Make the error response to the sys/internal/ui/mounts with no client …

…token consistent (#10650) * Make the error response to the sys/internal/ui/mounts with no client token consistent * changelog * Don't test against an empty mount path * One other spot * Instead, do all token checks first and early out before even looking for the mount
hashicorp · Jan 7, 2021 · 1311239 · 1311239
1 parent 636d037
commit 1311239
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 14 deletions.
diff --git a/changelog/10650.txt b/changelog/10650.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence.
+```
+
diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -3354,6 +3354,20 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 	}
 	path = sanitizePath(path)
 
+	// Load the ACL policies so we can walk the prefix for this mount
+	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if entity != nil && entity.Disabled {
+		b.logger.Warn("permission denied as the entity on the token is disabled")
+		return nil, logical.ErrPermissionDenied
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		b.logger.Warn("permission denied as the entity on the token is invalid")
+		return nil, logical.ErrPermissionDenied
+	}
+
 	errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
 
 	ns, err := namespace.FromContext(ctx)
@@ -3386,20 +3400,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		fullMountPath = ns.Path + me.Namespace().Path + me.Path
 	}
 
-	// Load the ACL policies so we can walk the prefix for this mount
-	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	if entity != nil && entity.Disabled {
-		b.logger.Warn("permission denied as the entity on the token is disabled")
-		return errResp, logical.ErrPermissionDenied
-	}
-	if te != nil && te.EntityID != "" && entity == nil {
-		b.logger.Warn("permission denied as the entity on the token is invalid")
-		return nil, logical.ErrPermissionDenied
-	}
-
 	if !hasMountAccess(ctx, acl, fullMountPath) {
 		return errResp, logical.ErrPermissionDenied
 	}