From b762fbaf21d106c95127b8bf7af65227cc8b798a Mon Sep 17 00:00:00 2001
From: Poorna
Date: Thu, 3 Aug 2023 13:24:25 -0700
Subject: [PATCH] sts: validate if iam subsystem initialized in handlers (#17796)

---
 cmd/sts-errors.go | 8 +++++++-
 cmd/sts-handlers.go | 20 ++++++++++++++++++++
 cmd/stserrorcode_string.go | 9 +++++----
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/cmd/sts-errors.go b/cmd/sts-errors.go
index 75cfbe871..ba26b9e19 100644
--- a/cmd/sts-errors.go
+++ b/cmd/sts-errors.go
@@ -39,7 +39,7 @@ func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, errCode S
 stsErrorResponse.Error.Message = errCtxt.Error()
 }
 switch errCode {
- case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError:
+ case ErrSTSInternalError, ErrSTSNotInitialized, ErrSTSUpstreamError, ErrSTSIAMNotInitialized:
 logger.LogIf(ctx, errCtxt, logger.Minio)
 }
 encodedErrorResponse := encodeResponse(stsErrorResponse)
@@ -82,6 +82,7 @@ const (
 ErrSTSInsecureConnection
 ErrSTSInvalidClientCertificate
 ErrSTSNotInitialized
+ ErrSTSIAMNotInitialized
 ErrSTSUpstreamError
 ErrSTSInternalError
 )
@@ -149,6 +150,11 @@ var stsErrCodes = stsErrorCodeMap{
 Description: "STS API not initialized, please try again.",
 HTTPStatusCode: http.StatusServiceUnavailable,
 },
+ ErrSTSIAMNotInitialized: {
+ Code: "STSIAMNotInitialized",
+ Description: "STS IAM not initialized, please try again.",
+ HTTPStatusCode: http.StatusServiceUnavailable,
+ },
 ErrSTSUpstreamError: {
 Code: "InternalError",
 Description: "An upstream service required for this operation failed - please try again or contact an administrator.",
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index f8051e0ab..0b644701f 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
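Review bot: Adding `ErrSTSIAMNotInitialized` to the `logger.LogIf(ctx, errCtxt, logger.Minio)` case in `writeSTSErrorResponse` means every STS request that arrives before IAM has finished loading emits a server-side log line, and since the handlers always pass the same `errIAMNotInitialized` sentinel the line carries no per-request information; the 503 already tells clients to retry, so consider whether this condition needs to log at all, or only once, rather than on every attempt during a retry storm. In the `const` hunk the new code is inserted between `ErrSTSNotInitialized` and `ErrSTSUpstreamError`, which renumbers the two existing codes (11 becomes 12 and 12 becomes 13, as the regenerated stringer table shows); that is harmless as long as `STSErrorCode` values stay in-process, which appears to be the case, but appending the new value at the end of the block would avoid the churn. The `stsErrCodes` entry is fine; a short comment such as `// Returned while the IAM subsystem is still loading; clients should retry.` above it would document the retry contract for the next reader.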
@@ -374,6 +374,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 }
 }

+ if !globalIAMSys.Initialized() {
+ writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+ return
+ }
+
 // Validate JWT; check clientID in claims matches the one associated with the roleArn
 if err := globalIAMSys.OpenIDConfig.Validate(r.Context(), roleArn, token, accessToken, r.Form.Get(stsDurationSeconds), claims); err != nil {
 switch err {
@@ -612,6 +617,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 }
 }

+ if !globalIAMSys.Initialized() {
+ writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+ return
+ }
+
 ldapUserDN, groupDistNames, err := globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)
 if err != nil {
 err = fmt.Errorf("LDAP server error: %w", err)
@@ -700,6 +710,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
 claims := make(map[string]interface{})
 defer logger.AuditLog(ctx, w, r, claims)

+ if !globalIAMSys.Initialized() {
+ writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+ return
+ }
+
 if !globalIAMSys.STSTLSConfig.Enabled {
 writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCertificate' is disabled"))
 return
@@ -857,6 +872,11 @@ func (sts *stsAPIHandlers) AssumeRoleWithCustomToken(w http.ResponseWriter, r *h
 claims := make(map[string]interface{})
 defer logger.AuditLog(ctx, w, r, claims)

+ if !globalIAMSys.Initialized() {
+ writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
+ return
+ }
+
 authn := newGlobalAuthNPluginFn()
 if authn == nil {
 writeSTSErrorResponse(ctx, w, ErrSTSNotInitialized, errors.New("STS API 'AssumeRoleWithCustomToken' is disabled"))
diff --git a/cmd/stserrorcode_string.go b/cmd/stserrorcode_string.go
index 17ccd97c5..1774e98cb 100644
--- a/cmd/stserrorcode_string.go
+++ b/cmd/stserrorcode_string.go
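Review bot: The same four-line guard is pasted verbatim into AssumeRoleWithSSO, AssumeRoleWithLDAPIdentity, AssumeRoleWithCertificate and AssumeRoleWithCustomToken; a small helper that performs the check and writes the 503 would keep the four copies from drifting and make the guard harder to omit from a future handler, and it is the kind of readiness check that belongs in one place. The placement itself is good: the guard runs after the request has been parsed but before any backend call, and in the LDAP hunk it precedes `globalIAMSys.LDAPConfig.Bind(ldapUsername, ldapPassword)`, so no bind with client-supplied credentials is attempted while IAM cannot act on the result. In the certificate and custom-token hunks the guard sits after `defer logger.AuditLog(...)`, so the 503 is audited; whether the SSO and LDAP handlers audit-log before this point is not visible in their hunks, and whether the plain AssumeRole handler (not touched by this diff) needs the same guard cannot be told from here. All four enclosing functions start before and continue past their hunks.

```go
// iamInitialized reports whether the IAM subsystem is ready to serve STS
// requests. When it is not, the ErrSTSIAMNotInitialized (503) response has
// already been written and the caller must return without further work.
func iamInitialized(ctx context.Context, w http.ResponseWriter) bool {
	if globalIAMSys.Initialized() {
		return true
	}
	writeSTSErrorResponse(ctx, w, ErrSTSIAMNotInitialized, errIAMNotInitialized)
	return false
}

// … in each of the four handlers, replacing the pasted block …
if !iamInitialized(ctx, w) {
	return
}
```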
@@ -19,13 +19,14 @@ func _() { _ = x[ErrSTSInsecureConnection-8] _ = x[ErrSTSInvalidClientCertificate-9] _ = x[ErrSTSNotInitialized-10] - _ = x[ErrSTSUpstreamError-11] - _ = x[ErrSTSInternalError-12] + _ = x[ErrSTSIAMNotInitialized-11] + _ = x[ErrSTSUpstreamError-12] + _ = x[ErrSTSInternalError-13] } -const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSUpstreamErrorSTSInternalError" +const _STSErrorCode_name = "STSNoneSTSAccessDeniedSTSMissingParameterSTSInvalidParameterValueSTSWebIdentityExpiredTokenSTSClientGrantsExpiredTokenSTSInvalidClientGrantsTokenSTSMalformedPolicyDocumentSTSInsecureConnectionSTSInvalidClientCertificateSTSNotInitializedSTSIAMNotInitializedSTSUpstreamErrorSTSInternalError" -var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 252, 268} +var _STSErrorCode_index = [...]uint16{0, 7, 22, 41, 65, 91, 118, 145, 171, 192, 219, 236, 256, 272, 288} func (i STSErrorCode) String() string { if i < 0 || i >= STSErrorCode(len(_STSErrorCode_index)-1) {