return 403 for wrapping requests when no token provided (#18859)

* return 403 for wrapping requests when no token provided * add changelog entry * fix changelog * use errors.As * simplify error response string
2025-10-30 18:17:55 +00:00 · 2023-01-31 13:57:50 -05:00
parent f7fcf32fd1
commit fe68295256
3 changed files with 21 additions and 1 deletions
--- a/changelog/18859.txt
+++ b/changelog/18859.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/auth: Return a 403 instead of a 500 for wrapping requests when token is not provided
+```
--- a/http/sys_wrapping_test.go
+++ b/http/sys_wrapping_test.go
@@ -2,6 +2,7 @@ package http

 import (
 	"encoding/json"
+	"errors"
 	"reflect"
 	"testing"
 	"time"
@@ -366,4 +367,20 @@ func TestHTTP_Wrapping(t *testing.T) {
 	}) {
 		t.Fatalf("secret data did not match expected: %#v", secret.Data)
 	}
+
+	// Ensure that wrapping lookup without a client token responds correctly
+	client.ClearToken()
+	secret, err = client.Logical().Read("sys/wrapping/lookup")
+	if secret != nil {
+		t.Fatalf("expected no response: %#v", secret)
+	}
+
+	if err == nil {
+		t.Fatal("expected error")
+	}
+
+	var respError *api.ResponseError
+	if errors.As(err, &respError); respError.StatusCode != 403 {
+		t.Fatalf("expected 403 response, actual: %d", respError.StatusCode)
+	}
 }
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -561,7 +561,7 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 			// be revoked after the call. So we have to do the validation here.
 			valid, err := c.validateWrappingToken(ctx, req)
 			if err != nil {
-				return nil, fmt.Errorf("error validating wrapping token: %w", err)
+				return logical.ErrorResponse(fmt.Sprintf("error validating wrapping token: %s", err.Error())), logical.ErrPermissionDenied
 			}
 			if !valid {
 				return nil, consts.ErrInvalidWrappingToken