forwarding requests subjected to Login MFA to the active node (#15009)

* forwarding requests subjected to Login MFA to the active node * CL, and making fmt happy
hashicorp · Apr 13, 2022 · e072acf · e072acf
1 parent 617e62c
commit e072acf
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/changelog/15009.txt b/changelog/15009.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: forward requests subject to login MFA from perfStandby to Active node
+```
diff --git a/sdk/framework/backend_test.go b/sdk/framework/backend_test.go
@@ -10,10 +10,9 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-secure-stdlib/strutil"
-	"github.com/stretchr/testify/require"
-
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
 )
 
 func BenchmarkBackendRoute(b *testing.B) {

diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -1506,6 +1506,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 					}
 				}
 			} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
+				// two-phase login MFA requests should be forwarded
+				// to the active node, as the validation should only
+				// happen in that node
+				if c.perfStandby {
+					return nil, nil, logical.ErrPerfStandbyPleaseForward
+				}
 				mfaRequestID, err := uuid.GenerateUUID()
 				if err != nil {
 					return nil, nil, err