From 6ec8cd8f2874ef14b9e5134bd814ce3f7b8ade99 Mon Sep 17 00:00:00 2001 From: Vishal Nayak Date: Wed, 19 May 2021 14:06:08 -0400 Subject: [PATCH] Tokenutil: Perform num uses check earlier (#11647) * Perform num uses check earlier * Add CL * Ensure that login works
--- builtin/credential/approle/backend_test.go | 69 +++++++++++++++++++ changelog/11647.txt | 3 + sdk/helper/tokenutil/tokenutil.go | 14 ++-- .../vault/sdk/helper/tokenutil/tokenutil.go | 14 ++-- 4 files changed, 86 insertions(+), 14 deletions(-) create mode 100644 changelog/11647.txt
diff --git a/builtin/credential/approle/backend_test.go b/builtin/credential/approle/backend_test.go
index a23f4c364..044f02d2a 100644
--- a/builtin/credential/approle/backend_test.go
+++ b/builtin/credential/approle/backend_test.go
@@ -5,10 +5,13 @@ import (
 "strings"
 "testing"
+ "github.com/stretchr/testify/require"
+
 "github.com/hashicorp/vault/sdk/logical"
 )
 func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
+ t.Helper()
 config := logical.TestBackendConfig()
 config.StorageView = &logical.InmemStorage{}
@@ -26,6 +29,72 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
 return b, config.StorageView
 }
+func TestAppRole_RoleServiceToBatchNumUses(t *testing.T) {
+ b, s := createBackendWithStorage(t)
+
+ requestFunc := func(operation logical.Operation, data map[string]interface{}) {
+ resp, err := b.HandleRequest(context.Background(), &logical.Request{
+ Path: "role/testrole",
+ Operation: operation,
+ Storage: s,
+ Data: data,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: err: %#v\nresp: %#v", err, resp)
+ }
+ }
+
+ data := map[string]interface{}{
+ "bind_secret_id": true,
+ "secret_id_num_uses": 0,
+ "secret_id_ttl": "10m",
+ "token_policies": "policy",
+ "token_ttl": "5m",
+ "token_max_ttl": "10m",
+ "token_num_uses": 2,
+ "token_type": "default",
+ }
+ requestFunc(logical.CreateOperation, data)
+
+ data["token_num_uses"] = 0
+ data["token_type"] = "batch"
+ requestFunc(logical.UpdateOperation, data)
+
+ resp, err := b.HandleRequest(context.Background(), &logical.Request{
+ Path: "role/testrole/role-id",
+ Operation: logical.ReadOperation,
+ Storage: s,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+ roleID := resp.Data["role_id"]
+
+ resp, err = b.HandleRequest(context.Background(), &logical.Request{
+ Path: "role/testrole/secret-id",
+ Operation: logical.UpdateOperation,
+ Storage: s,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+ secretID := resp.Data["secret_id"]
+
+ resp, err = b.HandleRequest(context.Background(), &logical.Request{
+ Path: "login",
+ Operation: logical.UpdateOperation,
+ Data: map[string]interface{}{
+ "role_id": roleID,
+ "secret_id": secretID,
+ },
+ Storage: s,
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+ }
+ require.NotNil(t, resp.Auth)
+}
+
 func TestAppRole_RoleNameCaseSensitivity(t *testing.T) {
 testFunc := func(t *testing.T, roleName string) {
 var resp *logical.Response
diff --git a/changelog/11647.txt b/changelog/11647.txt
new file mode 100644
index 000000000..2075989ef
--- /dev/null
+++ b/changelog/11647.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+tokenutil: Perform the num uses check before token type.
+```
diff --git a/sdk/helper/tokenutil/tokenutil.go b/sdk/helper/tokenutil/tokenutil.go
index 29f974834..19a3f73c5 100644
--- a/sdk/helper/tokenutil/tokenutil.go
+++ b/sdk/helper/tokenutil/tokenutil.go
@@ -207,6 +207,13 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 t.TokenType = tokenType
 }
+ if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
+ t.TokenNumUses = tokenNumUses.(int)
+ }
+ if t.TokenNumUses < 0 {
+ return errors.New("'token_num_uses' cannot be negative")
+ }
+
 if t.TokenType == logical.TokenTypeBatch || t.TokenType == logical.TokenTypeDefaultBatch {
 if t.TokenPeriod != 0 {
 return errors.New("'token_type' cannot be 'batch' or 'default_batch' when set to generate periodic tokens")
@@ -226,13 +233,6 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
 }
- if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
- t.TokenNumUses = tokenNumUses.(int)
- }
- if t.TokenNumUses < 0 {
- return errors.New("'token_num_uses' cannot be negative")
- }
-
 return nil
 }
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/tokenutil/tokenutil.go b/vendor/github.com/hashicorp/vault/sdk/helper/tokenutil/tokenutil.go
index 29f974834..19a3f73c5 100644
--- a/vendor/github.com/hashicorp/vault/sdk/helper/tokenutil/tokenutil.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/tokenutil/tokenutil.go
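Review bot: The new TestAppRole_RoleServiceToBatchNumUses only asserts `require.NotNil(t, resp.Auth)` at the end, so it proves the role update and login did not error but never checks that the requested settings actually took effect on the issued credential. The regression this guards (a role flipped from service to batch while `token_num_uses` goes 2 → 0) would be pinned much more tightly by asserting on the auth itself, e.g. `require.Equal(t, logical.TokenTypeBatch, resp.Auth.TokenType)` and `require.Equal(t, 0, resp.Auth.NumUses)` — assuming logical.Auth exposes those fields as elsewhere in the SDK; confirm against the type. It would also be worth a second update request that sends only `"token_type": "batch"` without `token_num_uses`, with whichever outcome the backend intends asserted explicitly, since the fix in tokenutil only re-reads `token_num_uses` when the field is present in the request. The fatal-on-error closure and the three hand-rolled `if err != nil || (resp != nil && resp.IsError())` blocks could be collapsed into one helper now that testify is imported, but that is style only.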
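Review bot: The relocated `token_num_uses` parsing in the first tokenutil hunk carries no comment explaining why it must precede the batch-type validation, so a future tidy-up that groups the field parsing back together would silently reintroduce the bug this commit fixes. I would add, above `if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {`, the comment `// Parse token_num_uses before the batch-type checks below so that a request that changes token_type and token_num_uses together is validated against the requested num_uses rather than the value already stored on the role.` Note that `d.GetOk` leaves `t.TokenNumUses` untouched when the field is absent from the request, so an update that only changes `token_type` to batch still carries the stored num_uses into the checks that follow — presumably that is intended, but it means the fix only helps callers who send both fields in one request. Moving the negative check ahead of the batch/period/ttl checks also changes which error message surfaces when several fields are invalid at once, which API consumers matching on error text may notice. The batch-type validation that this ordering matters for begins on the hunk's last lines and continues outside it.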
@@ -207,6 +207,13 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 t.TokenType = tokenType
 }
+ if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
+ t.TokenNumUses = tokenNumUses.(int)
+ }
+ if t.TokenNumUses < 0 {
+ return errors.New("'token_num_uses' cannot be negative")
+ }
+
 if t.TokenType == logical.TokenTypeBatch || t.TokenType == logical.TokenTypeDefaultBatch {
 if t.TokenPeriod != 0 {
 return errors.New("'token_type' cannot be 'batch' or 'default_batch' when set to generate periodic tokens")
@@ -226,13 +233,6 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
 }
- if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
- t.TokenNumUses = tokenNumUses.(int)
- }
- if t.TokenNumUses < 0 {
- return errors.New("'token_num_uses' cannot be negative")
- }
-
 return nil
 }