Use permission denied for entity disabling

2018-04-23 16:50:04 -04:00 · 2018-04-23 16:50:04 -04:00 · d54191adff
parent ca872c5de1
commit d54191adff
5 changed files with 8 additions and 12 deletions
--- a/logical/request.go
+++ b/logical/request.go
@ -273,10 +273,6 @@ var (
 	// ErrPermissionDenied is returned if the client is not authorized
 	ErrPermissionDenied = errors.New("permission denied")

-	// ErrDisabledEntity is returned if the entity tied to a token is marked as
-	// disabled
-	ErrEntityDisabled = errors.New("entity associated with token is disabled")
-
 	// ErrMultiAuthzPending is returned if the the request needs more
 	// authorizations
 	ErrMultiAuthzPending = errors.New("request needs further approval")
--- a/vault/core.go
+++ b/vault/core.go
@ -828,7 +828,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 	}

 	if entity != nil && entity.Disabled {
-		return nil, te, logical.ErrEntityDisabled
+		return nil, te, logical.ErrPermissionDenied
 	}

 	// Check if this is a root protected path
@ -1391,7 +1391,7 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 	}

 	if entity != nil && entity.Disabled {
-		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
 		c.stateLock.RUnlock()
 		return retErr
 	}
@ -1507,7 +1507,7 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 	}

 	if entity != nil && entity.Disabled {
-		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
 		c.stateLock.RUnlock()
 		return retErr
 	}
--- a/vault/identity_store_entities_ext_test.go
+++ b/vault/identity_store_entities_ext_test.go
@ -124,7 +124,7 @@ func TestIdentityStore_EntityDisabled(t *testing.T) {
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
-	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}

@ -137,7 +137,7 @@ func TestIdentityStore_EntityDisabled(t *testing.T) {
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
-	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}

--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -3450,7 +3450,7 @@ func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *log
 	}

 	if entity != nil && entity.Disabled {
-		return logical.ErrorResponse(logical.ErrEntityDisabled.Error()), nil
+		return logical.ErrorResponse(logical.ErrPermissionDenied.Error()), nil
 	}

 	resp := &logical.Response{
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -204,7 +204,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		// return invalid request so that the status codes can be correct
 		errType := logical.ErrInvalidRequest
 		switch ctErr {
-		case ErrInternalError, logical.ErrPermissionDenied, logical.ErrEntityDisabled:
+		case ErrInternalError, logical.ErrPermissionDenied:
 			errType = ctErr
 		}

@ -522,7 +522,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 			}

 			if entity.Disabled {
-				return nil, nil, logical.ErrEntityDisabled
+				return nil, nil, logical.ErrPermissionDenied
 			}

 			auth.EntityID = entity.ID