fix remove LDAPPassword from audit logs (#9773)

the previous fix for #9707 was not correct, fix this properly passing the right filter keys to be filtered from the audit log output. Fixes #9767
2025-11-07 21:02:58 -05:00 · 2020-06-04 22:07:55 -07:00
parent 26cfd52e7e
commit d93bdea433
3 changed files with 22 additions and 27 deletions
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -1,5 +1,5 @@
 /*
- * MinIO Cloud Storage, (C) 2018, 2019 MinIO, Inc.
+ * MinIO Cloud Storage, (C) 2018-2020 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -173,7 +173,7 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	}

 	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
+	defer logger.AuditLog(w, r, action, nil)

 	sessionPolicyStr := r.Form.Get(stsPolicy)
 	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
@@ -258,15 +258,6 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
 	writeSuccessResponseXML(w, encodeResponse(assumeRoleResponse))
 }

-func stsAuditLog(w http.ResponseWriter, r *http.Request, action string) {
-	for _, k := range []string{
-		stsLDAPPassword, // cleanup any passwords before sending to audit logs.
-	} {
-		r.URL.Query().Del(k)
-	}
-	logger.AuditLog(w, r, action, nil)
-}
-
 func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "AssumeRoleJWTCommon")

@@ -290,7 +281,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 	}

 	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
+	defer logger.AuditLog(w, r, action, nil)

 	if globalOpenIDValidators == nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSNotInitialized, errServerNotInitialized)
@@ -437,6 +428,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *
 func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "AssumeRoleWithLDAPIdentity")

+	defer logger.AuditLog(w, r, "AssumeRoleWithLDAPIdentity", nil, stsLDAPPassword)
+
 	// Parse the incoming form data.
 	if err := r.ParseForm(); err != nil {
 		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
@@ -444,7 +437,16 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	}

 	if r.Form.Get(stsVersion) != stsAPIVersion {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter,
+			fmt.Errorf("Invalid STS API version %s, expecting %s", r.Form.Get("Version"), stsAPIVersion))
+		return
+	}
+
+	ldapUsername := r.Form.Get(stsLDAPUsername)
+	ldapPassword := r.Form.Get(stsLDAPPassword)
+
+	if ldapUsername == "" || ldapPassword == "" {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
 		return
 	}

@@ -456,17 +458,6 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 		return
 	}

-	ctx = newContext(r, w, action)
-	defer stsAuditLog(w, r, action)
-
-	ldapUsername := r.Form.Get(stsLDAPUsername)
-	ldapPassword := r.Form.Get(stsLDAPPassword)
-
-	if ldapUsername == "" || ldapPassword == "" {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, fmt.Errorf("LDAPUsername and LDAPPassword cannot be empty"))
-		return
-	}
-
 	sessionPolicyStr := r.Form.Get(stsPolicy)
 	// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 	// The plain text that you use for both inline and managed session