mirror of
https://github.com/minio/minio.git
synced 2025-01-26 06:03:17 -05:00
54ae364def
This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
120 lines
3.9 KiB
Go
120 lines
3.9 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2018 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"encoding/xml"
|
|
"net/http"
|
|
)
|
|
|
|
// writeSTSErrorRespone writes error headers
|
|
func writeSTSErrorResponse(w http.ResponseWriter, errorCode STSErrorCode) {
|
|
stsError := getSTSError(errorCode)
|
|
// Generate error response.
|
|
stsErrorResponse := getSTSErrorResponse(stsError)
|
|
encodedErrorResponse := encodeResponse(stsErrorResponse)
|
|
writeResponse(w, stsError.HTTPStatusCode, encodedErrorResponse, mimeXML)
|
|
}
|
|
|
|
// STSError structure
|
|
type STSError struct {
|
|
Code string
|
|
Description string
|
|
HTTPStatusCode int
|
|
}
|
|
|
|
// STSErrorResponse - error response format
|
|
type STSErrorResponse struct {
|
|
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
|
|
Error struct {
|
|
Type string `xml:"Type"`
|
|
Code string `xml:"Code"`
|
|
Message string `xml:"Message"`
|
|
} `xml:"Error"`
|
|
RequestID string `xml:"RequestId"`
|
|
}
|
|
|
|
// STSErrorCode type of error status.
|
|
type STSErrorCode int
|
|
|
|
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
|
|
const (
|
|
ErrSTSNone STSErrorCode = iota
|
|
ErrSTSMissingParameter
|
|
ErrSTSInvalidParameterValue
|
|
ErrSTSClientGrantsExpiredToken
|
|
ErrSTSInvalidClientGrantsToken
|
|
ErrSTSMalformedPolicyDocument
|
|
ErrSTSNotInitialized
|
|
ErrSTSInternalError
|
|
)
|
|
|
|
// error code to STSError structure, these fields carry respective
|
|
// descriptions for all the error responses.
|
|
var stsErrCodeResponse = map[STSErrorCode]STSError{
|
|
ErrSTSMissingParameter: {
|
|
Code: "MissingParameter",
|
|
Description: "A required parameter for the specified action is not supplied.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSInvalidParameterValue: {
|
|
Code: "InvalidParameterValue",
|
|
Description: "An invalid or out-of-range value was supplied for the input parameter.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSClientGrantsExpiredToken: {
|
|
Code: "ExpiredToken",
|
|
Description: "The client grants that was passed is expired or is not valid.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSInvalidClientGrantsToken: {
|
|
Code: "InvalidClientGrantsToken",
|
|
Description: "The client grants token that was passed could not be validated by Minio.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSMalformedPolicyDocument: {
|
|
Code: "MalformedPolicyDocument",
|
|
Description: "The request was rejected because the policy document was malformed.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSNotInitialized: {
|
|
Code: "STSNotInitialized",
|
|
Description: "STS API not initialized, please try again.",
|
|
HTTPStatusCode: http.StatusServiceUnavailable,
|
|
},
|
|
ErrSTSInternalError: {
|
|
Code: "InternalError",
|
|
Description: "We encountered an internal error generating credentials, please try again.",
|
|
HTTPStatusCode: http.StatusInternalServerError,
|
|
},
|
|
}
|
|
|
|
// getSTSError provides STS Error for input STS error code.
|
|
func getSTSError(code STSErrorCode) STSError {
|
|
return stsErrCodeResponse[code]
|
|
}
|
|
|
|
// getErrorResponse gets in standard error and resource value and
|
|
// provides a encodable populated response values
|
|
func getSTSErrorResponse(err STSError) STSErrorResponse {
|
|
errRsp := STSErrorResponse{}
|
|
errRsp.Error.Code = err.Code
|
|
errRsp.Error.Message = err.Description
|
|
errRsp.RequestID = "3L137"
|
|
return errRsp
|
|
}
|