Authenticate to "login" endpoint for non-existent mount path bug #13162

Merged
merged 8 commits into from
Nov 23, 2021

Conversation

akshya96 (Contributor)

Fixes issue #11152

Testing:

  • curl --request POST --cacert cert.pem --cert vault-cert-certificate.pem --key vault-cert-private-key.pem --data '{"name": "vault-cert"}' https://127.0.0.1:8200/v1/auth/akshya/login
    {"errors":["permission denied"]}
  • curl -w '%{http_code}\n' -H Accept:application/json -H Content-Type:application/json --cacert cert.pem --cert vault-cert-certificate.pem --key vault-cert-private-key.pem --data '{"name": "vault-cert"}' https://127.0.0.1:8200/v1/auth/akshya/login -s -o /dev/null
    403

@akshya96 akshya96 changed the title Gh issue11152 Authenticate to "login" endpoint for non-existent mount path bug Nov 16, 2021
@@ -126,7 +126,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req

// Ensure there is a client token
if req.ClientToken == "" {
return nil, nil, nil, nil, &logical.StatusBadRequest{Err: "missing client token"}
return nil, nil, nil, nil, logical.ErrPermissionDenied
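Review bot: Swapping the StatusBadRequest "missing client token" error for logical.ErrPermissionDenied on this line changes the observable response for this clause from 400 to 403, so the PR needs a changelog entry and every test that still asserts http.StatusBadRequest for a token-less request (TestHelp in this same PR does) must be updated in the same change. If the generic error is deliberate, so that a caller cannot tell a missing token apart from other pre-auth failures, a one-line comment here saying so would stop a later contributor from restoring the more descriptive message, which is exactly the objection raised in review.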
HridoyRoy (Contributor) Nov 16, 2021

I'm still of the opinion that the generic PermissionDenied error is actually less descriptive than a missing client token message, which more accurately captures what is going on here. I'm happy to let this go in if others think differently, but I'm of the opinion that we should move towards more descriptive error messages in each clause as opposed to consistently throwing a message like logical.ErrPermissionDenied no matter which error clause of a function the error occurs in.

Contributor

Hmm I think I'm also in favor of keeping the more descriptive missing client token error here. Also, I don't think this really addresses the issue reported, imo we would either want to change https://github.com/hashicorp/vault-enterprise/blob/main/vault/router.go#L810 to return true for a login attempt on a non-existent mount, or close the issue out as a won't do.

Contributor

( retracting my comment around the PR not addressing the issue, after going through slack conversation )

@@ -373,6 +373,7 @@ func TestRouter_LoginPath(t *testing.T) {
{"auth/foo/bar", false},
{"auth/foo/login", true},
{"auth/foo/login/", false},
{"auth/invalid/login/", false},
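Review bot: The new case "auth/invalid/login/" carries a trailing slash, and the case directly above it already establishes that the trailing slash alone makes "auth/foo/login/" a non-login path, so this entry never reaches the non-existent-mount branch and would pass even if an unknown mount were treated like "foo". Use "auth/invalid/login" (no trailing slash) so the table actually pins down the behaviour for a login on a mount that does not exist; keeping the slashed variant as well is harmless.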
Contributor

should this be auth/invalid/login, since auth/foo/login/ is not a valid path, and so I'm guessing the trailing slash makes the login path invalid even if invalid were to be actually valid like foo?

pmmukh (Contributor) left a comment

one test nit, lgtm!

kalafut (Contributor) left a comment

I think if we're changing an API response code (in this case from 400 to 403) this should have a CHANGES entry in the changelog. Also, what is the target milestone? I'd suggest 1.10. WDYT @ncabatoff

@@ -14,8 +15,9 @@ func TestHelp(t *testing.T) {
TestServerAuth(t, addr, token)

resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("expected bad request with no token")
fmt.Println(resp.StatusCode)
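Review bot: The fmt.Println(resp.StatusCode) is leftover debug output and should be removed; the hunk header (-14,8 +15,9) shows it is the only added line here and that something was inserted above, most likely the fmt import it needs, which should go as well. Independently, the assertion two lines up still expects http.StatusBadRequest for a request with no token, so either confirm that this help request is not routed through the clause changed to ErrPermissionDenied, or update the expected code to http.StatusForbidden and the t.Fatal message to match.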
Contributor

Is this needed?

Contributor Author

Will remove the print statement. Was using it to debug.

ccapurso (Contributor) left a comment

Others have already commented on things that I was planning to focus on. With that said, looks good to me.

ncabatoff (Collaborator)

I think if we're changing an API response code (in this case from 400 to 403) this should have a CHANGES entry in the changelog. Also, what is the target milestone? I'd suggest 1.10. WDYT @ncabatoff

@kalafut That works for me.

@akshya96 akshya96 requested a review from kalafut November 22, 2021 19:09
akshya96 (Contributor Author)

I think if we're changing an API response code (in this case from 400 to 403) this should have a CHANGES entry in the changelog. Also, what is the target milestone? I'd suggest 1.10. WDYT @ncabatoff

Added entry to changelog

@akshya96 akshya96 merged commit 94ef8ab into main Nov 23, 2021