core: set namespace within GeneratePasswordFromPolicy (#12635)

* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
Calvin Leung Huang 2021-09-27 09:08:07 -07:00 committed by GitHub
parent 3826042daf
commit 7ad62f5be4
7 changed files with 25 additions and 11 deletions


@ -45,7 +45,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
sys := vault.TestDynamicSystemView(cores[0].Core)
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")


@ -109,7 +109,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
cluster.Start()
cores := cluster.Cores
sys := vault.TestDynamicSystemView(cores[0].Core)
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")
return cluster, sys


@ -80,7 +80,7 @@ func testConfig(t *testing.T) (*logical.BackendConfig, func()) {
core := cores[0]
sys := vault.TestDynamicSystemView(core.Core)
sys := vault.TestDynamicSystemView(core.Core, nil)
config := &logical.BackendConfig{
Logger: logging.NewVaultLogger(log.Debug),

changelog/12635.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin.
```


@ -340,6 +340,8 @@ func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, polic
defer cancel()
}
ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
if err != nil {
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
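Review bot: The added `ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())` unconditionally replaces whatever namespace the caller's ctx already carried, and it dereferences `d.mountEntry` with no nil guard; the test changes in this commit that drop the `dynamicSystemView{core: ...}` literal suggest a view without a mount entry is no longer usable here. Overriding the caller's namespace looks intentional — the policy must be resolved in the namespace that owns the mount rather than in whatever namespace an external plugin or out-of-request caller passed — so a one-line comment would keep the next reader from "fixing" it, e.g. `// Resolve the policy in the namespace owning this mount, regardless of any namespace already in ctx.` If a nil mountEntry is reachable outside tests, an explicit `if d.mountEntry == nil { return "", fmt.Errorf("system view has no mount entry") }` before this line would fail clearly instead of panicking. GeneratePasswordFromPolicy's body starts before and continues after this hunk.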


@ -16,8 +16,9 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)
var testPolicyName = "testpolicy"
var rawTestPasswordPolicy = `
var (
testPolicyName = "testpolicy"
rawTestPasswordPolicy = `
length = 20
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
@ -31,6 +32,7 @@ rule "charset" {
charset = "0123456789"
min_chars = 1
}`
)
func TestIdentity_BackendTemplating(t *testing.T) {
var err error
@ -205,7 +207,7 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
defer cancel()
ctx = namespace.RootContext(ctx)
dsv := dynamicSystemView{core: cluster.Cores[0].Core}
dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)
runeset := map[rune]bool{}
runesFound := []rune{}
@ -272,11 +274,11 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
getErr: test.getErr,
}
dsv := dynamicSystemView{
core: &Core{
core := &Core{
systemBarrierView: NewBarrierView(testStorage, "sys/"),
},
}
dsv := TestDynamicSystemView(core, nil)
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel()
actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
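Review bot: The successful-generation test at the `dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)` line passes a nil namespace, so the mount entry defaults to the root namespace and the namespace override this commit adds to GeneratePasswordFromPolicy is exercised only for root — the case that already worked. The `ctx = namespace.RootContext(ctx)` line above it is now effectively redundant for that call, since the view re-derives the namespace from its mount entry. A companion test that passes a non-root namespace (or, if one cannot be constructed in this build, a comment in the test noting that the non-root path is covered elsewhere) would pin the fix the changelog describes. Both test functions touched in this section start before their hunks.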


@ -434,12 +434,19 @@ func TestKeyCopy(key []byte) []byte {
return result
}
func TestDynamicSystemView(c *Core) *dynamicSystemView {
func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
me := &MountEntry{
Config: MountConfig{
DefaultLeaseTTL: 24 * time.Hour,
MaxLeaseTTL: 2 * 24 * time.Hour,
},
NamespaceID: namespace.RootNamespace.ID,
namespace: namespace.RootNamespace,
}
if ns != nil {
me.NamespaceID = ns.ID
me.namespace = ns
}
return &dynamicSystemView{c, me}
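Review bot: `return &dynamicSystemView{c, me}` uses an unkeyed composite literal, so adding or reordering a field in dynamicSystemView silently changes which value lands where; `return &dynamicSystemView{core: c, mountEntry: me}` (the field names used elsewhere in this commit) is safer. The exported helper also lacks a doc comment now that its contract has a second parameter; something like `// TestDynamicSystemView returns a dynamicSystemView for c whose mount entry lives in ns, or in the root namespace when ns is nil.` would document the default implemented by the `if ns != nil` block. The function's closing brace falls outside the hunk.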