Authenticate to "login" endpoint for non-existent mount path bug (#13162)

* changing response from missing client token to permission denied

* removing todo comment

* fix tests

* adding changelog

* fixing changelog
This commit is contained in:
akshya96 2021-11-22 17:06:59 -08:00 committed by GitHub
parent d5f4fbecc1
commit f77223bfe5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 13 additions and 9 deletions

changelog/13162.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403
```


@ -315,8 +315,8 @@ func TestHandler_MissingToken(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
if resp.StatusCode != 400 { if resp.StatusCode != 403 {
t.Fatalf("expected code 400, got: %d", resp.StatusCode) t.Fatalf("expected code 403, got: %d", resp.StatusCode)
} }
} }
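Review bot: The new status check in TestHandler_MissingToken compares against the bare literal 403, while the TestHelp hunk in this same commit uses `http.StatusForbidden`; the two metrics/pprof hunks (`testResponseStatus(t, resp, 403)`) have the same inconsistency. Using the named constant in all three places keeps the tests readable and greppable: `if resp.StatusCode != http.StatusForbidden {` and `t.Fatalf("expected code %d, got: %d", http.StatusForbidden, resp.StatusCode)`, assuming net/http is already imported in those files. The test also only pins the status code; since the commit changes the error text as well, asserting that the response body reports permission denied would catch a regression back to "missing client token". The rest of TestHandler_MissingToken lies outside the hunk.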


@ -14,8 +14,8 @@ func TestHelp(t *testing.T) {
TestServerAuth(t, addr, token) TestServerAuth(t, addr, token)
resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1") resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
if resp.StatusCode != http.StatusBadRequest { if resp.StatusCode != http.StatusForbidden {
t.Fatal("expected bad request with no token") t.Fatal("expected permission denied with no token")
} }
resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1") resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1")


@ -23,7 +23,7 @@ func TestSysMetricsUnauthenticated(t *testing.T) {
// Default: Only authenticated access // Default: Only authenticated access
resp := testHttpGet(t, "", addr+"/v1/sys/metrics") resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
testResponseStatus(t, resp, 400) testResponseStatus(t, resp, 403)
resp = testHttpGet(t, token, addr+"/v1/sys/metrics") resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)
@ -65,7 +65,7 @@ func TestSysPProfUnauthenticated(t *testing.T) {
// Default: Only authenticated access // Default: Only authenticated access
resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline") resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
testResponseStatus(t, resp, 400) testResponseStatus(t, resp, 403)
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline") resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
testResponseStatus(t, resp, 200) testResponseStatus(t, resp, 200)


@ -472,10 +472,10 @@ func TestCore_HandleRequest_MissingToken(t *testing.T) {
}, },
} }
resp, err := c.HandleRequest(namespace.RootContext(nil), req) resp, err := c.HandleRequest(namespace.RootContext(nil), req)
if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) { if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
if resp.Data["error"] != "missing client token" { if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
t.Fatalf("bad: %#v", resp) t.Fatalf("bad: %#v", resp)
} }
} }
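Review bot: The changed assertion `resp.Data["error"] != logical.ErrPermissionDenied.Error()` dereferences resp after the preceding check has already established that err is non-nil, so if HandleRequest ever returns a nil response alongside the error this test will panic with a nil-pointer dereference instead of reporting a clear failure. A one-line guard before it, `if resp == nil { t.Fatal("expected a response body with the error") }`, keeps the failure mode readable. Whether HandleRequest returns a populated resp together with ErrPermissionDenied cannot be confirmed from this hunk; the start of TestCore_HandleRequest_MissingToken is outside it.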


@ -126,7 +126,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
// Ensure there is a client token // Ensure there is a client token
if req.ClientToken == "" { if req.ClientToken == "" {
return nil, nil, nil, nil, &logical.StatusBadRequest{Err: "missing client token"} return nil, nil, nil, nil, logical.ErrPermissionDenied
} }
if c.tokenStore == nil { if c.tokenStore == nil {
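Review bot: The changed return in fetchACLTokenEntryAndEntity swaps a 400 "missing client token" for the bare `logical.ErrPermissionDenied` sentinel, but the surrounding comment still reads only "Ensure there is a client token" and gives no reason for returning 403 rather than 400, which invites a future maintainer to "fix" it back. I would extend the comment to `// A missing token is reported as permission denied (403), not bad request, so an unauthenticated caller gets the same answer whether or not the mount path exists (#13162).` so the intent survives. Note that because the sentinel carries no detail, callers and audit consumers can no longer tell a missing token apart from a policy denial from this error alone; if that distinction is needed for logging it has to be recorded before this return. The function starts and ends outside the hunk.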


@ -373,6 +373,7 @@ func TestRouter_LoginPath(t *testing.T) {
{"auth/foo/bar", false}, {"auth/foo/bar", false},
{"auth/foo/login", true}, {"auth/foo/login", true},
{"auth/foo/login/", false}, {"auth/foo/login/", false},
{"auth/invalid/login", false},
{"auth/foo/oauth", false}, {"auth/foo/oauth", false},
{"auth/foo/oauth/", true}, {"auth/foo/oauth/", true},
{"auth/foo/oauth/redirect", true}, {"auth/foo/oauth/redirect", true},
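Review bot: The added table case `{"auth/invalid/login", false}` has no comment explaining why it is expected to be false while `auth/foo/login` is true, and the diffstat (13 additions, 9 deletions across the changelog, tests and the one-line request_handling change) suggests the router itself is not modified in this commit, so this entry appears to document existing behavior for an unmounted auth backend rather than exercise a new code path. A trailing comment such as `// no backend mounted at auth/invalid: not a login path` would make that intent explicit to readers of TestRouter_LoginPath. The test's setup and the loop that consumes the table are outside the hunk.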