minio/cmd/sts-errors.go
Harshavardhana 1330e59307
accessKeyId missing should return appropriate error in AssumeRole (#9048)
For a non-existent user server would return STS not initialized
```
aws --profile harsha --endpoint-url http://localhost:9000 \
      sts assume-role \
      --role-arn arn:xxx:xxx:xxx:xxxx \
      --role-session-name anything
```

instead return an appropriate error as expected by STS API

Additionally also format the `trace` output for STS APIs
2020-02-26 12:26:47 -08:00

152 lines
4.9 KiB
Go

/*
* MinIO Cloud Storage, (C) 2018 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
"context"
"encoding/xml"
"fmt"
"net/http"
xhttp "github.com/minio/minio/cmd/http"
"github.com/minio/minio/cmd/logger"
)
// writeSTSErrorRespone writes error headers
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode STSErrorCode, errCtxt error) {
err := stsErrCodes.ToSTSErr(errCode)
// Generate error response.
stsErrorResponse := STSErrorResponse{}
stsErrorResponse.Error.Code = err.Code
stsErrorResponse.RequestID = w.Header().Get(xhttp.AmzRequestID)
stsErrorResponse.Error.Message = err.Description
if errCtxt != nil {
stsErrorResponse.Error.Message = fmt.Sprintf("%v", errCtxt)
}
logKind := logger.All
switch errCode {
case ErrSTSInternalError, ErrSTSNotInitialized:
logKind = logger.Minio
default:
logKind = logger.Application
}
logger.LogIf(ctx, errCtxt, logKind)
encodedErrorResponse := encodeResponse(stsErrorResponse)
writeResponse(w, err.HTTPStatusCode, encodedErrorResponse, mimeXML)
}
// STSError structure
type STSError struct {
Code string
Description string
HTTPStatusCode int
}
// STSErrorResponse - error response format
type STSErrorResponse struct {
XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
Error struct {
Type string `xml:"Type"`
Code string `xml:"Code"`
Message string `xml:"Message"`
} `xml:"Error"`
RequestID string `xml:"RequestId"`
}
// STSErrorCode type of error status.
type STSErrorCode int
// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
const (
ErrSTSNone STSErrorCode = iota
ErrSTSAccessDenied
ErrSTSMissingParameter
ErrSTSInvalidParameterValue
ErrSTSWebIdentityExpiredToken
ErrSTSClientGrantsExpiredToken
ErrSTSInvalidAccessKey
ErrSTSInvalidClientGrantsToken
ErrSTSMalformedPolicyDocument
ErrSTSNotInitialized
ErrSTSInternalError
)
type stsErrorCodeMap map[STSErrorCode]STSError
func (e stsErrorCodeMap) ToSTSErr(errCode STSErrorCode) STSError {
apiErr, ok := e[errCode]
if !ok {
return e[ErrSTSInternalError]
}
return apiErr
}
// error code to STSError structure, these fields carry respective
// descriptions for all the error responses.
var stsErrCodes = stsErrorCodeMap{
ErrSTSAccessDenied: {
Code: "AccessDenied",
Description: "Generating temporary credentials not allowed for this request.",
HTTPStatusCode: http.StatusForbidden,
},
ErrSTSMissingParameter: {
Code: "MissingParameter",
Description: "A required parameter for the specified action is not supplied.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSInvalidParameterValue: {
Code: "InvalidParameterValue",
Description: "An invalid or out-of-range value was supplied for the input parameter.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSWebIdentityExpiredToken: {
Code: "ExpiredToken",
Description: "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSClientGrantsExpiredToken: {
Code: "ExpiredToken",
Description: "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSInvalidClientGrantsToken: {
Code: "InvalidClientGrantsToken",
Description: "The client grants token that was passed could not be validated by MinIO.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSInvalidAccessKey: {
Code: "InvalidClientTokenId",
Description: "The security token included in the request is invalid.",
HTTPStatusCode: http.StatusForbidden,
},
ErrSTSMalformedPolicyDocument: {
Code: "MalformedPolicyDocument",
Description: "The request was rejected because the policy document was malformed.",
HTTPStatusCode: http.StatusBadRequest,
},
ErrSTSNotInitialized: {
Code: "STSNotInitialized",
Description: "STS API not initialized, please try again.",
HTTPStatusCode: http.StatusServiceUnavailable,
},
ErrSTSInternalError: {
Code: "InternalError",
Description: "We encountered an internal error generating credentials, please try again.",
HTTPStatusCode: http.StatusInternalServerError,
},
}