From 9543067ffe912458d71bdb603c7fa1501d1b5188 Mon Sep 17 00:00:00 2001
From: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Date: Fri, 18 Nov 2022 10:38:18 -0500
Subject: [PATCH] fix auth renew panic (#18011)
* fix auth renew panic
* CL
* adding a test step to a cert test for pathLoginRenew
---
 builtin/credential/cert/backend_test.go | 15 +++++++++++++++
 builtin/credential/cert/path_login.go | 2 +-
 builtin/credential/okta/path_login.go | 6 +++++-
 changelog/18011.txt | 3 +++
 4 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 changelog/18011.txt
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index 062fc156b..4365df477 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -456,6 +456,21 @@ func TestBackend_PermittedDNSDomainsIntermediateCA(t *testing.T) {
 if secret.Auth == nil || secret.Auth.ClientToken == "" {
 t.Fatalf("expected a successful authentication")
 }
+
+ // testing pathLoginRenew for cert auth
+ oldAccessor := secret.Auth.Accessor
+ newClient.SetToken(client.Token())
+ secret, err = newClient.Logical().Write("auth/token/renew-accessor", map[string]interface{}{
+ "accessor": secret.Auth.Accessor,
+ "increment": 3600,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if secret.Auth == nil || secret.Auth.ClientToken != "" || secret.Auth.LeaseDuration != 3600 || secret.Auth.Accessor != oldAccessor {
+ t.Fatalf("unexpected accessor renewal")
+ }
 }
 
 func TestBackend_MetadataBasedACLPolicy(t *testing.T) {
diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index dd70e739b..d2902b88e 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
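Review bot: The failure branch at the end of the added block, `t.Fatalf("unexpected accessor renewal")`, folds four distinct conditions into one message, so a failing run will not say whether the lease duration, the accessor or the token field was the one that went wrong; `t.Fatalf("unexpected accessor renewal: %+v", secret.Auth)` (or one Fatalf per condition) keeps the diagnosis cheap. The switch `newClient.SetToken(client.Token())` just before the renew call also deserves a one-line comment saying why the renewal is issued under a different token than the one just obtained — presumably because `auth/token/renew-accessor` has to be called by a token that is permitted to renew other tokens, but the hunk does not say. TestBackend_PermittedDNSDomainsIntermediateCA starts before this hunk.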
@@ -236,7 +236,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
 var certName string
 if req.Auth != nil {
 // It's a renewal, use the saved certName
 certName = req.Auth.Metadata["cert_name"]
- } else {
+ } else if d != nil { // d is nil if handleAuthRenew call the authRenew
 certName = d.Get("name").(string)
 }
diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
index c6b18f02d..0f8967576 100644
--- a/builtin/credential/okta/path_login.go
+++ b/builtin/credential/okta/path_login.go
@@ -143,7 +143,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 username := req.Auth.Metadata["username"]
 password := req.Auth.InternalData["password"].(string)
- nonce := d.Get("nonce").(string)
+
+ var nonce string
+ if d != nil {
+ nonce = d.Get("nonce").(string)
+ }
 
 cfg, err := b.getConfig(ctx, req)
 if err != nil {
diff --git a/changelog/18011.txt b/changelog/18011.txt
new file mode 100644
index 000000000..ed2251046
--- /dev/null
+++ b/changelog/18011.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/okta: fix a panic for AuthRenew in Okta
+```
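Review bot: With the new `} else if d != nil {`, a call that carries neither `req.Auth` nor field data now continues with an empty `certName` instead of panicking, and nothing in the hunk rejects that case; unless a check later in verifyCredentials fails closed on an empty name, an explicit error return for the "both nil" case is the safer shape for an auth backend than silently falling through. The trailing comment should also read `// d is nil when handleAuthRenew calls authRenew` so it states the contract rather than a half sentence. verifyCredentials continues outside the hunk, so the downstream handling of an empty name cannot be confirmed here.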
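Review bot: The unchecked assertion `password := req.Auth.InternalData["password"].(string)` two lines above the new nonce guard is the same panic class this commit fixes: a token whose internal data lacks the key, or holds it as a non-string, still crashes the renewal path. A comma-ok form, `password, ok := req.Auth.InternalData["password"].(string)`, followed by an error return when `!ok`, keeps renewal failing closed instead of taking the plugin down. When `d` is nil the new code also proceeds with an empty `nonce`; whether the Okta verification that follows accepts an empty nonce is outside the hunk, so a comment on the `var nonce string` line stating that this is the expected value on the handleAuthRenew path would help the next reader. pathLoginRenew continues outside the hunk.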