Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make the error response to the sys/internal/ui/mounts with no client token consistent #10650

Merged
merged 6 commits into from
Jan 7, 2021

Conversation

sgmiller
Copy link
Collaborator

@sgmiller sgmiller commented Jan 5, 2021

If an authenticated call is made to this endpoint, check the token anyway even if the mount doesn't exist (e.g. don't early out) in order to return the same error whether the mount exists or not.

Addresses VAULT-872.

@sgmiller sgmiller requested review from vishalnayak and xntrik January 5, 2021 18:35
@sgmiller sgmiller requested review from ncabatoff and removed request for vishalnayak January 5, 2021 21:28
@@ -3363,6 +3363,12 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica

me := b.Core.router.MatchingMountEntry(ctx, path)
if me == nil {
// To be consistent with the case no client token was supplied, go through the motions of verifying authorization
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also need to handle the equivalent case where the mount exists but replication filtering precludes using it? (see checkReplicatedFiltering below)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, I think you're right, added.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not call b.verifyAuthorizedMountAccess at the outset? If we're going to return an error when it returns an error, why even bother looking up the mount entry or filtering?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So that we return the error each code path meant to do if the verifyA..M..A.. succeeds. In other words, only return a consistent error in the absence of a proper authenticated session, otherwise being more specific is okay.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, yeah, that may be equivalent and less subject to timing attacks. I'll revisit in the morning but that may be a good point.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your right I think, no harm in doing the token/entity check first. Changed.

@sgmiller sgmiller requested a review from ncabatoff January 6, 2021 19:59
return resp, nil
}

func (b *SystemBackend) verifyAuthorizedMountAccess(ctx context.Context, req *logical.Request) (*ACL, error) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The name of this method is a bit misleading since I don't think it has anything to do with mounts.

@sgmiller sgmiller requested a review from ncabatoff January 7, 2021 15:25
}
if entity != nil && entity.Disabled {
b.logger.Warn("permission denied as the entity on the token is disabled")
return nil, logical.ErrPermissionDenied
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the change to not return errResp here deliberate?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't see why unlike everywhere else that ignored the errResp.

@sgmiller sgmiller added this to the 1.6.2 milestone Jan 7, 2021
@sgmiller sgmiller merged commit 1311239 into master Jan 7, 2021
@sgmiller sgmiller deleted the sys/internal-consistent-err branch January 7, 2021 17:46
sgmiller added a commit that referenced this pull request Jan 7, 2021
…token consistent (#10650)

* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount
sgmiller added a commit that referenced this pull request Jan 7, 2021
…token consistent (#10650) (#10672)

* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount
sgmiller added a commit that referenced this pull request Jan 7, 2021
…token consistent (#10650)

* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount
mladlow added a commit that referenced this pull request Jan 27, 2021
…token consistent (#10650) (#10674)

* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount

Co-authored-by: Meggie <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants