From 1c821e448d001840cdcd59c72ac2e257561d33ac Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Thu, 2 Mar 2017 15:56:08 -0500
Subject: [PATCH] Update error text to make it more obvious what the issue is when valid principals aren't found
---
 builtin/logical/ssh/path_sign.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index eb3d6053b9..69833b2434 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -198,20 +198,17 @@ func (b *backend) pathSignCertificate(req *logical.Request, data *framework.Fiel
 }
 func (b *backend) calculateValidPrincipals(data *framework.FieldData, defaultPrincipal, principalsAllowedByRole string, validatePrincipal func([]string, string) bool) ([]string, error) {
+ if principalsAllowedByRole == "" {
+ return nil, fmt.Errorf(`"role is not configured to allow any principles`)
+ }
+
 validPrincipals := data.Get("valid_principals").(string)
 if validPrincipals == "" {
 if defaultPrincipal != "" {
 return []string{defaultPrincipal}, nil
 }
- if principalsAllowedByRole == "" {
- return []string{}, nil
- }
- return nil, fmt.Errorf(`"valid_principals" value required by role`)
- }
-
- if principalsAllowedByRole == "" {
- return nil, fmt.Errorf(`"valid_principals" not in allowed list`)
+ return nil, fmt.Errorf(`"valid_principals" not supplied and no default set in the role`)
 }
 parsedPrincipals := strings.Split(validPrincipals, ",")
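Review bot: The message in the first added guard of calculateValidPrincipals has a stray opening double quote and misspells "principals" as "principles", so the error an operator sees for a misconfigured role is garbled; `return nil, fmt.Errorf("role is not configured to allow any principals")` reads cleanly. The guard also changes behaviour beyond the error text named in the subject: with an empty allowed list this function previously returned the default principal, or an empty principal list, and now it refuses the request before either path is reached. That is the safer outcome for a signing endpoint, since a certificate with no principals is not scoped to any identity, but it deserves a line in the commit message and a comment such as `// Refuse to sign when the role allows no principals; never fall through to an empty list.` A test for a role with a default principal and an empty allowed list would pin the new ordering. The function body continues past the end of the hunk.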