Make the error response to the sys/internal/ui/mounts with no client token consistent (#10650) (#10674)

sgmiller · mladlow · web-flow · commit 77eccdcd113a · 2021-01-26T19:25:30.000-05:00
* Make the error response to the sys/internal/ui/mounts with no client token consistent

* changelog

* Don't test against an empty mount path

* One other spot

* Instead, do all token checks first and early out before even looking for the mount

Co-authored-by: Meggie &lt;meggie@hashicorp.com&gt;
diff --git a/changelog/10650.txt b/changelog/10650.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence.
+```
+
diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -3312,6 +3312,20 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 	}
 	path = sanitizePath(path)
 
+	// Load the ACL policies so we can walk the prefix for this mount
+	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if entity != nil && entity.Disabled {
+		b.logger.Warn("permission denied as the entity on the token is disabled")
+		return nil, logical.ErrPermissionDenied
+	}
+	if te != nil && te.EntityID != "" && entity == nil {
+		b.logger.Warn("permission denied as the entity on the token is invalid")
+		return nil, logical.ErrPermissionDenied
+	}
+
 	errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
 
 	ns, err := namespace.FromContext(ctx)
@@ -3344,20 +3358,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		fullMountPath = ns.Path + me.Namespace().Path + me.Path
 	}
 
-	// Load the ACL policies so we can walk the prefix for this mount
-	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
-	if err != nil {
-		return nil, err
-	}
-	if entity != nil && entity.Disabled {
-		b.logger.Warn("permission denied as the entity on the token is disabled")
-		return errResp, logical.ErrPermissionDenied
-	}
-	if te != nil && te.EntityID != "" && entity == nil {
-		b.logger.Warn("permission denied as the entity on the token is invalid")
-		return nil, logical.ErrPermissionDenied
-	}
-
 	if !hasMountAccess(ctx, acl, fullMountPath) {
 		return errResp, logical.ErrPermissionDenied
 	}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +```release-note:bug
 +core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence.
 +```
++