From 75ed6b90e54b8374cd6bd5d1f1741bc43a4f2082 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Thu, 1 Feb 2018 12:01:46 -0500
Subject: [PATCH] Handle period's zero value in token store's token creation (#3880)
* Handle period's zero value on handleCreateCommon
* Add test for period zero value
---
 vault/token_store.go | 18 +++++++++++-------
 vault/token_store_test.go | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index d3e9d11b0ef3..c65b9a3cabe3 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1823,19 +1823,23 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 var periodToUse time.Duration
 if data.Period != "" {
- if !isSudo {
- return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
- logical.ErrInvalidRequest
- }
 dur, err := parseutil.ParseDurationSecond(data.Period)
 if err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
- if dur < 0 {
+
+ switch {
+ case dur < 0:
 return logical.ErrorResponse("period must be positive"), logical.ErrInvalidRequest
+ case dur == 0:
+ default:
+ if !isSudo {
+ return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
+ logical.ErrInvalidRequest
+ }
+ te.Period = dur
+ periodToUse = dur
 }
- te.Period = dur
- periodToUse = dur
 }
 // Parse the TTL/lease if any
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 7c19c32b0ad3..fa865c7e2199 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
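Review bot: The empty `case dur == 0:` in the new switch is a deliberate no-op (Go has no implicit fallthrough), but nothing says so, and a reader can easily mistake it for an unfinished branch; a one-line comment such as `case dur == 0: // explicit zero means "not periodic": no sudo needed, te.Period stays unset` would make the intent visible. The reorder also moves the sudo check after parsing, so a non-sudo caller with a malformed or negative period now receives the parse error or "period must be positive" instead of the privilege error; that looks harmless, since neither message reveals anything, but it is a behaviour change worth a sentence in the commit message. In the zero case `periodToUse` stays at its zero value, so the later TTL handling must already treat a zero `periodToUse` as "no period" (presumably it does, since the `data.Period == ""` path leaves it zero too, but that code is outside the hunk). handleCreateCommon starts before and continues after this hunk.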
@@ -2990,6 +2990,21 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) {
 t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
 }
+ // A non-root token which has 'default' policy attached and period explicitly
+ // set to its zero value requests for a child token. Child token should be
+ // successfully created and have 'default' policy attached.
+ tokenReq.Data = map[string]interface{}{
+ "period": "0s",
+ }
+ resp, err = ts.HandleRequest(context.Background(), tokenReq)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err: %v, resp: %v", err, resp)
+ }
+ if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
+ t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
+ }
+
 // A non-root token which has 'default' policy attached, request for a
 // child token to not have 'default' policy while not sending a list
 tokenReq.Data = map[string]interface{}{
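Review bot: The new assertion only checks the policy list, so the test would still pass if a zero period were recorded on the child token; since the case exists to pin period handling, it should also assert the token is not periodic, e.g. `if resp.Auth.Period != 0 { t.Fatalf("expected no period, got %v", resp.Auth.Period) }` (assuming `logical.Auth` exposes the period — confirm). Only the `"0s"` spelling is exercised; if `parseutil.ParseDurationSecond` also accepts a bare integer string, a second request with `"period": "0"` would cover that path as well. The enclosing TestTokenStore_NoDefaultPolicy starts before and continues after this hunk.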