Return the partial success code override for all batch error types (#18310)

* Return the partial success code override for all batch error types

* changelog

* docs

* Lost the actual override logic. :)

* And don't hardcode 400

* gate on success

builtin/logical/transit/path_encrypt.go

@@ -509,21 +509,23 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 // that user errors are non-retryable without making changes to the request, and should be surfaced
 // to the user first.
 func batchRequestResponse(d *framework.FieldData, resp *logical.Response, req *logical.Request, successesInBatch, userErrorInBatch, internalErrorInBatch bool) (*logical.Response, error) {
+	if userErrorInBatch || internalErrorInBatch {
+		var code int
 		switch {
 		case userErrorInBatch:
-		code := http.StatusBadRequest
-		if successesInBatch {
-			if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok {
-				code = codeRaw.(int)
-				if code < 1 || code > 599 {
-					resp.AddWarning("invalid HTTP response code override from partial_failure_response_code, reverting to HTTP 400")
 			code = http.StatusBadRequest
+		case internalErrorInBatch:
+			code = http.StatusInternalServerError
 		}
+		if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok && successesInBatch {
+			newCode := codeRaw.(int)
+			if newCode < 1 || newCode > 599 {
+				resp.AddWarning(fmt.Sprintf("invalid HTTP response code override from partial_failure_response_code, reverting to %d", code))
+			} else {
+				code = newCode
 			}
 		}
 		return logical.RespondWithStatusCode(resp, req, code)
-	case internalErrorInBatch:
-		return logical.RespondWithStatusCode(resp, req, http.StatusInternalServerError)
 	}
 
 	return resp, nil

changelog/18310.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Honor `partial_success_response_code` on decryption failures.
+```

website/content/api-docs/secret/transit.mdx

@@ -664,7 +664,10 @@ will be returned.
   to encrypt due to a bad input, but other batch items succeed, the HTTP response 
   code is 400 (Bad Request).  Some applications may want to treat partial failures
   differently.  Providing the parameter returns the given response code integer 
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+  instead of a failed status code in this case. If all values fail an error
+  code is still returned.  Be warned that some failures (such as failure to
+  decrypt) could be indicative of a security breach and should not be
+  ignored.
 
 ~>**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
 requirement is that Vault does not require that the plaintext is "text". It
@@ -759,7 +762,10 @@ This endpoint decrypts the provided ciphertext using the named key.
   to encrypt due to a bad input, but other batch items succeed, the HTTP response 
   code is 400 (Bad Request).  Some applications may want to treat partial failures
   differently.  Providing the parameter returns the given response code integer 
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+  instead of a failed status code in this case. If all values fail an error
+  code is still returned.  Be warned that some failures (such as failure to
+  decrypt) could be indicative of a security breach and should not be
+  ignored.
 
 ### Sample Payload