boundary daemon add-token to return returns 403 Forbidden when Boundary returns the same (#4345)

2 years ago · acabfd7f2c
parent b3a292d4b9
commit acabfd7f2c
3 changed files with 38 additions and 3 deletions
--- a/internal/clientcache/internal/daemon/server.go
+++ b/internal/clientcache/internal/daemon/server.go
@ -182,7 +182,10 @@ func defaultBoundaryTokenReader(ctx context.Context, cp ClientProvider) (cache.B

 		at, err := atClient.Read(ctx, atId)
 		if err != nil {
-			return nil, errors.Wrap(ctx, err, op)
+			if api.ErrPermissionDenied.Is(err) {
+				return nil, errors.Wrap(ctx, err, op, errors.WithMsg("Failed to get auth token from Boundary"), errors.WithCode(errors.Forbidden), errors.WithoutEvent())
+			}
+			return nil, errors.Wrap(ctx, err, op, errors.WithoutEvent())
 		}
 		return at.GetItem(), nil
 	}, nil
--- a/internal/clientcache/internal/daemon/server_test.go
+++ b/internal/clientcache/internal/daemon/server_test.go
@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/hashicorp/boundary/api"
+	"github.com/hashicorp/boundary/api/roles"
 	"github.com/hashicorp/boundary/internal/cmd/base"
 	"github.com/hashicorp/boundary/internal/daemon/controller"
 	"github.com/stretchr/testify/assert"
@ -28,6 +29,21 @@ func TestDefaultBoundaryTokenReader(t *testing.T) {
 	})

 	tc := controller.NewTestController(t, nil)
+	client := tc.Client()
+	client.SetToken(tc.Token().Token)
+	rclient := roles.NewClient(client)
+	rl, err := rclient.List(ctx, "global", roles.WithRecursive(true))
+	require.NoError(t, err)
+
+	// delete everything except for the admin role
+	for _, r := range rl.Items {
+		if r.Name == "Administration" {
+			continue
+		}
+		_, err := rclient.Delete(ctx, r.Id)
+		require.NoError(t, err)
+	}
+
 	cp := fakeClientProvider{tc}

 	cases := []struct {
@ -42,6 +58,12 @@ func TestDefaultBoundaryTokenReader(t *testing.T) {
 			token:       tc.Token().Token,
 			errContains: "",
 		},
+		{
+			name:        "token cant read itself",
+			address:     tc.ApiAddrs()[0],
+			token:       tc.UnprivilegedToken().Token,
+			errContains: "PermissionDenied",
+		},
 		{
 			name:        "empty address",
 			address:     "",
--- a/internal/clientcache/internal/daemon/token_handler.go
+++ b/internal/clientcache/internal/daemon/token_handler.go
@ -115,16 +115,26 @@ func newTokenHandlerFunc(ctx context.Context, repo *cache.Repository, refresher
 				AuthTokenId: perReq.AuthTokenId,
 			}
 			if err = repo.AddKeyringToken(ctx, perReq.BoundaryAddr, kt); err != nil {
+				errCode := http.StatusInternalServerError
+				if errors.Match(errors.T(errors.Forbidden), err) {
+					errCode = http.StatusForbidden
+				}
+
 				err := fmt.Errorf("Failed to add a keyring stored token with id %q: %w", perReq.AuthTokenId, err)
 				event.WriteError(ctx, op, err)
-				writeError(w, err.Error(), http.StatusInternalServerError)
+				writeError(w, err.Error(), errCode)
 				return
 			}
 		case perReq.AuthToken != "":
 			if err = repo.AddRawToken(ctx, perReq.BoundaryAddr, perReq.AuthToken); err != nil {
+				errCode := http.StatusInternalServerError
+				if errors.Match(errors.T(errors.Forbidden), err) {
+					errCode = http.StatusForbidden
+				}
+
 				err := fmt.Errorf("Failed to add a raw token with id %q: %w", perReq.AuthTokenId, err)
 				event.WriteError(ctx, op, err)
-				writeError(w, fmt.Sprintf("Failed to add a raw token: %v", err), http.StatusInternalServerError)
+				writeError(w, err.Error(), errCode)
 				return
 			}
 		}