fix: send valid claims in AuditLogs for browser requests (#9713)

Additionally also fix STS logs to filter out LDAP
password to be sent out in audit logs.

Bonus fix: handle the reload of users properly by
making sure that newer users are preserved during the
reload and not invalidated.

Fixes #9707
Fixes #9644
Fixes #9651
This commit is contained in:
Harshavardhana
2020-05-27 12:38:44 -07:00
committed by GitHub
parent e5ecd20d44
commit 7cedc5369d
5 changed files with 106 additions and 29 deletions


@@ -944,13 +944,17 @@ func (web *webAPIHandlers) CreateURLToken(r *http.Request, args *WebGenericArgs,
func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "WebUpload")
defer logger.AuditLog(w, r, "WebUpload", mustGetClaimsFromToken(r))
// obtain the claims here if possible, for audit logging.
claims, owner, authErr := webRequestAuthenticate(r)
defer logger.AuditLog(w, r, "WebUpload", claims.Map())
objectAPI := web.ObjectAPI()
if objectAPI == nil {
writeWebErrorResponse(w, errServerNotInitialized)
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := url.PathUnescape(vars["object"])
@@ -961,8 +965,6 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
retPerms := ErrAccessDenied
holdPerms := ErrAccessDenied
claims, owner, authErr := webRequestAuthenticate(r)
if authErr != nil {
if authErr == errNoAuthToken {
// Check if anonymous (non-owner) has access to upload objects.
@@ -1167,7 +1169,10 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "WebDownload")
defer logger.AuditLog(w, r, "WebDownload", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
claims, owner, authErr := webTokenAuthenticate(r.URL.Query().Get("token"))
defer logger.AuditLog(w, r, "WebDownload", claims.Map())
objectAPI := web.ObjectAPI()
if objectAPI == nil {
@@ -1175,19 +1180,16 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
return
}
vars := mux.Vars(r)
bucket := vars["bucket"]
object, err := url.PathUnescape(vars["object"])
if err != nil {
writeWebErrorResponse(w, err)
return
}
token := r.URL.Query().Get("token")
getRetPerms := ErrAccessDenied
legalHoldPerms := ErrAccessDenied
claims, owner, authErr := webTokenAuthenticate(token)
if authErr != nil {
if authErr == errNoAuthToken {
// Check if anonymous (non-owner) has access to download objects.
@@ -1359,8 +1361,10 @@ type DownloadZipArgs struct {
func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
host := handlers.GetSourceIP(r)
claims, owner, authErr := webTokenAuthenticate(r.URL.Query().Get("token"))
ctx := newContext(r, w, "WebDownloadZip")
defer logger.AuditLog(w, r, "WebDownloadZip", mustGetClaimsFromToken(r))
defer logger.AuditLog(w, r, "WebDownloadZip", claims.Map())
objectAPI := web.ObjectAPI()
if objectAPI == nil {
@@ -1377,8 +1381,7 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
writeWebErrorResponse(w, decodeErr)
return
}
token := r.URL.Query().Get("token")
claims, owner, authErr := webTokenAuthenticate(token)
var getRetPerms []APIErrorCode
var legalHoldPerms []APIErrorCode
@@ -1592,6 +1595,7 @@ type GetBucketPolicyRep struct {
// GetBucketPolicy - get bucket policy for the requested prefix.
func (web *webAPIHandlers) GetBucketPolicy(r *http.Request, args *GetBucketPolicyArgs, reply *GetBucketPolicyRep) error {
ctx := newWebContext(r, args, "WebGetBucketPolicy")
objectAPI := web.ObjectAPI()
if objectAPI == nil {
return toJSONError(ctx, errServerNotInitialized)