sys: do not show filtered mounts on internal/ui/mounts (#6412)

2019-03-14 11:43:44 -07:00 · 2019-03-14 11:43:44 -07:00 · a71adbc2ce
parent b86edf3d8e
commit a71adbc2ce
1 changed files with 24 additions and 0 deletions
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -2899,6 +2899,14 @@ func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logic

 	b.Core.mountsLock.RLock()
 	for _, entry := range b.Core.mounts.Entries {
+		filtered, err := b.Core.checkReplicatedFiltering(ctx, entry, "")
+		if err != nil {
+			return nil, err
+		}
+		if filtered {
+			continue
+		}
+
 		if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
 			if isAuthed {
 				// If this is an authed request return all the mount info
@ -2916,6 +2924,14 @@ func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logic

 	b.Core.authLock.RLock()
 	for _, entry := range b.Core.auth.Entries {
+		filtered, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+		if err != nil {
+			return nil, err
+		}
+		if filtered {
+			continue
+		}
+
 		if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
 			if isAuthed {
 				// If this is an authed request return all the mount info
@ -2955,6 +2971,14 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		return errResp, logical.ErrPermissionDenied
 	}

+	filtered, err := b.Core.checkReplicatedFiltering(ctx, me, "")
+	if err != nil {
+		return nil, err
+	}
+	if filtered {
+		return errResp, logical.ErrPermissionDenied
+	}
+
 	resp := &logical.Response{
 		Data: mountInfo(me),
 	}