Return a more helpful error message for unknown db roles (#6157)

* return a more helpful err msg

* update test, print fmt

* fix other test failure
Becca Petrin 2019-02-07 11:16:23 -08:00 committed by Brian Kassouf
parent f9cb767d9c
commit 3225a66d34
2 changed files with 5 additions and 5 deletions


@ -1156,8 +1156,8 @@ func TestBackend_allowedRoles(t *testing.T) {
Data: data,
}
credsResp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrPermissionDenied {
t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err)
if err == nil {
t.Fatal("expected error because role is denied")
}
// update connection with glob allowed roles connection
@ -1254,8 +1254,8 @@ func TestBackend_allowedRoles(t *testing.T) {
Data: data,
}
credsResp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrPermissionDenied {
t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err)
if err == nil {
t.Fatal("expected error because role is denied")
}
// Get creds from allowed role, should work.
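Review bot: Both rewritten checks in TestBackend_allowedRoles (the `if err == nil` in the hunk at 1156 and again in the hunk at 1254) now pass on any error at all, so these access-control tests no longer prove that the request was refused because of allowed_roles rather than a setup or connection failure. Pin the denial instead, for example `if err == nil || !strings.Contains(err.Error(), "is not an allowed role") {` followed by `t.Fatalf("expected allowed-role denial, got: %v", err)`. This assumes `strings` is imported in the test file, which is not visible here. The test function starts and ends outside both hunks.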


@ -51,7 +51,7 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
// If role name isn't in the database's allowed roles, send back a
// permission denied.
if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {
return nil, logical.ErrPermissionDenied
return nil, fmt.Errorf("%q is not an allowed role", name)
}
// Get the Database object
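Review bot: The denial at `return nil, fmt.Errorf("%q is not an allowed role", name)` no longer carries logical.ErrPermissionDenied, so callers, audit consumers and alert rules keyed on permission-denied responses can no longer tell a blocked role request from an internal failure. The status mapping happens outside this hunk, but a plain error is probably surfaced as a server error rather than a 403. To keep the helpful message and the error class together, consider `return nil, logical.CodedError(403, fmt.Sprintf("%q is not an allowed role", name))`, if that helper is available in this tree. The comment above the check still says "send back a permission denied" and should be updated to match whatever is returned. The enclosing closure continues outside the hunk.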