forwarding requests subjected to Login MFA to the active node (#15009)

* forwarding requests subjected to Login MFA to the active node

* CL, and making fmt happy
Hamid Ghaf 2022-04-13 10:11:53 -04:00 committed by GitHub
parent 5074cec5cb
commit a12271af46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 2 deletions

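--- a/changelog/15009.txt
+++ b/changelog/15009.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: forward requests subject to login MFA from perfStandby to Active node
+```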


@ -10,10 +10,9 @@ import (
"time" "time"
"github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-secure-stdlib/strutil"
"github.com/stretchr/testify/require"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/stretchr/testify/require"
) )
func BenchmarkBackendRoute(b *testing.B) { func BenchmarkBackendRoute(b *testing.B) {


@ -1506,6 +1506,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
} }
} }
} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 { } else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
// two-phase login MFA requests should be forwarded
// to the active node, as the validation should only
// happen in that node
if c.perfStandby {
return nil, nil, logical.ErrPerfStandbyPleaseForward
}
mfaRequestID, err := uuid.GenerateUUID() mfaRequestID, err := uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
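Review bot: The new `c.perfStandby` guard covers only the `len(req.MFACreds) == 0` branch, so the comment's statement that validation "should only happen in that node" is not enforced when MFA credentials arrive together with the login request. The preceding branch is outside the hunk, so confirm whether it validates on a performance standby and, if it does, either forward there as well or narrow the comment to the two-phase case. The comment would also help more if it gave the reason, for example `// the pending MFA request created below must exist on the active node, where the follow-up validation is handled` (wording to be confirmed against where that request is actually stored). Because the guard sits after enforcement matching, the login has presumably already been processed on the standby before `logical.ErrPerfStandbyPleaseForward` is returned, so it is worth checking that processing it again on the active node has no side effects, and a regression test for the forwarded path is missing from this commit. handleLoginRequest starts and ends outside the hunk.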