[VAULT-3519] Return no_default_policy on token role read (#12565)

* [VAULT-3519] Return no_default_policy on token role read if set

* [VAULT-3519] Add changelog

* [VAULT-3519] Always return token_no_default_policy on role read

* Fix broken test

* Update role read response in docs
This commit is contained in:
Pratyoy Mukhopadhyay 2021-09-21 09:53:08 -07:00 committed by GitHub
parent a538936367
commit 8e6698fb4a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 8 deletions

changelog/12565.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
core/token: Return the token_no_default_policy config on token role read if set
```


@ -3223,6 +3223,7 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
"renewable": role.Renewable, "renewable": role.Renewable,
"token_type": role.TokenType.String(), "token_type": role.TokenType.String(),
"allowed_entity_aliases": role.AllowedEntityAliases, "allowed_entity_aliases": role.AllowedEntityAliases,
"token_no_default_policy": role.TokenNoDefaultPolicy,
}, },
} }
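Review bot: The new `"token_no_default_policy": role.TokenNoDefaultPolicy` entry emits the key unconditionally (the test expectations that pin it to `false` confirm this), but the changelog entry added in this same commit, changelog/12565.txt, still says the value is returned "if set", which no longer matches the code. I would reword it to `core/token: Return the token_no_default_policy config on token role read` so readers do not infer that an absent key means the setting is off. Always emitting the key is the better behaviour for audit and drift-detection tooling, since a consumer can no longer confuse "not configured" with "not reported". The signature and the rest of tokenStoreRoleRead's body lie outside this hunk.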


@ -3194,6 +3194,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"token_type": "default-service", "token_type": "default-service",
"token_num_uses": 123, "token_num_uses": 123,
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3213,12 +3214,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
// automatically due to the existence check // automatically due to the existence check
req.Operation = logical.CreateOperation req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{ req.Data = map[string]interface{}{
"period": "79h", "period": "79h",
"allowed_policies": "test3", "allowed_policies": "test3",
"path_suffix": "happenin", "path_suffix": "happenin",
"renewable": false, "renewable": false,
"explicit_max_ttl": "80h", "explicit_max_ttl": "80h",
"token_num_uses": 0, "token_num_uses": 0,
"token_no_default_policy": true,
} }
resp, err = core.HandleRequest(namespace.RootContext(nil), req) resp, err = core.HandleRequest(namespace.RootContext(nil), req)
@ -3256,6 +3258,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "default-service", "token_type": "default-service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": true,
} }
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3308,6 +3311,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "default-service", "token_type": "default-service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": true,
} }
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" { if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@ -3326,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
// Update path_suffix and bound_cidrs with empty values // Update path_suffix and bound_cidrs with empty values
req.Operation = logical.CreateOperation req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{ req.Data = map[string]interface{}{
"path_suffix": "", "path_suffix": "",
"bound_cidrs": []string{}, "bound_cidrs": []string{},
"token_no_default_policy": false,
} }
resp, err = core.HandleRequest(namespace.RootContext(nil), req) resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) { if err != nil || (resp != nil && resp.IsError()) {
@ -3360,6 +3365,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "default-service", "token_type": "default-service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if diff := deep.Equal(expected, resp.Data); diff != nil { if diff := deep.Equal(expected, resp.Data); diff != nil {
@ -4428,6 +4434,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "batch", "token_type": "batch",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4483,6 +4490,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "default-service", "token_type": "default-service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4537,6 +4545,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "default-service", "token_type": "default-service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@ -4593,6 +4602,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false, "renewable": false,
"token_type": "service", "token_type": "service",
"allowed_entity_aliases": []string(nil), "allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
} }
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" { if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {


@ -636,6 +636,7 @@ $ curl \
"period": 0, "period": 0,
"renewable": true, "renewable": true,
"token_explicit_max_ttl": 0, "token_explicit_max_ttl": 0,
"token_no_default_policy": false,
"token_period": 0, "token_period": 0,
"token_type": "default-service" "token_type": "default-service"
}, },