Fix panic when logging in to userpass without a valid user (#7160)

This commit is contained in:
Jeff Mitchell 2019-07-22 12:27:28 -04:00 committed by GitHub
parent 3b22ab2486
commit 2f41018df8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -64,11 +64,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
// Get the user and validate auth
user, userError := b.user(ctx, req.Storage, username)
// Check for a CIDR match.
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
return nil, logical.ErrPermissionDenied
}
var userPassword []byte
var legacyPassword bool
// If there was an error or it's nil, we fake a password for the bcrypt
@ -108,6 +103,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
return logical.ErrorResponse("invalid username or password"), nil
}
// Check for a CIDR match.
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
return nil, logical.ErrPermissionDenied
}
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,