From 6cb6157d37e7eb2633b64662b0355bfc62c4abf6 Mon Sep 17 00:00:00 2001 From: Chris Capurso <1036769+ccapurso@users.noreply.github.com> Date: Tue, 31 Jan 2023 13:57:50 -0500 Subject: [PATCH] return 403 for wrapping requests when no token provided (#18859) * return 403 for wrapping requests when no token provided * add changelog entry * fix changelog * use errors.As * simplify error response string --- changelog/18859.txt | 3 +++ http/sys_wrapping_test.go | 17 +++++++++++++++++ vault/request_handling.go | 2 +- 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 changelog/18859.txt diff --git a/changelog/18859.txt b/changelog/18859.txt new file mode 100644 index 000000000..0ee2c361e --- /dev/null +++ b/changelog/18859.txt @@ -0,0 +1,3 @@ +```release-note:bug +core/auth: Return a 403 instead of a 500 for wrapping requests when token is not provided +``` diff --git a/http/sys_wrapping_test.go b/http/sys_wrapping_test.go index 17520e78c..4a26c44fb 100644 --- a/http/sys_wrapping_test.go +++ b/http/sys_wrapping_test.go @@ -2,6 +2,7 @@ package http import ( "encoding/json" + "errors" "reflect" "testing" "time" @@ -366,4 +367,20 @@ func TestHTTP_Wrapping(t *testing.T) { }) { t.Fatalf("secret data did not match expected: %#v", secret.Data) } + + // Ensure that wrapping lookup without a client token responds correctly + client.ClearToken() + secret, err = client.Logical().Read("sys/wrapping/lookup") + if secret != nil { + t.Fatalf("expected no response: %#v", secret) + } + + if err == nil { + t.Fatal("expected error") + } + + var respError *api.ResponseError + if errors.As(err, &respError); respError.StatusCode != 403 { + t.Fatalf("expected 403 response, actual: %d", respError.StatusCode) + } } diff --git a/vault/request_handling.go b/vault/request_handling.go index 28131779b..c31d543eb 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -561,7 +561,7 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request // be revoked after the call. So we have to do the validation here. valid, err := c.validateWrappingToken(ctx, req) if err != nil { - return nil, fmt.Errorf("error validating wrapping token: %w", err) + return logical.ErrorResponse(fmt.Sprintf("error validating wrapping token: %s", err.Error())), logical.ErrPermissionDenied } if !valid { return nil, consts.ErrInvalidWrappingToken