sts: validate if iam subsystem initialized in handlers (#17796)

This commit is contained in:
Poorna 2023-08-03 13:24:25 -07:00 committed by GitHub
parent 0285df5a02
commit b762fbaf21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 5 deletions


@ -39,7 +39,7 @@ func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode S
stsErrorResponse.Error.Message = errCtxt.Error() stsErrorResponse.Error.Message = errCtxt.Error()
} }
switch errCode { switch errCode {
case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError: case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError, ErrSTSIAMNotInitialized:
logger.LogIf(ctx, errCtxt, logger.Minio) logger.LogIf(ctx, errCtxt, logger.Minio)
} }
encodedErrorResponse := encodeResponse(stsErrorResponse) encodedErrorResponse := encodeResponse(stsErrorResponse)
@ -82,6 +82,7 @@ const (
ErrSTSInsecureConnection ErrSTSInsecureConnection
ErrSTSInvalidClientCertificate ErrSTSInvalidClientCertificate
ErrSTSNotInitialized ErrSTSNotInitialized
ErrSTSIAMNotInitialized
ErrSTSUpstreamError ErrSTSUpstreamError
ErrSTSInternalError ErrSTSInternalError
) )
@ -149,6 +150,11 @@ var stsErrCodes = stsErrorCodeMap{
Description: "STS API not initialized, please try again.", Description: "STS API not initialized, please try again.",
HTTPStatusCode: http.StatusServiceUnavailable, HTTPStatusCode: http.StatusServiceUnavailable,
}, },
ErrSTSIAMNotInitialized: {
Code: "STSIAMNotInitialized",
Description: "STS IAM not initialized, please try again.",
HTTPStatusCode: http.StatusServiceUnavailable,
},
ErrSTSUpstreamError: { ErrSTSUpstreamError: {
Code: "InternalError", Code: "InternalError",
Description: "An upstream service required for this operation failed - please try again or contact an administrator.", Description: "An upstream service required for this operation failed - please try again or contact an administrator.",
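Review bot: Inserting ErrSTSIAMNotInitialized between ErrSTSNotInitialized and ErrSTSUpstreamError in the iota block renumbers ErrSTSUpstreamError and ErrSTSInternalError (the regenerated stringer in this commit shows them moving from 11/12 to 12/13). If STSErrorCode values are only compared in-process, as they appear to be here, that is harmless, but if any metric, log field or test pins the numeric value it changes silently; appending the new constant after ErrSTSInternalError would keep existing values stable. Separately, the wire code `STSIAMNotInitialized` is fine, but the description `STS IAM not initialized, please try again.` reads awkwardly — `IAM subsystem not initialized, please try again.` tells the caller what it is waiting on. writeSTSErrorResponse's body starts before the first hunk, so I can't tell whether a 503 here carries a Retry-After header; clients backing off during startup would benefit from one.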


@ -374,6 +374,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
} }
} }
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
// Validate JWT; check clientID in claims matches the one associated with the roleArn // Validate JWT; check clientID in claims matches the one associated with the roleArn
if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil { if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
switch err { switch err {
@ -612,6 +617,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
} }
} }
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword) ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
if err != nil { if err != nil {
err = fmt.Errorf("LDAP server error: %w", err) err = fmt.Errorf("LDAP server error: %w", err)
@ -700,6 +710,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
claims := make(map[string]interface{}) claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims) defer logger.AuditLog(ctx, w, r, claims)
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
if !globalIAMSys.STSTLSConfig.Enabled { if !globalIAMSys.STSTLSConfig.Enabled {
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled")) writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
return return
@ -857,6 +872,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
claims := make(map[string]interface{}) claims := make(map[string]interface{})
defer logger.AuditLog(ctx, w, r, claims) defer logger.AuditLog(ctx, w, r, claims)
if !globalIAMSys.Initialized() {
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
return
}
authn := newGlobalAuthNPluginFn() authn := newGlobalAuthNPluginFn()
if authn == nil { if authn == nil {
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled")) writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
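Review bot: The same four-line guard is pasted into four handlers, which is how the next STS handler (or any existing one not touched by this diff) ends up without it; a small helper on stsAPIHandlers that writes the 503 and reports whether to continue keeps the check in one place. Where visible the placement is right — in AssumeRoleWithCertificate and AssumeRoleWithCustomToken it runs after `defer logger.AuditLog`, so refused attempts are still audited, and it precedes any use of OpenIDConfig, LDAPConfig.Bind, STSTLSConfig or the authn plugin. AssumeRole (the access-key based call) is not in this diff; if it also reads globalIAMSys state before the policy store has loaded it presumably needs the same guard, but I can't confirm that from here. Each handler's body starts before and continues after its hunk.
```go
// iamReady reports whether the IAM subsystem has finished loading; when it has
// not, it writes a 503 STSIAMNotInitialized response and the caller must return.
func (sts *stsAPIHandlers) iamReady(ctx context.Context, w http.ResponseWriter) bool {
	if globalIAMSys.Initialized() {
		return true
	}
	writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
	return false
}

// … in each handler, replacing the inlined check …
if !sts.iamReady(ctx, w) {
	return
}
```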


@ -19,13 +19,14 @@ func _() {
_ = x[ErrSTSInsecureConnection-8] _ = x[ErrSTSInsecureConnection-8]
_ = x[ErrSTSInvalidClientCertificate-9] _ = x[ErrSTSInvalidClientCertificate-9]
_ = x[ErrSTSNotInitialized-10] _ = x[ErrSTSNotInitialized-10]
_ = x[ErrSTSUpstreamError-11] _ = x[ErrSTSIAMNotInitialized-11]
_ = x[ErrSTSInternalError-12] _ = x[ErrSTSUpstreamError-12]
_ = x[ErrSTSInternalError-13]
} }
const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSUpstreamErrorSTSInternalError" const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSIAMNotInitializedSTSUpstreamErrorSTSInternalError"
var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 252, 268} var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 256, 272, 288}
func (i STSErrorCode) String() string { func (i STSErrorCode) String() string {
if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) { if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {