Consider new bounds as a criteria to allow role creation (#2600)

* Consider new bounds as a criteria to allow role creation * Added a test
2017-04-17 10:36:11 -04:00 · 2017-04-17 10:36:11 -04:00 · 09cd069435
parent b6758b7ea9
commit 09cd069435
2 changed files with 27 additions and 11 deletions
--- a/builtin/credential/aws-ec2/path_role.go
+++ b/builtin/credential/aws-ec2/path_role.go
@ -350,12 +350,14 @@ func (b *backend) pathRoleCreateUpdate(

 	// Ensure that at least one bound is set on the role
 	switch {
-	case roleEntry.BoundAccountID != "":
 	case roleEntry.BoundAmiID != "":
-	case roleEntry.BoundIamInstanceProfileARN != "":
+	case roleEntry.BoundAccountID != "":
+	case roleEntry.BoundRegion != "":
+	case roleEntry.BoundVpcID != "":
+	case roleEntry.BoundSubnetID != "":
 	case roleEntry.BoundIamRoleARN != "":
+	case roleEntry.BoundIamInstanceProfileARN != "":
 	default:
-
 		return logical.ErrorResponse("at least be one bound parameter should be specified on the role"), nil
 	}

--- a/builtin/credential/aws-ec2/path_role_test.go
+++ b/builtin/credential/aws-ec2/path_role_test.go
@ -9,6 +9,8 @@ import (
 )

 func TestAwsEc2_RoleCrud(t *testing.T) {
+	var err error
+	var resp *logical.Response
 	config := logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
 	config.StorageView = storage
@ -22,6 +24,23 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		t.Fatal(err)
 	}

+	role1Data := map[string]interface{}{
+		"bound_vpc_id":             "testvpcid",
+		"allow_instance_migration": true,
+		"policies":                 "testpolicy1,testpolicy2",
+	}
+	roleReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Storage:   storage,
+		Path:      "role/role1",
+		Data:      role1Data,
+	}
+
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("resp: %#v, err: %v", resp, err)
+	}
+
 	roleData := map[string]interface{}{
 		"bound_ami_id":                   "testamiid",
 		"bound_account_id":               "testaccountid",
@ -40,14 +59,9 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		"period":                    "1m",
 	}

-	roleReq := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Storage:   storage,
-		Path:      "role/testrole",
-		Data:      roleData,
-	}
-
-	resp, err := b.HandleRequest(roleReq)
+	roleReq.Path = "role/testrole"
+	roleReq.Data = roleData
+	resp, err = b.HandleRequest(roleReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("resp: %#v, err: %v", resp, err)
 	}