Fix Okta auth issue when a user has no policies and/or groups set. (#2371)

Fixes #2367
2017-02-14 16:28:16 -05:00 · 2017-02-14 16:28:16 -05:00 · 04b4a6aa50
parent f88defce49
commit 04b4a6aa50
2 changed files with 15 additions and 16 deletions
--- a/builtin/credential/okta/backend.go
+++ b/builtin/credential/okta/backend.go
@ -59,10 +59,6 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 		return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil
 	}

-	if b.Logger().IsDebug() {
-		b.Logger().Debug("auth/okta:", auth)
-	}
-
 	oktaGroups, err := b.getOktaGroups(cfg, auth.Embedded.User.ID)
 	if err != nil {
 		return nil, logical.ErrorResponse(err.Error()), nil
@ -96,13 +92,15 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	var policies []string
 	for _, groupName := range allGroups {
 		group, err := b.Group(req.Storage, groupName)
-		if err == nil && group != nil {
+		if err == nil && group != nil && group.Policies != nil {
 			policies = append(policies, group.Policies...)
 		}
 	}

 	// Merge local Policies into Okta Policies
-	policies = append(policies, user.Policies...)
+	if user != nil && user.Policies != nil {
+		policies = append(policies, user.Policies...)
+	}

 	if len(policies) == 0 {
 		errStr := "user is not a member of any authorized policy"
--- a/builtin/credential/okta/backend_test.go
+++ b/builtin/credential/okta/backend_test.go
@ -7,6 +7,7 @@ import (
 	"testing"

 	"github.com/hashicorp/vault/helper/logformat"
+	"github.com/hashicorp/vault/helper/policyutil"
 	log "github.com/mgutz/logxi/v1"

 	"github.com/hashicorp/vault/logical"
@ -40,23 +41,23 @@ func TestBackend_Config(t *testing.T) {
 		Backend:        b,
 		Steps: []logicaltest.TestStep{
 			testConfigCreate(t, configData),
-			testLoginWrite(t, username, "wrong", "E0000004", 0),
-			testLoginWrite(t, username, password, "user is not a member of any authorized policy", 0),
+			testLoginWrite(t, username, "wrong", "E0000004", nil),
+			testLoginWrite(t, username, password, "user is not a member of any authorized policy", nil),
 			testAccUserGroups(t, username, "local_group,local_group2"),
 			testAccGroups(t, "local_group", "local_group_policy"),
-			testLoginWrite(t, username, password, "", 2),
+			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
 			testAccGroups(t, "Everyone", "everyone_group_policy,every_group_policy2"),
-			testLoginWrite(t, username, password, "", 2),
+			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
 			testConfigUpdate(t, configDataToken),
 			testConfigRead(t, configData),
-			testLoginWrite(t, username, password, "", 4),
-			testAccGroups(t, "TestGroup", "testgroup_group_policy"),
-			testLoginWrite(t, username, password, "", 5),
+			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy"}),
+			testAccGroups(t, "local_group2", "testgroup_group_policy"),
+			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy"}),
 		},
 	})
 }

-func testLoginWrite(t *testing.T, username, password, reason string, policies int) logicaltest.TestStep {
+func testLoginWrite(t *testing.T, username, password, reason string, policies []string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "login/" + username,
@ -72,8 +73,8 @@ func testLoginWrite(t *testing.T, username, password, reason string, policies in
 			}

 			if resp.Auth != nil {
-				if len(resp.Auth.Policies) != policies {
-					return fmt.Errorf("policy mismatch expected %d but got %s", policies, resp.Auth.Policies)
+				if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
+					return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)
 				}
 			}