diff --git a/internal/daemon/controller/interceptor.go b/internal/daemon/controller/interceptor.go index dc521ef163..f4c46a1f13 100644 --- a/internal/daemon/controller/interceptor.go +++ b/internal/daemon/controller/interceptor.go @@ -393,16 +393,10 @@ func aliasResolutionInterceptor( } interceptorCtx, err = alias.ResolveRequestIds(interceptorCtx, reqMsg, r) if err != nil { - // Since this is intercepted prior to checking that the requester - // is authorized to make the request, returning a 404 here and a 401 - // when the request is checked in the handler would expose which - // aliases exist. Instead, we return a unauthenticated error here so there - // is no way to distinguish between a missing alias and an existing - // alias that points to a destination the requester is not allowed - // to perform an action on. - // handlers.UnauthenticatedError() turns into an http 401 status - // code "Unauthorized". - return nil, handlers.UnauthenticatedError() + // At this point, the request is unauthorized, therefore return a + // static error rather than exposing what the result of + // `ResolveRequestIds` was. + return nil, handlers.NotFoundError() } return handler(interceptorCtx, req) } diff --git a/internal/daemon/controller/interceptor_test.go b/internal/daemon/controller/interceptor_test.go index 9e0d3fb050..56a14fbedc 100644 --- a/internal/daemon/controller/interceptor_test.go +++ b/internal/daemon/controller/interceptor_test.go @@ -726,13 +726,13 @@ func Test_aliasResolutionInterceptor(t *testing.T) { name: "aliasable request with unknown alias", req: &pbs.GetTargetRequest{Id: "not.a.registered.alias"}, wantModifiedReq: &pbs.GetTargetRequest{Id: "not.a.registered.alias"}, - errorIs: handlers.UnauthenticatedError(), + errorIs: handlers.NotFoundError(), }, { name: "aliasable request with destinationless alias", req: &pbs.GetTargetRequest{Id: alWithoutDest.GetValue()}, wantModifiedReq: &pbs.GetTargetRequest{Id: alWithoutDest.GetValue()}, - errorIs: handlers.UnauthenticatedError(), + errorIs: handlers.NotFoundError(), }, } for _, tc := range cases { diff --git a/internal/tests/api/targets/target_test.go b/internal/tests/api/targets/target_test.go index 274c42ffd7..292985967e 100644 --- a/internal/tests/api/targets/target_test.go +++ b/internal/tests/api/targets/target_test.go @@ -685,12 +685,12 @@ func TestCrud(t *testing.T) { assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode()) }) - t.Run("deleting unknown alias is unauthorized", func(t *testing.T) { + t.Run("deleting unknown alias is not found", func(t *testing.T) { _, err = tarClient.Delete(tc.Context(), al.GetValue()) assert.Error(err) apiErr := api.AsServerError(err) assert.NotNil(apiErr) - assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode()) + assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode()) }) } @@ -750,7 +750,7 @@ func TestSet_Errors(t *testing.T) { require.Error(err) apiErr = api.AsServerError(err) assert.NotNil(apiErr) - assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode()) + assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode()) // reading by alias with no destination id should fail rw := db.New(tc.DbConn()) @@ -759,8 +759,7 @@ func TestSet_Errors(t *testing.T) { require.Error(err) apiErr = api.AsServerError(err) assert.NotNil(apiErr) - assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode()) - noAliasApiErrReponse := apiErr.Response() + assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode()) client.SetToken("at_1234567890_madeupinvalidtoken") tarClient = targets.NewClient(client) @@ -768,9 +767,6 @@ func TestSet_Errors(t *testing.T) { apiErr = api.AsServerError(err) assert.NotNil(apiErr) assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode()) - // We should not be able to tell the difference between an unauthorized request - // and a request that tries to resolve an alias that points to nothing. - assert.EqualValues(noAliasApiErrReponse.Body, apiErr.Response().Body) } func TestCreateTarget_WhitespaceInAddress(t *testing.T) {