Return the partial success code override for all batch error types (#18310)

* Return the partial success code override for all batch error types

* changelog

* docs

* Lost the actual override logic. :)

* And don't hardcode 400

* gate on success

builtin/logical/transit/path_encrypt.go

@@ -509,21 +509,23 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 // that user errors are non-retryable without making changes to the request, and should be surfaced
 // to the user first.
 func batchRequestResponse(d *framework.FieldData, resp *logical.Response, req *logical.Request, successesInBatch, userErrorInBatch, internalErrorInBatch bool) (*logical.Response, error) {
+	if userErrorInBatch || internalErrorInBatch {
+		var code int
 		switch {
 		case userErrorInBatch:
-		code := http.StatusBadRequest
-		if successesInBatch {
-			if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok {
-				code = codeRaw.(int)
-				if code < 1 || code > 599 {
-					resp.AddWarning("invalid HTTP response code override from partial_failure_response_code, reverting to HTTP 400")
 			code = http.StatusBadRequest
+		case internalErrorInBatch:
+			code = http.StatusInternalServerError
 		}
+		if codeRaw, ok := d.GetOk("partial_failure_response_code"); ok && successesInBatch {
+			newCode := codeRaw.(int)
+			if newCode < 1 || newCode > 599 {
+				resp.AddWarning(fmt.Sprintf("invalid HTTP response code override from partial_failure_response_code, reverting to %d", code))
+			} else {
+				code = newCode
 			}
 		}
 		return logical.RespondWithStatusCode(resp, req, code)
-	case internalErrorInBatch:
-		return logical.RespondWithStatusCode(resp, req, http.StatusInternalServerError)
 	}
 
 	return resp, nil

changelog/18310.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Honor `partial_success_response_code` on decryption failures.
+```

website/content/api-docs/secret/transit.mdx

@@ -661,10 +661,13 @@ will be returned.
   impact the ciphertext's security.
 
 - `partial_failure_response_code` `(int: 400)` Ordinarily, if a batch item fails 
-to encrypt due to a bad input, but other batch items succeed, the HTTP response 
+  to encrypt due to a bad input, but other batch items succeed, the HTTP response 
-code is 400 (Bad Request).  Some applications may want to treat partial failures
+  code is 400 (Bad Request).  Some applications may want to treat partial failures
-differently.  Providing the parameter returns the given response code integer 
+  differently.  Providing the parameter returns the given response code integer 
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+  instead of a failed status code in this case. If all values fail an error
+  code is still returned.  Be warned that some failures (such as failure to
+  decrypt) could be indicative of a security breach and should not be
+  ignored.
 
 ~>**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
 requirement is that Vault does not require that the plaintext is "text". It
@@ -756,10 +759,13 @@ This endpoint decrypts the provided ciphertext using the named key.
   ]
   ```
 - `partial_failure_response_code` `(int: 400)` Ordinarily, if a batch item fails 
-to encrypt due to a bad input, but other batch items succeed, the HTTP response 
+  to encrypt due to a bad input, but other batch items succeed, the HTTP response 
-code is 400 (Bad Request).  Some applications may want to treat partial failures
+  code is 400 (Bad Request).  Some applications may want to treat partial failures
-differently.  Providing the parameter returns the given response code integer 
+  differently.  Providing the parameter returns the given response code integer 
-instead of a 400 in this case. If all values fail HTTP 400 is still returned.
+  instead of a failed status code in this case. If all values fail an error
+  code is still returned.  Be warned that some failures (such as failure to
+  decrypt) could be indicative of a security breach and should not be
+  ignored.
 
 ### Sample Payload