Authenticate to "login" endpoint for non-existent mount path bug (#13162)

* changing response from missing client token to permission denied * removing todo comment * fix tests * adding changelog * fixing changelog
2025-11-04 04:28:08 +00:00 · 2021-11-22 17:06:59 -08:00
parent 87c355e2bb
commit 94ef8ab3ae
7 changed files with 13 additions and 9 deletions
--- a/changelog/13162.txt
+++ b/changelog/13162.txt
@@ -0,0 +1,3 @@
 ```release-note:bug
 core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403
 ```
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -315,8 +315,8 @@ func TestHandler_MissingToken(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if resp.StatusCode != 400 {
+	if resp.StatusCode != 403 {
-		t.Fatalf("expected code 400, got: %d", resp.StatusCode)
+		t.Fatalf("expected code 403, got: %d", resp.StatusCode)
 	}
 }
--- a/http/help_test.go
+++ b/http/help_test.go
@@ -14,8 +14,8 @@ func TestHelp(t *testing.T) {
 	TestServerAuth(t, addr, token)
 	resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
-	if resp.StatusCode != http.StatusBadRequest {
+	if resp.StatusCode != http.StatusForbidden {
-		t.Fatal("expected bad request with no token")
+		t.Fatal("expected permission denied with no token")
 	}
 	resp = testHttpGet(t, token, addr+"/v1/sys/mounts?help=1")
--- a/http/sys_metrics_test.go
+++ b/http/sys_metrics_test.go
@@ -23,7 +23,7 @@ func TestSysMetricsUnauthenticated(t *testing.T) {
 	// Default: Only authenticated access
 	resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
-	testResponseStatus(t, resp, 400)
+	testResponseStatus(t, resp, 403)
 	resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
 	testResponseStatus(t, resp, 200)
@@ -65,7 +65,7 @@ func TestSysPProfUnauthenticated(t *testing.T) {
 	// Default: Only authenticated access
 	resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
-	testResponseStatus(t, resp, 400)
+	testResponseStatus(t, resp, 403)
 	resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
 	testResponseStatus(t, resp, 200)
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -472,10 +472,10 @@ func TestCore_HandleRequest_MissingToken(t *testing.T) {
 		},
 	}
 	resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) {
+	if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
 		t.Fatalf("err: %v", err)
 	}
-	if resp.Data["error"] != "missing client token" {
+	if resp.Data["error"] != logical.ErrPermissionDenied.Error() {
 		t.Fatalf("bad: %#v", resp)
 	}
 }
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -126,7 +126,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 	// Ensure there is a client token
 	if req.ClientToken == "" {
-		return nil, nil, nil, nil, &logical.StatusBadRequest{Err: "missing client token"}
+		return nil, nil, nil, nil, logical.ErrPermissionDenied
 	}
 	if c.tokenStore == nil {
--- a/vault/router_test.go
+++ b/vault/router_test.go
@@ -373,6 +373,7 @@ func TestRouter_LoginPath(t *testing.T) {
 		{"auth/foo/bar", false},
 		{"auth/foo/login", true},
 		{"auth/foo/login/", false},
 		{"auth/invalid/login", false},
 		{"auth/foo/oauth", false},
 		{"auth/foo/oauth/", true},
 		{"auth/foo/oauth/redirect", true},