self-hosted/minio
self-hosted/minio
1
0
Fork 0
mirror of https://github.com/minio/minio synced 2024-10-14 20:04:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure that AssumeRole calls are sent to Audit log (#14202)

Browse source 
When authentication fails MinIO was not sending out an Audit log 
event for this STS call
This commit is contained in:
Aditya Manthramurthy 2022-01-27 16:17:11 -08:00 committed by GitHub
parent a2a48cc065
commit c3d9c45f58
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
cmd/sts-handlers.go
View file

@ -132,24 +132,23 @@ func registerSTSRouter(router *mux.Router) {
}
func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (user auth.Credentials, isErrCodeSTS bool, stsErr STSErrorCode) {
switch getRequestAuthType(r) {
default:
if !isRequestSignatureV4(r) {
return user, true, ErrSTSAccessDenied
case authTypeSigned:
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
}
user, _, s3Err = getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
s3Err := isReqAuthenticated(ctx, r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
}
user, _, s3Err = getReqAccessKeyV4(r, globalSite.Region, serviceSTS)
if s3Err != ErrNone {
return user, false, STSErrorCode(s3Err)
}
// Temporary credentials or Service accounts cannot generate further temporary credentials.
if user.IsTemp() || user.IsServiceAccount() {
return user, true, ErrSTSAccessDenied
}
// Session tokens are not allowed in STS AssumeRole requests.
@ -178,11 +177,11 @@ func parseForm(r *http.Request) error {
func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "AssumeRole")
// Check auth here (otherwise r.Form will have unexpected values from
// the call to `parseForm` below), but return failure only after we are
// able to validate that it is a valid STS request, so that we are able
// to send an appropriate audit log.
user, isErrCodeSTS, stsErr := checkAssumeRoleAuth(ctx, r)
if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
if err := parseForm(r); err != nil {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, err)
@ -205,6 +204,13 @@ func (sts *stsAPIHandlers) AssumeRole(w http.ResponseWriter, r *http.Request) {
ctx = newContext(r, w, action)
defer logger.AuditLog(ctx, w, r, nil)
// Validate the authentication result here so that failures will be
// audit-logged.
if stsErr != ErrSTSNone {
writeSTSErrorResponse(ctx, w, isErrCodeSTS, stsErr, nil)
return
}
sessionPolicyStr := r.Form.Get(stsPolicy)
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
// The plain text that you use for both inline and managed session