diff --git a/integration/integration_test.go b/integration/integration_test.go
index d69f4bd945b81..c26e08e49cd33 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -2403,7 +2403,7 @@ func testInvalidLogins(t *testing.T, suite *integrationTestSuite) {
 
 	require.NoError(t, err)
 	err = tc.SSH(context.Background(), cmd, false)
-	require.ErrorIs(t, err, trace.NotFound("failed to dial target host\n\tcluster \"wrong-site\" is not found"))
+	require.ErrorIs(t, err, trace.NotFound("failed to dial target host\n\tlooking up remote cluster \"wrong-site\"\n\t\tnot found"))
 }
 
 // TestTwoClustersTunnel creates two teleport clusters: "a" and "b" and creates a
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index a658dae4447cf..a6aba628ec48f 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -4526,7 +4526,7 @@ func (a *ServerWithRoles) GetRemoteCluster(clusterName string) (types.RemoteClus
 	}
 	cluster, err := a.authServer.GetRemoteCluster(clusterName)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, utils.OpaqueAccessDenied(err)
 	}
 	if err := a.context.Checker.CheckAccessToRemoteCluster(cluster); err != nil {
 		return nil, utils.OpaqueAccessDenied(err)
diff --git a/lib/proxy/router.go b/lib/proxy/router.go
index c270012c650f5..98bef2451e02d 100644
--- a/lib/proxy/router.go
+++ b/lib/proxy/router.go
@@ -223,7 +223,7 @@ func (r *Router) DialHost(ctx context.Context, clientSrcAddr, clientDstAddr net.
 	if clusterName != r.clusterName {
 		remoteSite, err := r.getRemoteCluster(ctx, clusterName, accessChecker)
 		if err != nil {
-			return nil, targetTeleportVersion, trace.Wrap(err)
+			return nil, targetTeleportVersion, trace.Wrap(err, "looking up remote cluster %q", clusterName)
 		}
 		site = remoteSite
 	}
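Review bot: The updated expectation pins the entire nested message, including the `\n\t` indentation that trace's wrapping produces, so any further wrap added between DialHost and the client will break this assertion for reasons unrelated to what the test is protecting. The property worth pinning is that a wrong cluster name comes back as a generic not-found with no access-denied detail in it; a less brittle check would be `require.True(t, trace.IsNotFound(err))` together with `require.ErrorContains(t, err, "not found")`, keeping the exact-text assertion only if the message layout is itself part of the contract. testInvalidLogins begins before the hunk.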
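Review bot: The backend lookup error is now passed to `utils.OpaqueAccessDenied(err)`, which per the utils.go hunk returns a fresh `trace.NotFound("not found")` on the matching branch and drops the underlying error, so nothing at this layer records whether the cluster was absent or merely hidden from the caller; that distinction is lost for operators as well as for clients. The same discard happens in router.go getRemoteCluster (both lookups) and api_with_roles.go GetSite (both lookups). Consider emitting the original error at debug level before returning the opaque one, using whatever logger these types already carry (not visible in the hunks), so that misconfiguration can still be diagnosed without weakening the client-facing response. GetRemoteCluster begins before the hunk.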
@@ -331,12 +331,12 @@ func (r *Router) getRemoteCluster(ctx context.Context, clusterName string, check
 
 	site, err := r.siteGetter.GetSite(clusterName)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, utils.OpaqueAccessDenied(err)
 	}
 
 	rc, err := r.clusterGetter.GetRemoteCluster(clusterName)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, utils.OpaqueAccessDenied(err)
 	}
 
 	if err := checker.CheckAccessToRemoteCluster(rc); err != nil {
diff --git a/lib/reversetunnelclient/api_with_roles.go b/lib/reversetunnelclient/api_with_roles.go
index 4098143fe8ab2..219c64f4535f0 100644
--- a/lib/reversetunnelclient/api_with_roles.go
+++ b/lib/reversetunnelclient/api_with_roles.go
@@ -86,14 +86,14 @@ func (t *TunnelWithRoles) GetSites() ([]RemoteSite, error) {
 func (t *TunnelWithRoles) GetSite(clusterName string) (RemoteSite, error) {
 	cluster, err := t.tunnel.GetSite(clusterName)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, utils.OpaqueAccessDenied(err)
 	}
 	if t.localCluster == cluster.GetName() {
 		return cluster, nil
 	}
 	rc, err := t.access.GetRemoteCluster(clusterName)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, utils.OpaqueAccessDenied(err)
 	}
 	if err := t.accessChecker.CheckAccessToRemoteCluster(rc); err != nil {
 		return nil, utils.OpaqueAccessDenied(err)
diff --git a/lib/utils/utils.go b/lib/utils/utils.go
index 000ad28d4ac37..7473e8e62badd 100644
--- a/lib/utils/utils.go
+++ b/lib/utils/utils.go
@@ -424,10 +424,11 @@ func IsCertExpiredError(err error) bool {
 	return strings.Contains(trace.Unwrap(err).Error(), "ssh: cert has expired")
 }
 
-// OpaqueAccessDenied returns a generic NotFound instead of AccessDenied
-// so as to avoid leaking the existence of secret resources.
+// OpaqueAccessDenied returns a generic [trace.NotFoundError] if [err] is a [trace.NotFoundError] or
+// a [trace.AccessDeniedError] so as to avoid leaking the existence of secret resources,
+// for other error types it returns the original error.
 func OpaqueAccessDenied(err error) error {
-	if trace.IsAccessDenied(err) {
+	if trace.IsNotFound(err) || trace.IsAccessDenied(err) {
 		return trace.NotFound("not found")
 	}
 	return trace.Wrap(err)
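Review bot: The new doc comment says non-matching errors come back as "the original error", but the last line returns `trace.Wrap(err)`, and `[err]` is written as a doc link although Go doc links resolve only package-level identifiers, so it renders as literal brackets; the comma splice before "for other error types" also reads awkwardly. Suggested wording: `// OpaqueAccessDenied returns a generic [trace.NotFoundError] when err is a [trace.NotFoundError] or a [trace.AccessDeniedError], so that a caller cannot tell a missing resource from one it is not allowed to see. Any other error is returned wrapped with [trace.Wrap].` It is also worth one sentence in the same comment stating that the original message is discarded on the matching branch, since a NotFound that previously named the resource now surfaces only as "not found", which is exactly the behaviour change the integration_test.go hunk had to absorb.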