Merge pull request #567 from hobbeswalsh/master

Spaces in displayName break AWS IAM

builtin/logical/aws/secret_access_keys.go

@@ -3,6 +3,7 @@ package aws
 import (
 	"fmt"
 	"math/rand"
+	"regexp"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -46,7 +47,7 @@ func (b *backend) secretAccessKeysCreate(
 
 	// Generate a random username. We don't put the policy names in the
 	// username because the AWS console makes it pretty easy to see that.
-	username := fmt.Sprintf("vault-%s-%d-%d", displayName, time.Now().Unix(), rand.Int31n(10000))
+	username := fmt.Sprintf("vault-%s-%d-%d", normalizeDisplayName(displayName), time.Now().Unix(), rand.Int31n(10000))
 
 	// Write to the WAL that this user will be created. We do this before
 	// the user is created because if switch the order then the WAL put
@@ -141,3 +142,8 @@ func secretAccessKeysRevoke(
 
 	return nil, nil
 }
+
+func normalizeDisplayName(displayName string) string {
+	re := regexp.MustCompile("[^a-zA-Z+=,.@_-]")
+	return re.ReplaceAllString(displayName, "_")
+}

builtin/logical/aws/secret_access_keys_test.go

@@ -0,0 +1,25 @@
+package aws
+
+import (
+	"testing"
+)
+
+func TestNormalizeDisplayName(t *testing.T) {
+	invalidName := "^#$test name\nshould be normalized)(*"
+	expectedName := "___test_name_should_be_normalized___"
+	normalizedName := normalizeDisplayName(invalidName)
+	if normalizedName != expectedName {
+		t.Fatalf(
+			"normalizeDisplayName does not normalize AWS name correctly: %s",
+			normalizedName)
+	}
+
+	validName := "test_name_should_normalize_to_itself@example.com"
+	normalizedValidName := normalizeDisplayName(validName)
+	if normalizedValidName != validName {
+		t.Fatalf(
+			"normalizeDisplayName erroneously normalizes valid names: %s",
+			normalizedName)
+	}
+
+}