Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authenticate to "login" endpoint for non-existent mount path bug #13162

Merged
merged 8 commits into from
Nov 23, 2021
Merged

Authenticate to "login" endpoint for non-existent mount path bug #13162

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
997026e
changing response from missing client token to permission denied
akshya96 Nov 16, 2021
c2b0cef
Merge branch 'main' into GHIssue11152
akshya96 Nov 16, 2021
7c3aaba
removing todo comment
akshya96 Nov 16, 2021
c7c5991
Merge branch 'main' into GHIssue11152
akshya96 Nov 17, 2021
03cbbc8
fix tests
akshya96 Nov 17, 2021
4c7f605
adding changelog
akshya96 Nov 22, 2021
9a1e0e0
Merge branch 'main' into GHIssue11152
akshya96 Nov 22, 2021
ce0aabc
fixing changelog
akshya96 Nov 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/13162.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403
```
4 changes: 2 additions & 2 deletions http/handler_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -315,8 +315,8 @@ func TestHandler_MissingToken(t *testing.T) {
if err != nil {
t.Fatal(err)
}
if resp.StatusCode != 400 {
t.Fatalf("expected code 400, got: %d", resp.StatusCode)
if resp.StatusCode != 403 {
t.Fatalf("expected code 403, got: %d", resp.StatusCode)
}
}

Expand Down
4 changes: 2 additions & 2 deletions http/help_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ func TestHelp(t *testing.T) {
TestServerAuth(t, addr, token)

resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("expected bad request with no token")
if resp.StatusCode != http.StatusForbidden {
t.Fatal("expected permission denied with no token")
}

resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1")
Expand Down
4 changes: 2 additions & 2 deletions http/sys_metrics_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ func TestSysMetricsUnauthenticated(t *testing.T) {

// Default: Only authenticated access
resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
testResponseStatus(t, resp, 400)
testResponseStatus(t, resp, 403)
resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
testResponseStatus(t, resp, 200)

Expand Down Expand Up @@ -65,7 +65,7 @@ func TestSysPProfUnauthenticated(t *testing.T) {

// Default: Only authenticated access
resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
testResponseStatus(t, resp, 400)
testResponseStatus(t, resp, 403)
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
testResponseStatus(t, resp, 200)

Expand Down
4 changes: 2 additions & 2 deletions vault/core_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -472,10 +472,10 @@ func TestCore_HandleRequest_MissingToken(t *testing.T) {
},
}
resp, err := c.HandleRequest(namespace.RootContext(nil), req)
if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) {
if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != "missing client token" {
if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
t.Fatalf("bad: %#v", resp)
}
}
Expand Down
2 changes: 1 addition & 1 deletion vault/request_handling.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req

// Ensure there is a client token
if req.ClientToken == "" {
return nil, nil, nil, nil, &logical.StatusBadRequest{Err: "missing client token"}
return nil, nil, nil, nil, logical.ErrPermissionDenied
Copy link
Contributor

@HridoyRoy HridoyRoy Nov 16, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still of the opinion that the generic PermissionDenied error is actually less descriptive than a missing client token message, which more accurately captures what is going on here. I'm happy to let this go in if others think differently, but I'm of the opinion that we should more towards more descriptive error messages in each clause as opposed to consistently throwing a message like logical.ErrPermissionDenied no matter which error clause of a function the error occurs in.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I think I'm also in favor of keeping the more descriptive missing client token error here. Also, I don't think this really addresses the issue reported, imo we would either want to change https://github.com/hashicorp/vault-enterprise/blob/main/vault/router.go#L810 to return true for a login attempt on a non-existent mount, or close the issue out as a won't do.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

( retracting my comment around the PR not addressing the issue, after going through slack conversation )

}

if c.tokenStore == nil {
Expand Down
1 change: 1 addition & 0 deletions vault/router_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,7 @@ func TestRouter_LoginPath(t *testing.T) {
{"auth/foo/bar", false},
{"auth/foo/login", true},
{"auth/foo/login/", false},
{"auth/invalid/login", false},
{"auth/foo/oauth", false},
{"auth/foo/oauth/", true},
{"auth/foo/oauth/redirect", true},
Expand Down