Fix cubbyhole and token revocation for legacy service tokens (#19416)

* Fix cubbyhole and revocation for legacy service tokens

Legacy service tokens generated in Vault 1.10+ with env var
VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS=true are not assigned
a cubbyhole ID. The implication is that cubbyhole/ cannot be
used, nor can the tokens be revoked.

This commit assigns a cubbyhole ID to these tokens and adds
a new test case to verify that cubbyhole and revocation work correctly.

* add changelog

* add godoc to test cases
nsimons 2023-03-06 22:09:45 +02:00 committed by GitHub
parent 79c0619f14
commit d91d2ceaf8
3 changed files with 18 additions and 1 deletions

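--- /dev/null
+++ b/changelog/19416.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: Fix cubbyhole and revocation for legacy service tokens
+```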


@ -1105,7 +1105,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
entry.ID = fmt.Sprintf("%s.%s", entry.ID, tokenNS.ID) entry.ID = fmt.Sprintf("%s.%s", entry.ID, tokenNS.ID)
} }
if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) { if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) || strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) {
if entry.CubbyholeID == "" { if entry.CubbyholeID == "" {
cubbyholeID, err := base62.Random(TokenLength) cubbyholeID, err := base62.Random(TokenLength)
if err != nil { if err != nil {
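Review bot: The three-clause condition on the changed `if` line now runs well past a screen width and nothing in the hunk says why the two prefix checks are there; give it a name, e.g. `needsCubbyhole := tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) || strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix)` preceded by `// Service tokens (SSC or legacy) and every token outside the root namespace get a cubbyhole; without one the token cannot be revoked.` The commit message is currently the only place recording that a missing cubbyhole ID also blocks revocation, and that belongs next to the code since any future token prefix format would silently reintroduce the same gap. Tokens matching none of the clauses (presumably batch tokens) still skip cubbyhole assignment, which looks intended but is not commented. `create` starts before the hunk and continues after it.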


@ -50,8 +50,22 @@ func TestTokenStore_CreateOrphanResponse(t *testing.T) {
} }
} }
// TestTokenStore_CubbyholeDeletion tests that a token's cubbyhole
// can be used and that the cubbyhole is removed after the token is revoked.
func TestTokenStore_CubbyholeDeletion(t *testing.T) { func TestTokenStore_CubbyholeDeletion(t *testing.T) {
c, _, root := TestCoreUnsealed(t) c, _, root := TestCoreUnsealed(t)
testTokenStore_CubbyholeDeletion(t, c, root)
}
// TestTokenStore_CubbyholeDeletionSSCTokensDisabled tests that a legacy token's
// cubbyhole can be used, and that the cubbyhole is removed after the token is revoked.
func TestTokenStore_CubbyholeDeletionSSCTokensDisabled(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
c.disableSSCTokens = true
testTokenStore_CubbyholeDeletion(t, c, root)
}
func testTokenStore_CubbyholeDeletion(t *testing.T, c *Core, root string) {
ts := c.tokenStore ts := c.tokenStore
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
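Review bot: `testTokenStore_CubbyholeDeletion` at the end of the hunk takes a `*testing.T` but never calls `t.Helper()`, so a failure in the shared body is reported at the helper's line instead of at whichever of the two tests set up the core; add `t.Helper()` as its first statement. The helper also lacks a doc comment while both callers now have one; a line such as `// testTokenStore_CubbyholeDeletion is the shared body for the cubbyhole tests: it exercises the tokens' cubbyholes and checks they are removed after revocation.` would keep the file consistent. Setting `c.disableSSCTokens = true` right after `TestCoreUnsealed` presumably switches token generation to the legacy format for the rest of the test; if that flag is consulted during unseal rather than on each create, the new test would silently exercise the SSC path, so it may be worth asserting that a created token carries the legacy prefix. The helper's body continues beyond the hunk.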