From c27825a8a74c8aeeb56945bcbcccb153f14ded5d Mon Sep 17 00:00:00 2001
From: Chris Capurso
Date: Wed, 16 Feb 2022 16:30:11 -0500
Subject: [PATCH] fix approle login IPBelongsToCIDRBlocksSlice err handling (#14107)
* fix approle login IPBelongsToCIDRBlocksSlice err handling
* add changelog entry
---
 builtin/credential/approle/path_login.go | 9 ++++++---
 changelog/14107.txt | 3 +++
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 changelog/14107.txt
diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
index a392966fa8..ba478c4ffd 100644
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -178,11 +178,14 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 }
 belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, entry.CIDRList)
- if !belongs || err != nil {
+ if err != nil {
+ return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+ }
+
+ if !belongs {
 return logical.ErrorResponse(fmt.Errorf(
- "source address %q unauthorized through CIDR restrictions on the secret ID: %w",
+ "source address %q unauthorized through CIDR restrictions on the secret ID",
 req.Connection.RemoteAddr,
- err,
 ).Error()), nil
 }
 }
diff --git a/changelog/14107.txt b/changelog/14107.txt
new file mode 100644
index 0000000000..f17138c055
--- /dev/null
+++ b/changelog/14107.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/approle: Fix wrapping of nil errors in `login` endpoint
+```
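Review bot: In the path_login.go hunk, the new `if err != nil` branch hands `err.Error()` verbatim to a caller that has not yet completed login. What `cidrutil.IPBelongsToCIDRBlocksSlice` puts in its errors is not visible here, but if it names the block it failed on, the response would expose entries of `entry.CIDRList`, the secret ID's configured restrictions. Consider recording the detail in the server log and answering with a fixed message, e.g. `return logical.ErrorResponse("unable to verify source address against CIDR restrictions on the secret ID"), logical.ErrInvalidRequest`. Both branches still deny the login, so the check stays fail-closed, but the diffstat shows no test file, and a regression test for `!belongs` with a nil `err` would pin the message fix. `pathLoginUpdate` starts and ends outside the hunk.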