Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Return a 403 for a bad SSCT instead of 500 #16112

Merged
merged 5 commits into from
Jun 23, 2022
Merged

Return a 403 for a bad SSCT instead of 500 #16112

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2bc1f99
Return a 403 for a bad SSCT instead of 500
raskchanky Jun 22, 2022
7c908e8
log the error instead of returning it
raskchanky Jun 22, 2022
e207e32
remove the logging
raskchanky Jun 22, 2022
3c15fd0
correct weird thing where my IDE removed some imports wth
raskchanky Jun 22, 2022
8849c6d
add changelog
raskchanky Jun 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/16112.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
core/auth: Return a 403 instead of a 500 for a malformed SSCT
```
7 changes: 5 additions & 2 deletions vault/request_handling.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -582,13 +582,16 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
if token == nil {
return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
}
// We don't care if the token is an server side consistent token or not. Either way, we're going
// We don't care if the token is a server side consistent token or not. Either way, we're going
// to be returning it for these paths instead of the short token stored in vault.
requestBodyToken = token.(string)
if IsSSCToken(token.(string)) {
token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)

// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
// should receive a 403 bad token error like they do for all other invalid tokens.
if err != nil {
return nil, fmt.Errorf("server side consistent token check failed: %w", err)
return logical.ErrorResponse("bad token"), logical.ErrPermissionDenied
}
req.Data["token"] = token
}
Expand Down