From 7ba7309b8bcfdec2d65543f590d9923dade8c263 Mon Sep 17 00:00:00 2001
From: Becca Petrin
Date: Thu, 7 Feb 2019 11:16:23 -0800
Subject: [PATCH] Return a more helpful error message for unknown db roles (#6157)
* return a more helpful err msg
* update test, print fmt
* fix other test failure
---
 builtin/logical/database/backend_test.go | 8 ++++----
 builtin/logical/database/path_creds_create.go | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
index abb941fd41..93c2a9fb99 100644
--- a/builtin/logical/database/backend_test.go
+++ b/builtin/logical/database/backend_test.go
@@ -1156,8 +1156,8 @@ func TestBackend_allowedRoles(t *testing.T) {
 Data: data,
 }
 credsResp, err := b.HandleRequest(namespace.RootContext(nil), req)
- if err != logical.ErrPermissionDenied {
- t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err)
+ if err == nil {
+ t.Fatal("expected error because role is denied")
 }
 // update connection with glob allowed roles connection
@@ -1254,8 +1254,8 @@ func TestBackend_allowedRoles(t *testing.T) {
 Data: data,
 }
 credsResp, err = b.HandleRequest(namespace.RootContext(nil), req)
- if err != logical.ErrPermissionDenied {
- t.Fatalf("expected error to be:%s got:%#v\n", logical.ErrPermissionDenied, err)
+ if err == nil {
+ t.Fatal("expected error because role is denied")
 }
 // Get creds from allowed role, should work.
diff --git a/builtin/logical/database/path_creds_create.go b/builtin/logical/database/path_creds_create.go
index e002c6b7fa..df780f73c5 100644
--- a/builtin/logical/database/path_creds_create.go
+++ b/builtin/logical/database/path_creds_create.go
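Review bot: The rewritten assertion in both TestBackend_allowedRoles hunks (at -1156 and -1254) accepts any non-nil error, so a failure unrelated to the allowed-roles check would now be counted as a correct denial. Since these are the assertions that cover this authorization path, they should pin the reason, e.g. `if err == nil || !strings.Contains(err.Error(), "is not an allowed role") {` followed by `t.Fatalf("expected allowed-role denial, got: %v", err)`. The test function starts and ends outside both hunks, so whether `strings` is already imported in backend_test.go is not visible here.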
@@ -51,7 +51,7 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 // If role name isn't in the database's allowed roles, send back a
 // permission denied.
 if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {
- return nil, logical.ErrPermissionDenied
+ return nil, fmt.Errorf("%q is not an allowed role", name)
 }
 // Get the Database object
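Review bot: Replacing `logical.ErrPermissionDenied` with a plain `fmt.Errorf` turns an authorization denial into an untyped error, so callers, status mapping and alerting keyed on the permission-denied sentinel will no longer recognise this path; the HTTP layer is outside this hunk, but an untyped backend error is likely to surface as a server error rather than a 403. The helpful text can be kept without losing the classification, for example `return nil, logical.CodedError(403, fmt.Sprintf("%q is not an allowed role", name))`. The context comment above the check still says "send back a permission denied" and should be updated to match whatever is returned. Using `%q` for the caller-supplied role name is a good choice, since it escapes control characters before the value reaches logs. pathCredsCreateRead's body starts and ends outside the hunk.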