diff --git a/integration/integration_test.go b/integration/integration_test.go
index bbeec209137d2..1b359f83bc47a 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -2437,7 +2437,7 @@ func testInvalidLogins(t *testing.T, suite *integrationTestSuite) {
 require.NoError(t, err)
 err = tc.SSH(context.Background(), cmd, false)
- require.ErrorIs(t, err, trace.NotFound("failed to dial target host\n\tcluster \"wrong-site\" is not found"))
+ require.ErrorIs(t, err, trace.NotFound("failed to dial target host\n\tlooking up remote cluster \"wrong-site\"\n\t\tnot found"))
 }
 // TestTwoClustersTunnel creates two teleport clusters: "a" and "b" and creates a
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 03c33402cf122..a7c8793e13cd0 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -4819,7 +4819,7 @@ func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteClus
 }
 cluster, err := a.authServer.GetRemoteCluster(clusterName)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, utils.OpaqueAccessDenied(err)
 }
 if err := a.context.Checker.CheckAccessToRemoteCluster(cluster); err != nil {
 return nil, utils.OpaqueAccessDenied(err)
diff --git a/lib/proxy/router.go b/lib/proxy/router.go
index d03b0c941d61a..7664e8d827268 100644
--- a/lib/proxy/router.go
+++ b/lib/proxy/router.go
@@ -224,7 +224,7 @@ func (r *Router) DialHost(ctx context.Context, clientSrcAddr, clientDstAddr net.
 if clusterName != r.clusterName {
 remoteSite, err := r.getRemoteCluster(ctx, clusterName, accessChecker)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, trace.Wrap(err, "looking up remote cluster %q", clusterName)
 }
 site = remoteSite
 }
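Review bot: The error from `a.authServer.GetRemoteCluster(clusterName)` is now replaced by a bare `trace.NotFound("not found")` that carries no record of the cause, so an operator reading the returned error can no longer tell a mistyped cluster name from a backend lookup failure or a denied lookup; the same cause-dropping applies to the two lookups in getRemoteCluster in lib/proxy/router.go and in TunnelWithRoles.GetSite in lib/reversetunnelclient/api_with_roles.go. Hiding the distinction from the caller is the point of the change, but the server side should still keep the detail: log the original err together with clusterName at debug level before opaquing it, e.g. `<logger>.Debugf("looking up remote cluster %q: %v", clusterName, err)` using whatever logger the file already has in scope. Behaviour for non-NotFound/AccessDenied errors is unchanged, since OpaqueAccessDenied passes those through wrapped. GetRemoteCluster begins before this hunk and its body continues after it.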
@@ -365,12 +365,12 @@ func (r *Router) getRemoteCluster(ctx context.Context, clusterName string, check
 site, err := r.siteGetter.GetSite(clusterName)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, utils.OpaqueAccessDenied(err)
 }
 rc, err := r.clusterGetter.GetRemoteCluster(clusterName)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, utils.OpaqueAccessDenied(err)
 }
 if err := checker.CheckAccessToRemoteCluster(rc); err != nil {
diff --git a/lib/reversetunnelclient/api_with_roles.go b/lib/reversetunnelclient/api_with_roles.go
index b1364fe0e7b2f..fbf38379ebfa9 100644
--- a/lib/reversetunnelclient/api_with_roles.go
+++ b/lib/reversetunnelclient/api_with_roles.go
@@ -90,14 +90,14 @@ func (t *TunnelWithRoles) GetSites() ([]RemoteSite, error) {
 func (t *TunnelWithRoles) GetSite(clusterName string) (RemoteSite, error) {
 cluster, err := t.tunnel.GetSite(clusterName)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, utils.OpaqueAccessDenied(err)
 }
 if t.localCluster == cluster.GetName() {
 return cluster, nil
 }
 rc, err := t.access.GetRemoteCluster(clusterName)
 if err != nil {
- return nil, trace.Wrap(err)
+ return nil, utils.OpaqueAccessDenied(err)
 }
 if err := t.accessChecker.CheckAccessToRemoteCluster(rc); err != nil {
 return nil, utils.OpaqueAccessDenied(err)
diff --git a/lib/utils/utils.go b/lib/utils/utils.go
index 042a126fd3262..b9e7d187f38b4 100644
--- a/lib/utils/utils.go
+++ b/lib/utils/utils.go
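Review bot: In TunnelWithRoles.GetSite the error from `t.tunnel.GetSite(clusterName)` is opaqued before the `t.localCluster == cluster.GetName()` branch is reached, so a NotFound for the local cluster itself — where there is no remote resource whose existence needs hiding — now also surfaces as a bare "not found". If that is intended, the new line deserves a comment, e.g. `// local and remote lookup failures are deliberately indistinguishable to the caller`; if not, the local-cluster case could be recognised before the lookup so that only the remote path is opaqued (hedged: whether clusterName and cluster.GetName() always agree for the local cluster is not visible here). The second opaquing of `t.access.GetRemoteCluster` is harmless if that client already applies OpaqueAccessDenied, as the auth_with_roles.go hunk suggests. GetSite's body continues past the end of this hunk.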
@@ -429,10 +429,11 @@ func IsCertExpiredError(err error) bool {
 return strings.Contains(trace.Unwrap(err).Error(), "ssh: cert has expired")
 }
-// OpaqueAccessDenied returns a generic NotFound instead of AccessDenied
-// so as to avoid leaking the existence of secret resources.
+// OpaqueAccessDenied returns a generic [trace.NotFoundError] if [err] is a [trace.NotFoundError] or
+// a [trace.AccessDeniedError] so as to avoid leaking the existence of secret resources,
+// for other error types it returns the original error.
 func OpaqueAccessDenied(err error) error {
- if trace.IsAccessDenied(err) {
+ if trace.IsNotFound(err) || trace.IsAccessDenied(err) {
 return trace.NotFound("not found")
 }
 return trace.Wrap(err)
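Review bot: The new doc comment states that for other error types OpaqueAccessDenied "returns the original error", but the last line returns `trace.Wrap(err)`, which adds a trace frame rather than passing err through (and yields nil for a nil err); suggest `// Any other error is returned wrapped via trace.Wrap; a nil err yields nil.` and splitting the comma splice after "secret resources" into its own sentence. `[err]` is not a resolvable doc link, since doc links target declared identifiers rather than parameters, so plain `err` reads better. Because the returned NotFound deliberately carries no cause, the comment should also tell callers to log the underlying error themselves if they need it for diagnostics. The name still says AccessDenied although the function now also rewrites NotFound errors; a sentence in the doc noting that the generic message intentionally replaces any NotFound message would help readers who rely on the old behaviour.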