From a1dd29ef2add85a154389491acc3f470d684372b Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sun, 26 Dec 2021 21:53:19 -0800
Subject: [PATCH] parse proper STS Error response
---
 pkg/credentials/error_response.go | 26 +++++++++-----------------
 pkg/credentials/sts_client_grants.go | 8 ++++----
 pkg/credentials/sts_ldap_identity.go | 7 +++----
 pkg/credentials/sts_tls_identity.go | 7 +++----
 pkg/credentials/sts_web_identity.go | 7 +++----
 5 files changed, 22 insertions(+), 33 deletions(-)
diff --git a/pkg/credentials/error_response.go b/pkg/credentials/error_response.go
index 798b441370..73e53f6161 100644
--- a/pkg/credentials/error_response.go
+++ b/pkg/credentials/error_response.go
@@ -29,29 +29,21 @@ import (
 // ErrorResponse struct should be comparable since it is compared inside
 // golang http API (https://github.com/golang/go/issues/29768)
 type ErrorResponse struct {
- XMLName xml.Name `xml:"Error" json:"-"`
- Code string
- Message string
+ XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
+ STSError struct {
+ Type string `xml:"Type"`
+ Code string `xml:"Code"`
+ Message string `xml:"Message"`
+ } `xml:"Error"`
 RequestID string `xml:"RequestId"`
- HostID string `xml:"HostId"`
-
- // Region where the bucket is located. This header is returned
- // only in HEAD bucket and ListObjects response.
- Region string
-
- // Captures the server string returned in response header.
- Server string
-
- // Underlying HTTP status code for the returned error
- StatusCode int `xml:"-" json:"-"`
 }
 // Error - Returns STS error string.
 func (e ErrorResponse) Error() string {
- if e.Message == "" {
- return fmt.Sprintf("Error response code %s.", e.Code)
+ if e.STSError.Message == "" {
+ return fmt.Sprintf("Error response code %s.", e.STSError.Code)
 }
- return e.Message
+ return e.STSError.Message
 }
 // xmlDecoder provide decoded value in xml.
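Review bot: The new `XMLName` tag pins the root element to `ErrorResponse` in the `https://sts.amazonaws.com/doc/2011-06-15/` namespace, and encoding/xml rejects a document whose root name or namespace differs, so an STS endpoint that still answers with the old bare `<Error>` root would no longer decode. In that case the four call sites touched by this patch take their `err != nil` branch and return `InvalidArgument` with the XML parser's text, which hides the server's actual code and message from whoever is diagnosing a failed credential fetch. Consider a fallback decode into the previous flat shape before giving up. Removing the exported `Code`, `Message` and `StatusCode` fields also breaks any caller that reads them, and the HTTP status is no longer available for telling an authorization failure from a server fault. A short comment on the new field would help too, e.g. `// STSError holds the <Error> element of an STS ErrorResponse document.`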
diff --git a/pkg/credentials/sts_client_grants.go b/pkg/credentials/sts_client_grants.go
index a40381da00..85cd4599db 100644
--- a/pkg/credentials/sts_client_grants.go
+++ b/pkg/credentials/sts_client_grants.go
@@ -135,10 +135,10 @@ func getClientGrantsCredentials(clnt *http.Client, endpoint string,
 var errResp ErrorResponse
 _, err = xmlDecodeAndBody(resp.Body, &errResp)
 if err != nil {
- return AssumeRoleWithClientGrantsResponse{}, ErrorResponse{
- Code: "InvalidArgument",
- Message: err.Error(),
- }
+ errResp := ErrorResponse{}
+ errResp.STSError.Code = "InvalidArgument"
+ errResp.STSError.Message = err.Error()
+ return AssumeRoleWithClientGrantsResponse{}, errResp
 }
 return AssumeRoleWithClientGrantsResponse{}, errResp
 }
diff --git a/pkg/credentials/sts_ldap_identity.go b/pkg/credentials/sts_ldap_identity.go
index 26d9e0361f..ec2f1a31bd 100644
--- a/pkg/credentials/sts_ldap_identity.go
+++ b/pkg/credentials/sts_ldap_identity.go
@@ -171,10 +171,9 @@ func (k *LDAPIdentity) Retrieve() (value Value, err error) {
 var errResp ErrorResponse
 _, err = xmlDecodeAndBody(resp.Body, &errResp)
 if err != nil {
- return value, ErrorResponse{
- Code: "InvalidArgument",
- Message: err.Error(),
- }
+ errResp.STSError.Code = "InvalidArgument"
+ errResp.STSError.Message = err.Error()
+ return value, errResp
 }
 return value, errResp
 }
diff --git a/pkg/credentials/sts_tls_identity.go b/pkg/credentials/sts_tls_identity.go
index e56e7be67c..105fc209a6 100644
--- a/pkg/credentials/sts_tls_identity.go
+++ b/pkg/credentials/sts_tls_identity.go
@@ -152,10 +152,9 @@ func (i *STSCertificateIdentity) Retrieve() (Value, error) {
 var errResp ErrorResponse
 _, err = xmlDecodeAndBody(resp.Body, &errResp)
 if err != nil {
- return Value{}, ErrorResponse{
- Code: "InvalidArgument",
- Message: err.Error(),
- }
+ errResp.STSError.Code = "InvalidArgument"
+ errResp.STSError.Message = err.Error()
+ return Value{}, errResp
 }
 return Value{}, errResp
 }
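Review bot: In getClientGrantsCredentials the added `errResp := ErrorResponse{}` shadows the `errResp` declared two lines earlier, while the sts_ldap_identity.go, sts_tls_identity.go and sts_web_identity.go hunks write into the outer variable instead. The two forms are not equivalent: a decode that fails part-way may already have set fields such as `RequestID` or `STSError.Type` on the outer value, so those three call sites could return a mix of server-supplied data and the synthetic `InvalidArgument` code. Use one form in all four places; resetting first with `errResp = ErrorResponse{}` keeps the synthetic error clean and avoids the shadow. The enclosing functions start and end outside these hunks.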
diff --git a/pkg/credentials/sts_web_identity.go b/pkg/credentials/sts_web_identity.go
index 72352188d2..70e8f96746 100644
--- a/pkg/credentials/sts_web_identity.go
+++ b/pkg/credentials/sts_web_identity.go
@@ -153,10 +153,9 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 var errResp ErrorResponse
 _, err = xmlDecodeAndBody(resp.Body, &errResp)
 if err != nil {
- return AssumeRoleWithWebIdentityResponse{}, ErrorResponse{
- Code: "InvalidArgument",
- Message: err.Error(),
- }
+ errResp.STSError.Code = "InvalidArgument"
+ errResp.STSError.Message = err.Error()
+ return AssumeRoleWithWebIdentityResponse{}, errResp
 }
 return AssumeRoleWithWebIdentityResponse{}, errResp
 }