adding existence check for roles

2017-12-15 19:50:20 -05:00 · 2017-12-15 19:50:20 -05:00 · b08606b320
parent b904d28d82
commit b08606b320
2 changed files with 45 additions and 14 deletions
--- a/builtin/logical/nomad/backend_test.go
+++ b/builtin/logical/nomad/backend_test.go
@ -63,7 +63,7 @@ func prepareTestContainer(t *testing.T) (cleanup func(), retAddress string, noma
 			t.Fatalf("err: %v", err)
 		}
 		nomadToken = aclbootstrap.SecretID
-		t.Log("[WARN] Generated Master token: %s", nomadToken)
+		t.Logf("[WARN] Generated Master token: %s", nomadToken)
 		policy := &nomadapi.ACLPolicy{
 			Name:        "test",
 			Description: "test",
@ -211,7 +211,7 @@ func TestBackend_renew_revoke(t *testing.T) {
 	if err := mapstructure.Decode(resp.Data, &d); err != nil {
 		t.Fatal(err)
 	}
-	t.Log("[WARN] Generated token: %s with accesor %s", d.Token, d.Accessor)
+	t.Logf("[WARN] Generated token: %s with accesor %s", d.Token, d.Accessor)

 	// Build a client and verify that the credentials work
 	nomadapiConfig := nomadapi.DefaultConfig()
--- a/builtin/logical/nomad/path_roles.go
+++ b/builtin/logical/nomad/path_roles.go
@ -1,6 +1,8 @@
 package nomad

 import (
+	"errors"
+
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@ -32,7 +34,6 @@ func pathRoles(b *backend) *framework.Path {

 			"global": &framework.FieldSchema{
 				Type:        framework.TypeBool,
-				Default:     false,
 				Description: "Boolean value describing if the token should be global or not. Defaults to false.",
 			},

@ -48,13 +49,31 @@ Defaults to 'client'.`,

 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   b.pathRolesRead,
+			logical.CreateOperation: b.pathRolesWrite,
 			logical.UpdateOperation: b.pathRolesWrite,
 			logical.DeleteOperation: b.pathRolesDelete,
 		},
+
+		ExistenceCheck: b.rolesExistenceCheck,
 	}
 }

+// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
+// Returning 'true' forces an UpdateOperation, CreateOperation otherwise.
+func (b *backend) rolesExistenceCheck(req *logical.Request, d *framework.FieldData) (bool, error) {
+	name := d.Get("name").(string)
+	entry, err := b.Role(req.Storage, name)
+	if err != nil {
+		return false, err
+	}
+	return entry != nil, nil
+}
+
 func (b *backend) Role(storage logical.Storage, name string) (*roleConfig, error) {
+	if name == "" {
+		return nil, errors.New("invalid role name")
+	}
+
 	entry, err := storage.Get("role/" + name)
 	if err != nil {
 		return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
@ -105,19 +124,30 @@ func (b *backend) pathRolesRead(

 func (b *backend) pathRolesWrite(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	tokenType := d.Get("type").(string)
 	name := d.Get("name").(string)
-	global := d.Get("global").(bool)
-	policies := d.Get("policies").([]string)

-	switch tokenType {
+	role, err := b.Role(req.Storage, name)
+	if err != nil {
+		return nil, err
+	}
+	if role == nil {
+		role = new(roleConfig)
+	}
+
+	policies, ok := d.GetOk("policies")
+	if ok {
+		role.Policies = policies.([]string)
+	}
+
+	role.TokenType = d.Get("type").(string)
+	switch role.TokenType {
 	case "client":
-		if len(policies) == 0 {
+		if len(role.Policies) == 0 {
 			return logical.ErrorResponse(
 				"policies cannot be empty when using client tokens"), nil
 		}
 	case "management":
-		if len(policies) != 0 {
+		if len(role.Policies) != 0 {
 			return logical.ErrorResponse(
 				"policies should be empty when using management tokens"), nil
 		}
@ -126,11 +156,12 @@ func (b *backend) pathRolesWrite(
 			`type must be "client" or "management"`), nil
 	}

-	entry, err := logical.StorageEntryJSON("role/"+name, roleConfig{
-		Policies:  policies,
-		TokenType: tokenType,
-		Global:    global,
-	})
+	global, ok := d.GetOk("global")
+	if ok {
+		role.Global = global.(bool)
+	}
+
+	entry, err := logical.StorageEntryJSON("role/"+name, role)
 	if err != nil {
 		return nil, err
 	}