From d54191adff58d0caaa4a635287ed722f114cb69e Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 23 Apr 2018 16:50:04 -0400
Subject: [PATCH] Use permission denied for entity disabling

---
 logical/request.go | 4 ----
 vault/core.go | 6 +++---
 vault/identity_store_entities_ext_test.go | 4 ++--
 vault/logical_system.go | 2 +-
 vault/request_handling.go | 4 ++--
 5 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/logical/request.go b/logical/request.go
index 27996bb83..7bff6f080 100644
--- a/logical/request.go
+++ b/logical/request.go
@@ -273,10 +273,6 @@ var (
 	// ErrPermissionDenied is returned if the client is not authorized
 	ErrPermissionDenied = errors.New("permission denied")
 
-	// ErrDisabledEntity is returned if the entity tied to a token is marked as
-	// disabled
-	ErrEntityDisabled = errors.New("entity associated with token is disabled")
-
 	// ErrMultiAuthzPending is returned if the the request needs more
 	// authorizations
 	ErrMultiAuthzPending = errors.New("request needs further approval")
diff --git a/vault/core.go b/vault/core.go
index 0b04533dd..87ad156e3 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -828,7 +828,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 	}
 
 	if entity != nil && entity.Disabled {
-		return nil, te, logical.ErrEntityDisabled
+		return nil, te, logical.ErrPermissionDenied
 	}
 
 	// Check if this is a root protected path
@@ -1391,7 +1391,7 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 	}
 
 	if entity != nil && entity.Disabled {
-		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
 		c.stateLock.RUnlock()
 		return retErr
 	}
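Review bot: Returning logical.ErrPermissionDenied here makes a disabled entity indistinguishable from an ACL denial on the client side, which is the intent, but it also removes the only place the two cases were told apart, so the distinction should be kept where the caller cannot see it. A short comment above the return would record that intent, e.g. `// Deliberately reported as a plain permission denial so the response does not reveal that the entity is disabled.`, and a server-side debug log of the entity ID at this point (via c.logger, if that is the Core logger in use here) would keep the case diagnosable for operators. The same substitution appears in sealInitCommon (@@ -1391) and StepDown (@@ -1507), where it is appended to retErr before the state lock is released. checkToken's body begins and ends outside the hunk.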
@@ -1507,7 +1507,7 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 	}
 
 	if entity != nil && entity.Disabled {
-		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
 		c.stateLock.RUnlock()
 		return retErr
 	}
diff --git a/vault/identity_store_entities_ext_test.go b/vault/identity_store_entities_ext_test.go
index f0a9147ea..cfa2d928b 100644
--- a/vault/identity_store_entities_ext_test.go
+++ b/vault/identity_store_entities_ext_test.go
@@ -124,7 +124,7 @@ func TestIdentityStore_EntityDisabled(t *testing.T) {
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
-	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}
 
@@ -137,7 +137,7 @@ func TestIdentityStore_EntityDisabled(t *testing.T) {
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
-	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}
 
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 83ec07b5f..661e047ab 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -3450,7 +3450,7 @@ func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *log
 	}
 
 	if entity != nil && entity.Disabled {
-		return logical.ErrorResponse(logical.ErrEntityDisabled.Error()), nil
+		return logical.ErrorResponse(logical.ErrPermissionDenied.Error()), nil
 	}
 
 	resp := &logical.Response{
diff --git a/vault/request_handling.go b/vault/request_handling.go
index b03833085..69cf9edc5 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
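Review bot: The failure message following the new assertion is now stale — `t.Fatalf("expected to see entity disabled error, got %v", err)` still names an error that no longer exists, so a failing run would point a reader at the wrong thing; `t.Fatalf("expected permission denied for disabled entity, got %v", err)` matches what is actually checked. The same message follows the second updated assertion (@@ -137). Matching on the generic "permission denied" text also no longer proves the denial came from the disabled flag rather than from policy; presumably the test re-enables the entity and checks that the same request then succeeds, which is what keeps the check meaningful, but that part is outside the hunk. TestIdentityStore_EntityDisabled starts before and continues after both hunks.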
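Review bot: This site returns the sentinel as an error-response body with a nil error (`logical.ErrorResponse(logical.ErrPermissionDenied.Error()), nil`), while every other site in this commit returns logical.ErrPermissionDenied as the error value, which is what the ctErr switch in handleRequest keys its status code on. If the HTTP layer maps the sentinel to a 403 only when it arrives as the error, this endpoint will answer a disabled entity with a generic 400 instead; `return nil, logical.ErrPermissionDenied` would make it consistent with the others, unless this endpoint deliberately avoids the error path. pathInternalUIResultantACL begins before the hunk and continues after it.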
@@ -204,7 +204,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		// return invalid request so that the status codes can be correct
 		errType := logical.ErrInvalidRequest
 		switch ctErr {
-		case ErrInternalError, logical.ErrPermissionDenied, logical.ErrEntityDisabled:
+		case ErrInternalError, logical.ErrPermissionDenied:
 			errType = ctErr
 		}
 
@@ -522,7 +522,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 	}
 
 	if entity.Disabled {
-		return nil, nil, logical.ErrEntityDisabled
+		return nil, nil, logical.ErrPermissionDenied
 	}
 
 	auth.EntityID = entity.ID
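Review bot: `if entity.Disabled` dereferences entity without the `entity != nil` guard used at the other sites in this commit (checkToken, sealInitCommon, StepDown); the `auth.EntityID = entity.ID` context line below has the same dependency, so presumably the lookup above guarantees a non-nil entity, but that code is outside the hunk and worth confirming. A one-line comment would also record why a disabled entity at login is reported as a plain permission denial rather than a dedicated error, e.g. `// Reported as a generic permission denial so the login response does not reveal entity state.`. handleLoginRequest begins before the hunk and continues after it.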