[VAULT-3519] Return no_default_policy on token role read (#12565)

* [VAULT-3519] Return no_default_policy on token role read if set * [VAULT-3519] Add changelog * [VAULT-3519] Always return token_no_default_policy on role read * Fix broken test * Update role read response in docs
2021-09-21 09:53:08 -07:00 · 2021-09-21 09:53:08 -07:00 · 8e6698fb4a
parent a538936367
commit 8e6698fb4a
4 changed files with 23 additions and 8 deletions
--- a/changelog/12565.txt
+++ b/changelog/12565.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+core/token: Return the token_no_default_policy config on token role read if set
+```
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -3223,6 +3223,7 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 			"renewable":                role.Renewable,
 			"token_type":               role.TokenType.String(),
 			"allowed_entity_aliases":   role.AllowedEntityAliases,
+			"token_no_default_policy":  role.TokenNoDefaultPolicy,
 		},
 	}

--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -3194,6 +3194,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"token_type":               "default-service",
 		"token_num_uses":           123,
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  false,
 	}

 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3213,12 +3214,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	// automatically due to the existence check
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"period":           "79h",
-		"allowed_policies": "test3",
-		"path_suffix":      "happenin",
-		"renewable":        false,
-		"explicit_max_ttl": "80h",
-		"token_num_uses":   0,
+		"period":                  "79h",
+		"allowed_policies":        "test3",
+		"path_suffix":             "happenin",
+		"renewable":               false,
+		"explicit_max_ttl":        "80h",
+		"token_num_uses":          0,
+		"token_no_default_policy": true,
 	}

 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
@ -3256,6 +3258,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  true,
 	}

 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3308,6 +3311,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  true,
 	}

 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3326,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	// Update path_suffix and bound_cidrs with empty values
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"path_suffix": "",
-		"bound_cidrs": []string{},
+		"path_suffix":             "",
+		"bound_cidrs":             []string{},
+		"token_no_default_policy": false,
 	}
 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
 	if err != nil || (resp != nil && resp.IsError()) {
@ -3360,6 +3365,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  false,
 	}

 	if diff := deep.Equal(expected, resp.Data); diff != nil {
@ -4428,6 +4434,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "batch",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}

 		if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4483,6 +4490,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "default-service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}

 		if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4537,6 +4545,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "default-service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}

 		if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4593,6 +4602,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}

 		if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
--- a/website/content/api-docs/auth/token.mdx
+++ b/website/content/api-docs/auth/token.mdx
@ -636,6 +636,7 @@ $ curl \
    "period": 0,
    "renewable": true,
    "token_explicit_max_ttl": 0,
+    "token_no_default_policy": false,
    "token_period": 0,
    "token_type": "default-service"
  },