diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
index 48a6ab7fa..a1ff157e8 100644
--- a/builtin/logical/transit/path_encrypt.go
+++ b/builtin/logical/transit/path_encrypt.go
@@ -509,21 +509,23 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 // that user errors are non-retryable without making changes to the request, and should be surfaced
 // to the user first.
 func batchRequestResponse(d *framework.FieldData, resp *logical.Response, req *logical.Request, successesInBatch, userErrorInBatch, internalErrorInBatch bool) (*logical.Response, error) {
- switch {
- case userErrorInBatch:
- code := http.StatusBadRequest
- if successesInBatch {
- if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok {
- code = codeRaw.(int)
- if code < 1 || code > 599 {
- resp.AddWarning("invalid HTTP response code override from partial_failure_response_code, reverting to HTTP 400")
- code = http.StatusBadRequest
- }
+ if userErrorInBatch || internalErrorInBatch {
+ var code int
+ switch {
+ case userErrorInBatch:
+ code = http.StatusBadRequest
+ case internalErrorInBatch:
+ code = http.StatusInternalServerError
+ }
+ if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok && successesInBatch {
+ newCode := codeRaw.(int)
+ if newCode < 1 || newCode > 599 {
+ resp.AddWarning(fmt.Sprintf("invalid HTTP response code override from partial_failure_response_code, reverting to %d", code))
+ } else {
+ code = newCode
 }
 }
 return logical.RespondWithStatusCode(resp, req, code)
- case internalErrorInBatch:
- return logical.RespondWithStatusCode(resp, req, http.StatusInternalServerError)
 }
 return resp, nil
diff --git a/changelog/18310.txt b/changelog/18310.txt
new file mode 100644
index 000000000..5af54ed6a
--- /dev/null
+++ b/changelog/18310.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Honor `partial_success_response_code` on decryption failures.
+```
\ No newline at end of file
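Review bot: The range check on the new `if newCode < 1 || newCode > 599 {` line still admits 1–99, which are not HTTP status codes and which net/http's WriteHeader rejects with a panic if the value reaches it, so a caller-supplied override such as 50 would be passed to `logical.RespondWithStatusCode` untouched; tighten it to `if newCode < 100 || newCode > 599 {` (the old code had the same bound, but this line is where it now lives). Because the override is now applied whenever `successesInBatch` is set, regardless of whether the failure class was user or internal, a client can map a partial 5xx onto any code it chooses; that is the intended fix but deserves a comment above the `d.GetOk` line, e.g. `// The override applies to both user-error and internal-error partial failures; only the out-of-range case keeps the default code.` The changelog added in this commit names `partial_success_response_code`, while the field read here is `partial_failure_response_code`, so one of the two should be corrected. batchRequestResponse's closing brace lies past the end of the hunk.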
diff --git a/website/content/api-docs/secret/transit.mdx b/website/content/api-docs/secret/transit.mdx
index 42d62b2ae..94e119a32 100644
--- a/website/content/api-docs/secret/transit.mdx
+++ b/website/content/api-docs/secret/transit.mdx
@@ -661,10 +661,13 @@ will be returned.
 impact the ciphertext's security.
 - `partial_failure_response_code` `(int: 400)` Ordinarily, if a batch item fails
-to encrypt due to a bad input, but other batch items succeed, the HTTP response
-code is 400 (Bad Request). Some applications may want to treat partial failures
-differently. Providing the parameter returns the given response code integer
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+ to encrypt due to a bad input, but other batch items succeed, the HTTP response
+ code is 400 (Bad Request). Some applications may want to treat partial failures
+ differently. Providing the parameter returns the given response code integer
+ instead of a failed status code in this case. If all values fail an error
+ code is still returned. Be warned that some failures (such as failure to
+ decrypt) could be indicative of a security breach and should not be
+ ignored.
 ~>**NOTE:** All plaintext data **must be base64-encoded**. The reason for this requirement is that Vault does not require that the plaintext is "text". It
@@ -756,10 +759,13 @@ This endpoint decrypts the provided ciphertext using the named key.
 ]
 ```
 - `partial_failure_response_code` `(int: 400)` Ordinarily, if a batch item fails
-to encrypt due to a bad input, but other batch items succeed, the HTTP response
-code is 400 (Bad Request). Some applications may want to treat partial failures
-differently. Providing the parameter returns the given response code integer
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+ to encrypt due to a bad input, but other batch items succeed, the HTTP response
+ code is 400 (Bad Request). Some applications may want to treat partial failures
+ differently. Providing the parameter returns the given response code integer
+ instead of a failed status code in this case. If all values fail an error
+ code is still returned. Be warned that some failures (such as failure to
+ decrypt) could be indicative of a security breach and should not be
+ ignored.
 ### Sample Payload