mirror of
https://github.com/minio/minio.git
synced 2025-01-24 13:13:16 -05:00
1330e59307
For a non-existent user server would return STS not initialized ``` aws --profile harsha --endpoint-url http://localhost:9000 \ sts assume-role \ --role-arn arn:xxx:xxx:xxx:xxxx \ --role-session-name anything ``` instead return an appropriate error as expected by STS API Additionally also format the `trace` output for STS APIs
152 lines
4.9 KiB
Go
152 lines
4.9 KiB
Go
/*
|
|
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"context"
|
|
"encoding/xml"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
xhttp "github.com/minio/minio/cmd/http"
|
|
"github.com/minio/minio/cmd/logger"
|
|
)
|
|
|
|
// writeSTSErrorRespone writes error headers
|
|
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) {
|
|
err := stsErrCodes.ToSTSErr(errCode)
|
|
// Generate error response.
|
|
stsErrorResponse := STSErrorResponse{}
|
|
stsErrorResponse.Error.Code = err.Code
|
|
stsErrorResponse.RequestID = w.Header().Get(xhttp.AmzRequestID)
|
|
stsErrorResponse.Error.Message = err.Description
|
|
if errCtxt != nil {
|
|
stsErrorResponse.Error.Message = fmt.Sprintf("%v", errCtxt)
|
|
}
|
|
logKind := logger.All
|
|
switch errCode {
|
|
case ErrSTSInternalError, ErrSTSNotInitialized:
|
|
logKind = logger.Minio
|
|
default:
|
|
logKind = logger.Application
|
|
}
|
|
logger.LogIf(ctx, errCtxt, logKind)
|
|
encodedErrorResponse := encodeResponse(stsErrorResponse)
|
|
writeResponse(w, err.HTTPStatusCode, encodedErrorResponse, mimeXML)
|
|
}
|
|
|
|
// STSError structure
|
|
type STSError struct {
|
|
Code string
|
|
Description string
|
|
HTTPStatusCode int
|
|
}
|
|
|
|
// STSErrorResponse - error response format
|
|
type STSErrorResponse struct {
|
|
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
|
|
Error struct {
|
|
Type string `xml:"Type"`
|
|
Code string `xml:"Code"`
|
|
Message string `xml:"Message"`
|
|
} `xml:"Error"`
|
|
RequestID string `xml:"RequestId"`
|
|
}
|
|
|
|
// STSErrorCode type of error status.
|
|
type STSErrorCode int
|
|
|
|
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
|
|
const (
|
|
ErrSTSNone STSErrorCode = iota
|
|
ErrSTSAccessDenied
|
|
ErrSTSMissingParameter
|
|
ErrSTSInvalidParameterValue
|
|
ErrSTSWebIdentityExpiredToken
|
|
ErrSTSClientGrantsExpiredToken
|
|
ErrSTSInvalidAccessKey
|
|
ErrSTSInvalidClientGrantsToken
|
|
ErrSTSMalformedPolicyDocument
|
|
ErrSTSNotInitialized
|
|
ErrSTSInternalError
|
|
)
|
|
|
|
type stsErrorCodeMap map[STSErrorCode]STSError
|
|
|
|
func (e stsErrorCodeMap) ToSTSErr(errCode STSErrorCode) STSError {
|
|
apiErr, ok := e[errCode]
|
|
if !ok {
|
|
return e[ErrSTSInternalError]
|
|
}
|
|
return apiErr
|
|
}
|
|
|
|
// error code to STSError structure, these fields carry respective
|
|
// descriptions for all the error responses.
|
|
var stsErrCodes = stsErrorCodeMap{
|
|
ErrSTSAccessDenied: {
|
|
Code: "AccessDenied",
|
|
Description: "Generating temporary credentials not allowed for this request.",
|
|
HTTPStatusCode: http.StatusForbidden,
|
|
},
|
|
ErrSTSMissingParameter: {
|
|
Code: "MissingParameter",
|
|
Description: "A required parameter for the specified action is not supplied.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSInvalidParameterValue: {
|
|
Code: "InvalidParameterValue",
|
|
Description: "An invalid or out-of-range value was supplied for the input parameter.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSWebIdentityExpiredToken: {
|
|
Code: "ExpiredToken",
|
|
Description: "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSClientGrantsExpiredToken: {
|
|
Code: "ExpiredToken",
|
|
Description: "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSInvalidClientGrantsToken: {
|
|
Code: "InvalidClientGrantsToken",
|
|
Description: "The client grants token that was passed could not be validated by MinIO.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSInvalidAccessKey: {
|
|
Code: "InvalidClientTokenId",
|
|
Description: "The security token included in the request is invalid.",
|
|
HTTPStatusCode: http.StatusForbidden,
|
|
},
|
|
ErrSTSMalformedPolicyDocument: {
|
|
Code: "MalformedPolicyDocument",
|
|
Description: "The request was rejected because the policy document was malformed.",
|
|
HTTPStatusCode: http.StatusBadRequest,
|
|
},
|
|
ErrSTSNotInitialized: {
|
|
Code: "STSNotInitialized",
|
|
Description: "STS API not initialized, please try again.",
|
|
HTTPStatusCode: http.StatusServiceUnavailable,
|
|
},
|
|
ErrSTSInternalError: {
|
|
Code: "InternalError",
|
|
Description: "We encountered an internal error generating credentials, please try again.",
|
|
HTTPStatusCode: http.StatusInternalServerError,
|
|
},
|
|
}
|