Return 404 response when looking for a secret_id_accessor that does not exist (#12788)

* Return 404 response when looking for an secret_id_accessor that does not exist Closes https://github.com/hashicorp/vault/issues/12660
2021-10-11 16:07:51 +02:00 · 2021-10-11 16:07:51 +02:00 · 308806eee3
parent 964a0f3b15
commit 308806eee3
3 changed files with 38 additions and 2 deletions
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"

@ -237,7 +238,7 @@ can only be set during role creation and once set, it can't be reset later.`,
 				},
 				"bound_cidr_list": {
 					Type: framework.TypeCommaStringSlice,
-					Description: `Deprecated: Please use "secret_id_bound_cidrs" instead. Comma separated string or list 
+					Description: `Deprecated: Please use "secret_id_bound_cidrs" instead. Comma separated string or list
 of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.`,
 				},
 			},
@ -1297,7 +1298,11 @@ func (b *backend) pathRoleSecretIDAccessorLookupUpdate(ctx context.Context, req
 		return nil, err
 	}
 	if accessorEntry == nil {
-		return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
+		return logical.RespondWithStatusCode(
+			logical.ErrorResponse("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor),
+			req,
+			http.StatusNotFound,
+		)
 	}

 	roleNameHMAC, err := createHMAC(role.HMACKey, role.name)
--- a/builtin/credential/approle/path_role_test.go
+++ b/builtin/credential/approle/path_role_test.go
@ -993,6 +993,34 @@ func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) {
 	}
 }

+func TestAppRoleSecretIDLookup(t *testing.T) {
+	b, storage := createBackendWithStorage(t)
+	createRole(t, b, storage, "role1", "a,b")
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Storage:   storage,
+		Path:      "role/role1/secret-id-accessor/lookup",
+		Data: map[string]interface{}{
+			"secret_id_accessor": "invalid",
+		},
+	}
+	resp, err := b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	expected := &logical.Response{
+		Data: map[string]interface{}{
+			"http_content_type": "application/json",
+			"http_raw_body":     `{"request_id":"","lease_id":"","renewable":false,"lease_duration":0,"data":{"error":"failed to find accessor entry for secret_id_accessor: \"invalid\""},"wrap_info":null,"warnings":null,"auth":null}`,
+			"http_status_code":  404,
+		},
+	}
+	if !reflect.DeepEqual(resp, expected) {
+		t.Fatalf("resp:%#v expected:%#v", resp, expected)
+	}
+}
+
 func TestAppRoleRoleListSecretID(t *testing.T) {
 	var resp *logical.Response
 	var err error
--- a/changelog/12788.txt
+++ b/changelog/12788.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+auth/approle: The `role/:name/secret-id-accessor/lookup` endpoint now returns a 404 status code when the `secret_id_accessor` cannot be found
+```