From ceb1ccf05060b480a4405daa14639dcbd6547bcb Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Thu, 7 Jan 2021 11:46:08 -0600
Subject: [PATCH] Make the error response to the sys/internal/ui/mounts with no client token consistent (#10650)

* Make the error response to the sys/internal/ui/mounts with no client token consistent
* changelog
* Don't test against an empty mount path
* One other spot
* Instead, do all token checks first and early out before even looking for the mount
---
 changelog/10650.txt | 4 ++++
 vault/logical_system.go | 28 ++++++++++++++--------------
 2 files changed, 18 insertions(+), 14 deletions(-)
 create mode 100644 changelog/10650.txt

diff --git a/changelog/10650.txt b/changelog/10650.txt
new file mode 100644
index 000000000000..49c8298839d3
--- /dev/null
+++ b/changelog/10650.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence.
+```
+
diff --git a/vault/logical_system.go b/vault/logical_system.go
index b9b4d6bd293c..30c95c943f3b 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -3344,6 +3344,20 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 }
 path = sanitizePath(path)
+ // Load the ACL policies so we can walk the prefix for this mount
+ acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+ if err != nil {
+ return nil, err
+ }
+ if entity != nil && entity.Disabled {
+ b.logger.Warn("permission denied as the entity on the token is disabled")
+ return nil, logical.ErrPermissionDenied
+ }
+ if te != nil && te.EntityID != "" && entity == nil {
+ b.logger.Warn("permission denied as the entity on the token is invalid")
+ return nil, logical.ErrPermissionDenied
+ }
+
 errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
 ns, err := namespace.FromContext(ctx)
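Review bot: The comment carried over with the moved block, `// Load the ACL policies so we can walk the prefix for this mount`, no longer explains why the token and entity checks now sit ahead of the mount lookup, which is the point of the change; consider `// Resolve token, entity and ACL before touching the mount table: any authentication failure must surface here so the error response does not depend on whether the requested mount exists.` The disabled-entity branch also now returns `nil` where the removed copy in the second hunk returned `errResp`, so that response body no longer echoes the requested path; this matches the invalid-entity branch and looks intentional, but it is a response change worth a line in the commit message. `acl` is now declared at new line 3345 and first consumed by the `hasMountAccess` call in the second hunk at new line 3393, so the variable spans the whole mount-resolution stretch in between, which is outside this hunk. pathInternalUIMountRead begins before this hunk and continues past both hunks.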
@@ -3376,20 +3390,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 fullMountPath = ns.Path + me.Namespace().Path + me.Path
 }
- // Load the ACL policies so we can walk the prefix for this mount
- acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
- if err != nil {
- return nil, err
- }
- if entity != nil && entity.Disabled {
- b.logger.Warn("permission denied as the entity on the token is disabled")
- return errResp, logical.ErrPermissionDenied
- }
- if te != nil && te.EntityID != "" && entity == nil {
- b.logger.Warn("permission denied as the entity on the token is invalid")
- return nil, logical.ErrPermissionDenied
- }
-
 if !hasMountAccess(ctx, acl, fullMountPath) {
 return errResp, logical.ErrPermissionDenied
 }