core: set namespace within GeneratePasswordFromPolicy (#12635) (#12649)
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
calvn authored Sep 27, 2021
1 parent 0fd0699 commit 2d8e2d3
Showing 7 changed files with 25 additions and 11 deletions.
2 changes: 1 addition & 1 deletion builtin/logical/database/backend_test.go
Expand Up @@ -45,7 +45,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {

os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)

sys := vault.TestDynamicSystemView(cores[0].Core)
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")
2 changes: 1 addition & 1 deletion builtin/logical/database/dbplugin/plugin_test.go
Expand Up @@ -109,7 +109,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
cluster.Start()
cores := cluster.Cores

sys := vault.TestDynamicSystemView(cores[0].Core)
sys := vault.TestDynamicSystemView(cores[0].Core, nil)
vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")

return cluster, sys
2 changes: 1 addition & 1 deletion builtin/plugin/backend_test.go
Expand Up @@ -80,7 +80,7 @@ func testConfig(t *testing.T) (*logical.BackendConfig, func()) {

core := cores[0]

sys := vault.TestDynamicSystemView(core.Core)
sys := vault.TestDynamicSystemView(core.Core, nil)

config := &logical.BackendConfig{
Logger: logging.NewVaultLogger(log.Debug),
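--- a/changelog/12635.txt
+++ b/changelog/12635.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin.
+```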
2 changes: 2 additions & 0 deletions vault/dynamic_system_view.go
Expand Up @@ -340,6 +340,8 @@ func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, polic
defer cancel()
}

ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())

policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
if err != nil {
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
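Review bot: The new `ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())` dereferences `d.mountEntry` without a nil check, and the test diff in this same commit shows `dynamicSystemView{core: ...}` literals that carried no mount entry until now, so any remaining construction of that shape would reach this line with a nil entry (whether `Namespace()` tolerates a nil receiver is outside the hunk). Whatever namespace the caller's ctx carried is replaced rather than merged, which looks like the right direction for a server-side lookup — the mount's own namespace rather than one supplied by a plugin decides which policies are visible — but that choice deserves a why-comment, e.g. `// Resolve the policy in the mount's own namespace; per the changelog, callers outside a request callback or in an external plugin arrive with a ctx that carries none.` Both the start and the end of GeneratePasswordFromPolicy lie outside the hunk.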
16 changes: 9 additions & 7 deletions vault/dynamic_system_view_test.go
Expand Up @@ -16,8 +16,9 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)

var testPolicyName = "testpolicy"
var rawTestPasswordPolicy = `
var (
testPolicyName = "testpolicy"
rawTestPasswordPolicy = `
length = 20
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
Expand All @@ -31,6 +32,7 @@ rule "charset" {
charset = "0123456789"
min_chars = 1
}`
)

func TestIdentity_BackendTemplating(t *testing.T) {
var err error
Expand Down Expand Up @@ -205,7 +207,7 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
defer cancel()

ctx = namespace.RootContext(ctx)
dsv := dynamicSystemView{core: cluster.Cores[0].Core}
dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)

runeset := map[rune]bool{}
runesFound := []rune{}
Expand Down Expand Up @@ -272,11 +274,11 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
getErr: test.getErr,
}

dsv := dynamicSystemView{
core: &Core{
systemBarrierView: NewBarrierView(testStorage, "sys/"),
},
core := &Core{
systemBarrierView: NewBarrierView(testStorage, "sys/"),
}
dsv := TestDynamicSystemView(core, nil)

ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel()
actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
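Review bot: Every updated caller passes `nil` as the new ns argument (L100 and L115 here, plus the three backend test files), so the non-root namespace path that this commit exists to fix is not exercised by any test in the diff. The successful-case test also still wraps ctx in `namespace.RootContext` at L98, which the root-namespace mount entry now appears to make redundant, though retrievePasswordPolicy is outside the hunk so it may still matter there. If a non-root fixture is not available in this repository (the changelog marks the fix as enterprise), a comment on one of the calls, e.g. `// nil selects the root namespace; the non-root case is not covered here`, would record the gap for the next reader. The enclosing test functions start and end outside these hunks.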
9 changes: 8 additions & 1 deletion vault/testing.go
Expand Up @@ -434,12 +434,19 @@ func TestKeyCopy(key []byte) []byte {
return result
}

func TestDynamicSystemView(c *Core) *dynamicSystemView {
func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
me := &MountEntry{
Config: MountConfig{
DefaultLeaseTTL: 24 * time.Hour,
MaxLeaseTTL: 2 * 24 * time.Hour,
},
NamespaceID: namespace.RootNamespace.ID,
namespace: namespace.RootNamespace,
}

if ns != nil {
me.NamespaceID = ns.ID
me.namespace = ns
}

return &dynamicSystemView{c, me}
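Review bot: `TestDynamicSystemView` is exported but carries no doc comment, and the namespace pair is now assigned twice — the root defaults at L134-135 and the override at L139-140. Defaulting the parameter first removes the duplication: `if ns == nil { ns = namespace.RootNamespace }` ahead of the literal, then `NamespaceID: ns.ID, namespace: ns,` inside it, and the trailing if block goes away. A doc comment such as `// TestDynamicSystemView returns a dynamicSystemView for c backed by a test mount entry; ns selects the mount's namespace and defaults to the root namespace when nil.` would document the new parameter. The function's closing brace is outside the hunk.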
