From 483720a443999b91307b54b6d1742192be288e4a Mon Sep 17 00:00:00 2001
From: freddygv
Date: Thu, 20 Oct 2022 17:10:03 -0600
Subject: [PATCH] Return forbidden on permission denied

This commit updates the establish endpoint to bubble up a 403 status code to callers when the establishment secret from the token is invalid. This is a signal that a new peering token must be generated.
---
 agent/http.go | 5 +++++
 agent/rpc/peering/service.go | 2 +-
 agent/rpc/peering/service_test.go | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/agent/http.go b/agent/http.go
index ff7764f0d..24f0ed0bb 100644
--- a/agent/http.go
+++ b/agent/http.go
@@ -21,6 +21,8 @@ import (
 "github.com/hashicorp/go-cleanhttp"
 "github.com/mitchellh/mapstructure"
 "github.com/pkg/errors"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
 
 "github.com/hashicorp/consul/acl"
 "github.com/hashicorp/consul/agent/cache"
@@ -374,6 +376,9 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 if acl.IsErrPermissionDenied(err) || acl.IsErrNotFound(err) {
 return true
 }
+ if e, ok := status.FromError(err); ok && e.Code() == codes.PermissionDenied {
+ return true
+ }
 return false
 }
 
diff --git a/agent/rpc/peering/service.go b/agent/rpc/peering/service.go
index 8a945dc64..b6a8e6cfe 100644
--- a/agent/rpc/peering/service.go
+++ b/agent/rpc/peering/service.go
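Review bot: The new `status.FromError` check sits in the generic error classifier inside `wrap`, so a gRPC PermissionDenied surfaced by any HTTP endpoint now becomes a 403, not only the peering establish path the commit describes; that is probably intended, but a 403 normally tells the caller their own credentials were rejected, whereas here the denial may originate from a remote peer. Also, `status.FromError` only recognizes errors that expose a gRPC status directly (it may not unwrap `%w` chains in the grpc-go version in use here — confirm), so any intermediate `fmt.Errorf` wrapping upstream silently falls back to the previous 500 behaviour. A comment above the new block would capture both: `// A gRPC PermissionDenied (e.g. a stale peering establishment secret rejected by the remote peer) is mapped to 403 so callers know to re-issue credentials; the error must reach here un-wrapped for status.FromError to recognize it.` `wrap` begins and ends outside this hunk.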
@@ -556,7 +556,7 @@ func (s *Server) exchangeSecret(ctx context.Context, peering *pbpeering.Peering,
 // If we got a permission denied error that means out establishment secret is invalid, so we do not retry.
 grpcErr, ok := grpcstatus.FromError(err)
 if ok && grpcErr.Code() == codes.PermissionDenied {
- return nil, fmt.Errorf("a new peering token must be generated: %w", grpcErr.Err())
+ return nil, grpcstatus.Errorf(codes.PermissionDenied, "a new peering token must be generated: %s", grpcErr.Message())
 }
 if err != nil {
 dialErrors = multierror.Append(dialErrors, fmt.Errorf("failed to exchange peering secret through address %q: %w", addr, err))
diff --git a/agent/rpc/peering/service_test.go b/agent/rpc/peering/service_test.go
index 07a820fe4..9d5ea602f 100644
--- a/agent/rpc/peering/service_test.go
+++ b/agent/rpc/peering/service_test.go
@@ -510,6 +510,9 @@ func TestPeeringService_Establish_ThroughMeshGateway(t *testing.T) {
 PeerName: "my-peer-acceptor",
 PeeringToken: peeringToken,
 })
+ grpcErr, ok := grpcstatus.FromError(err)
+ require.True(t, ok)
+ require.Equal(t, codes.PermissionDenied, grpcErr.Code())
 testutil.RequireErrorContains(t, err, "a new peering token must be generated")
 })
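Review bot: The replacement `grpcstatus.Errorf` builds a fresh status from `grpcErr.Message()` only, so any status details the remote peer attached to the original error (`grpcErr.Details()`) are dropped and the `%w` chain to the original error is lost; that is acceptable if the HTTP layer only needs code and message, but the comment should say so, and the existing comment's "out establishment secret" reads as "our". Suggested replacement for the comment line: `// A PermissionDenied here means our establishment secret was rejected, so we do not retry. Return a plain gRPC status (not a %w-wrapped error) so the HTTP layer can map it to 403; details from the peer's status are intentionally not forwarded.` The peer-supplied message is now embedded verbatim in an error that reaches the HTTP caller, as it already was via `%w`, so nothing new is exposed. `exchangeSecret` begins and ends outside this hunk.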