From a7f5d0c8ea1eeb43357dc76e680e8d338cdf7c0b Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Mon, 23 Oct 2023 12:19:20 -0400 Subject: [PATCH] backport of commit 87376a1f5c676c9a54e1050b3e71e32c4ac92595 (#23790) Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com> --- builtin/credential/approle/path_login.go | 14 +++++++------- builtin/credential/approle/path_login_test.go | 2 +- changelog/23786.txt | 3 +++ 3 files changed, 11 insertions(+), 8 deletions(-) create mode 100644 changelog/23786.txt diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go index a4c4fe82c..1e21e793e 100644 --- a/builtin/credential/approle/path_login.go +++ b/builtin/credential/approle/path_login.go @@ -99,7 +99,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request return nil, err } if roleIDIndex == nil { - return logical.ErrorResponse("invalid role ID"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } roleName := roleIDIndex.Name @@ -113,7 +113,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request return nil, err } if role == nil { - return logical.ErrorResponse("invalid role ID"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } return logical.ResolveRoleResponse(roleName) @@ -134,7 +134,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat return nil, err } if roleIDIndex == nil { - return logical.ErrorResponse("invalid role ID"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } roleName := roleIDIndex.Name @@ -148,7 +148,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat return nil, err } if role == nil { - return logical.ErrorResponse("invalid role ID"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } metadata := make(map[string]string) @@ -184,7 +184,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat return nil, err } if entry == nil { - return logical.ErrorResponse("invalid secret id"), logical.ErrInvalidCredentials + return logical.ErrorResponse("invalid role or secret ID"), logical.ErrInvalidCredentials } // If a secret ID entry does not have a corresponding accessor @@ -204,7 +204,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat return nil, err } if entry == nil { - return logical.ErrorResponse("invalid secret id"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } accessorEntry, err := b.secretIDAccessorEntry(ctx, req.Storage, entry.SecretIDAccessor, role.SecretIDPrefix) @@ -217,7 +217,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat return nil, fmt.Errorf("error deleting secret ID %q from storage: %w", secretIDHMAC, err) } } - return logical.ErrorResponse("invalid secret id"), nil + return logical.ErrorResponse("invalid role or secret ID"), nil } switch { diff --git a/builtin/credential/approle/path_login_test.go b/builtin/credential/approle/path_login_test.go index 5a09c6c4e..efed4676b 100644 --- a/builtin/credential/approle/path_login_test.go +++ b/builtin/credential/approle/path_login_test.go @@ -354,7 +354,7 @@ func TestAppRole_RoleDoesNotExist(t *testing.T) { t.Fatal("Error not part of response.") } - if !strings.Contains(errString, "invalid role ID") { + if !strings.Contains(errString, "invalid role or secret ID") { t.Fatalf("Error was not due to invalid role ID. Error: %s", errString) } } diff --git a/changelog/23786.txt b/changelog/23786.txt new file mode 100644 index 000000000..b6e73142e --- /dev/null +++ b/changelog/23786.txt @@ -0,0 +1,3 @@ +```release-note:change +auth/approle: Normalized error response messages when invalid credentials are provided +```