From 239ccdd259167ff7e4ce12c636df0eb69dfb4d22 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 23 Oct 2023 12:23:35 -0400
Subject: [PATCH] backport of commit 87376a1f5c676c9a54e1050b3e71e32c4ac92595 (#23789)

Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
---
 builtin/credential/approle/path_login.go | 14 +++++++-------
 builtin/credential/approle/path_login_test.go | 2 +-
 changelog/23786.txt | 3 +++
 3 files changed, 11 insertions(+), 8 deletions(-)
 create mode 100644 changelog/23786.txt

diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
index 489ff638e2..4e19ec3610 100644
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -92,7 +92,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 return nil, err
 }
 if roleIDIndex == nil {
- return logical.ErrorResponse("invalid role ID"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 roleName := roleIDIndex.Name
@@ -106,7 +106,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 return nil, err
 }
 if role == nil {
- return logical.ErrorResponse("invalid role ID"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 return logical.ResolveRoleResponse(roleName)
@@ -127,7 +127,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 return nil, err
 }
 if roleIDIndex == nil {
- return logical.ErrorResponse("invalid role ID"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 roleName := roleIDIndex.Name
@@ -141,7 +141,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 return nil, err
 }
 if role == nil {
- return logical.ErrorResponse("invalid role ID"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 metadata := make(map[string]string)
@@ -177,7 +177,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 return nil, err
 }
 if entry == nil {
- return logical.ErrorResponse("invalid secret id"), logical.ErrInvalidCredentials
+ return logical.ErrorResponse("invalid role or secret ID"), logical.ErrInvalidCredentials
 }
 
 // If a secret ID entry does not have a corresponding accessor
@@ -197,7 +197,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 return nil, err
 }
 if entry == nil {
- return logical.ErrorResponse("invalid secret id"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 accessorEntry, err := b.secretIDAccessorEntry(ctx, req.Storage, entry.SecretIDAccessor, role.SecretIDPrefix)
@@ -210,7 +210,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 return nil, fmt.Errorf("error deleting secret ID %q from storage: %w", secretIDHMAC, err)
 }
 }
- return logical.ErrorResponse("invalid secret id"), nil
+ return logical.ErrorResponse("invalid role or secret ID"), nil
 }
 
 switch {
diff --git a/builtin/credential/approle/path_login_test.go b/builtin/credential/approle/path_login_test.go
index 9a7f57af4d..fe49d55155 100644
--- a/builtin/credential/approle/path_login_test.go
+++ b/builtin/credential/approle/path_login_test.go
@@ -420,7 +420,7 @@ func TestAppRole_RoleDoesNotExist(t *testing.T) {
 t.Fatal("Error not part of response.")
 }
 
- if !strings.Contains(errString, "invalid role ID") {
+ if !strings.Contains(errString, "invalid role or secret ID") {
 t.Fatalf("Error was not due to invalid role ID. Error: %s", errString)
 }
 }
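Review bot: The normalized message in the `entry == nil` return of the @@ -177 hunk is still paired with `logical.ErrInvalidCredentials`, while the role-ID-not-found returns (@@ -127, @@ -141) and the two later secret-ID returns (@@ -197, @@ -210) pair the identical message with a `nil` error. If anything downstream keys on that error value — status-code mapping or lockout accounting, which this diff does not show — a caller can still distinguish "valid role ID, bad secret ID" from "unknown role ID", which appears to be what the wording change is meant to remove. Either return `logical.ErrInvalidCredentials` from every invalid-credential branch of `pathLoginUpdate`, or record why only the HMAC-miss branch carries it, e.g. `// ErrInvalidCredentials only here (not in the role-ID branches) so lockout accounting counts a bad secret ID alone — confirm intent`. Timing differences between failing at the role lookup and failing after the secret-ID HMAC and storage lookups remain regardless of the message text and are out of scope for this change. `pathLoginUpdate` starts and ends outside these hunks.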
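Review bot: The `t.Fatalf` message in the @@ -420 hunk still says "Error was not due to invalid role ID" even though the substring it now checks is the shared "invalid role or secret ID" text, so a failure would point at the wrong cause; change it to `t.Fatalf("Error was not the normalized invalid-credentials message. Error: %s", errString)`. This test only exercises the role-does-not-exist path, so a sibling assertion on the invalid-secret-ID path checking for the same substring would lock in the normalization the commit introduces. `TestAppRole_RoleDoesNotExist` starts outside the hunk.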
diff --git a/changelog/23786.txt b/changelog/23786.txt
new file mode 100644
index 0000000000..b6e73142eb
--- /dev/null
+++ b/changelog/23786.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/approle: Normalized error response messages when invalid credentials are provided
+```