From 9aca33487ea5c4da624650d27fc8dfbd83ea3fea Mon Sep 17 00:00:00 2001
From: Vishal Nayak
Date: Thu, 31 May 2018 10:18:34 -0400
Subject: [PATCH] Passthrough EntityID to backends (#4663)
* passthrough entity id
* address review feedback
---
 vault/identity_store_test.go | 73 ++++++++++++++++++++++++++++++++++++
 vault/router.go | 9 -----
 2 files changed, 73 insertions(+), 9 deletions(-)
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
index 5c7f33819..bc418a4a5 100644
--- a/vault/identity_store_test.go
+++ b/vault/identity_store_test.go
@@ -5,10 +5,83 @@ import (
 "testing"
 "time"
+ uuid "github.com/hashicorp/go-uuid"
 credGithub "github.com/hashicorp/vault/builtin/credential/github"
 "github.com/hashicorp/vault/logical"
 )
+func TestIdentityStore_EntityIDPassthrough(t *testing.T) {
+ // Enable GitHub auth and initialize
+ is, ghAccessor, core := testIdentityStoreWithGithubAuth(t)
+ alias := &logical.Alias{
+ MountType: "github",
+ MountAccessor: ghAccessor,
+ Name: "githubuser",
+ }
+
+ // Create an entity with GitHub alias
+ entity, err := is.CreateOrFetchEntity(alias)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if entity == nil {
+ t.Fatalf("expected a non-nil entity")
+ }
+
+ // Create a token with the above created entity set on it
+ ent := &TokenEntry{
+ ID: "testtokenid",
+ Path: "test",
+ Policies: []string{"root"},
+ CreationTime: time.Now().Unix(),
+ EntityID: entity.ID,
+ }
+ if err := core.tokenStore.create(context.Background(), ent); err != nil {
+ t.Fatalf("err: %s", err)
+ }
+
+ // Set a request handler to the noop backend which responds with the entity
+ // ID received in the request object
+ requestHandler := func(ctx context.Context, req *logical.Request) (*logical.Response, error) {
+ return &logical.Response{
+ Data: map[string]interface{}{
+ "entity_id": req.EntityID,
+ },
+ }, nil
+ }
+
+ noop := &NoopBackend{
+ RequestHandler: requestHandler,
+ }
+
+ // Mount the noop backend
+ _, barrier, _ := mockBarrier(t)
+ view := NewBarrierView(barrier, "logical/")
+ meUUID, err := uuid.GenerateUUID()
+ if err != nil {
+ t.Fatal(err)
+ }
+ err = core.router.Mount(noop, "test/backend/", &MountEntry{Path: "test/backend/", Type: "noop", UUID: meUUID, Accessor: "noop-accessor"}, view)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Make the request with the above created token
+ resp, err := core.HandleRequest(&logical.Request{
+ ClientToken: "testtokenid",
+ Operation: logical.ReadOperation,
+ Path: "test/backend/foo",
+ })
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("bad: resp: 
%#v\n err: %v", resp, err)
+ }
+
+ // Expected entity ID to be in the response
+ if resp.Data["entity_id"] != entity.ID {
+ t.Fatalf("expected entity ID to be passed through to the backend")
+ }
+}
+
 func TestIdentityStore_CreateOrFetchEntity(t *testing.T) {
 is, ghAccessor, _ := testIdentityStoreWithGithubAuth(t)
 alias := &logical.Alias{
diff --git a/vault/router.go b/vault/router.go
index d79cc1633..249cce305 100644
--- a/vault/router.go
+++ b/vault/router.go
@@ -437,15 +437,6 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc
 originalEntityID := req.EntityID
- // Allow EntityID to passthrough to the system backend. This is required to
- // allow clients to generate MFA credentials in respective entity objects
- // in identity store via the system backend.
- switch {
- case strings.HasPrefix(originalPath, "sys/"):
- default:
- req.EntityID = ""
- }
- // Hash the request token unless the request is being routed to the token - // or system backend.
 clientToken := req.ClientToken
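Review bot: The final assertion in TestIdentityStore_EntityIDPassthrough dereferences `resp` without checking it is non-nil: the guard `if err != nil || (resp != nil && resp.IsError())` deliberately tolerates a nil response, so a backend that returns (nil, nil) turns the test into a nil-pointer panic rather than a readable failure; add `if resp == nil { t.Fatal("expected a response carrying entity_id") }` before `resp.Data["entity_id"]`. The test also only covers the positive case, a token bound to an entity. Since the router change makes `req.EntityID` visible to every mounted backend, a second request through the same noop mount with a token that has no EntityID, asserting the backend sees an empty `entity_id`, would pin that no stale or foreign entity ID reaches a non-system backend. Comparing via `resp.Data["entity_id"].(string)` and printing the got/want values in the Fatalf message would also make a mismatch diagnosable from the log alone.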
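Review bot: With the `sys/` switch deleted, the only documentation of why `req.EntityID` is forwarded is gone, and the new code leaves backends with no stated contract for the field; at the surviving `originalEntityID := req.EntityID` line add a comment such as `// EntityID is forwarded unchanged to every backend (previously only to sys/), so any mount, including external plugins, can see the caller's entity ID.` That widening of exposure from the system backend to every mount appears intended (the new test mounts a noop backend to observe it), but the commit message does not record the reason, so the comment is the right place to keep it. The captured `originalEntityID` is still assigned here; if its only later use was to restore the value that the removed `req.EntityID = ""` cleared, that restore and this variable are now dead and should go in the same change. routeCommon continues beyond this hunk, so I cannot confirm that from the diff.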