core: set namespace within GeneratePasswordFromPolicy (#12635)
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy * test: update TestDynamicSystemView to be ns-aware, update tests * add changelog entry
This commit is contained in:
parent
3826042daf
commit
7ad62f5be4
|
@ -45,7 +45,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
|
||||||
|
|
||||||
os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
|
os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
|
||||||
|
|
||||||
sys := vault.TestDynamicSystemView(cores[0].Core)
|
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
|
||||||
vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
|
vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
|
||||||
vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
|
vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
|
||||||
vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")
|
vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")
|
||||||
|
|
|
@ -109,7 +109,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
|
||||||
cluster.Start()
|
cluster.Start()
|
||||||
cores := cluster.Cores
|
cores := cluster.Cores
|
||||||
|
|
||||||
sys := vault.TestDynamicSystemView(cores[0].Core)
|
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
|
||||||
vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")
|
vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")
|
||||||
|
|
||||||
return cluster, sys
|
return cluster, sys
|
||||||
|
|
|
@ -80,7 +80,7 @@ func testConfig(t *testing.T) (*logical.BackendConfig, func()) {
|
||||||
|
|
||||||
core := cores[0]
|
core := cores[0]
|
||||||
|
|
||||||
sys := vault.TestDynamicSystemView(core.Core)
|
sys := vault.TestDynamicSystemView(core.Core, nil)
|
||||||
|
|
||||||
config := &logical.BackendConfig{
|
config := &logical.BackendConfig{
|
||||||
Logger: logging.NewVaultLogger(log.Debug),
|
Logger: logging.NewVaultLogger(log.Debug),
|
||||||
|
|
3
changelog/12635.txt
Normal file
3
changelog/12635.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin.
|
||||||
|
```
|
|
@ -340,6 +340,8 @@ func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, polic
|
||||||
defer cancel()
|
defer cancel()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
|
||||||
|
|
||||||
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
|
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
|
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
|
||||||
|
|
|
@ -16,8 +16,9 @@ import (
|
||||||
"github.com/hashicorp/vault/sdk/logical"
|
"github.com/hashicorp/vault/sdk/logical"
|
||||||
)
|
)
|
||||||
|
|
||||||
var testPolicyName = "testpolicy"
|
var (
|
||||||
var rawTestPasswordPolicy = `
|
testPolicyName = "testpolicy"
|
||||||
|
rawTestPasswordPolicy = `
|
||||||
length = 20
|
length = 20
|
||||||
rule "charset" {
|
rule "charset" {
|
||||||
charset = "abcdefghijklmnopqrstuvwxyz"
|
charset = "abcdefghijklmnopqrstuvwxyz"
|
||||||
|
@ -31,6 +32,7 @@ rule "charset" {
|
||||||
charset = "0123456789"
|
charset = "0123456789"
|
||||||
min_chars = 1
|
min_chars = 1
|
||||||
}`
|
}`
|
||||||
|
)
|
||||||
|
|
||||||
func TestIdentity_BackendTemplating(t *testing.T) {
|
func TestIdentity_BackendTemplating(t *testing.T) {
|
||||||
var err error
|
var err error
|
||||||
|
@ -205,7 +207,7 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
ctx = namespace.RootContext(ctx)
|
ctx = namespace.RootContext(ctx)
|
||||||
dsv := dynamicSystemView{core: cluster.Cores[0].Core}
|
dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)
|
||||||
|
|
||||||
runeset := map[rune]bool{}
|
runeset := map[rune]bool{}
|
||||||
runesFound := []rune{}
|
runesFound := []rune{}
|
||||||
|
@ -272,11 +274,11 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
|
||||||
getErr: test.getErr,
|
getErr: test.getErr,
|
||||||
}
|
}
|
||||||
|
|
||||||
dsv := dynamicSystemView{
|
core := &Core{
|
||||||
core: &Core{
|
|
||||||
systemBarrierView: NewBarrierView(testStorage, "sys/"),
|
systemBarrierView: NewBarrierView(testStorage, "sys/"),
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
dsv := TestDynamicSystemView(core, nil)
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
|
actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
|
||||||
|
|
|
@ -434,12 +434,19 @@ func TestKeyCopy(key []byte) []byte {
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDynamicSystemView(c *Core) *dynamicSystemView {
|
func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
|
||||||
me := &MountEntry{
|
me := &MountEntry{
|
||||||
Config: MountConfig{
|
Config: MountConfig{
|
||||||
DefaultLeaseTTL: 24 * time.Hour,
|
DefaultLeaseTTL: 24 * time.Hour,
|
||||||
MaxLeaseTTL: 2 * 24 * time.Hour,
|
MaxLeaseTTL: 2 * 24 * time.Hour,
|
||||||
},
|
},
|
||||||
|
NamespaceID: namespace.RootNamespace.ID,
|
||||||
|
namespace: namespace.RootNamespace,
|
||||||
|
}
|
||||||
|
|
||||||
|
if ns != nil {
|
||||||
|
me.NamespaceID = ns.ID
|
||||||
|
me.namespace = ns
|
||||||
}
|
}
|
||||||
|
|
||||||
return &dynamicSystemView{c, me}
|
return &dynamicSystemView{c, me}
|
||||||
|
|
Loading…
Reference in a new issue