Return errInvalidCredentials when wrong credentials is provided for existent users #17104

Merged
merged 7 commits into from Sep 27, 2022

@akshya96 akshya96 commented Sep 12, 2022

https://hashicorp.atlassian.net/browse/VAULT-8304
The auth methods return a specific error code “ErrInvalidCredentials” in cases where they fail due to invalid credentials for existent users.
This helps to differentiate between existent and non-existent users when the lockout feature is implemented to prevent brute forcing.
This is only used for handling lockouts and will be removed before return. This will not be returned or seen externally.
These changes are for the approle, ldap and userpass auth methods.
Added changes to RespondErrorCommon and also added a test to confirm that ErrInvalidCredentials is not seen externally.
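
The pattern this description outlines, sketched as an added example (not Vault's code and not part of the pull request): an internal sentinel error feeds lockout counting for existing users and is replaced by one generic error before the caller sees anything. All names here are hypothetical, including the lowercase `errInvalidCredentials`, `errLoginFailed`, `authServer`, the threshold of 3 and the constructed sample user.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	errInvalidCredentials = errors.New("invalid credentials") // hypothetical internal sentinel
	errLoginFailed        = errors.New("login failed")        // the only error a client sees
)

type authServer struct {
	users    map[string]string // constructed sample data: username -> password
	failures map[string]int    // failed attempts, existing users only
}

// verify plays the auth method: it tags a wrong secret for an existing user.
func (s *authServer) verify(user, pass string) error {
	stored, ok := s.users[user]
	if !ok {
		return errLoginFailed // unknown user: no sentinel
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
		return errInvalidCredentials
	}
	return nil
}

// login plays the request handler: count the sentinel, return only the generic error.
func (s *authServer) login(user, pass string) error {
	const maxFailures = 3 // assumed lockout threshold
	if s.failures[user] >= maxFailures {
		return errLoginFailed // locked out; same external error
	}
	switch err := s.verify(user, pass); {
	case err == nil:
		delete(s.failures, user)
		return nil
	case errors.Is(err, errInvalidCredentials):
		s.failures[user]++
	}
	return errLoginFailed
}

func main() {
	s := &authServer{users: map[string]string{"alice": "correct-horse"}, failures: map[string]int{}}
	fmt.Println(s.login("alice", "wrong"), s.login("mallory", "wrong"), s.failures)
}
```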

@akshya96 akshya96 marked this pull request as ready for review September 12, 2022 21:32
@akshya96 akshya96 requested a review from a team September 12, 2022 21:32
@HridoyRoy

Are the ErrInvalidCredentials changes only for the Approle and Userpass login endpoints?

@akshya96

> Are the ErrInvalidCredentials changes only for the Approle and Userpass login endpoints?

It is for approle, userpass and ldap

@mpalmi mpalmi left a comment

LGTM! Just one small question about switch/case v. if/else.

builtin/credential/userpass/path_login.go
@ncabatoff ncabatoff self-requested a review September 16, 2022 12:53
@akshya96 akshya96 merged commit 9d49bfa into main Sep 27, 2022
jayant07-yb pushed a commit to jayant07-yb/hashicorp-vault-integrations that referenced this pull request Mar 15, 2023
…xistent users (hashicorp#17104)

* adding errInvalidCredentials

* fixing tests

* add changelog

* fixing fmt errors

* test if routeErr is seen externally and fixing error comment

* adding fmt changes

* adding comments
5 participants