sts: validate if iam subsystem initialized in handlers (#17796)

2023-08-03 13:24:25 -07:00 · 2023-08-03 13:24:25 -07:00 · b762fbaf21
parent 0285df5a02
commit b762fbaf21
3 changed files with 32 additions and 5 deletions
--- a/cmd/sts-errors.go
+++ b/cmd/sts-errors.go
@ -39,7 +39,7 @@ func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode S
 		stsErrorResponse.Error.Message = errCtxt.Error()
 	}
 	switch errCode {
-	case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError:
+	case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError, ErrSTSIAMNotInitialized:
 		logger.LogIf(ctx, errCtxt, logger.Minio)
 	}
 	encodedErrorResponse := encodeResponse(stsErrorResponse)
@ -82,6 +82,7 @@ const (
 	ErrSTSInsecureConnection
 	ErrSTSInvalidClientCertificate
 	ErrSTSNotInitialized
+	ErrSTSIAMNotInitialized
 	ErrSTSUpstreamError
 	ErrSTSInternalError
 )
@ -149,6 +150,11 @@ var stsErrCodes = stsErrorCodeMap{
 		Description:    "STS API not initialized, please try again.",
 		HTTPStatusCode: http.StatusServiceUnavailable,
 	},
+	ErrSTSIAMNotInitialized: {
+		Code:           "STSIAMNotInitialized",
+		Description:    "STS IAM not initialized, please try again.",
+		HTTPStatusCode: http.StatusServiceUnavailable,
+	},
 	ErrSTSUpstreamError: {
 		Code:           "InternalError",
 		Description:    "An upstream service required for this operation failed - please try again or contact an administrator.",
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@ -374,6 +374,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 		}
 	}

+	if !globalIAMSys.Initialized() {
+		writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+		return
+	}
+
 	// Validate JWT; check clientID in claims matches the one associated with the roleArn
 	if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
 		switch err {
@ -612,6 +617,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 		}
 	}

+	if !globalIAMSys.Initialized() {
+		writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+		return
+	}
+
 	ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
 	if err != nil {
 		err = fmt.Errorf("LDAP server error: %w", err)
@ -700,6 +710,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 	claims := make(map[string]interface{})
 	defer logger.AuditLog(ctx, w, r, claims)

+	if !globalIAMSys.Initialized() {
+		writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+		return
+	}
+
 	if !globalIAMSys.STSTLSConfig.Enabled {
 		writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
 		return
@ -857,6 +872,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 	claims := make(map[string]interface{})
 	defer logger.AuditLog(ctx, w, r, claims)

+	if !globalIAMSys.Initialized() {
+		writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+		return
+	}
+
 	authn := newGlobalAuthNPluginFn()
 	if authn == nil {
 		writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
--- a/cmd/stserrorcode_string.go
+++ b/cmd/stserrorcode_string.go
@ -19,13 +19,14 @@ func _() {
 	_ = x[ErrSTSInsecureConnection-8]
 	_ = x[ErrSTSInvalidClientCertificate-9]
 	_ = x[ErrSTSNotInitialized-10]
-	_ = x[ErrSTSUpstreamError-11]
-	_ = x[ErrSTSInternalError-12]
+	_ = x[ErrSTSIAMNotInitialized-11]
+	_ = x[ErrSTSUpstreamError-12]
+	_ = x[ErrSTSInternalError-13]
 }

-const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSUpstreamErrorSTSInternalError"
+const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSIAMNotInitializedSTSUpstreamErrorSTSInternalError"

-var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 252, 268}
+var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 256, 272, 288}

 func (i STSErrorCode) String() string {
 	if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {