backport of commit 87376a1f5c (#23790)

Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
2025-11-02 03:27:54 +00:00 · 2023-10-23 12:19:20 -04:00
parent aebe972bca
commit 559f864654
3 changed files with 11 additions and 8 deletions
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -99,7 +99,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 	if roleIDIndex == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 	roleName := roleIDIndex.Name
@@ -113,7 +113,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 	return logical.ResolveRoleResponse(roleName)
@@ -134,7 +134,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		return nil, err
 	}
 	if roleIDIndex == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 	roleName := roleIDIndex.Name
@@ -148,7 +148,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 	metadata := make(map[string]string)
@@ -184,7 +184,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 			return nil, err
 		}
 		if entry == nil {
-			return logical.ErrorResponse("invalid secret id"), logical.ErrInvalidCredentials
+			return logical.ErrorResponse("invalid role or secret ID"), logical.ErrInvalidCredentials
 		}
 		// If a secret ID entry does not have a corresponding accessor
@@ -204,7 +204,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 				return nil, err
 			}
 			if entry == nil {
-				return logical.ErrorResponse("invalid secret id"), nil
+				return logical.ErrorResponse("invalid role or secret ID"), nil
 			}
 			accessorEntry, err := b.secretIDAccessorEntry(ctx, req.Storage, entry.SecretIDAccessor, role.SecretIDPrefix)
@@ -217,7 +217,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 					return nil, fmt.Errorf("error deleting secret ID %q from storage: %w", secretIDHMAC, err)
 				}
 			}
-			return logical.ErrorResponse("invalid secret id"), nil
+			return logical.ErrorResponse("invalid role or secret ID"), nil
 		}
 		switch {
--- a/builtin/credential/approle/path_login_test.go
+++ b/builtin/credential/approle/path_login_test.go
@@ -354,7 +354,7 @@ func TestAppRole_RoleDoesNotExist(t *testing.T) {
 		t.Fatal("Error not part of response.")
 	}
-	if !strings.Contains(errString, "invalid role ID") {
+	if !strings.Contains(errString, "invalid role or secret ID") {
 		t.Fatalf("Error was not due to invalid role ID. Error: %s", errString)
 	}
 }
--- a/changelog/23786.txt
+++ b/changelog/23786.txt
@@ -0,0 +1,3 @@
 ```release-note:change
 auth/approle: Normalized error response messages when invalid credentials are provided
 ```