SSCT Optimizations (OSS) (#14323)
* update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
This commit is contained in:
Hridoy Roy
GitHub
parent
ed8240fb05
commit
d8155aa7c4
|
|
@ -87,7 +87,7 @@ func TestLoginCommand_Run(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l != exp {
|
||||
if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp {
|
||||
t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken)
|
||||
}
|
||||
})
|
||||
|
|
|
|||
|
|
@ -100,12 +100,12 @@ func SplitIDFromString(input string) (string, string) {
|
|||
slashIdx := strings.LastIndex(input, "/")
|
||||
|
||||
switch {
|
||||
case strings.HasPrefix(input, "b."):
|
||||
prefix = "b."
|
||||
case strings.HasPrefix(input, consts.LegacyBatchTokenPrefix):
|
||||
prefix = consts.LegacyBatchTokenPrefix
|
||||
input = input[2:]
|
||||
|
||||
case strings.HasPrefix(input, "s."):
|
||||
prefix = "s."
|
||||
case strings.HasPrefix(input, consts.LegacyServiceTokenPrefix):
|
||||
prefix = consts.LegacyServiceTokenPrefix
|
||||
input = input[2:]
|
||||
case strings.HasPrefix(input, consts.BatchTokenPrefix):
|
||||
prefix = consts.BatchTokenPrefix
|
||||
|
|
|
|||
|
|
@ -175,7 +175,10 @@ func TestCore_UseSSCTokenToggleOn(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -202,7 +205,7 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
|
|||
DisableSSCTokens: true,
|
||||
}
|
||||
c, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
|
||||
if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, "s.") {
|
||||
if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) {
|
||||
t.Fatalf("token is not an old token type: %s, %d", root, len(root))
|
||||
}
|
||||
c.disableSSCTokens = false
|
||||
|
|
@ -227,7 +230,10 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -457,7 +463,10 @@ func TestCore_HandleRequest_Lease(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -500,7 +509,10 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -543,7 +555,10 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(ctx, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1034,7 +1049,10 @@ func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
|
|||
ClientToken: root,
|
||||
}
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
|
@ -2087,7 +2105,10 @@ func TestCore_RenewSameLease(t *testing.T) {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -2259,7 +2280,10 @@ path "secret/*" {
|
|||
// Read the key
|
||||
req.Operation = logical.ReadOperation
|
||||
req.Data = nil
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = c.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = c.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
|
|||
|
|
@ -2476,8 +2476,10 @@ func TestExpiration_RevokeForce(t *testing.T) {
|
|||
Path: "badrenew/creds",
|
||||
ClientToken: root,
|
||||
}
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
|
@ -2525,8 +2527,10 @@ func TestExpiration_RevokeForceSingle(t *testing.T) {
|
|||
Path: "badrenew/creds",
|
||||
ClientToken: root,
|
||||
}
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
|
|
|||
|
|
@ -1013,7 +1013,10 @@ func TestSystemBackend_leases(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1060,7 +1063,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1109,7 +1115,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
|
|||
// Generate multiple leases
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1120,7 +1129,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
|
|||
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1160,7 +1172,10 @@ func TestSystemBackend_leases_list(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1208,7 +1223,10 @@ func TestSystemBackend_renew(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1245,7 +1263,10 @@ func TestSystemBackend_renew(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1374,7 +1395,10 @@ func TestSystemBackend_revoke(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1406,7 +1430,10 @@ func TestSystemBackend_revoke(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1429,7 +1456,10 @@ func TestSystemBackend_revoke(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1519,7 +1549,10 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1568,7 +1601,10 @@ func TestSystemBackend_revokePrefix_origUrl(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
|
|||
|
|
@ -448,7 +448,10 @@ func TestRequestHandling_SecretLeaseMetric(t *testing.T) {
|
|||
// Read a key with a LeaseID
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
||||
req.ClientToken = root
|
||||
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
|
||||
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
|
|||
|
|
@ -603,7 +603,7 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc
|
|||
}
|
||||
|
||||
switch {
|
||||
case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, "s.") &&
|
||||
case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, consts.LegacyServiceTokenPrefix) &&
|
||||
!strings.HasPrefix(req.ClientToken, consts.ServiceTokenPrefix):
|
||||
// In order for the token store to revoke later, we need to have the same
|
||||
// salted ID, so we double-salt what's going to the cubbyhole backend
|
||||
|
|
|
|||
|
|
@ -898,7 +898,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
|
|||
switch {
|
||||
case strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix):
|
||||
return fmt.Errorf("custom token ID cannot have the 'hvs.' prefix")
|
||||
case strings.HasPrefix(entry.ID, "s."):
|
||||
case strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix):
|
||||
return fmt.Errorf("custom token ID cannot have the 's.' prefix")
|
||||
case strings.Contains(entry.ID, "."):
|
||||
return fmt.Errorf("custom token ID cannot have a '.' in the value")
|
||||
|
|
@ -1260,7 +1260,7 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr
|
|||
}
|
||||
|
||||
func (ts *TokenStore) stripBatchPrefix(id string) string {
|
||||
if strings.HasPrefix(id, "b.") {
|
||||
if strings.HasPrefix(id, consts.LegacyBatchTokenPrefix) {
|
||||
return id[2:]
|
||||
}
|
||||
if strings.HasPrefix(id, consts.BatchTokenPrefix) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue