Handle period's zero value in token store's token creation (#3880)
* Handle period's zero value on handleCreateCommon

* Add test for period zero value
calvn authored Feb 1, 2018
1 parent 7cc193d commit 75ed6b9
Showing 2 changed files with 26 additions and 7 deletions.
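--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1823,19 +1823,23 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 
 var periodToUse time.Duration
 if data.Period != "" {
-if !isSudo {
-return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
-logical.ErrInvalidRequest
-}
 dur, err := parseutil.ParseDurationSecond(data.Period)
 if err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
-if dur < 0 {
+
+switch {
+case dur < 0:
 return logical.ErrorResponse("period must be positive"), logical.ErrInvalidRequest
+case dur == 0:
+default:
+if !isSudo {
+return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
+logical.ErrInvalidRequest
+}
+te.Period = dur
+periodToUse = dur
 }
-te.Period = dur
-periodToUse = dur
 }
 
 // Parse the TTL/lease if any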
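Review bot: The empty `case dur == 0:` arm in the new switch has no comment, yet it is the line that lets an explicit zero period bypass the `isSudo` check and leaves `te.Period` and `periodToUse` at their zero values. A comment on that arm would keep a later edit from folding it into `default` or deleting it as dead code, for example `// a zero period means no period was requested: no sudo needed, te.Period stays unset`. Because the privilege check now runs only after `parseutil.ParseDurationSecond` succeeds, the comment on `default` could also state that every non-zero period still requires sudo. handleCreateCommon starts and ends outside this hunk.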
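--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -2990,6 +2990,21 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) {
 t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
 }
 
+// A non-root token which has 'default' policy attached and period explicitly
+// set to its zero value requests for a child token. Child token should be
+// successfully created and have 'default' policy attached.
+tokenReq.Data = map[string]interface{}{
+"period": "0s",
+}
+resp, err = ts.HandleRequest(context.Background(), tokenReq)
+if err != nil || (resp != nil && resp.IsError()) {
+t.Fatalf("err: %v, resp: %v", err, resp)
+}
+
+if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
+t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
+}
+
 // A non-root token which has 'default' policy attached, request for a
 // child token to not have 'default' policy while not sending a list
 tokenReq.Data = map[string]interface{}{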
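Review bot: The added case asserts only the permitted side of the change, a non-root request with `"period": "0s"` succeeding; nothing in this hunk pins that the same token is still refused for a non-zero period now that the `isSudo` check sits in the `default` arm of the switch. A companion request on the same `tokenReq` with `"period": "1h"`, expecting an error from `ts.HandleRequest`, would guard that privilege boundary against regression. The new assertions compare policies only, so they do not show that the child token came out non-periodic; whether the response exposes that is not visible here. Tests outside the hunk may already cover the denial path, and TestTokenStore_NoDefaultPolicy continues beyond the visible lines.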
