VAULT-5094: Deal with identity_policies Set to nil in Secret Data Field (#20636)
* fix: deal with identity_policies set to nil * add changelog file
This commit is contained in:
parent
ea3441333a
commit
c61941c443
|
@ -150,8 +150,8 @@ TOKEN_DONE:
|
||||||
|
|
||||||
// Identity policies
|
// Identity policies
|
||||||
{
|
{
|
||||||
_, ok := s.Data["identity_policies"]
|
v, ok := s.Data["identity_policies"]
|
||||||
if !ok {
|
if !ok || v == nil {
|
||||||
goto DONE
|
goto DONE
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,208 @@
|
||||||
|
package api
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestTokenPolicies(t *testing.T) {
|
||||||
|
var s *Secret
|
||||||
|
|
||||||
|
// Verify some of the short-circuit paths in the function
|
||||||
|
if policies, err := s.TokenPolicies(); policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
s = &Secret{}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = &SecretAuth{}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth.Policies = []string{}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth.Policies = []string{"test"}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); policies == nil {
|
||||||
|
t.Error("policies was nil")
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data = make(map[string]interface{})
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that s.Data["policies"] are properly processed
|
||||||
|
{
|
||||||
|
policyList := make([]string, 0)
|
||||||
|
s.Data["policies"] = policyList
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
policyList = append(policyList, "policy1", "policy2")
|
||||||
|
s.Data["policies"] = policyList
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policyList) != 2 {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Do it again but with an interface{} slice
|
||||||
|
{
|
||||||
|
s.Auth = nil
|
||||||
|
policyList := make([]interface{}, 0)
|
||||||
|
s.Data["policies"] = policyList
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
policyItems := make([]interface{}, 2)
|
||||||
|
policyItems[0] = "policy1"
|
||||||
|
policyItems[1] = "policy2"
|
||||||
|
|
||||||
|
policyList = append(policyList, policyItems...)
|
||||||
|
s.Data["policies"] = policyList
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policies) != 2 {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data["policies"] = 7.0
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err == nil {
|
||||||
|
t.Error("err was nil")
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data["policies"] = []int{2, 3, 5, 8, 13}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err == nil {
|
||||||
|
t.Error("err was nil")
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data["policies"] = nil
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that logic that merges s.Data["policies"] and s.Data["identity_policies"] works
|
||||||
|
{
|
||||||
|
policyList := []string{"policy1", "policy2", "policy3"}
|
||||||
|
s.Data["policies"] = policyList[:1]
|
||||||
|
s.Data["identity_policies"] = "not_a_slice"
|
||||||
|
s.Auth = nil
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err == nil {
|
||||||
|
t.Error("err was nil")
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Data["identity_policies"] = policyList[1:]
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Do it again but with an interface{} slice
|
||||||
|
{
|
||||||
|
policyList := []interface{}{"policy1", "policy2", "policy3"}
|
||||||
|
s.Data["policies"] = policyList[:1]
|
||||||
|
s.Data["identity_policies"] = "not_a_slice"
|
||||||
|
s.Auth = nil
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err == nil {
|
||||||
|
t.Error("err was nil")
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Data["identity_policies"] = policyList[1:]
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
|
||||||
|
} else if err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data["identity_policies"] = []int{2, 3, 5, 8, 13}
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err == nil {
|
||||||
|
t.Error("err was nil")
|
||||||
|
} else if policies != nil {
|
||||||
|
t.Errorf("policies was not nil, got %v", policies)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
s.Auth = nil
|
||||||
|
s.Data["policies"] = []string{"policy1"}
|
||||||
|
s.Data["identity_policies"] = nil
|
||||||
|
|
||||||
|
if policies, err := s.TokenPolicies(); err != nil {
|
||||||
|
t.Errorf("err was not nil, got %v", err)
|
||||||
|
} else if len(policies) != 1 {
|
||||||
|
t.Errorf("expecting policies length %d, got %d", 1, len(policies))
|
||||||
|
} else if s.Auth == nil {
|
||||||
|
t.Error("Auth field is still nil")
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
api: Properly Handle nil identity_policies in Secret Data
|
||||||
|
```
|
Loading…
Reference in New Issue