Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)

* test: add test to verify Vault storage is updated * bug: fix config/rotate-root to store new key * choir: fix changelog name to match PR
2021-10-19 09:26:47 -05:00 · 2021-10-19 09:26:47 -05:00 · 0b95a394d4
parent c945c7b218
commit 0b95a394d4
3 changed files with 17 additions and 14 deletions
--- a/builtin/credential/aws/path_config_rotate_root.go
+++ b/builtin/credential/aws/path_config_rotate_root.go
@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		}
 	}()

+	oldAccessKey := clientConf.AccessKey
+	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
+	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
+
 	// Now get ready to update storage, doing everything beforehand so we can minimize how long
 	// we need to hold onto the lock.
 	newEntry, err := b.configClientToEntry(clientConf)
@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		return nil, errs
 	}

-	oldAccessKey := clientConf.AccessKey
-	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
-	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
-
 	// Someday we may want to allow the user to send a number of seconds to wait here
 	// before deleting the previous access key to allow work to complete. That would allow
 	// AWS, which is eventually consistent, to finish populating the new key in all places.
--- a/builtin/credential/aws/path_config_rotate_root_test.go
+++ b/builtin/credential/aws/path_config_rotate_root_test.go
@ -3,13 +3,11 @@ package awsauth
 import (
 	"context"
 	"testing"
-	"time"

 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	}

 	ctx := context.Background()
+	config := logical.TestBackendConfig()
+	logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
-	b, err := Factory(ctx, &logical.BackendConfig{
-		StorageView: storage,
-		Logger:      hclog.Default(),
-		System: &logical.StaticSystemView{
-			DefaultLeaseTTLVal: time.Hour,
-			MaxLeaseTTLVal:     time.Hour,
-		},
-	})
+	config.StorageView = storage
+
+	b, err := Backend(config)
+
 	if err != nil {
 		t.Fatal(err)
 	}
@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	if resp.Data["access_key"].(string) != "fizz2" {
 		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
 	}
+	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
+	if resp.Data["access_key"].(string) != newClientConf.AccessKey {
+		t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
+	}
 }
--- a/changelog/12715.txt
+++ b/changelog/12715.txt
@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fix config/rotate-root to store new key
+```