From 48cb30312a9ac8e7e13653ddc5606ff79898ee73 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 27 Mar 2018 16:34:06 -0400
Subject: [PATCH 1/3] Remove old workaround for a rollback error (#4206)
It can now cause problems in other situations
---
 vault/auth.go | 5 ----
 vault/router_ext_test.go | 52 ++++++++++++++++++++++++++++++++++++++++
 vault/testing.go | 47 ++++++++++++++++++++++++++++++++++++
 3 files changed, 99 insertions(+), 5 deletions(-)
 create mode 100644 vault/router_ext_test.go
diff --git a/vault/auth.go b/vault/auth.go
index 487b94230..38eee3326 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -448,11 +448,6 @@ func (c *Core) setupCredentials(ctx context.Context) error {
 for _, entry := range c.auth.Entries {
 var backend logical.Backend
- // Work around some problematic code that existed in master for a while
- if strings.HasPrefix(entry.Path, credentialRoutePrefix) {
- entry.Path = strings.TrimPrefix(entry.Path, credentialRoutePrefix)
- persistNeeded = true
- }
 // Create a barrier view using the UUID
 viewPath := credentialBarrierPrefix + entry.UUID + "/"
diff --git a/vault/router_ext_test.go b/vault/router_ext_test.go
new file mode 100644
index 000000000..78aa76e38
--- /dev/null
+++ b/vault/router_ext_test.go
@@ -0,0 +1,52 @@
+package vault_test
+
+import (
+ "testing"
+
+ "github.com/hashicorp/vault/api"
+ "github.com/hashicorp/vault/builtin/credential/userpass"
+ vaulthttp "github.com/hashicorp/vault/http"
+ "github.com/hashicorp/vault/logical"
+ "github.com/hashicorp/vault/vault"
+)
+
+func TestRouter_MountSubpath_Checks(t *testing.T) {
+ testRouter_MountSubpath(t, []string{"auth/abcd/123", "abcd/123"})
+ testRouter_MountSubpath(t, []string{"abcd/123", "auth/abcd/123"})
+ testRouter_MountSubpath(t, []string{"auth/abcd/123", "abcd/123"})
+}
+
+func testRouter_MountSubpath(t *testing.T, mountPoints []string) {
+ coreConfig := &vault.CoreConfig{
+ CredentialBackends: map[string]logical.Factory{
+ "userpass": userpass.Factory,
+ },
+ }
+ cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+ HandlerFunc: vaulthttp.Handler,
+ })
+ cluster.Start()
+ defer cluster.Cleanup()
+
+ vault.TestWaitActive(t, cluster.Cores[0].Core)
+ client := cluster.Cores[0].Client
+
+ authInput := &api.EnableAuthOptions{
+ Type: "userpass",
+ }
+
+ for _, mp := range mountPoints {
+ t.Logf("mounting %s", mp)
+ var err error
+ err = client.Sys().EnableAuthWithOptions(mp, authInput)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ }
+
+ cluster.EnsureCoresSealed(t)
+
+ cluster.UnsealCores(t)
+
+ t.Logf("Done: %#v", mountPoints)
+}
diff --git a/vault/testing.go b/vault/testing.go
index 2bbd91950..79799e625 100644
--- a/vault/testing.go
+++ b/vault/testing.go
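Review bot: testRouter_MountSubpath only checks that sealing and unsealing succeed after both auth mounts are enabled; it never verifies that both mounts are still present afterwards, so a regression in which one mount silently shadows or overwrites the other on restart would still pass. After `cluster.UnsealCores(t)`, list the auth mounts and assert each requested path is present, e.g. `mounts, err := client.Sys().ListAuth()` followed by a presence check for every entry of mountPoints (sys/auth reports mount paths with a trailing slash, so compare against `mp + "/"`). The first and third cases in TestRouter_MountSubpath_Checks are identical (`{"auth/abcd/123", "abcd/123"}`); presumably one was meant to be a different combination, otherwise the duplicate should be dropped. In the mount loop, `var err error` plus a separate assignment can be collapsed to `if err := client.Sys().EnableAuthWithOptions(mp, authInput); err != nil {`.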
@@ -768,6 +768,53 @@ func (c *TestCluster) Start() {
 }
 }
+// UnsealCores uses the cluster barrier keys to unseal the test cluster cores
+func (c *TestCluster) UnsealCores(t testing.T) {
+ numCores := len(c.Cores)
+
+ // Unseal first core
+ for _, key := range c.BarrierKeys {
+ if _, err := c.Cores[0].Unseal(TestKeyCopy(key)); err != nil {
+ t.Fatalf("unseal err: %s", err)
+ }
+ }
+
+ // Verify unsealed
+ sealed, err := c.Cores[0].Sealed()
+ if err != nil {
+ t.Fatalf("err checking seal status: %s", err)
+ }
+ if sealed {
+ t.Fatal("should not be sealed")
+ }
+
+ TestWaitActive(t, c.Cores[0].Core)
+
+ // Unseal other cores
+ for i := 1; i < numCores; i++ {
+ for _, key := range c.BarrierKeys {
+ if _, err := c.Cores[i].Core.Unseal(TestKeyCopy(key)); err != nil {
+ t.Fatalf("unseal err: %s", err)
+ }
+ }
+ }
+
+ // Let them come fully up to standby
+ time.Sleep(2 * time.Second)
+
+ // Ensure cluster connection info is populated.
+ // Other cores should not come up as leaders.
+ for i := 1; i < numCores; i++ {
+ isLeader, _, _, err := c.Cores[i].Leader()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if isLeader {
+ t.Fatalf("core[%d] should not be leader", i)
+ }
+ }
+}
+
+func (c *TestCluster) EnsureCoresSealed(t testing.T) {
 t.Helper()
 if err := c.ensureCoresSealed(); err != nil {
From c02e8dd428f23f01ca3152129e794b2d7be4f907 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 27 Mar 2018 16:35:25 -0400
Subject: [PATCH 2/3] changelog++
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6062d8912..a61d90048 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ BUG FIXES:
 parent prefix entry in the underlying storage backend. These operations also mark corresponding child tokens as orphans by removing the parent/secondary
 index from the entries. [GH-4193]
+ * core: Fix issue occurring from mounting two auth backends with the same path
+ with one mount having `auth/` in front [GH-4206]
+ ## 0.9.6 (March 20th, 2018)
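Review bot: `time.Sleep(2 * time.Second)` in UnsealCores is a fixed-delay wait for the standby cores, which slows every test that calls the helper and is a timing assumption that can fail on a loaded CI machine before the leader check that follows it runs. Poll each non-first core's `Standby()` with a deadline instead, in the same spirit as the `TestWaitActive` call a few lines above; the rewritten wait is sketched below. Since EnsureCoresSealed directly below calls `t.Helper()`, UnsealCores should do the same so that failures are attributed to the calling test line. The doc comment could also state that the unseal uses the stored `BarrierKeys`, that it waits for core 0 to become active, and that the test fails if any other core reports itself as leader.
```go
	// Let them come fully up to standby
	for i := 1; i < numCores; i++ {
		deadline := time.Now().Add(10 * time.Second)
		for {
			standby, err := c.Cores[i].Standby()
			if err != nil {
				t.Fatal(err)
			}
			if standby {
				break
			}
			if time.Now().After(deadline) {
				t.Fatalf("core[%d] did not reach standby", i)
			}
			time.Sleep(50 * time.Millisecond)
		}
	}
	// … unchanged: leader check over the non-first cores …
```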
From 1a060446a9d4b50352e0a09fc8f76c35771eedd7 Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Tue, 27 Mar 2018 17:04:13 -0400
Subject: [PATCH 3/3] changelog++
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a61d90048..67f3a175a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ BUG FIXES:
 index from the entries. [GH-4193]
 * core: Fix issue occurring from mounting two auth backends with the same path
 with one mount having `auth/` in front [GH-4206]
+ * mfa: Invalidation of MFA configurations (Enterprise)
+ ## 0.9.6 (March 20th, 2018)