	}

 	*actionSet = make(ActionSet)
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@@ -17,8 +17,6 @@
 package iampolicy

 import (
-	"fmt"
-
 	"github.com/minio/minio/pkg/policy/condition"
 )

@@ -119,7 +117,7 @@ func parseAdminAction(s string) (AdminAction, error) {
 		return action, nil
 	}

-	return action, fmt.Errorf("unsupported action '%v'", s)
+	return action, Errorf("unsupported action '%v'", s)
 }

 // IsValid - checks if action is valid or not.
--- a/pkg/iam/policy/error.go
+++ b/pkg/iam/policy/error.go
@@ -0,0 +1,39 @@
+/*
+ * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package iampolicy
+
+import "fmt"
+
+// Error generic iam policy error type
+type Error struct {
+	Err string
+}
+
+// Errorf - formats according to a format specifier and returns
+// the string as a value that satisfies error of type iampolicy.Error
+func Errorf(format string, a ...interface{}) error {
+	return Error{Err: fmt.Sprintf(format, a...)}
+}
+
+// New initializes a new Error
+func New(err string) error {
+	return Error{Err: err}
+}
+
+func (e Error) Error() string {
+	return e.Err
+}
--- a/pkg/iam/policy/policy.go
+++ b/pkg/iam/policy/policy.go
@@ -18,7 +18,6 @@ package iampolicy

 import (
 	"encoding/json"
-	"fmt"
 	"io"

 	"github.com/minio/minio/pkg/policy"
@@ -81,7 +80,7 @@ func (iamp Policy) IsEmpty() bool {
 // isValid - checks if Policy is valid or not.
 func (iamp Policy) isValid() error {
 	if iamp.Version != DefaultVersion && iamp.Version != "" {
-		return fmt.Errorf("invalid version '%v'", iamp.Version)
+		return Errorf("invalid version '%v'", iamp.Version)
 	}

 	for _, statement := range iamp.Statements {
@@ -106,7 +105,7 @@ func (iamp Policy) isValid() error {
 				continue
 			}

-			return fmt.Errorf("duplicate actions %v, resources %v found in statements %v, %v",
+			return Errorf("duplicate actions %v, resources %v found in statements %v, %v",
 				actions, resources, iamp.Statements[i], statement)
 		}
 	}
--- a/pkg/iam/policy/resource.go
+++ b/pkg/iam/policy/resource.go
@@ -18,7 +18,6 @@ package iampolicy

 import (
 	"encoding/json"
-	"fmt"
 	"path"
 	"strings"

@@ -66,7 +65,7 @@ func (r Resource) Match(resource string, conditionValues map[string][]string) bo
 // MarshalJSON - encodes Resource to JSON data.
 func (r Resource) MarshalJSON() ([]byte, error) {
 	if !r.IsValid() {
-		return nil, fmt.Errorf("invalid resource %v", r)
+		return nil, Errorf("invalid resource %v", r)
 	}

 	return json.Marshal(r.String())
@@ -96,7 +95,7 @@ func (r *Resource) UnmarshalJSON(data []byte) error {
 // Validate - validates Resource is for given bucket or not.
 func (r Resource) Validate() error {
 	if !r.IsValid() {
-		return fmt.Errorf("invalid resource")
+		return Errorf("invalid resource")
 	}
 	return nil
 }
@@ -104,14 +103,14 @@ func (r Resource) Validate() error {
 // parseResource - parses string to Resource.
 func parseResource(s string) (Resource, error) {
 	if !strings.HasPrefix(s, ResourceARNPrefix) {
-		return Resource{}, fmt.Errorf("invalid resource '%v'", s)
+		return Resource{}, Errorf("invalid resource '%v'", s)
 	}

 	pattern := strings.TrimPrefix(s, ResourceARNPrefix)
 	tokens := strings.SplitN(pattern, "/", 2)
 	bucketName := tokens[0]
 	if bucketName == "" {
-		return Resource{}, fmt.Errorf("invalid resource format '%v'", s)
+		return Resource{}, Errorf("invalid resource format '%v'", s)
 	}

 	return Resource{
--- a/pkg/iam/policy/resourceset.go
+++ b/pkg/iam/policy/resourceset.go
@@ -69,7 +69,7 @@ func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet {
 // MarshalJSON - encodes ResourceSet to JSON data.
 func (resourceSet ResourceSet) MarshalJSON() ([]byte, error) {
 	if len(resourceSet) == 0 {
-		return nil, fmt.Errorf("empty resource set")
+		return nil, Errorf("empty resource set")
 	}

 	resources := []Resource{}
@@ -116,7 +116,7 @@ func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error {
 		}

 		if _, found := (*resourceSet)[resource]; found {
-			return fmt.Errorf("duplicate resource '%v' found", s)
+			return Errorf("duplicate resource '%v' found", s)
 		}

 		resourceSet.Add(resource)
--- a/pkg/iam/policy/statement.go
+++ b/pkg/iam/policy/statement.go
@@ -18,7 +18,6 @@ package iampolicy

 import (
 	"encoding/json"
-	"fmt"
 	"strings"

 	"github.com/minio/minio/pkg/policy"
@@ -74,11 +73,11 @@ func (statement Statement) isAdmin() bool {
 // isValid - checks whether statement is valid or not.
 func (statement Statement) isValid() error {
 	if !statement.Effect.IsValid() {
-		return fmt.Errorf("invalid Effect %v", statement.Effect)
+		return Errorf("invalid Effect %v", statement.Effect)
 	}

 	if len(statement.Actions) == 0 {
-		return fmt.Errorf("Action must not be empty")
+		return Errorf("Action must not be empty")
 	}

 	if statement.isAdmin() {
@@ -86,14 +85,14 @@ func (statement Statement) isValid() error {
 			keys := statement.Conditions.Keys()
 			keyDiff := keys.Difference(adminActionConditionKeyMap[action])
 			if !keyDiff.IsEmpty() {
-				return fmt.Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
+				return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
 			}
 		}
 		return nil
 	}

 	if len(statement.Resources) == 0 {
-		return fmt.Errorf("Resource must not be empty")
+		return Errorf("Resource must not be empty")
 	}

 	if err := statement.Resources.Validate(); err != nil {
@@ -102,13 +101,13 @@ func (statement Statement) isValid() error {

 	for action := range statement.Actions {
 		if !statement.Resources.objectResourceExists() && !statement.Resources.bucketResourceExists() {
-			return fmt.Errorf("unsupported Resource found %v for action %v", statement.Resources, action)
+			return Errorf("unsupported Resource found %v for action %v", statement.Resources, action)
 		}

 		keys := statement.Conditions.Keys()
 		keyDiff := keys.Difference(actionConditionKeyMap[action])
 		if !keyDiff.IsEmpty() {
-			return fmt.Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
+			return Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
 		}
 	}