core: set namespace within GeneratePasswordFromPolicy (#12635)

* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
Calvin Leung Huang 2021-09-27 09:08:07 -07:00 committed by GitHub
parent 3826042daf
commit 7ad62f5be4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 25 additions and 11 deletions


@ -45,7 +45,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile) os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
sys := vault.TestDynamicSystemView(cores[0].Core) sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "") vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "") vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "") vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")


@ -109,7 +109,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
cluster.Start() cluster.Start()
cores := cluster.Cores cores := cluster.Cores
sys := vault.TestDynamicSystemView(cores[0].Core) sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "") vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")
return cluster, sys return cluster, sys


@ -80,7 +80,7 @@ func testConfig(t *testing.T) (*logical.BackendConfig, func()) {
core := cores[0] core := cores[0]
sys := vault.TestDynamicSystemView(core.Core) sys := vault.TestDynamicSystemView(core.Core, nil)
config := &logical.BackendConfig{ config := &logical.BackendConfig{
Logger: logging.NewVaultLogger(log.Debug), Logger: logging.NewVaultLogger(log.Debug),

changelog/12635.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin.
```


@ -340,6 +340,8 @@ func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, polic
defer cancel() defer cancel()
} }
ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName) policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to retrieve password policy: %w", err) return "", fmt.Errorf("failed to retrieve password policy: %w", err)
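Review bot: The added line `ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())` dereferences `d.mountEntry` with no nil check, so a dynamicSystemView built without a mount entry — the shape the old tests in this same commit used, `dynamicSystemView{core: ...}` — would now panic here instead of proceeding with the caller's context; whether `Namespace()` tolerates a nil receiver is not visible in the hunk. Since the method already returns an error, a guard ahead of this line such as `if d.mountEntry == nil { return "", fmt.Errorf("system view has no mount entry") }` keeps that misuse an error rather than a panic. The line also deserves a why-comment, because it replaces whatever namespace the caller put in ctx: `// Resolve the policy in the mount's own namespace; callers outside a request (e.g. external plugins) carry no namespace in ctx.` GeneratePasswordFromPolicy's body starts and ends outside the hunk.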


@ -16,8 +16,9 @@ import (
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
) )
var testPolicyName = "testpolicy" var (
var rawTestPasswordPolicy = ` testPolicyName = "testpolicy"
rawTestPasswordPolicy = `
length = 20 length = 20
rule "charset" { rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz" charset = "abcdefghijklmnopqrstuvwxyz"
@ -31,6 +32,7 @@ rule "charset" {
charset = "0123456789" charset = "0123456789"
min_chars = 1 min_chars = 1
}` }`
)
func TestIdentity_BackendTemplating(t *testing.T) { func TestIdentity_BackendTemplating(t *testing.T) {
var err error var err error
@ -205,7 +207,7 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
defer cancel() defer cancel()
ctx = namespace.RootContext(ctx) ctx = namespace.RootContext(ctx)
dsv := dynamicSystemView{core: cluster.Cores[0].Core} dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)
runeset := map[rune]bool{} runeset := map[rune]bool{}
runesFound := []rune{} runesFound := []rune{}
@ -272,11 +274,11 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
getErr: test.getErr, getErr: test.getErr,
} }
dsv := dynamicSystemView{ core := &Core{
core: &Core{
systemBarrierView: NewBarrierView(testStorage, "sys/"), systemBarrierView: NewBarrierView(testStorage, "sys/"),
},
} }
dsv := TestDynamicSystemView(core, nil)
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel() defer cancel()
actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName) actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
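Review bot: Every call to `TestDynamicSystemView` in this file passes `nil` for the namespace (`TestDynamicSystemView(cluster.Cores[0].Core, nil)` in the successful test and `TestDynamicSystemView(core, nil)` in the failed-case table), so the namespace selection this commit adds to GeneratePasswordFromPolicy is only exercised for the root namespace. A case that builds the view with a non-root `*namespace.Namespace` and checks the policy is read from that namespace's storage would cover the bug the changelog describes. The `ctx = namespace.RootContext(ctx)` line in the successful test is presumably now superseded by the mount entry's namespace, so a short comment such as `// The namespace in ctx is overridden by the system view's mount entry.` would stop a reader from assuming it drives the lookup. The enclosing test functions start and end outside the hunks.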


@ -434,12 +434,19 @@ func TestKeyCopy(key []byte) []byte {
return result return result
} }
func TestDynamicSystemView(c *Core) *dynamicSystemView { func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
me := &MountEntry{ me := &MountEntry{
Config: MountConfig{ Config: MountConfig{
DefaultLeaseTTL: 24 * time.Hour, DefaultLeaseTTL: 24 * time.Hour,
MaxLeaseTTL: 2 * 24 * time.Hour, MaxLeaseTTL: 2 * 24 * time.Hour,
}, },
NamespaceID: namespace.RootNamespace.ID,
namespace: namespace.RootNamespace,
}
if ns != nil {
me.NamespaceID = ns.ID
me.namespace = ns
} }
return &dynamicSystemView{c, me} return &dynamicSystemView{c, me}
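Review bot: `TestDynamicSystemView` is an exported helper that gained a parameter but still has no doc comment; add `// TestDynamicSystemView returns a dynamicSystemView for c whose mount entry lives in ns; a nil ns selects namespace.RootNamespace.` above the signature. As a point of style, setting `NamespaceID` and `namespace` to the root values in the literal and then overwriting both under `if ns != nil` can be folded into a single assignment — `if ns == nil { ns = namespace.RootNamespace }` before the literal, then `NamespaceID: ns.ID, namespace: ns,` — which keeps the two fields from ever drifting apart. The function's closing brace is outside the hunk.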