diff --git a/changelog/10650.txt b/changelog/10650.txt new file mode 100644 index 000000000000..49c8298839d3 --- /dev/null +++ b/changelog/10650.txt @@ -0,0 +1,4 @@ +```release-note:bug +core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. +``` + diff --git a/vault/logical_system.go b/vault/logical_system.go index c46257bac9ad..205a8e08a03c 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -3354,6 +3354,20 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica } path = sanitizePath(path) + // Load the ACL policies so we can walk the prefix for this mount + acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req) + if err != nil { + return nil, err + } + if entity != nil && entity.Disabled { + b.logger.Warn("permission denied as the entity on the token is disabled") + return nil, logical.ErrPermissionDenied + } + if te != nil && te.EntityID != "" && entity == nil { + b.logger.Warn("permission denied as the entity on the token is invalid") + return nil, logical.ErrPermissionDenied + } + errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path)) ns, err := namespace.FromContext(ctx) @@ -3386,20 +3400,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica fullMountPath = ns.Path + me.Namespace().Path + me.Path } - // Load the ACL policies so we can walk the prefix for this mount - acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req) - if err != nil { - return nil, err - } - if entity != nil && entity.Disabled { - b.logger.Warn("permission denied as the entity on the token is disabled") - return errResp, logical.ErrPermissionDenied - } - if te != nil && te.EntityID != "" && entity == nil { - b.logger.Warn("permission denied as the entity on the token is invalid") - return nil, logical.ErrPermissionDenied - } - if !hasMountAccess(ctx, acl, fullMountPath) { return errResp, logical.ErrPermissionDenied }