From 8e6698fb4affb0dc6544ab4808d86b2cc4a41987 Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com> Date: Tue, 21 Sep 2021 09:53:08 -0700 Subject: [PATCH] [VAULT-3519] Return no_default_policy on token role read (#12565) * [VAULT-3519] Return no_default_policy on token role read if set * [VAULT-3519] Add changelog * [VAULT-3519] Always return token_no_default_policy on role read * Fix broken test * Update role read response in docs --- changelog/12565.txt | 3 +++ vault/token_store.go | 1 + vault/token_store_test.go | 26 +++++++++++++++++-------- website/content/api-docs/auth/token.mdx | 1 + 4 files changed, 23 insertions(+), 8 deletions(-) create mode 100644 changelog/12565.txt diff --git a/changelog/12565.txt b/changelog/12565.txt new file mode 100644 index 000000000..a125950e3 --- /dev/null +++ b/changelog/12565.txt @@ -0,0 +1,3 @@ +```release-note:improvement +core/token: Return the token_no_default_policy config on token role read if set +``` \ No newline at end of file diff --git a/vault/token_store.go b/vault/token_store.go index 0fd011a01..6b0cb754b 100644 --- a/vault/token_store.go +++ b/vault/token_store.go @@ -3223,6 +3223,7 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque "renewable": role.Renewable, "token_type": role.TokenType.String(), "allowed_entity_aliases": role.AllowedEntityAliases, + "token_no_default_policy": role.TokenNoDefaultPolicy, }, } diff --git a/vault/token_store_test.go b/vault/token_store_test.go index 4a4bf5557..a45b6c37b 100644 --- a/vault/token_store_test.go +++ b/vault/token_store_test.go @@ -3194,6 +3194,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) { "token_type": "default-service", "token_num_uses": 123, "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { @@ -3213,12 +3214,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) { // automatically due to the existence check req.Operation = logical.CreateOperation req.Data = map[string]interface{}{ - "period": "79h", - "allowed_policies": "test3", - "path_suffix": "happenin", - "renewable": false, - "explicit_max_ttl": "80h", - "token_num_uses": 0, + "period": "79h", + "allowed_policies": "test3", + "path_suffix": "happenin", + "renewable": false, + "explicit_max_ttl": "80h", + "token_num_uses": 0, + "token_no_default_policy": true, } resp, err = core.HandleRequest(namespace.RootContext(nil), req) @@ -3256,6 +3258,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) { "renewable": false, "token_type": "default-service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": true, } if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { @@ -3308,6 +3311,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) { "renewable": false, "token_type": "default-service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": true, } if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { @@ -3326,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) { // Update path_suffix and bound_cidrs with empty values req.Operation = logical.CreateOperation req.Data = map[string]interface{}{ - "path_suffix": "", - "bound_cidrs": []string{}, + "path_suffix": "", + "bound_cidrs": []string{}, + "token_no_default_policy": false, } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil || (resp != nil && resp.IsError()) { @@ -3360,6 +3365,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) { "renewable": false, "token_type": "default-service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if diff := deep.Equal(expected, resp.Data); diff != nil { @@ -4428,6 +4434,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) { "renewable": false, "token_type": "batch", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { @@ -4483,6 +4490,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) { "renewable": false, "token_type": "default-service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { @@ -4537,6 +4545,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) { "renewable": false, "token_type": "default-service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { @@ -4593,6 +4602,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) { "renewable": false, "token_type": "service", "allowed_entity_aliases": []string(nil), + "token_no_default_policy": false, } if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { diff --git a/website/content/api-docs/auth/token.mdx b/website/content/api-docs/auth/token.mdx index 8bee69c6b..ae3f5201c 100644 --- a/website/content/api-docs/auth/token.mdx +++ b/website/content/api-docs/auth/token.mdx @@ -636,6 +636,7 @@ $ curl \ "period": 0, "renewable": true, "token_explicit_max_ttl": 0, + "token_no_default_policy": false, "token_period": 0, "token_type": "default-service" },