

Moved entity alias check up so that the entity and entity alias are only created when the alias has been specified in the allowed_entity_aliases list
michelvocks committed May 14, 2019
1 parent 7611478 commit 241353a
Showing 2 changed files with 17 additions and 18 deletions.
26 changes: 13 additions & 13 deletions vault/token_store.go
Expand Up @@ -17,10 +17,10 @@ import (
"github.com/golang/protobuf/proto"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-sockaddr"
sockaddr "github.com/hashicorp/go-sockaddr"

"github.com/armon/go-metrics"
"github.com/hashicorp/go-multierror"
metrics "github.com/armon/go-metrics"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework"
Expand Down Expand Up @@ -1830,11 +1830,11 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
}

var countAccessorList,
countCubbyholeKeys,
deletedCountAccessorEmptyToken,
deletedCountAccessorInvalidToken,
deletedCountInvalidTokenInAccessor,
deletedCountInvalidCubbyholeKey int64
countCubbyholeKeys,
deletedCountAccessorEmptyToken,
deletedCountAccessorInvalidToken,
deletedCountInvalidTokenInAccessor,
deletedCountInvalidCubbyholeKey int64

validCubbyholeKeys := make(map[string]bool)

Expand Down Expand Up @@ -2222,6 +2222,11 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
return logical.ErrorResponse("'entity_alias' is only allowed in combination with token role"), logical.ErrInvalidRequest
}

// Check if provided entity alias name is in the allowed entity aliases list
if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) {
return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
}

// Get mount accessor which is required to lookup entity alias
mountValidationResp := ts.core.router.MatchingMountByAccessor(req.MountAccessor)
if mountValidationResp == nil {
Expand Down Expand Up @@ -2255,11 +2260,6 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
// Set new entity id
overwriteEntityID = newEntity.ID
default:
// Check if provided entity alias name is in the allowed entity aliases list
if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) {
return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
}

// Lookup entity
entity, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
if err != nil {
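Review bot: The allow-list check now at the top of the third hunk (`if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias)`) is an exact, case-sensitive string comparison, and the comment above it should say so, since this list is the only control between a caller holding token-create rights and the creation of a brand-new entity: `// Exact, case-sensitive match against the role's allowed_entity_aliases; reject before any entity or alias can be created`. Placing it ahead of the mount-accessor lookup is the right ordering, because the rejection now precedes CreateOrFetchEntity for every branch of the switch, which its old position inside the default case (removed in the last hunk of this file) did not guarantee for the new-entity branch. The `role` dereference appears to rely on the role-presence check implied by the response at the top of the hunk, which sits outside the hunk; handleCreateCommon begins and ends outside this hunk. The two import hunks and the reindented var block are formatting only.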
9 changes: 4 additions & 5 deletions vault/token_store_test.go
Expand Up @@ -13,12 +13,11 @@ import (
"testing"
"time"

"github.com/hashicorp/go-sockaddr"

"github.com/go-test/deep"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-uuid"
hclog "github.com/hashicorp/go-hclog"
sockaddr "github.com/hashicorp/go-sockaddr"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/locksutil"
Expand Down Expand Up @@ -2719,7 +2718,7 @@ func TestTokenStore_HandleRequest_CreateToken_NonExistingEntityAlias(t *testing.
"period": "72h",
"path_suffix": "happenin",
"bound_cidrs": []string{"0.0.0.0/0"},
"allowed_entity_aliases": []string{"test1", "test2"},
"allowed_entity_aliases": []string{"test1", "test2", entityAliasName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
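Review bot: Adding `entityAliasName` to `allowed_entity_aliases` turns this fixture into a positive-path case, so the rejection the commit relocates — an alias absent from the allow list must be refused before any entity is created — appears to have no test of its own unless it is covered elsewhere in the file. A companion case using the original fixture (`"allowed_entity_aliases": []string{"test1", "test2"}`) should assert an error response and then confirm that no entity or alias exists for the name afterwards, since the ordering is the substance of the fix. TestTokenStore_HandleRequest_CreateToken_NonExistingEntityAlias begins and ends outside this hunk; the import hunk is alias-only formatting.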
