Register the token entry's path instead of the request path, to handle role suffixes correctly
This commit is contained in:
Jeff Mitchell
parent
bb0dd624e1
commit
53773f12e3
|
|
@ -541,8 +541,15 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
|
|||
return nil, auth, ErrInternalError
|
||||
}
|
||||
|
||||
// Register with the expiration manager
|
||||
if err := c.expiration.RegisterAuth(req.Path, resp.Auth); err != nil {
|
||||
// Register with the expiration manager. We use the token's actual path
|
||||
// here because roles allow suffixes.
|
||||
te, err := c.tokenStore.Lookup(resp.Auth.ClientToken)
|
||||
if err != nil {
|
||||
c.logger.Printf("[ERR] core: failed to lookup token: %v", err)
|
||||
return nil, nil, ErrInternalError
|
||||
}
|
||||
|
||||
if err := c.expiration.RegisterAuth(te.Path, resp.Auth); err != nil {
|
||||
c.logger.Printf("[ERR] core: failed to register token lease "+
|
||||
"(request path: %s): %v", req.Path, err)
|
||||
return nil, auth, ErrInternalError
|
||||
|
|
@ -651,7 +658,7 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
|
|||
auth.Policies = te.Policies
|
||||
|
||||
// Register with the expiration manager
|
||||
if err := c.expiration.RegisterAuth(req.Path, auth); err != nil {
|
||||
if err := c.expiration.RegisterAuth(te.Path, auth); err != nil {
|
||||
c.logger.Printf("[ERR] core: failed to register token lease "+
|
||||
"(request path: %s): %v", req.Path, err)
|
||||
return nil, auth, ErrInternalError
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/mitchellh/mapstructure"
|
||||
)
|
||||
|
||||
func getBackendConfig(c *Core) *logical.BackendConfig {
|
||||
|
|
@ -1208,22 +1207,16 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
|
|||
t.Fatalf("got a nil response")
|
||||
}
|
||||
|
||||
var actual tsRoleEntry
|
||||
err = mapstructure.WeakDecode(resp.Data, &actual)
|
||||
if err != nil {
|
||||
t.Fatalf("error decoding role json: %v", err)
|
||||
expected := map[string]interface{}{
|
||||
"name": "test",
|
||||
"orphan": true,
|
||||
"period": float64(259200),
|
||||
"allowed_policies": []string{"test1", "test2"},
|
||||
"path_suffix": "happenin",
|
||||
}
|
||||
|
||||
expected := tsRoleEntry{
|
||||
Name: "test",
|
||||
Orphan: true,
|
||||
Period: 72 * time.Hour,
|
||||
AllowedPolicies: []string{"test1", "test2"},
|
||||
PathSuffix: "happenin",
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(expected, actual) {
|
||||
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, actual)
|
||||
if !reflect.DeepEqual(expected, resp.Data) {
|
||||
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
|
||||
}
|
||||
|
||||
// Now test updating; this should be set to an UpdateOperation
|
||||
|
|
@ -1254,21 +1247,16 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
|
|||
t.Fatalf("got a nil response")
|
||||
}
|
||||
|
||||
err = mapstructure.WeakDecode(resp.Data, &actual)
|
||||
if err != nil {
|
||||
t.Fatalf("error decoding role json: %v", err)
|
||||
expected = map[string]interface{}{
|
||||
"name": "test",
|
||||
"orphan": true,
|
||||
"period": float64(284400),
|
||||
"allowed_policies": []string{"test3"},
|
||||
"path_suffix": "happenin",
|
||||
}
|
||||
|
||||
expected = tsRoleEntry{
|
||||
Name: "test",
|
||||
Orphan: true,
|
||||
Period: 79 * time.Hour,
|
||||
AllowedPolicies: []string{"test3"},
|
||||
PathSuffix: "happenin",
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(expected, actual) {
|
||||
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, actual)
|
||||
if !reflect.DeepEqual(expected, resp.Data) {
|
||||
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
|
||||
}
|
||||
|
||||
req.Operation = logical.ListOperation
|
||||
|
|
|
|||
Loading…
Reference in New Issue