vault: verify login endpoint never returns a secret

Armon Dadgar 2015-05-09 11:51:58 -07:00
parent 13ab31f4b5
commit 843d9e6484
2 changed files with 8 additions and 4 deletions


@ -445,6 +445,13 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, erro
// Route the request
resp, err := c.router.Route(req)
// A login request should never return a secret!
if resp != nil && resp.Secret != nil {
c.logger.Printf("[ERR] core: unexpected Secret response for login path"+
"(request: %#v, response: %#v)", req, resp)
return nil, ErrInternalError
}
// If the response generated an authentication, then generate the token
var auth *logical.Auth
if resp != nil && resp.Auth != nil {
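Review bot: The new error log `c.logger.Printf(... "(request: %#v, response: %#v)", req, resp)` formats the whole request and response, so the branch that detects an unexpected secret can itself write the response data, and presumably whatever login credentials the request carries, into the server log. Logging only an identifying field keeps the guard from becoming a disclosure of its own, e.g. `c.logger.Printf("[ERR] core: unexpected Secret response for login path %q", req.Path)`. The concatenated format string is also missing a space between `login path` and `(request:`. handleLoginRequest continues past the end of the hunk, so how `err` from `Route` is handled after this check is not visible here.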


@ -891,13 +891,10 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) {
noopBack := &NoopBackend{
Login: []string{"login"},
Response: &logical.Response{
Secret: &logical.Secret{
Auth: &logical.Auth{
LeaseOptions: logical.LeaseOptions{
Lease: time.Hour,
},
},
Auth: &logical.Auth{
Policies: []string{"foo", "bar"},
Metadata: map[string]string{
"user": "armon",