mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
sts: validate if iam subsystem initialized in handlers (#17796)
This commit is contained in:
parent
0285df5a02
commit
b762fbaf21
@ -39,7 +39,7 @@ func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode S
|
||||
stsErrorResponse.Error.Message = errCtxt.Error()
|
||||
}
|
||||
switch errCode {
|
||||
case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError:
|
||||
case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError, ErrSTSIAMNotInitialized:
|
||||
logger.LogIf(ctx, errCtxt, logger.Minio)
|
||||
}
|
||||
encodedErrorResponse := encodeResponse(stsErrorResponse)
|
||||
@ -82,6 +82,7 @@ const (
|
||||
ErrSTSInsecureConnection
|
||||
ErrSTSInvalidClientCertificate
|
||||
ErrSTSNotInitialized
|
||||
ErrSTSIAMNotInitialized
|
||||
ErrSTSUpstreamError
|
||||
ErrSTSInternalError
|
||||
)
|
||||
@ -149,6 +150,11 @@ var stsErrCodes = stsErrorCodeMap{
|
||||
Description: "STS API not initialized, please try again.",
|
||||
HTTPStatusCode: http.StatusServiceUnavailable,
|
||||
},
|
||||
ErrSTSIAMNotInitialized: {
|
||||
Code: "STSIAMNotInitialized",
|
||||
Description: "STS IAM not initialized, please try again.",
|
||||
HTTPStatusCode: http.StatusServiceUnavailable,
|
||||
},
|
||||
ErrSTSUpstreamError: {
|
||||
Code: "InternalError",
|
||||
Description: "An upstream service required for this operation failed - please try again or contact an administrator.",
|
||||
|
@ -374,6 +374,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
||||
}
|
||||
}
|
||||
|
||||
if !globalIAMSys.Initialized() {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||
return
|
||||
}
|
||||
|
||||
// Validate JWT; check clientID in claims matches the one associated with the roleArn
|
||||
if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
|
||||
switch err {
|
||||
@ -612,6 +617,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
||||
}
|
||||
}
|
||||
|
||||
if !globalIAMSys.Initialized() {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||
return
|
||||
}
|
||||
|
||||
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("LDAP server error: %w", err)
|
||||
@ -700,6 +710,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
if !globalIAMSys.Initialized() {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||
return
|
||||
}
|
||||
|
||||
if !globalIAMSys.STSTLSConfig.Enabled {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
||||
return
|
||||
@ -857,6 +872,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
|
||||
claims := make(map[string]interface{})
|
||||
defer logger.AuditLog(ctx, w, r, claims)
|
||||
|
||||
if !globalIAMSys.Initialized() {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||
return
|
||||
}
|
||||
|
||||
authn := newGlobalAuthNPluginFn()
|
||||
if authn == nil {
|
||||
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
|
||||
|
@ -19,13 +19,14 @@ func _() {
|
||||
_ = x[ErrSTSInsecureConnection-8]
|
||||
_ = x[ErrSTSInvalidClientCertificate-9]
|
||||
_ = x[ErrSTSNotInitialized-10]
|
||||
_ = x[ErrSTSUpstreamError-11]
|
||||
_ = x[ErrSTSInternalError-12]
|
||||
_ = x[ErrSTSIAMNotInitialized-11]
|
||||
_ = x[ErrSTSUpstreamError-12]
|
||||
_ = x[ErrSTSInternalError-13]
|
||||
}
|
||||
|
||||
const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSUpstreamErrorSTSInternalError"
|
||||
const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSIAMNotInitializedSTSUpstreamErrorSTSInternalError"
|
||||
|
||||
var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 252, 268}
|
||||
var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 256, 272, 288}
|
||||
|
||||
func (i STSErrorCode) String() string {
|
||||
if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {
|
||||
|
Loading…
Reference in New Issue
Block a user