Authenticate to "login" endpoint for non-existent mount path bug (#13162)
Changes the response for a request with a missing client token from a 400 "missing client token" error to a 403 permission denied error; removes a TODO comment; fixes the affected tests; adds and then corrects the changelog entry.
This commit is contained in:
parent
d5f4fbecc1
commit
f77223bfe5
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403
|
||||||
|
```
|
|
@ -315,8 +315,8 @@ func TestHandler_MissingToken(t *testing.T) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
if resp.StatusCode != 400 {
|
if resp.StatusCode != 403 {
|
||||||
t.Fatalf("expected code 400, got: %d", resp.StatusCode)
|
t.Fatalf("expected code 403, got: %d", resp.StatusCode)
|
||||||
}
|
}
|
||||||
}
|
}
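Review bot: The new comparison `if resp.StatusCode != 403 {` and its message `expected code 403` use a bare literal where the TestHelp change in this same commit uses `http.StatusForbidden`; the named constant makes the intent (permission denied rather than bad request) readable and keeps the tests consistent. I would write `if resp.StatusCode != http.StatusForbidden {` and `t.Fatalf("expected code %d, got: %d", http.StatusForbidden, resp.StatusCode)`. Whether `net/http` is already imported in this file is not visible from the hunk. TestHandler_MissingToken starts before this hunk.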
|
||||||
|
|
||||||
|
|
|
@ -14,8 +14,8 @@ func TestHelp(t *testing.T) {
|
||||||
TestServerAuth(t, addr, token)
|
TestServerAuth(t, addr, token)
|
||||||
|
|
||||||
resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
|
resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
|
||||||
if resp.StatusCode != http.StatusBadRequest {
|
if resp.StatusCode != http.StatusForbidden {
|
||||||
t.Fatal("expected bad request with no token")
|
t.Fatal("expected permission denied with no token")
|
||||||
}
|
}
|
||||||
|
|
||||||
resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1")
|
resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1")
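Review bot: The updated failure message `t.Fatal("expected permission denied with no token")` drops the status code that was actually returned, so a regression to the old 400 (or a 200 that means the token check was bypassed) is reported without the one datum needed to diagnose it. Use `t.Fatalf("expected %d with no token, got %d", http.StatusForbidden, resp.StatusCode)`. TestHelp starts before this hunk and continues after it.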
|
||||||
|
|
|
@ -23,7 +23,7 @@ func TestSysMetricsUnauthenticated(t *testing.T) {
|
||||||
|
|
||||||
// Default: Only authenticated access
|
// Default: Only authenticated access
|
||||||
resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
|
resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
|
||||||
testResponseStatus(t, resp, 400)
|
testResponseStatus(t, resp, 403)
|
||||||
resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
|
resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
|
||||||
testResponseStatus(t, resp, 200)
|
testResponseStatus(t, resp, 200)
|
||||||
|
|
||||||
|
@ -65,7 +65,7 @@ func TestSysPProfUnauthenticated(t *testing.T) {
|
||||||
|
|
||||||
// Default: Only authenticated access
|
// Default: Only authenticated access
|
||||||
resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
|
resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
|
||||||
testResponseStatus(t, resp, 400)
|
testResponseStatus(t, resp, 403)
|
||||||
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
|
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
|
||||||
testResponseStatus(t, resp, 200)
|
testResponseStatus(t, resp, 200)
|
||||||
|
|
||||||
|
|
|
@ -472,10 +472,10 @@ func TestCore_HandleRequest_MissingToken(t *testing.T) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
resp, err := c.HandleRequest(namespace.RootContext(nil), req)
|
resp, err := c.HandleRequest(namespace.RootContext(nil), req)
|
||||||
if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) {
|
if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
if resp.Data["error"] != "missing client token" {
|
if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
|
||||||
t.Fatalf("bad: %#v", resp)
|
t.Fatalf("bad: %#v", resp)
|
||||||
}
|
}
|
||||||
}
|
}
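Review bot: The updated check `if resp.Data["error"] != logical.ErrPermissionDenied.Error() {` still dereferences `resp` with no nil guard, so if HandleRequest ever returns a nil response alongside the error the test panics instead of reporting a clean failure. Add `if resp == nil { t.Fatal("expected a response carrying the error body") }` before that comparison. The test also only checks the error text; it presumably relies on the HTTP-layer tests elsewhere in this commit for the 403 mapping. TestCore_HandleRequest_MissingToken starts before this hunk.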
|
||||||
|
|
|
@ -126,7 +126,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
||||||
|
|
||||||
// Ensure there is a client token
|
// Ensure there is a client token
|
||||||
if req.ClientToken == "" {
|
if req.ClientToken == "" {
|
||||||
return nil, nil, nil, nil, &logical.StatusBadRequest{Err: "missing client token"}
|
return nil, nil, nil, nil, logical.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.tokenStore == nil {
|
if c.tokenStore == nil {
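Review bot: The new `return nil, nil, nil, nil, logical.ErrPermissionDenied` at the missing-token check carries no comment explaining why a uniform 403 is now preferred over the former 400 "missing client token", and this is the security-relevant part of the commit: judging from the title and the router test, a distinct missing-token error let an unauthenticated caller learn that `auth/<name>/login` was not an unauthenticated login path, i.e. that the mount does not exist, whereas permission denied is the same answer for an absent token, an invalid token and an unknown mount. I would add above the return: `// Report a missing token as permission denied (403) rather than a distinct 400, so an unauthenticated probe cannot tell an unknown mount from an existing one by the status code or message.` Note the response body changes from "missing client token" to "permission denied" as well, so any client or operator tooling keyed on the old string will break; the changelog entry mentions the status code but not the message. fetchACLTokenEntryAndEntity begins before this hunk, so whether any caller type-asserts on `*logical.StatusBadRequest` from this return is not visible here and is worth checking.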
|
||||||
|
|
|
@ -373,6 +373,7 @@ func TestRouter_LoginPath(t *testing.T) {
|
||||||
{"auth/foo/bar", false},
|
{"auth/foo/bar", false},
|
||||||
{"auth/foo/login", true},
|
{"auth/foo/login", true},
|
||||||
{"auth/foo/login/", false},
|
{"auth/foo/login/", false},
|
||||||
|
{"auth/invalid/login", false},
|
||||||
{"auth/foo/oauth", false},
|
{"auth/foo/oauth", false},
|
||||||
{"auth/foo/oauth/", true},
|
{"auth/foo/oauth/", true},
|
||||||
{"auth/foo/oauth/redirect", true},
|
{"auth/foo/oauth/redirect", true},
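Review bot: The added case `{"auth/invalid/login", false}` pins only the exact-path form of a login path under an unmounted prefix, while the `foo` rows (`auth/foo/oauth/` and `auth/foo/oauth/redirect` both true) show that prefix-style login paths appear to exist too, and the unmounted variant of those is not covered. I would add `{"auth/invalid/login/", false},` and `{"auth/invalid/oauth/redirect", false},` so that neither the exact nor the prefix form is treated as unauthenticated for a mount that does not exist. TestRouter_LoginPath starts before this hunk and the table continues after it.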
|
||||||
|