luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Make the error response to the sys/internal/ui/mounts with no client token consistent (#10650) 

* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount
This commit is contained in:
Scott Miller 2021-01-07 11:46:08 -06:00 committed by GitHub
parent 7189a67a33
commit c3e0d06216
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changelog/10650.txt Normal file
View File

@ -0,0 +1,4 @@
```release-note:bug
core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence.
```

28
vault/logical_system.go
View File

@ -3354,6 +3354,20 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
}
path = sanitizePath(path)
// Load the ACL policies so we can walk the prefix for this mount
acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
if err != nil {
return nil, err
}
if entity != nil && entity.Disabled {
b.logger.Warn("permission denied as the entity on the token is disabled")
return nil, logical.ErrPermissionDenied
}
if te != nil && te.EntityID != "" && entity == nil {
b.logger.Warn("permission denied as the entity on the token is invalid")
return nil, logical.ErrPermissionDenied
}
errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
ns, err := namespace.FromContext(ctx)
@ -3386,20 +3400,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
fullMountPath = ns.Path + me.Namespace().Path + me.Path
}
// Load the ACL policies so we can walk the prefix for this mount
acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
if err != nil {
return nil, err
}
if entity != nil && entity.Disabled {
b.logger.Warn("permission denied as the entity on the token is disabled")
return errResp, logical.ErrPermissionDenied
}
if te != nil && te.EntityID != "" && entity == nil {
b.logger.Warn("permission denied as the entity on the token is invalid")
return nil, logical.ErrPermissionDenied
}
if !hasMountAccess(ctx, acl, fullMountPath) {
return errResp, logical.ErrPermissionDenied
}