Return 404 response when looking for a secret_id_accessor that does not exist (#12788)

* Return 404 response when looking for an secret_id_accessor that does not exist

Closes https://github.com/hashicorp/vault/issues/12660
This commit is contained in:
Rémi Lapeyre 2021-10-11 16:07:51 +02:00 committed by GitHub
parent 964a0f3b15
commit 308806eee3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 2 deletions

View File

@ -4,6 +4,7 @@ import (
"context"
"errors"
"fmt"
"net/http"
"strings"
"time"
@ -1297,7 +1298,11 @@ func (b *backend) pathRoleSecretIDAccessorLookupUpdate(ctx context.Context, req
return nil, err
}
if accessorEntry == nil {
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
return logical.RespondWithStatusCode(
logical.ErrorResponse("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor),
req,
http.StatusNotFound,
)
}
roleNameHMAC, err := createHMAC(role.HMACKey, role.name)

View File

@ -993,6 +993,34 @@ func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) {
}
}
func TestAppRoleSecretIDLookup(t *testing.T) {
b, storage := createBackendWithStorage(t)
createRole(t, b, storage, "role1", "a,b")
req := &logical.Request{
Operation: logical.UpdateOperation,
Storage: storage,
Path: "role/role1/secret-id-accessor/lookup",
Data: map[string]interface{}{
"secret_id_accessor": "invalid",
},
}
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
expected := &logical.Response{
Data: map[string]interface{}{
"http_content_type": "application/json",
"http_raw_body": `{"request_id":"","lease_id":"","renewable":false,"lease_duration":0,"data":{"error":"failed to find accessor entry for secret_id_accessor: \"invalid\""},"wrap_info":null,"warnings":null,"auth":null}`,
"http_status_code": 404,
},
}
if !reflect.DeepEqual(resp, expected) {
t.Fatalf("resp:%#v expected:%#v", resp, expected)
}
}
func TestAppRoleRoleListSecretID(t *testing.T) {
var resp *logical.Response
var err error

3
changelog/12788.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
auth/approle: The `role/:name/secret-id-accessor/lookup` endpoint now returns a 404 status code when the `secret_id_accessor` cannot be found
```