From 241353a25fe1e07ce8cca2a8a362d7d58660e1ec Mon Sep 17 00:00:00 2001
From: Michel Vocks
Date: Mon, 13 May 2019 19:22:54 +0200
Subject: [PATCH] Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

---
 vault/token_store.go | 26 +++++++++++++-------------
 vault/token_store_test.go | 9 ++++-----
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/vault/token_store.go b/vault/token_store.go
index af9aba51ce29..c3cb153692f4 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -17,10 +17,10 @@ import (
 "github.com/golang/protobuf/proto"
 "github.com/hashicorp/errwrap"
 log "github.com/hashicorp/go-hclog"
- "github.com/hashicorp/go-sockaddr"
+ sockaddr "github.com/hashicorp/go-sockaddr"
- "github.com/armon/go-metrics"
- "github.com/hashicorp/go-multierror"
+ metrics "github.com/armon/go-metrics"
+ multierror "github.com/hashicorp/go-multierror"
 "github.com/hashicorp/vault/helper/identity"
 "github.com/hashicorp/vault/helper/namespace"
 "github.com/hashicorp/vault/sdk/framework"
@@ -1830,11 +1830,11 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 }
 var countAccessorList,
- countCubbyholeKeys,
- deletedCountAccessorEmptyToken,
- deletedCountAccessorInvalidToken,
- deletedCountInvalidTokenInAccessor,
- deletedCountInvalidCubbyholeKey int64
+ countCubbyholeKeys,
+ deletedCountAccessorEmptyToken,
+ deletedCountAccessorInvalidToken,
+ deletedCountInvalidTokenInAccessor,
+ deletedCountInvalidCubbyholeKey int64
 validCubbyholeKeys := make(map[string]bool)
@@ -2222,6 +2222,11 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 return logical.ErrorResponse("'entity_alias' is only allowed in combination with token role"), logical.ErrInvalidRequest
 }
+ // Check if provided entity alias name is in the allowed entity aliases list
+ if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) {
+ return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
+ }
+
 // Get mount accessor which is required to lookup entity alias
 mountValidationResp := ts.core.router.MatchingMountByAccessor(req.MountAccessor)
 if mountValidationResp == nil {
@@ -2255,11 +2260,6 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 // Set new entity id
 overwriteEntityID = newEntity.ID
 default:
- // Check if provided entity alias name is in the allowed entity aliases list
- if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) {
- return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
- }
-
 // Lookup entity
 entity, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
 if err != nil {
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 80828b287f7e..3d59be4d47b1 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -13,12 +13,11 @@ import (
 "testing"
 "time"
- "github.com/hashicorp/go-sockaddr"
-
 "github.com/go-test/deep"
 "github.com/hashicorp/errwrap"
- "github.com/hashicorp/go-hclog"
- "github.com/hashicorp/go-uuid"
+ hclog "github.com/hashicorp/go-hclog"
+ sockaddr "github.com/hashicorp/go-sockaddr"
+ uuid "github.com/hashicorp/go-uuid"
 "github.com/hashicorp/vault/helper/identity"
 "github.com/hashicorp/vault/helper/namespace"
 "github.com/hashicorp/vault/sdk/helper/locksutil"
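Review bot: The allow-list check added at the top of the hunk is now the only thing standing between a caller-supplied `entity_alias` and the identity store, but its comment still only describes the membership test, so nothing warns a later refactor against moving it back below `MatchingMountByAccessor` or the entity lookup. I would replace the comment with `// Reject aliases not on the role's allow-list before any mount or identity lookup, so a disallowed alias can never create an entity or alias as a side effect.` The same comment should note that `role` is safe to dereference here only because of the guard immediately above, which appears to return when no token role was supplied. Since `strutil.StrListContains` is an exact, case-sensitive string comparison, an alias differing only in case from an allowed entry is rejected; that is the safe default, but it is worth stating so operators do not expect normalisation. handleCreateCommon begins before and continues after this hunk.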
@@ -2719,7 +2718,7 @@ func TestTokenStore_HandleRequest_CreateToken_NonExistingEntityAlias(t *testing.
 "period": "72h",
 "path_suffix": "happenin",
 "bound_cidrs": []string{"0.0.0.0/0"},
- "allowed_entity_aliases": []string{"test1", "test2"},
+ "allowed_entity_aliases": []string{"test1", "test2", entityAliasName},
 },
 })
 if err != nil || (resp != nil && resp.IsError()) {
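Review bot: The only test change is to widen `allowed_entity_aliases` so the existing positive case keeps passing; nothing in the visible test asserts the property the commit message claims, namely that an alias absent from the list is rejected before any entity or alias is created. A companion case should register the role with the original `[]string{"test1", "test2"}`, submit the same create request, require `resp.IsError()` to be true with the `invalid 'entity_alias' value` message, and then confirm through the identity store that no alias named `entityAliasName` exists on the mount. Without that negative check a regression that moves the allow-list test back after the lookup would go unnoticed. The rest of TestTokenStore_HandleRequest_CreateToken_NonExistingEntityAlias lies outside this hunk, so how the request is issued and how the alias is later looked up is not visible here.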