diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 8a88094fd..8488a95ba 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -830,7 +830,11 @@ func (a adminAPIHandlers) UpdateServiceAccount(w http.ResponseWriter, r *http.Re
 	}
 	condValues := getConditionValues(r, "", cred)
-	addExpirationToCondValues(updateReq.NewExpiration, condValues)
+	err = addExpirationToCondValues(updateReq.NewExpiration, condValues)
+	if err != nil {
+		writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
+		return
+	}
 	// Permission checks:
 	//
@@ -2459,11 +2463,16 @@ func (a adminAPIHandlers) ImportIAM(w http.ResponseWriter, r *http.Request) {
 	}
 }
-func addExpirationToCondValues(exp *time.Time, condValues map[string][]string) {
-	if exp == nil {
-		return
+func addExpirationToCondValues(exp *time.Time, condValues map[string][]string) error {
+	if exp == nil || exp.IsZero() || exp.Equal(timeSentinel) {
+		return nil
 	}
-	condValues["DurationSeconds"] = []string{strconv.FormatInt(int64(exp.Sub(time.Now()).Seconds()), 10)}
+	dur := exp.Sub(time.Now())
+	if dur <= 0 {
+		return errors.New("unsupported expiration time")
+	}
+	condValues["DurationSeconds"] = []string{strconv.FormatInt(int64(dur.Seconds()), 10)}
+	return nil
 }
 func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials, newServiceAccountOpts, madmin.AddServiceAccountReq, string, APIError) {
@@ -2528,7 +2537,10 @@ func commonAddServiceAccount(r *http.Request) (context.Context, auth.Credentials
 	}
 	condValues := getConditionValues(r, "", cred)
-	addExpirationToCondValues(createReq.Expiration, condValues)
+	err = addExpirationToCondValues(createReq.Expiration, condValues)
+	if err != nil {
+		return ctx, auth.Credentials{}, newServiceAccountOpts{}, madmin.AddServiceAccountReq{}, "", toAdminAPIErr(ctx, err)
+	}
 	// Check if action is allowed if creating access key for another user
 	// Check if action is explicitly denied if for self
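Review bot: The new error path in UpdateServiceAccount (and the matching one in the commonAddServiceAccount hunk further down) hands a plain `errors.New` value to `toAdminAPIErr`, so a caller who submits an expiration in the past is answered with whatever that helper maps an unknown error to; if, as is usual for such helpers, that is an internal-server-error code, a malformed client request is reported as a server fault and will show up as such in monitoring. Presumably there is an existing admin API error for bad request parameters in this package; mapping this case to it explicitly, e.g. `writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminInvalidArgument), r.URL)` with whichever invalid-argument code the package defines, keeps a bad expiry a 4xx. The enclosing handlers begin and end outside these hunks, so the surrounding flow is not visible here.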
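Review bot: In addExpirationToCondValues the `dur <= 0` guard still lets an expiration less than one second away through, and `int64(dur.Seconds())` truncates it to `"0"`, so the policy condition is evaluated with DurationSeconds of zero rather than a rejection; whether the condition evaluator treats zero as "no limit" or as "already expired" is not visible here, so it is safer to reject it at the source with `dur := time.Until(*exp)` and `if dur < time.Second {` before the existing `errors.New`. The error text `"unsupported expiration time"` does not say what was wrong; `"expiration time must be in the future"` tells the caller how to fix the request. The function is also exported-style logic with no doc comment; a one-liner such as `// addExpirationToCondValues sets DurationSeconds from exp, ignoring nil, zero and sentinel times, and rejects an expiration that is not in the future.` would cover it. The hunk shows no change to the import block, so `errors` is presumably already imported in this file — worth confirming.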