mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
sts: validate if iam subsystem initialized in handlers (#17796)
This commit is contained in:
parent
0285df5a02
commit
b762fbaf21
@ -39,7 +39,7 @@ func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode S
|
|||||||
stsErrorResponse.Error.Message = errCtxt.Error()
|
stsErrorResponse.Error.Message = errCtxt.Error()
|
||||||
}
|
}
|
||||||
switch errCode {
|
switch errCode {
|
||||||
case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError:
|
case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError, ErrSTSIAMNotInitialized:
|
||||||
logger.LogIf(ctx, errCtxt, logger.Minio)
|
logger.LogIf(ctx, errCtxt, logger.Minio)
|
||||||
}
|
}
|
||||||
encodedErrorResponse := encodeResponse(stsErrorResponse)
|
encodedErrorResponse := encodeResponse(stsErrorResponse)
|
||||||
@ -82,6 +82,7 @@ const (
|
|||||||
ErrSTSInsecureConnection
|
ErrSTSInsecureConnection
|
||||||
ErrSTSInvalidClientCertificate
|
ErrSTSInvalidClientCertificate
|
||||||
ErrSTSNotInitialized
|
ErrSTSNotInitialized
|
||||||
|
ErrSTSIAMNotInitialized
|
||||||
ErrSTSUpstreamError
|
ErrSTSUpstreamError
|
||||||
ErrSTSInternalError
|
ErrSTSInternalError
|
||||||
)
|
)
|
||||||
@ -149,6 +150,11 @@ var stsErrCodes = stsErrorCodeMap{
|
|||||||
Description: "STS API not initialized, please try again.",
|
Description: "STS API not initialized, please try again.",
|
||||||
HTTPStatusCode: http.StatusServiceUnavailable,
|
HTTPStatusCode: http.StatusServiceUnavailable,
|
||||||
},
|
},
|
||||||
|
ErrSTSIAMNotInitialized: {
|
||||||
|
Code: "STSIAMNotInitialized",
|
||||||
|
Description: "STS IAM not initialized, please try again.",
|
||||||
|
HTTPStatusCode: http.StatusServiceUnavailable,
|
||||||
|
},
|
||||||
ErrSTSUpstreamError: {
|
ErrSTSUpstreamError: {
|
||||||
Code: "InternalError",
|
Code: "InternalError",
|
||||||
Description: "An upstream service required for this operation failed - please try again or contact an administrator.",
|
Description: "An upstream service required for this operation failed - please try again or contact an administrator.",
|
||||||
|
@ -374,6 +374,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !globalIAMSys.Initialized() {
|
||||||
|
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Validate JWT; check clientID in claims matches the one associated with the roleArn
|
// Validate JWT; check clientID in claims matches the one associated with the roleArn
|
||||||
if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
|
if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
@ -612,6 +617,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !globalIAMSys.Initialized() {
|
||||||
|
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
|
ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
err = fmt.Errorf("LDAP server error: %w", err)
|
err = fmt.Errorf("LDAP server error: %w", err)
|
||||||
@ -700,6 +710,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
|||||||
claims := make(map[string]interface{})
|
claims := make(map[string]interface{})
|
||||||
defer logger.AuditLog(ctx, w, r, claims)
|
defer logger.AuditLog(ctx, w, r, claims)
|
||||||
|
|
||||||
|
if !globalIAMSys.Initialized() {
|
||||||
|
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if !globalIAMSys.STSTLSConfig.Enabled {
|
if !globalIAMSys.STSTLSConfig.Enabled {
|
||||||
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
|
||||||
return
|
return
|
||||||
@ -857,6 +872,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
|
|||||||
claims := make(map[string]interface{})
|
claims := make(map[string]interface{})
|
||||||
defer logger.AuditLog(ctx, w, r, claims)
|
defer logger.AuditLog(ctx, w, r, claims)
|
||||||
|
|
||||||
|
if !globalIAMSys.Initialized() {
|
||||||
|
writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
authn := newGlobalAuthNPluginFn()
|
authn := newGlobalAuthNPluginFn()
|
||||||
if authn == nil {
|
if authn == nil {
|
||||||
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
|
writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
|
||||||
|
@ -19,13 +19,14 @@ func _() {
|
|||||||
_ = x[ErrSTSInsecureConnection-8]
|
_ = x[ErrSTSInsecureConnection-8]
|
||||||
_ = x[ErrSTSInvalidClientCertificate-9]
|
_ = x[ErrSTSInvalidClientCertificate-9]
|
||||||
_ = x[ErrSTSNotInitialized-10]
|
_ = x[ErrSTSNotInitialized-10]
|
||||||
_ = x[ErrSTSUpstreamError-11]
|
_ = x[ErrSTSIAMNotInitialized-11]
|
||||||
_ = x[ErrSTSInternalError-12]
|
_ = x[ErrSTSUpstreamError-12]
|
||||||
|
_ = x[ErrSTSInternalError-13]
|
||||||
}
|
}
|
||||||
|
|
||||||
const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSUpstreamErrorSTSInternalError"
|
const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSIAMNotInitializedSTSUpstreamErrorSTSInternalError"
|
||||||
|
|
||||||
var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 252, 268}
|
var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 256, 272, 288}
|
||||||
|
|
||||||
func (i STSErrorCode) String() string {
|
func (i STSErrorCode) String() string {
|
||||||
if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {
|
if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {
|
||||||
|
Loading…
Reference in New Issue
Block a user