vault: verify login endpoint never returns a secret
@@ -445,6 +445,13 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, erro
|
|||||||
// Route the request
|
// Route the request
|
||||||
resp, err := c.router.Route(req)
|
resp, err := c.router.Route(req)
|
||||||
|
|
||||||
|
// A login request should never return a secret!
|
||||||
|
if resp != nil && resp.Secret != nil {
|
||||||
|
c.logger.Printf("[ERR] core: unexpected Secret response for login path"+
|
||||||
|
"(request: %#v, response: %#v)", req, resp)
|
||||||
|
return nil, ErrInternalError
|
||||||
|
}
|
||||||
|
|
||||||
// If the response generated an authentication, then generate the token
|
// If the response generated an authentication, then generate the token
|
||||||
var auth *logical.Auth
|
var auth *logical.Auth
|
||||||
if resp != nil && resp.Auth != nil {
|
if resp != nil && resp.Auth != nil {
|
||||||
|
|||||||
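Review bot: The new error log in handleLoginRequest formats the whole request and response with `%#v`, which on a login path means the credentials the client just submitted (and whatever the backend put in the stray Secret) are written to the server log in clear text. The guard itself is the right call, but the diagnostic should identify the request without dumping it, e.g. `c.logger.Printf("[ERR] core: unexpected Secret response for login path")` — adding only the request path if the request type exposes one (the type is not visible in this hunk). The new check runs before err from Route is inspected; that matches the existing auth branch below it, but it is worth confirming that a non-nil resp with a non-nil err cannot reach this log either. handleLoginRequest continues outside the hunk.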
@@ -891,13 +891,10 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) {
|
|||||||
noopBack := &NoopBackend{
|
noopBack := &NoopBackend{
|
||||||
Login: []string{"login"},
|
Login: []string{"login"},
|
||||||
Response: &logical.Response{
|
Response: &logical.Response{
|
||||||
Secret: &logical.Secret{
|
Auth: &logical.Auth{
|
||||||
LeaseOptions: logical.LeaseOptions{
|
LeaseOptions: logical.LeaseOptions{
|
||||||
Lease: time.Hour,
|
Lease: time.Hour,
|
||||||
},
|
},
|
||||||
},
|
|
||||||
|
|
||||||
Auth: &logical.Auth{
|
|
||||||
Policies: []string{"foo", "bar"},
|
Policies: []string{"foo", "bar"},
|
||||||
Metadata: map[string]string{
|
Metadata: map[string]string{
|
||||||
"user": "armon",
|
"user": "armon",
|
||||||
|
|||||||
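Review bot: The test only adapts the existing fixture so that the lease now lives on Auth instead of Secret; nothing exercises the branch the commit adds, so a regression that drops the guard would go unnoticed. A sibling test with the same harness that sets `Response: &logical.Response{Secret: &logical.Secret{}}` on the noop backend and asserts the login returns `ErrInternalError` (and no token) would pin the new behaviour. Moving LeaseOptions under Auth here is presumably what the audit-trail assertions further down expect; that part of TestCore_HandleLogin_AuditTrail starts and ends outside the hunk, so it is not checked here.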