backport of commit 5b41148bfcfd305991c19998f6d04ca8880da137 (#21488)

hc-github-team-secure-vault-core 2023-06-28 13:46:37 -04:00 committed by GitHub
parent c97ada6e49
commit 9310e3acba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 10 additions and 14 deletions


@ -9,6 +9,7 @@ import (
"strings" "strings"
"github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/ldaputil" "github.com/hashicorp/vault/sdk/helper/ldaputil"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
@ -96,7 +97,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if b.Logger().IsDebug() { if b.Logger().IsDebug() {
b.Logger().Debug("error getting user bind DN", "error", err) b.Logger().Debug("error getting user bind DN", "error", err)
} }
return "", nil, logical.ErrorResponse(errUserBindFailed), nil, nil return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
} }
if b.Logger().IsDebug() { if b.Logger().IsDebug() {
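Review bot: The bind-DN failure branch in Login now returns both an error response and `logical.ErrInvalidCredentials`, but nothing at the return says why both are set or which one a caller should honour. A caller that tests `err != nil` first and drops the response would lose the errUserBindFailed message, so the contract deserves a comment such as `// resp carries the client-facing message; err only selects the status code, so lookup and bind failures look the same to the client`. Login's other failure returns are outside the hunk; if the password-bind failure does not return the same pair, the two cases would still differ in status code and let a client tell existing usernames from unknown ones. A test comparing the two responses would catch that. The lookup error itself is still logged only at debug level, so a directory outage would presumably surface to operators as a run of invalid-credential failures.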


@ -83,17 +83,8 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
password := d.Get("password").(string) password := d.Get("password").(string)
effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias) effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
// Handle an internal error if err != nil || (resp != nil && resp.IsError()) {
if err != nil { return resp, err
return nil, err
}
if resp != nil {
// Handle a logical error
if resp.IsError() {
return resp, nil
}
} else {
resp = &logical.Response{}
} }
auth := &logical.Auth{ auth := &logical.Auth{
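Review bot: The rewritten check in pathLogin no longer replaces a nil resp with an empty response, so a (nil resp, nil err) result from Login now falls through to the code after the check. The rest of pathLogin is outside the hunk; if it assigns to resp (for example to attach auth), that would be a nil-pointer panic on the login path. Either restore the guard after the check, `if resp == nil { resp = &logical.Response{} }`, or document on Login that a successful return always carries a non-nil response. Also note that a non-nil err now returns resp with it where the old code returned `nil, err`, so whatever Login placed in resp is forwarded on internal errors too.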

3
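--- a/changelog/21282.txt
+++ b/changelog/21282.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/ldap: Normalize HTTP response codes when invalid credentials are provided
+```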


@ -21,6 +21,8 @@ import (
"github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/hashicorp/go-sockaddr" "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
uberAtomic "go.uber.org/atomic"
"github.com/hashicorp/vault/command/server" "github.com/hashicorp/vault/command/server"
"github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/identity/mfa" "github.com/hashicorp/vault/helper/identity/mfa"
@ -36,7 +38,6 @@ import (
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault/quotas" "github.com/hashicorp/vault/vault/quotas"
"github.com/hashicorp/vault/vault/tokens" "github.com/hashicorp/vault/vault/tokens"
uberAtomic "go.uber.org/atomic"
) )
const ( const (
@ -1408,7 +1409,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
return nil, nil, err return nil, nil, err
} }
} }
return nil, nil, resp.Error() return resp, nil, routeErr
} }
if resp != nil { if resp != nil {
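Review bot: The rewritten return in handleLoginRequest now hands the backend's resp back together with routeErr, where the old line returned only an error built from resp, and the reason is not stated at the return. A short comment would help the next reader, e.g. `// keep resp so the backend's error message reaches the client; routeErr decides the status code`. The enclosing condition is outside the hunk, so it is worth confirming that resp may be nil here without breaking callers. Because resp now travels further on a failed login, also confirm it never carries Auth or secret data on this path, and that audit logging handles a non-nil response paired with a non-nil error.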