diff --git a/internal/clientcache/internal/daemon/server.go b/internal/clientcache/internal/daemon/server.go index a4df4be59b..08c97fd4be 100644 --- a/internal/clientcache/internal/daemon/server.go +++ b/internal/clientcache/internal/daemon/server.go @@ -182,7 +182,10 @@ func defaultBoundaryTokenReader(ctx context.Context, cp ClientProvider) (cache.B at, err := atClient.Read(ctx, atId) if err != nil { - return nil, errors.Wrap(ctx, err, op) + if api.ErrPermissionDenied.Is(err) { + return nil, errors.Wrap(ctx, err, op, errors.WithMsg("Failed to get auth token from Boundary"), errors.WithCode(errors.Forbidden), errors.WithoutEvent()) + } + return nil, errors.Wrap(ctx, err, op, errors.WithoutEvent()) } return at.GetItem(), nil }, nil diff --git a/internal/clientcache/internal/daemon/server_test.go b/internal/clientcache/internal/daemon/server_test.go index 273cd5c802..1afafedcaf 100644 --- a/internal/clientcache/internal/daemon/server_test.go +++ b/internal/clientcache/internal/daemon/server_test.go @@ -8,6 +8,7 @@ import ( "testing" "github.com/hashicorp/boundary/api" + "github.com/hashicorp/boundary/api/roles" "github.com/hashicorp/boundary/internal/cmd/base" "github.com/hashicorp/boundary/internal/daemon/controller" "github.com/stretchr/testify/assert" @@ -28,6 +29,21 @@ func TestDefaultBoundaryTokenReader(t *testing.T) { }) tc := controller.NewTestController(t, nil) + client := tc.Client() + client.SetToken(tc.Token().Token) + rclient := roles.NewClient(client) + rl, err := rclient.List(ctx, "global", roles.WithRecursive(true)) + require.NoError(t, err) + + // delete everything except for the admin role + for _, r := range rl.Items { + if r.Name == "Administration" { + continue + } + _, err := rclient.Delete(ctx, r.Id) + require.NoError(t, err) + } + cp := fakeClientProvider{tc} cases := []struct { 
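Review bot: Only `api.ErrPermissionDenied` is promoted to `errors.Forbidden` in the new branch of defaultBoundaryTokenReader; a token that is expired or revoked will presumably fail `atClient.Read` with a different API error (the 401/unauthenticated kind) and keep falling through to the generic wrap, which the daemon then reports as a 500 even though it is equally a caller-side credential problem. If the api package exposes a sentinel for that case, mapping it to a non-500 code next to this one would let the CLI tell "bad token" apart from "daemon broke". The rationale for the Forbidden branch also deserves a line, e.g. `// A token lacking read:self on itself is the caller's authorization problem, not a daemon fault; tag it Forbidden so the token handler can answer 403 instead of 500.` The enclosing closure and defaultBoundaryTokenReader both begin outside the hunk.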
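Review bot: The loop in TestDefaultBoundaryTokenReader deletes every role except the one named "Administration" but does not say why, and the reason is not obvious from the case that relies on it: the default roles presumably carry the auth-token `read:self` grant that lets an unprivileged token read itself, so removing them is what makes `atClient.Read` return PermissionDenied later. A comment such as `// Remove the default roles so the unprivileged token loses read:self on auth-tokens; the "token cant read itself" case depends on this.` would make the setup self-explaining. Matching the admin role by display name is fragile — if the seeded name ever changes the loop strips the admin grants too and every case fails; matching on a role id the test controller exposes, if it does, would be sturdier. The rest of the test function lies outside the hunk.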
@@ -42,6 +58,12 @@ func TestDefaultBoundaryTokenReader(t *testing.T) { token: tc.Token().Token, errContains: "", }, + { + name: "token cant read itself", + address: tc.ApiAddrs()[0], + token: tc.UnprivilegedToken().Token, + errContains: "PermissionDenied", + }, { name: "empty address", address: "", diff --git a/internal/clientcache/internal/daemon/token_handler.go b/internal/clientcache/internal/daemon/token_handler.go index 8106b66e47..a1a57b4327 100644 --- a/internal/clientcache/internal/daemon/token_handler.go +++ b/internal/clientcache/internal/daemon/token_handler.go @@ -115,16 +115,26 @@ func newTokenHandlerFunc(ctx context.Context, repo *cache.Repository, refresher AuthTokenId: perReq.AuthTokenId, } if err = repo.AddKeyringToken(ctx, perReq.BoundaryAddr, kt); err != nil { + errCode := http.StatusInternalServerError + if errors.Match(errors.T(errors.Forbidden), err) { + errCode = http.StatusForbidden + } + err := fmt.Errorf("Failed to add a keyring stored token with id %q: %w", perReq.AuthTokenId, err) event.WriteError(ctx, op, err) - writeError(w, err.Error(), http.StatusInternalServerError) + writeError(w, err.Error(), errCode) return } case perReq.AuthToken != "": if err = repo.AddRawToken(ctx, perReq.BoundaryAddr, perReq.AuthToken); err != nil { + errCode := http.StatusInternalServerError + if errors.Match(errors.T(errors.Forbidden), err) { + errCode = http.StatusForbidden + } + err := fmt.Errorf("Failed to add a raw token with id %q: %w", perReq.AuthTokenId, err) event.WriteError(ctx, op, err) - writeError(w, fmt.Sprintf("Failed to add a raw token: %v", err), http.StatusInternalServerError) + writeError(w, err.Error(), errCode) return } }
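Review bot: The new "token cant read itself" case only asserts that the error text contains "PermissionDenied", which is the upstream API message, whereas the behavior the server.go change actually introduces is the `errors.Forbidden` code — and that code is what token_handler.go keys its 403 response on, so a regression that drops `errors.WithCode(errors.Forbidden)` would still pass this test. Consider adding an expected-code field to the case table (e.g. `errCode: errors.Forbidden`) and checking `errors.Match(errors.T(tc.errCode), err)` in the assertion loop, which lives outside this hunk; the string check can stay as a secondary assertion.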
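Review bot: The Forbidden→403 mapping added to both branches of newTokenHandlerFunc is duplicated line for line, so any further code (an unauthenticated or expired token still comes back as a 500 after this change) would have to be added twice; a small helper keeps the keyring and raw-token paths in lockstep. Note also that the raw-token message now interpolates `perReq.AuthTokenId` with %q — if the raw-token request does not populate that field (the credential itself travels in `perReq.AuthToken`), the event and the response body will read `with id ""`; worth confirming against the request struct. Since `err.Error()` is echoed to the daemon's caller, keep in mind that the wrapped chain now carries the upstream API error text as well. The switch and the handler function begin outside the hunk.
```go
// statusForTokenErr maps a repository error to the HTTP status the daemon
// returns to its caller: a Forbidden-coded error (Boundary refused to let the
// token read itself) becomes 403, anything else stays a 500.
func statusForTokenErr(err error) int {
	if errors.Match(errors.T(errors.Forbidden), err) {
		return http.StatusForbidden
	}
	return http.StatusInternalServerError
}

// … in newTokenHandlerFunc, same shape in the keyring and raw-token branches …
err := fmt.Errorf("Failed to add a keyring stored token with id %q: %w", perReq.AuthTokenId, err)
event.WriteError(ctx, op, err)
writeError(w, err.Error(), statusForTokenErr(err))
```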