From df29d25e6b3d954181093d77fffedcd802ca805f Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Sat, 15 Jul 2023 02:34:55 +0100
Subject: [PATCH] return different status code for internode communication (#17655)

mc admin trace -a will be able to quickly show 401 Unauthorized header to pinpoint trivial issues between nodes, such as wrong root credentials and skewed time.
---
 cmd/jwt.go | 2 ++
 cmd/storage-rest-server.go | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/cmd/jwt.go b/cmd/jwt.go
index 154c92eba..fdfd4906c 100644
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -46,6 +46,8 @@ var (
 errAccessKeyDisabled = errors.New("The access key you provided is disabled")
 errAuthentication = errors.New("Authentication failed, check your access credentials")
 errNoAuthToken = errors.New("JWT token missing")
+ errSkewedAuthTime = errors.New("Skewed authenticationdate/time")
+ errMalformedAuth = errors.New("Malformed authentication input")
 )

 // cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
diff --git a/cmd/storage-rest-server.go b/cmd/storage-rest-server.go
index 41edf1509..005133bfc 100644
--- a/cmd/storage-rest-server.go
+++ b/cmd/storage-rest-server.go
@@ -56,9 +56,15 @@ type storageRESTServer struct {
 }

 func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
- if errors.Is(err, errDiskStale) {
+ err = unwrapAll(err)
+ switch err {
+ case errDiskStale:
 w.WriteHeader(http.StatusPreconditionFailed)
- } else {
+ case errFileNotFound, errFileVersionNotFound:
+ w.WriteHeader(http.StatusNotFound)
+ case errInvalidAccessKeyID, errAccessKeyDisabled, errNoAuthToken, errMalformedAuth, errAuthentication, errSkewedAuthTime:
+ w.WriteHeader(http.StatusUnauthorized)
+ default:
 w.WriteHeader(http.StatusForbidden)
 }
 w.Write([]byte(err.Error()))
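Review bot: The message added for errSkewedAuthTime reads `Skewed authenticationdate/time` on this page, with no space between "authentication" and "date". If the file really contains that text it should be `errors.New("Skewed authentication date/time")`, because writeErrorResponse sends this string to the peer and it is what an operator reads when chasing a 401. Neither new sentinel says when it is produced; a short comment on each would help, e.g. `// errSkewedAuthTime: X-Minio-Time differs from server time by more than DefaultSkewTime`. The `var (` block opens above the hunk.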
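Review bot: In writeErrorResponse the new `switch err` compares by identity after `err = unwrapAll(err)`, so an auth sentinel is recognised only when it is the innermost error of the chain. Any error that does not reduce to one of the listed sentinels falls to `default` and is still answered with 403, which is the ambiguity this commit sets out to remove. unwrapAll is defined outside this hunk, so its behaviour for a nil error or for multi-error wrappers cannot be checked here. Because `err` is reassigned, `w.Write([]byte(err.Error()))` now sends only the innermost message, and for the 401 cases that text tells a caller that has not authenticated which check failed. If that is intended, say so above the switch: `// 401 bodies name the failed auth check on purpose so traces can separate credential and clock problems from storage errors`. The function's closing brace lies outside the hunk.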
@@ -74,7 +80,7 @@ func storageServerRequestValidate(r *http.Request) error {
 if err == jwtreq.ErrNoTokenInRequest {
 return errNoAuthToken
 }
- return err
+ return errMalformedAuth
 }

 claims := xjwt.NewStandardClaims()
@@ -94,7 +100,7 @@ func storageServerRequestValidate(r *http.Request) error {
 requestTimeStr := r.Header.Get("X-Minio-Time")
 requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
 if err != nil {
- return err
+ return errMalformedAuth
 }
 utcNow := UTCNow()
 delta := requestTime.Sub(utcNow)
@@ -102,7 +108,7 @@ func storageServerRequestValidate(r *http.Request) error {
 delta *= -1
 }
 if delta > DefaultSkewTime {
- return fmt.Errorf("client time %v is too apart with server time %v", requestTime, utcNow)
+ return errSkewedAuthTime
 }

 return nil
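Review bot: All three changed returns in storageServerRequestValidate (this hunk and the two that follow) discard the underlying cause, so the token-extraction error, the rejected `X-Minio-Time` value and the measured skew are not recorded anywhere visible in these hunks. Keeping the server clock and parser detail out of the response is the safer choice, but an operator who sees 401 with errSkewedAuthTime cannot tell how large the skew is or which side is off. One option is to keep the sentinel innermost and carry the detail alongside it, e.g. `return fmt.Errorf("client time %v, server time %v: %w", requestTime, utcNow, errSkewedAuthTime)`. That is safe only if unwrapAll (not shown) reduces it to the sentinel before the body is written and the full error is logged on the server only. The function begins and ends outside these hunks, so other callers of its return value could not be checked.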