Introduce STS client grants API and OPA policy integration (#6168)

This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2026-02-12 05:40:16 -05:00 · 2018-10-09 14:00:01 -07:00
parent 16a100b597
commit 54ae364def
76 changed files with 7249 additions and 713 deletions
--- a/cmd/sts-errors.go
+++ b/cmd/sts-errors.go
@@ -0,0 +1,119 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cmd
+
+import (
+	"encoding/xml"
+	"net/http"
+)
+
+// writeSTSErrorRespone writes error headers
+func writeSTSErrorResponse(w http.ResponseWriter, errorCode STSErrorCode) {
+	stsError := getSTSError(errorCode)
+	// Generate error response.
+	stsErrorResponse := getSTSErrorResponse(stsError)
+	encodedErrorResponse := encodeResponse(stsErrorResponse)
+	writeResponse(w, stsError.HTTPStatusCode, encodedErrorResponse, mimeXML)
+}
+
+// STSError structure
+type STSError struct {
+	Code           string
+	Description    string
+	HTTPStatusCode int
+}
+
+// STSErrorResponse - error response format
+type STSErrorResponse struct {
+	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
+	Error   struct {
+		Type    string `xml:"Type"`
+		Code    string `xml:"Code"`
+		Message string `xml:"Message"`
+	} `xml:"Error"`
+	RequestID string `xml:"RequestId"`
+}
+
+// STSErrorCode type of error status.
+type STSErrorCode int
+
+// Error codes, non exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+const (
+	ErrSTSNone STSErrorCode = iota
+	ErrSTSMissingParameter
+	ErrSTSInvalidParameterValue
+	ErrSTSClientGrantsExpiredToken
+	ErrSTSInvalidClientGrantsToken
+	ErrSTSMalformedPolicyDocument
+	ErrSTSNotInitialized
+	ErrSTSInternalError
+)
+
+// error code to STSError structure, these fields carry respective
+// descriptions for all the error responses.
+var stsErrCodeResponse = map[STSErrorCode]STSError{
+	ErrSTSMissingParameter: {
+		Code:           "MissingParameter",
+		Description:    "A required parameter for the specified action is not supplied.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrSTSInvalidParameterValue: {
+		Code:           "InvalidParameterValue",
+		Description:    "An invalid or out-of-range value was supplied for the input parameter.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrSTSClientGrantsExpiredToken: {
+		Code:           "ExpiredToken",
+		Description:    "The client grants that was passed is expired or is not valid.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrSTSInvalidClientGrantsToken: {
+		Code:           "InvalidClientGrantsToken",
+		Description:    "The client grants token that was passed could not be validated by Minio.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrSTSMalformedPolicyDocument: {
+		Code:           "MalformedPolicyDocument",
+		Description:    "The request was rejected because the policy document was malformed.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrSTSNotInitialized: {
+		Code:           "STSNotInitialized",
+		Description:    "STS API not initialized, please try again.",
+		HTTPStatusCode: http.StatusServiceUnavailable,
+	},
+	ErrSTSInternalError: {
+		Code:           "InternalError",
+		Description:    "We encountered an internal error generating credentials, please try again.",
+		HTTPStatusCode: http.StatusInternalServerError,
+	},
+}
+
+// getSTSError provides STS Error for input STS error code.
+func getSTSError(code STSErrorCode) STSError {
+	return stsErrCodeResponse[code]
+}
+
+// getErrorResponse gets in standard error and resource value and
+// provides a encodable populated response values
+func getSTSErrorResponse(err STSError) STSErrorResponse {
+	errRsp := STSErrorResponse{}
+	errRsp.Error.Code = err.Code
+	errRsp.Error.Message = err.Description
+	errRsp.RequestID = "3L137"
+	return errRsp
+}