Register the token entry's path instead of the request path, to handle role suffixes correctly

Jeff Mitchell 2016-04-14 07:56:09 -04:00
parent bb0dd624e1
commit 53773f12e3
2 changed files with 26 additions and 31 deletions


@ -541,8 +541,15 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
return nil, auth, ErrInternalError
}
// Register with the expiration manager
if err := c.expiration.RegisterAuth(req.Path, resp.Auth); err != nil {
// Register with the expiration manager. We use the token's actual path
// here because roles allow suffixes.
te, err := c.tokenStore.Lookup(resp.Auth.ClientToken)
if err != nil {
c.logger.Printf("[ERR] core: failed to lookup token: %v", err)
return nil, nil, ErrInternalError
}
if err := c.expiration.RegisterAuth(te.Path, resp.Auth); err != nil {
c.logger.Printf("[ERR] core: failed to register token lease "+
"(request path: %s): %v", req.Path, err)
return nil, auth, ErrInternalError
@ -651,7 +658,7 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
auth.Policies = te.Policies
// Register with the expiration manager
if err := c.expiration.RegisterAuth(req.Path, auth); err != nil {
if err := c.expiration.RegisterAuth(te.Path, auth); err != nil {
c.logger.Printf("[ERR] core: failed to register token lease "+
"(request path: %s): %v", req.Path, err)
return nil, auth, ErrInternalError
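Review bot: In the handleRequest hunk, `te.Path` is dereferenced after only `err` is checked. The body of `c.tokenStore.Lookup` is not visible here, but if it can return a nil entry with a nil error for a token it does not find, this path panics instead of failing closed. A guard before the RegisterAuth call, `if te == nil { return nil, nil, ErrInternalError }` with its own log line, would cover that case. Both RegisterAuth error logs (here and in handleLoginRequest) still print only `req.Path` although the lease is now registered under `te.Path`; logging both, e.g. `"(request path: %s, token path: %s): %v", req.Path, te.Path, err`, keeps the message usable when tracing a lease back to the login that created it. Both function bodies continue outside the hunks.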


@ -8,7 +8,6 @@ import (
"time"
"github.com/hashicorp/vault/logical"
"github.com/mitchellh/mapstructure"
)
func getBackendConfig(c *Core) *logical.BackendConfig {
@ -1208,22 +1207,16 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
t.Fatalf("got a nil response")
}
var actual tsRoleEntry
err = mapstructure.WeakDecode(resp.Data, &actual)
if err != nil {
t.Fatalf("error decoding role json: %v", err)
expected := map[string]interface{}{
"name": "test",
"orphan": true,
"period": float64(259200),
"allowed_policies": []string{"test1", "test2"},
"path_suffix": "happenin",
}
expected := tsRoleEntry{
Name: "test",
Orphan: true,
Period: 72 * time.Hour,
AllowedPolicies: []string{"test1", "test2"},
PathSuffix: "happenin",
}
if !reflect.DeepEqual(expected, actual) {
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, actual)
if !reflect.DeepEqual(expected, resp.Data) {
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
}
// Now test updating; this should be set to an UpdateOperation
@ -1254,21 +1247,16 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
t.Fatalf("got a nil response")
}
err = mapstructure.WeakDecode(resp.Data, &actual)
if err != nil {
t.Fatalf("error decoding role json: %v", err)
expected = map[string]interface{}{
"name": "test",
"orphan": true,
"period": float64(284400),
"allowed_policies": []string{"test3"},
"path_suffix": "happenin",
}
expected = tsRoleEntry{
Name: "test",
Orphan: true,
Period: 79 * time.Hour,
AllowedPolicies: []string{"test3"},
PathSuffix: "happenin",
}
if !reflect.DeepEqual(expected, actual) {
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, actual)
if !reflect.DeepEqual(expected, resp.Data) {
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
}
req.Operation = logical.ListOperation