Ensure that AssumeRole calls are sent to Audit log (#14202)
When authentication fails, MinIO was not sending out an Audit log event for this STS call.
This commit is contained in:
parent
a2a48cc065
commit
c3d9c45f58
@ -132,24 +132,23 @@ func registerSTSRouter(router *mux.Router) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
|
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
|
||||||
switch getRequestAuthType(r) {
|
if !isRequestSignatureV4(r) {
|
||||||
default:
|
|
||||||
return user, true, ErrSTSAccessDenied
|
return user, true, ErrSTSAccessDenied
|
||||||
case authTypeSigned:
|
}
|
||||||
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
|
|
||||||
if s3Err != ErrNone {
|
|
||||||
return user, false, STSErrorCode(s3Err)
|
|
||||||
}
|
|
||||||
|
|
||||||
user, _, s3Err = getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
|
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
|
||||||
if s3Err != ErrNone {
|
if s3Err != ErrNone {
|
||||||
return user, false, STSErrorCode(s3Err)
|
return user, false, STSErrorCode(s3Err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Temporary credentials or Service accounts cannot generate further temporary credentials.
|
user, _, s3Err = getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
|
||||||
if user.IsTemp() || user.IsServiceAccount() {
|
if s3Err != ErrNone {
|
||||||
return user, true, ErrSTSAccessDenied
|
return user, false, STSErrorCode(s3Err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Temporary credentials or Service accounts cannot generate further temporary credentials.
|
||||||
|
if user.IsTemp() || user.IsServiceAccount() {
|
||||||
|
return user, true, ErrSTSAccessDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
// Session tokens are not allowed in STS AssumeRole requests.
|
// Session tokens are not allowed in STS AssumeRole requests.
|
||||||
@ -178,11 +177,11 @@ func parseForm(r *http.Request) error {
|
|||||||
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
||||||
ctx := newContext(r, w, "AssumeRole")
|
ctx := newContext(r, w, "AssumeRole")
|
||||||
|
|
||||||
|
// Check auth here (otherwise r.Form will have unexpected values from
|
||||||
|
// the call to `parseForm` below), but return failure only after we are
|
||||||
|
// able to validate that it is a valid STS request, so that we are able
|
||||||
|
// to send an appropriate audit log.
|
||||||
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
|
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
|
||||||
if stsErr != ErrSTSNone {
|
|
||||||
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := parseForm(r); err != nil {
|
if err := parseForm(r); err != nil {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
|
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
|
||||||
@ -205,6 +204,13 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
|
|||||||
ctx = newContext(r, w, action)
|
ctx = newContext(r, w, action)
|
||||||
defer logger.AuditLog(ctx, w, r, nil)
|
defer logger.AuditLog(ctx, w, r, nil)
|
||||||
|
|
||||||
|
// Validate the authentication result here so that failures will be
|
||||||
|
// audit-logged.
|
||||||
|
if stsErr != ErrSTSNone {
|
||||||
|
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
sessionPolicyStr := r.Form.Get(stsPolicy)
|
sessionPolicyStr := r.Form.Get(stsPolicy)
|
||||||
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
|
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
|
||||||
// The plain text that you use for both inline and managed session
|
// The plain text that you use for both inline and managed session
|
||||||
|
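Review bot: The deferred auth-failure response in AssumeRole still reaches the audit logger only when parseForm succeeds: the `writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)` return in the second hunk runs before the `defer logger.AuditLog(ctx, w, r, nil)` installed in the third hunk, so an unauthenticated request with a malformed form is rejected with a parameter error and is still not audit-logged, which is the gap this commit set out to close. The same applies to whatever action validation sits between the second and third hunks, which is outside the visible diff. One option is to give auth precedence in that early branch, e.g. `if stsErr != ErrSTSNone { writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil); return }` before writing the parameter error, or to set up the audit log before parseForm while keeping the later newContext with the action. In checkAssumeRoleAuth the new `if !isRequestSignatureV4(r)` guard deserves a short comment stating that only SigV4-signed requests may call AssumeRole and everything else is denied before the form is parsed; the remainder of that function continues past the first hunk.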