Ensure that AssumeRole calls are sent to Audit log (#14202)

When authentication fails, MinIO was not sending out an Audit log
event for this STS call.
Aditya Manthramurthy 2022-01-27 16:17:11 -08:00 committed by GitHub
parent a2a48cc065
commit c3d9c45f58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -132,10 +132,10 @@ func registerSTSRouter(router *mux.Router) {
} }
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) { func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
switch getRequestAuthType(r) { if !isRequestSignatureV4(r) {
default:
return user, true, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
case authTypeSigned: }
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS) s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
if s3Err != ErrNone { if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err) return user, false, STSErrorCode(s3Err)
@ -150,7 +150,6 @@ func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Creden
if user.IsTemp() || user.IsServiceAccount() { if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied return user, true, ErrSTSAccessDenied
} }
}
// Session tokens are not allowed in STS AssumeRole requests. // Session tokens are not allowed in STS AssumeRole requests.
if getSessionToken(r) != "" { if getSessionToken(r) != "" {
@ -178,11 +177,11 @@ func parseForm(r *http.Request) error {
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) { func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole") ctx := newContext(r, w, "AssumeRole")
// Check auth here (otherwise r.Form will have unexpected values from
// the call to `parseForm` below), but return failure only after we are
// able to validate that it is a valid STS request, so that we are able
// to send an appropriate audit log.
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r) user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
if err := parseForm(r); err != nil { if err := parseForm(r); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
@ -205,6 +204,13 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx = newContext(r, w, action) ctx = newContext(r, w, action)
defer logger.AuditLog(ctx, w, r, nil) defer logger.AuditLog(ctx, w, r, nil)
// Validate the authentication result here so that failures will be
// audit-logged.
if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
sessionPolicyStr := r.Form.Get(stsPolicy) sessionPolicyStr := r.Form.Get(stsPolicy)
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html // https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session // The plain text that you use for both inline and managed session