From 04b4a6aa50aa9eee406f2ef0a49147fc3ebf6954 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 14 Feb 2017 16:28:16 -0500
Subject: [PATCH] Fix Okta auth issue when a user has no policies and/or groups set. (#2371)

Fixes #2367
---
 builtin/credential/okta/backend.go      | 10 ++++------
 builtin/credential/okta/backend_test.go | 21 +++++++++++----------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/builtin/credential/okta/backend.go b/builtin/credential/okta/backend.go
index 6e4f16927..43a16473a 100644
--- a/builtin/credential/okta/backend.go
+++ b/builtin/credential/okta/backend.go
@@ -59,10 +59,6 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 		return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil
 	}
 
-	if b.Logger().IsDebug() {
-		b.Logger().Debug("auth/okta:", auth)
-	}
-
 	oktaGroups, err := b.getOktaGroups(cfg, auth.Embedded.User.ID)
 	if err != nil {
 		return nil, logical.ErrorResponse(err.Error()), nil
@@ -96,13 +92,15 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	var policies []string
 	for _, groupName := range allGroups {
 		group, err := b.Group(req.Storage, groupName)
-		if err == nil && group != nil {
+		if err == nil && group != nil && group.Policies != nil {
 			policies = append(policies, group.Policies...)
 		}
 	}
 
 	// Merge local Policies into Okta Policies
-	policies = append(policies, user.Policies...)
+	if user != nil && user.Policies != nil {
+		policies = append(policies, user.Policies...)
+	}
 
 	if len(policies) == 0 {
 		errStr := "user is not a member of any authorized policy"
diff --git a/builtin/credential/okta/backend_test.go b/builtin/credential/okta/backend_test.go
index b808caf8a..7672dc099 100644
--- a/builtin/credential/okta/backend_test.go
+++ b/builtin/credential/okta/backend_test.go
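Review bot: Nothing on the new side records why the debug dump of `auth` went away, and the line that remains, `oktaGroups, err := b.getOktaGroups(cfg, auth.Embedded.User.ID)`, is exactly where a later maintainer would be tempted to put it back. The deleted statement logged the whole Okta authn response, which as far as I know carries the session token, so at debug level it wrote a reusable credential into the log; the removal is a fix in its own right and worth stating. A short comment above that call would preserve the intent: `// Do not log the raw authn response: it includes the Okta session token.` If some debug visibility is still wanted, log only the user id from `auth.Embedded.User.ID`. The enclosing Login body starts and ends outside the hunk.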
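Review bot: The new condition `if err == nil && group != nil && group.Policies != nil {` still swallows the error from `b.Group`, so a storage failure while reading one group silently logs the user in with fewer policies or, if every lookup fails, surfaces as the misleading "user is not a member of any authorized policy" message further down. The `group.Policies != nil` term (and `user.Policies != nil` in the later added lines) is also redundant, since appending a nil slice is a no-op; the `user != nil` guard is the part that actually fixes #2367. Returning the storage error as the internal error value, rather than echoing it to the client or dropping it, keeps the failure visible and fail-closed. The enclosing Login body begins and ends outside the hunk.

```go
	for _, groupName := range allGroups {
		group, err := b.Group(req.Storage, groupName)
		if err != nil {
			return nil, nil, err
		}
		if group != nil {
			policies = append(policies, group.Policies...)
		}
	}
	// … unchanged: merge of local user policies and the empty-policies check …
```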
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/vault/helper/logformat"
+	"github.com/hashicorp/vault/helper/policyutil"
 	log "github.com/mgutz/logxi/v1"
 
 	"github.com/hashicorp/vault/logical"
@@ -40,23 +41,23 @@ func TestBackend_Config(t *testing.T) {
 		Backend: b,
 		Steps: []logicaltest.TestStep{
 			testConfigCreate(t, configData),
-			testLoginWrite(t, username, "wrong", "E0000004", 0),
-			testLoginWrite(t, username, password, "user is not a member of any authorized policy", 0),
+			testLoginWrite(t, username, "wrong", "E0000004", nil),
+			testLoginWrite(t, username, password, "user is not a member of any authorized policy", nil),
 			testAccUserGroups(t, username, "local_group,local_group2"),
 			testAccGroups(t, "local_group", "local_group_policy"),
-			testLoginWrite(t, username, password, "", 2),
+			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
 			testAccGroups(t, "Everyone", "everyone_group_policy,every_group_policy2"),
-			testLoginWrite(t, username, password, "", 2),
+			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
 			testConfigUpdate(t, configDataToken),
 			testConfigRead(t, configData),
-			testLoginWrite(t, username, password, "", 4),
-			testAccGroups(t, "TestGroup", "testgroup_group_policy"),
-			testLoginWrite(t, username, password, "", 5),
+			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy"}),
+			testAccGroups(t, "local_group2", "testgroup_group_policy"),
+			testLoginWrite(t, username, password, "", []string{"everyone_group_policy", "every_group_policy2", "local_group_policy", "testgroup_group_policy"}),
 		},
 	})
 }
 
-func testLoginWrite(t *testing.T, username, password, reason string, policies int) logicaltest.TestStep {
+func testLoginWrite(t *testing.T, username, password, reason string, policies []string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "login/" + username,
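Review bot: The step sequence in TestBackend_Config encodes a dependency that is easy to miss: after `testAccGroups(t, "Everyone", "everyone_group_policy,every_group_policy2")` the login is still expected to yield only `[]string{"local_group_policy"}`, and the Okta group policies show up only after `testConfigUpdate(t, configDataToken)` — presumably because group lookup needs the API token, which the hunk itself does not show. A comment before the second `testLoginWrite(t, username, password, "", []string{"local_group_policy"})` would save the next reader a detour, e.g. `// Okta group policies only take effect once the API token is configured below.` The same note would explain why the expected sets grow only in the steps that follow the config update.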
@@ -72,8 +73,8 @@ func testLoginWrite(t *testing.T, username, password, reason string, policies in
 			}
 
 			if resp.Auth != nil {
-				if len(resp.Auth.Policies) != policies {
-					return fmt.Errorf("policy mismatch expected %d but got %s", policies, resp.Auth.Policies)
+				if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
+					return fmt.Errorf("policy mismatch expected %v but got %v", policies, resp.Auth.Policies)
 				}
 			}