Ensure GetConsoleSTSClient() is used correctly (#425)

Author: Alevsk

restapi/client-admin.go

@@ -307,7 +307,7 @@ func newAdminFromClaims(claims *models.Principal) (*madmin.AdminClient, error) {
 	if err != nil {
 		return nil, err
 	}
-	adminClient.SetCustomTransport(getSTSClient().Transport)
+	adminClient.SetCustomTransport(GetConsoleSTSClient().Transport)
 	return adminClient, nil
 }
 
@@ -316,17 +316,20 @@ var (
 	consoleSecretKey = getSecretKey()
 )
 
-// stsClient is an http.Client with Custom TLS Transport that loads certificates from .console/certs/CAs
+// stsClient is a custom http client, this client should not be called directly and instead be
+// called using GetConsoleSTSClient() to ensure is initialized and the certificates are loaded correctly
 var stsClient *http.Client
-var consoleLDAPAdminCreds consoleCredentials
 
-func getSTSClient() *http.Client {
+// GetConsoleSTSClient will initialize the console STS Client with Custom TLS Transport that with loads certs at .console/certs/CAs
+func GetConsoleSTSClient() *http.Client {
 	if stsClient == nil {
 		stsClient = PrepareSTSClient(false)
 	}
 	return stsClient
 }
 
+var consoleLDAPAdminCreds consoleCredentials
+
 func newSuperMAdminClient() (*madmin.AdminClient, error) {
 	accessKey := consoleAccessKey
 	secretKey := consoleSecretKey
@@ -336,7 +339,7 @@ func newSuperMAdminClient() (*madmin.AdminClient, error) {
 	if ldap.GetLDAPEnabled() {
 		// initialize LDAP super Admin Credentials once
 		if consoleLDAPAdminCreds.consoleCredentials == nil {
-			consoleCredentialsFromLDAP, err := auth.GetCredentialsFromLDAP(getSTSClient(), MinioEndpoint, consoleAccessKey, consoleSecretKey)
+			consoleCredentialsFromLDAP, err := auth.GetCredentialsFromLDAP(GetConsoleSTSClient(), MinioEndpoint, consoleAccessKey, consoleSecretKey)
 			if err != nil {
 				return nil, err
 			}

restapi/client.go

@@ -266,7 +266,6 @@ func (s consoleSTSAssumeRole) IsExpired() bool {
 	return s.stsAssumeRole.IsExpired()
 }
 
-// STSClient contains http.client configuration need it by STSAssumeRole
 var (
 	MinioEndpoint = getMinIOServer()
 )
@@ -289,7 +288,7 @@ func newConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 			if MinioEndpoint == "" {
 				return nil, errors.New("endpoint cannot be empty for AssumeRoleSTS")
 			}
-			creds, err := auth.GetCredentialsFromLDAP(stsClient, MinioEndpoint, accessKey, secretKey)
+			creds, err := auth.GetCredentialsFromLDAP(GetConsoleSTSClient(), MinioEndpoint, accessKey, secretKey)
 			if err != nil {
 				return nil, err
 			}
@@ -308,7 +307,7 @@ func newConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 				DurationSeconds: xjwt.GetConsoleSTSDurationInSeconds(),
 			}
 			stsAssumeRole := &credentials.STSAssumeRole{
-				Client:      stsClient,
+				Client:      GetConsoleSTSClient(),
 				STSEndpoint: MinioEndpoint,
 				Options:     opts,
 			}
@@ -331,7 +330,7 @@ func newMinioClient(claims *models.Principal) (*minio.Client, error) {
 	minioClient, err := minio.New(getMinIOEndpoint(), &minio.Options{
 		Creds:     creds,
 		Secure:    getMinIOEndpointIsSecure(),
-		Transport: stsClient.Transport,
+		Transport: GetConsoleSTSClient().Transport,
 	})
 	if err != nil {
 		return nil, err