

Refactored a few checks for the token entity overwrite. Fixed tests.
michelvocks committed May 14, 2019
1 parent 1c080b1 commit 7611478
Showing 2 changed files with 33 additions and 21 deletions.
47 changes: 29 additions & 18 deletions vault/token_store.go
Expand Up @@ -19,8 +19,8 @@ import (
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-sockaddr"

metrics "github.com/armon/go-metrics"
multierror "github.com/hashicorp/go-multierror"
"github.com/armon/go-metrics"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework"
Expand Down Expand Up @@ -2234,37 +2234,48 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
return logical.ErrorResponse(err.Error()), nil
}

// Create alias for later processing
alias := &logical.Alias{
Name: data.EntityAlias,
MountAccessor: mountValidationResp.Accessor,
MountType: mountValidationResp.Type,
}

switch {
case aliasByFactors == nil:
// Entity alias does not exist. Create a new entity and entity alias
newAlias := &logical.Alias{
Name: data.EntityAlias,
MountAccessor: mountValidationResp.Accessor,
MountType: mountValidationResp.Type,
}

newEntity, err := ts.core.identityStore.CreateOrFetchEntity(ctx, newAlias)
newEntity, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
if err != nil {
return logical.ErrorResponse(err.Error()), nil
}
if newEntity == nil {
return logical.ErrorResponse("failed to create new entity for given entity alias"), nil
}

// Set new entity id
overwriteEntityID = newEntity.ID
default:
// Verify that the specified entity alias is included in the allowed entity alias list
foundEntityAlias := false
for _, entityAlias := range role.AllowedEntityAliases {
if strings.Compare(entityAlias, data.EntityAlias) == 0 {
foundEntityAlias = true
}
// Check if provided entity alias name is in the allowed entity aliases list
if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) {
return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
}

if !foundEntityAlias {
return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest
// Lookup entity
entity, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
if err != nil {
return logical.ErrorResponse(err.Error()), nil
}
if entity == nil {
return logical.ErrorResponse("failed to lookup entity from given entity alias"), nil
}

// Validate that the entity is not disabled
if entity.Disabled {
return logical.ErrorResponse("entity from given entity alias is disabled"), logical.ErrPermissionDenied
}

// Set new entity id
overwriteEntityID = aliasByFactors.CanonicalID
overwriteEntityID = entity.ID
}
}

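Review bot: The role's entity-alias allow-list is only enforced in the `default` branch; in the `aliasByFactors == nil` branch the new code goes straight to `CreateOrFetchEntity(ctx, alias)` and creates a fresh entity plus alias for whatever `data.EntityAlias` the caller supplied, without it ever being compared against `role.AllowedEntityAliases` — unless a check earlier in the function, outside this hunk, already does that. If it does not, a caller with this role can mint arbitrary new entities by picking an alias name that does not exist yet, which is exactly the case the allow-list is meant to bound. Hoisting the three lines `if !strutil.StrListContains(role.AllowedEntityAliases, data.EntityAlias) { return logical.ErrorResponse("invalid 'entity_alias' value"), logical.ErrInvalidRequest }` above the `switch` would make it apply to both paths, and since both branches then call the same `CreateOrFetchEntity` the switch could collapse into one lookup followed by the `entity.Disabled` check. The surrounding `handleCreateCommon` begins and ends outside this hunk, so I cannot confirm from the diff alone whether such an earlier check exists.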
7 changes: 4 additions & 3 deletions vault/token_store_test.go
Expand Up @@ -4,7 +4,6 @@ import (
"context"
"encoding/json"
"fmt"
"github.com/mitchellh/mapstructure"
"path"
"reflect"
"sort"
Expand All @@ -18,11 +17,13 @@ import (

"github.com/go-test/deep"
"github.com/hashicorp/errwrap"
hclog "github.com/hashicorp/go-hclog"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/mapstructure"
)

func TestTokenStore_CreateOrphanResponse(t *testing.T) {
