From 2bf61de12503aec8c3ab76366b30f6d4fb87562d Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 6 Nov 2023 08:51:52 -0500
Subject: [PATCH] backport of commit b19562db9a8c1b65ea660ed0d51aaf9498a9887d (#24025)
Co-authored-by: Kuba Wieczorek
---
 vault/policy_store.go | 2 +-
 vault/policy_store_test.go | 4 ++--
 vault/request_handling.go | 10 +++++++++-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/vault/policy_store.go b/vault/policy_store.go
index d10433852..9b39049fa 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -467,7 +467,7 @@ func (ps *PolicyStore) GetNonEGPPolicyType(nsID string, name string) (*PolicyTyp
 pt, ok := ps.policyTypeMap.Load(index)
 if !ok {
 // Doesn't exist
- return nil, fmt.Errorf("policy does not exist in type map: %v", index)
+ return nil, ErrPolicyNotExistInTypeMap
 }
 policyType, ok := pt.(PolicyType)
diff --git a/vault/policy_store_test.go b/vault/policy_store_test.go
index 374499c9c..a514176a3 100644
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@@ -360,7 +360,7 @@ func TestPolicyStore_GetNonEGPPolicyType(t *testing.T) {
 paramNamespace: "1AbcD",
 paramPolicyName: "policy1",
 isErrorExpected: true,
- expectedErrorMessage: "policy does not exist in type map: 1AbcD/policy1",
+ expectedErrorMessage: "policy does not exist in type map",
 },
 "not-in-map-rgp": {
 policyStoreKey: "2WxyZ/policy2",
@@ -368,7 +368,7 @@ func TestPolicyStore_GetNonEGPPolicyType(t *testing.T) {
 paramNamespace: "1AbcD",
 paramPolicyName: "policy1",
 isErrorExpected: true,
- expectedErrorMessage: "policy does not exist in type map: 1AbcD/policy1",
+ expectedErrorMessage: "policy does not exist in type map",
 },
 "unknown-policy-type": {
 policyStoreKey: "1AbcD/policy1",
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 0c34ad8b3..53766ca13 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
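Review bot: Returning the bare sentinel at `+ return nil, ErrPolicyNotExistInTypeMap` discards the namespace/policy index that the replaced message carried, so any caller other than the one in request_handling.go that re-appends it loses that context when it logs or returns the error. Wrapping keeps both: `return nil, fmt.Errorf("%w: %v", ErrPolicyNotExistInTypeMap, index)` still satisfies the `errors.Is` check the caller adds, and the expected-message edits in policy_store_test.go would then be unnecessary. Whether `fmt` is still used elsewhere in policy_store.go after this hunk is not visible here. GetNonEGPPolicyType continues outside the hunk.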
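Review bot: The two expected-message updates (this hunk and the one at -368) keep the table keyed on the exact error string, which is what forced the store's message to drop its `1AbcD/policy1` suffix. If the comparison code outside the hunk matches on `expectedErrorMessage` by equality, an `errors.Is(err, ErrPolicyNotExistInTypeMap)` assertion would let the store keep the index in its message without breaking these cases; the comparison itself is not visible, so this is inferred from the field name. TestPolicyStore_GetNonEGPPolicyType continues outside both hunks.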
@@ -52,7 +52,8 @@ var (
 // to complete, unless overridden on a per-handler basis
 DefaultMaxRequestDuration = 90 * time.Second
- ErrNoApplicablePolicies = errors.New("no applicable policies")
+ ErrNoApplicablePolicies = errors.New("no applicable policies")
+ ErrPolicyNotExistInTypeMap = errors.New("policy does not exist in type map")
 egpDebugLogging bool
@@ -180,6 +181,13 @@ func (c *Core) getApplicableGroupPolicies(ctx context.Context, tokenNS *namespac
 for _, policyName := range nsPolicies {
 t, err := c.policyStore.GetNonEGPPolicyType(policyNS.ID, policyName)
+ if err != nil && errors.Is(err, ErrPolicyNotExistInTypeMap) {
+ // When we attempt to get a non-EGP policy type, and receive an
+ // explicit error that it doesn't exist (in the type map) we log the
+ // ns/policy and continue without error.
+ c.Logger().Debug(fmt.Errorf("%w: %v/%v", err, policyNS.ID, policyName).Error())
+ continue
+ }
 if err != nil || t == nil {
 return nil, fmt.Errorf("failed to look up type of policy: %w", err)
 }
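Review bot: `ErrPolicyNotExistInTypeMap` is exported but carries no doc comment, and it is declared here in request_handling.go although PolicyStore.GetNonEGPPolicyType in policy_store.go is the function that returns it, so a reader of the producer has to find the contract in the consumer's file. Declaring it next to GetNonEGPPolicyType with `// ErrPolicyNotExistInTypeMap is returned by PolicyStore.GetNonEGPPolicyType when the namespace/policy index has no entry in the type map; match it with errors.Is.` would keep producer and contract together. The var block continues outside the hunk.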
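Review bot: The new branch turns a group-referenced policy that is absent from the type map from a request-failing error into a silently skipped entry recorded only at Debug, so an operator running at an Info-level default would not see that one of a group's policies is not being applied; a Warn-level record would surface the inconsistency without changing the skip. The `err != nil &&` guard is redundant because `errors.Is` returns false for a nil error, and building an error only to call `.Error()` on it appears to bypass the key/value arguments the logger takes; `if errors.Is(err, ErrPolicyNotExistInTypeMap) {` followed by `c.Logger().Warn("skipping group policy missing from type map", "namespace", policyNS.ID, "policy", policyName)` expresses the same intent with searchable fields. getApplicableGroupPolicies starts and ends outside the hunk.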