minio/cmd/sts-errors.go

/*
 * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"context"
	"encoding/xml"
	"net/http"

	xhttp "github.com/minio/minio/cmd/http"
	"github.com/minio/minio/cmd/logger"
)

// writeSTSErrorRespone writes error headers
func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, isErrCodeSTS bool, errCode STSErrorCode, errCtxt error) {
	var err STSError
	if isErrCodeSTS {
		err = stsErrCodes.ToSTSErr(errCode)
	}
	if err.Code == "InternalError" || !isErrCodeSTS {
		aerr := getAPIError(APIErrorCode(errCode))
		if aerr.Code != "InternalError" {
			err.Code = aerr.Code
			err.Description = aerr.Description
			err.HTTPStatusCode = aerr.HTTPStatusCode
		}
	}
	// Generate error response.
	stsErrorResponse := STSErrorResponse{}
	stsErrorResponse.Error.Code = err.Code
	stsErrorResponse.RequestID = w.Header().Get(xhttp.AmzRequestID)
	stsErrorResponse.Error.Message = err.Description
	if errCtxt != nil {
		stsErrorResponse.Error.Message = errCtxt.Error()
	}
	var logKind logger.Kind
	switch errCode {
	case ErrSTSInternalError, ErrSTSNotInitialized:
		logKind = logger.Minio
	default:
		logKind = logger.All
	}
	logger.LogIf(ctx, errCtxt, logKind)
	encodedErrorResponse := encodeResponse(stsErrorResponse)
	writeResponse(w, err.HTTPStatusCode, encodedErrorResponse, mimeXML)
}

// STSError structure
type STSError struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

// STSErrorResponse - error response format
type STSErrorResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	Error   struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}

// STSErrorCode type of error status.
type STSErrorCode int

// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSAccessDenied
	ErrSTSMissingParameter
	ErrSTSInvalidParameterValue
	ErrSTSWebIdentityExpiredToken
	ErrSTSClientGrantsExpiredToken
	ErrSTSInvalidClientGrantsToken
	ErrSTSMalformedPolicyDocument
	ErrSTSNotInitialized
	ErrSTSInternalError
)

type stsErrorCodeMap map[STSErrorCode]STSError

func (e stsErrorCodeMap) ToSTSErr(errCode STSErrorCode) STSError {
	apiErr, ok := e[errCode]
	if !ok {
		return e[ErrSTSInternalError]
	}
	return apiErr
}

// error code to STSError structure, these fields carry respective
// descriptions for all the error responses.
var stsErrCodes = stsErrorCodeMap{
	ErrSTSAccessDenied: {
		Code:           "AccessDenied",
		Description:    "Generating temporary credentials not allowed for this request.",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrSTSMissingParameter: {
		Code:           "MissingParameter",
		Description:    "A required parameter for the specified action is not supplied.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSInvalidParameterValue: {
		Code:           "InvalidParameterValue",
		Description:    "An invalid or out-of-range value was supplied for the input parameter.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSWebIdentityExpiredToken: {
		Code:           "ExpiredToken",
		Description:    "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSClientGrantsExpiredToken: {
		Code:           "ExpiredToken",
		Description:    "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSInvalidClientGrantsToken: {
		Code:           "InvalidClientGrantsToken",
		Description:    "The client grants token that was passed could not be validated by MinIO.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSMalformedPolicyDocument: {
		Code:           "MalformedPolicyDocument",
		Description:    "The request was rejected because the policy document was malformed.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSNotInitialized: {
		Code:           "STSNotInitialized",
		Description:    "STS API not initialized, please try again.",
		HTTPStatusCode: http.StatusServiceUnavailable,
	},
	ErrSTSInternalError: {
		Code:           "InternalError",
		Description:    "We encountered an internal error generating credentials, please try again.",
		HTTPStatusCode: http.StatusInternalServerError,
	},
}
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`/*`
Replace Minio refs in docs with MinIO and links (#7494) 6 years ago			`* MinIO Cloud Storage, (C) 2018 MinIO, Inc.`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
Add more context to error messages in STS handlers(#8304) 5 years ago			`"context"`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`"encoding/xml"`
			`"net/http"`
Ensure that we use constants everywhere (#7845) This allows for canonicalization of the strings throughout our code and provides a common space for all these constants to reside. This list is rather non-exhaustive but captures all the headers used in AWS S3 API operations 5 years ago
			`xhttp "github.com/minio/minio/cmd/http"`
Add more context to error messages in STS handlers(#8304) 5 years ago			`"github.com/minio/minio/cmd/logger"`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`)`

			`// writeSTSErrorRespone writes error headers`
fixes misleading assume role error msgs (#9642) 5 years ago			`func writeSTSErrorResponse(ctx context.Context, w http.ResponseWriter, isErrCodeSTS bool, errCode STSErrorCode, errCtxt error) {`
			`var err STSError`
			`if isErrCodeSTS {`
			`err = stsErrCodes.ToSTSErr(errCode)`
			`}`
			`if err.Code == "InternalError" \|\| !isErrCodeSTS {`
fix: sts to return appropriate errors (#9161) 5 years ago			`aerr := getAPIError(APIErrorCode(errCode))`
			`if aerr.Code != "InternalError" {`
			`err.Code = aerr.Code`
			`err.Description = aerr.Description`
			`err.HTTPStatusCode = aerr.HTTPStatusCode`
			`}`
			`}`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`// Generate error response.`
Add more context to error messages in STS handlers(#8304) 5 years ago			`stsErrorResponse := STSErrorResponse{}`
			`stsErrorResponse.Error.Code = err.Code`
			`stsErrorResponse.RequestID = w.Header().Get(xhttp.AmzRequestID)`
			`stsErrorResponse.Error.Message = err.Description`
			`if errCtxt != nil {`
add ruleguard support, fix all the reported issues (#10335) 4 years ago			`stsErrorResponse.Error.Message = errCtxt.Error()`
Add more context to error messages in STS handlers(#8304) 5 years ago			`}`
enable full linter across the codebase (#9620) enable linter using golangci-lint across codebase to run a bunch of linters together, we shall enable new linters as we fix more things the codebase. This PR fixes the first stage of this cleanup. 5 years ago			`var logKind logger.Kind`
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs. 5 years ago			`switch errCode {`
			`case ErrSTSInternalError, ErrSTSNotInitialized:`
			`logKind = logger.Minio`
			`default:`
enable full linter across the codebase (#9620) enable linter using golangci-lint across codebase to run a bunch of linters together, we shall enable new linters as we fix more things the codebase. This PR fixes the first stage of this cleanup. 5 years ago			`logKind = logger.All`
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs. 5 years ago			`}`
			`logger.LogIf(ctx, errCtxt, logKind)`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`encodedErrorResponse := encodeResponse(stsErrorResponse)`
Add proper requestID for STS errors (#7245) 6 years ago			`writeResponse(w, err.HTTPStatusCode, encodedErrorResponse, mimeXML)`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`}`

			`// STSError structure`
			`type STSError struct {`
			`Code string`
			`Description string`
			`HTTPStatusCode int`
			`}`

			`// STSErrorResponse - error response format`
			`type STSErrorResponse struct {`
			XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
			`Error struct {`
			Type string `xml:"Type"`
			Code string `xml:"Code"`
			Message string `xml:"Message"`
			} `xml:"Error"`
			RequestID string `xml:"RequestId"`
			`}`

			`// STSErrorCode type of error status.`
			`type STSErrorCode int`

			`// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html`
			`const (`
			`ErrSTSNone STSErrorCode = iota`
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381 6 years ago			`ErrSTSAccessDenied`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`ErrSTSMissingParameter`
			`ErrSTSInvalidParameterValue`
Add support for AssumeRoleWithWebIdentity (#6985) 6 years ago			`ErrSTSWebIdentityExpiredToken`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`ErrSTSClientGrantsExpiredToken`
			`ErrSTSInvalidClientGrantsToken`
			`ErrSTSMalformedPolicyDocument`
			`ErrSTSNotInitialized`
			`ErrSTSInternalError`
			`)`

Add proper requestID for STS errors (#7245) 6 years ago			`type stsErrorCodeMap map[STSErrorCode]STSError`

			`func (e stsErrorCodeMap) ToSTSErr(errCode STSErrorCode) STSError {`
			`apiErr, ok := e[errCode]`
			`if !ok {`
			`return e[ErrSTSInternalError]`
			`}`
			`return apiErr`
			`}`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`// error code to STSError structure, these fields carry respective`
			`// descriptions for all the error responses.`
Add proper requestID for STS errors (#7245) 6 years ago			`var stsErrCodes = stsErrorCodeMap{`
Implement AssumeRole API for Minio users (#7267) For actual API reference read here https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html Documentation is added and updated as well at docs/sts/assume-role.md Fixes #6381 6 years ago			`ErrSTSAccessDenied: {`
			`Code: "AccessDenied",`
			`Description: "Generating temporary credentials not allowed for this request.",`
			`HTTPStatusCode: http.StatusForbidden,`
			`},`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`ErrSTSMissingParameter: {`
			`Code: "MissingParameter",`
			`Description: "A required parameter for the specified action is not supplied.",`
			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
			`ErrSTSInvalidParameterValue: {`
			`Code: "InvalidParameterValue",`
			`Description: "An invalid or out-of-range value was supplied for the input parameter.",`
			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
Add support for AssumeRoleWithWebIdentity (#6985) 6 years ago			`ErrSTSWebIdentityExpiredToken: {`
			`Code: "ExpiredToken",`
			`Description: "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",`
			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`ErrSTSClientGrantsExpiredToken: {`
			`Code: "ExpiredToken",`
Add support for AssumeRoleWithWebIdentity (#6985) 6 years ago			`Description: "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request.",`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
			`ErrSTSInvalidClientGrantsToken: {`
			`Code: "InvalidClientGrantsToken",`
Replace Minio refs in docs with MinIO and links (#7494) 6 years ago			`Description: "The client grants token that was passed could not be validated by MinIO.",`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
			`ErrSTSMalformedPolicyDocument: {`
			`Code: "MalformedPolicyDocument",`
			`Description: "The request was rejected because the policy document was malformed.",`
			`HTTPStatusCode: http.StatusBadRequest,`
			`},`
			`ErrSTSNotInitialized: {`
			`Code: "STSNotInitialized",`
			`Description: "STS API not initialized, please try again.",`
			`HTTPStatusCode: http.StatusServiceUnavailable,`
			`},`
			`ErrSTSInternalError: {`
			`Code: "InternalError",`
			`Description: "We encountered an internal error generating credentials, please try again.",`
			`HTTPStatusCode: http.StatusInternalServerError,`
			`},`
			`}`