From 0b95a394d44d62dddef85feb6aa770d180843a32 Mon Sep 17 00:00:00 2001
From: ludewigh
Date: Tue, 19 Oct 2021 09:26:47 -0500
Subject: [PATCH] Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)

* test: add test to verify Vault storage is updated
* bug: fix config/rotate-root to store new key
* choir: fix changelog name to match PR
---
 .../credential/aws/path_config_rotate_root.go | 8 ++++----
 .../aws/path_config_rotate_root_test.go | 20 +++++++++----------
 changelog/12715.txt | 3 +++
 3 files changed, 17 insertions(+), 14 deletions(-)
 create mode 100644 changelog/12715.txt

diff --git a/builtin/credential/aws/path_config_rotate_root.go b/builtin/credential/aws/path_config_rotate_root.go
index d5553632d..125056234 100644
--- a/builtin/credential/aws/path_config_rotate_root.go
+++ b/builtin/credential/aws/path_config_rotate_root.go
@@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		}
 	}()
 
+	oldAccessKey := clientConf.AccessKey
+	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
+	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
+
 	// Now get ready to update storage, doing everything beforehand so we can minimize how long
 	// we need to hold onto the lock.
 	newEntry, err := b.configClientToEntry(clientConf)
@@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		return nil, errs
 	}
 
-	oldAccessKey := clientConf.AccessKey
-	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
-	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
-
 	// Someday we may want to allow the user to send a number of seconds to wait here
 	// before deleting the previous access key to allow work to complete. That would allow
 	// AWS, which is eventually consistent, to finish populating the new key in all places.
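Review bot: The three moved assignments now run before `configClientToEntry(clientConf)`, which is the fix, but nothing in the code says why that order matters, so a later refactor can quietly reintroduce the regression this commit closes; the same applies to the second hunk, where the old placement is removed. A comment above `oldAccessKey := clientConf.AccessKey` would pin it: `// Apply the new key pair to clientConf before it is serialized below; configClientToEntry builds the storage entry from clientConf's current contents, and assigning afterwards left the old key in storage (#12715).` The deferred function that closes just above the hunk, the later deletion of oldAccessKey and the rest of pathConfigRotateRootUpdate all lie outside this view, so I cannot confirm from here that a failure in configClientToEntry still revokes the freshly created key now that clientConf already carries it — worth checking that the deferred branch covers that path.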
diff --git a/builtin/credential/aws/path_config_rotate_root_test.go b/builtin/credential/aws/path_config_rotate_root_test.go
index 7f585e47e..59361090f 100644
--- a/builtin/credential/aws/path_config_rotate_root_test.go
+++ b/builtin/credential/aws/path_config_rotate_root_test.go
@@ -3,13 +3,11 @@ package awsauth
 import (
 	"context"
 	"testing"
-	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	}
 
 	ctx := context.Background()
+	config := logical.TestBackendConfig()
+	logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
-	b, err := Factory(ctx, &logical.BackendConfig{
-		StorageView: storage,
-		Logger: hclog.Default(),
-		System: &logical.StaticSystemView{
-			DefaultLeaseTTLVal: time.Hour,
-			MaxLeaseTTLVal: time.Hour,
-		},
-	})
+	config.StorageView = storage
+
+	b, err := Backend(config)
+
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	if resp.Data["access_key"].(string) != "fizz2" {
 		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
 	}
+	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
+	if resp.Data["access_key"].(string) != newClientConf.AccessKey {
+		t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
+	}
 }
diff --git a/changelog/12715.txt b/changelog/12715.txt
new file mode 100644
index 000000000..b4a61a7de
--- /dev/null
+++ b/changelog/12715.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fix config/rotate-root to store new key
+```
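Review bot: The bare `logical.TestBackendConfig()` call on the line after `config := logical.TestBackendConfig()` discards its result and does nothing; drop it. Replacing `Factory` with `Backend(config)` also appears to skip whatever setup `Factory` performed on the backend, which this hunk does not show — if `Backend` does not run the backend's setup, values the rotate-root handler reads from the config (logger, system view) may be nil in this test even though it passes today. TestPathConfigRotateRoot starts before the hunk and continues past it.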
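Review bot: The `err` returned by `b.nonLockedClientConfigEntry(ctx, req.Storage)` is never checked, so a storage read failure surfaces as a nil-pointer panic on `newClientConf.AccessKey` rather than a test failure. The Fatalf also prints `clientConf.AccessKey` — a variable declared earlier in the test, outside this hunk, apparently the pre-rotation config — instead of the value actually read back, and its text says `buzz2` and `receieved` while the expected key is `fizz2`. Comparing the stored key directly against the literal `"fizz2"` also makes this assertion independent of the response check just above it. The enclosing TestPathConfigRotateRoot begins before the hunk.
```go
	// … unchanged: response access_key check …
	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
	if err != nil {
		t.Fatal(err)
	}
	if got := newClientConf.AccessKey; got != "fizz2" {
		t.Fatalf("expected new access key fizz2 to be saved to storage but received %q", got)
	}
```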