From f538631581fdf1167562ae17124a2842f9a40e28 Mon Sep 17 00:00:00 2001 From: Scott Miller Date: Wed, 5 May 2021 14:39:04 -0500 Subject: [PATCH] Fix barrier key autoration config edge cases (#11541) * Add an Int64 type * Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31 * Missed a spot * go mod vendor * fix cast * changelog * Update unit test to ensure this works on both 32 and 64-bit archs --- changelog/11541.txt | 3 +++ go.mod | 2 +- sdk/framework/field_data.go | 11 +++++++++-- sdk/framework/field_type.go | 1 + vault/logical_system.go | 4 ++-- vault/logical_system_paths.go | 2 +- vault/logical_system_test.go | 13 ++----------- .../hashicorp/vault/sdk/framework/field_data.go | 11 +++++++++-- .../hashicorp/vault/sdk/framework/field_type.go | 1 + vendor/modules.txt | 2 +- 10 files changed, 30 insertions(+), 20 deletions(-) create mode 100644 changelog/11541.txt diff --git a/changelog/11541.txt b/changelog/11541.txt new file mode 100644 index 000000000000..3cf468cc5192 --- /dev/null +++ b/changelog/11541.txt @@ -0,0 +1,3 @@ +```release-note:bug +core: Fix edge cases in the configuration endpoint for barrier key autorotation. +``` diff --git a/go.mod b/go.mod index c7be4a9551b4..da45d8835c5b 100644 --- a/go.mod +++ b/go.mod @@ -104,7 +104,7 @@ require ( github.com/hashicorp/vault-plugin-secrets-openldap v0.4.0 github.com/hashicorp/vault-plugin-secrets-terraform v0.1.0 github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 - github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 + github.com/hashicorp/vault/sdk v0.1.14-0.20210505171055-299f311fa707 github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4 github.com/jcmturner/gokrb5/v8 v8.0.0 github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f diff --git a/sdk/framework/field_data.go b/sdk/framework/field_data.go index fa73fa04bd27..2b3c22ffd1b8 100644 --- a/sdk/framework/field_data.go +++ b/sdk/framework/field_data.go 
@@ -38,7 +38,7 @@ func (d *FieldData) Validate() error { } switch schema.Type { - case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, + case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: _, _, err := d.getPrimitive(field, schema) @@ -131,7 +131,7 @@ func (d *FieldData) GetOkErr(k string) (interface{}, bool, error) { } switch schema.Type { - case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, + case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: return d.getPrimitive(k, schema) @@ -162,6 +162,13 @@ func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bo } return result, true, nil + case TypeInt64: + var result int64 + if err := mapstructure.WeakDecode(raw, &result); err != nil { + return nil, false, err + } + return result, true, nil + case TypeFloat: var result float64 if err := mapstructure.WeakDecode(raw, &result); err != nil { diff --git a/sdk/framework/field_type.go b/sdk/framework/field_type.go index 509eadd3006c..ef7f08191e1a 100644 --- a/sdk/framework/field_type.go +++ b/sdk/framework/field_type.go @@ -7,6 +7,7 @@ const ( TypeInvalid FieldType = 0 TypeString FieldType = iota TypeInt + TypeInt64 TypeBool TypeMap diff --git a/vault/logical_system.go b/vault/logical_system.go index cd13bc455f7a..c2d3f2653f51 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go 
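Review bot: The new TypeInt64 case in getPrimitive decodes through mapstructure.WeakDecode, which truncates a float input to int64 and accepts negative values without error, so a request carrying a fractional or negative `max_operations` decodes cleanly and range enforcement falls entirely on the handler. That matches the contract TypeInt already has, but it deserves a line above the case, e.g. `// WeakDecode truncates floats and accepts negatives; callers must range-check the result.` If the raw value reaches here as a float64 (JSON decoded without UseNumber — the HTTP layer is not visible from this hunk), integers above 2^53 have already lost precision before this decode, so the int64 width alone does not guarantee an exact round-trip. The same applies to the vendored copy of field_data.go later in this patch; getPrimitive continues outside the hunk.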
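Review bot: TypeInt64 is inserted in the middle of the iota block, so every FieldType after it (TypeBool, TypeMap and the rest) silently changes numeric value between the SDK version pinned before and after the go.mod bump in this patch; appending it after the last member would keep existing values stable, which matters if any caller persists or compares the raw constants. The file's diffstat shows a single added line, which suggests the FieldType String() and Zero() switches outside this hunk were not extended — if those fall through to an "unknown"/panic default, FieldData.Get on an absent TypeInt64 field and OpenAPI schema generation would both misbehave, and `case TypeInt64: return int64(0)` in Zero() together with `case TypeInt64: return "int64"` in String() would close that gap. The vendored field_type.go in this patch has the same one-line change; the const block continues outside the hunk.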
@@ -2566,7 +2566,7 @@ func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req * return nil, err } if ok { - rotConfig.MaxOperations = int64(maxOps.(int)) + rotConfig.MaxOperations = maxOps.(int64) } interval, ok, err := data.GetOkErr("interval") if err != nil { @@ -2585,7 +2585,7 @@ func (b *SystemBackend) handleKeyRotationConfigUpdate(ctx context.Context, req * } // Reject out of range settings - if rotConfig.Interval < minimumRotationInterval { + if rotConfig.Interval < minimumRotationInterval && rotConfig.Interval != 0 { return logical.ErrorResponse("interval must be greater or equal to %s", minimumRotationInterval.String()), logical.ErrInvalidRequest } diff --git a/vault/logical_system_paths.go b/vault/logical_system_paths.go index d990253fce93..817ab02ac594 100644 --- a/vault/logical_system_paths.go +++ b/vault/logical_system_paths.go @@ -610,7 +610,7 @@ func (b *SystemBackend) sealPaths() []*framework.Path { Description: strings.TrimSpace(sysHelp["rotation-enabled"][0]), }, "max_operations": { - Type: framework.TypeInt, // 64? + Type: framework.TypeInt64, Description: strings.TrimSpace(sysHelp["rotation-max-operations"][0]), }, "interval": { diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index e9cabdb4fed1..ca235641630d 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -2066,7 +2066,7 @@ func TestSystemBackend_rotateConfig(t *testing.T) { } req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config") - req2.Data["max_operations"] = 123456789 + req2.Data["max_operations"] = int64(3221225472) req2.Data["interval"] = "5432h0m0s" req2.Data["enabled"] = false 
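Review bot: The relaxed condition at @@ -2585 now lets an `interval` of exactly 0 through while the comment above it still reads "Reject out of range settings", leaving the reader to guess that 0 is the sentinel for switching time-based rotation off; say so, e.g. `// An Interval of 0 disables time-based rotation; any other value must meet the minimum.` — the meaning of 0 is inferred from the check itself, so confirm it against how the rotation loop treats Interval. The companion change at @@ -2566 stores `maxOps.(int64)` directly, so zero and negative values now decode as well, and the hunk shows neither a lower nor an upper bound on rotConfig.MaxOperations; if none follows outside the hunk, a check mirroring the interval one belongs here, because this setting caps how many encryptions run under one barrier key and an unbounded int64 lets it exceed any safe per-key usage limit, while a non-positive value has no defined rotation meaning. handleKeyRotationConfigUpdate starts and ends outside the hunk.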
@@ -2081,20 +2081,11 @@ func TestSystemBackend_rotateConfig(t *testing.T) { } exp = map[string]interface{}{ - "max_operations": 123456789, + "max_operations": int64(3221225472), "interval": "5432h0m0s", "enabled": false, } - // Not pretty, but on a 64-bit machine, the response value is 64-bit, while on a 32 bit machine it'll be an int - // DeepEqual rejects it due to the type difference - if d, ok := resp.Data["max_operations"]; ok { - v, ok := d.(int64) - if ok { - resp.Data["max_operations"] = int(v) - } - } - if !reflect.DeepEqual(resp.Data, exp) { t.Fatalf("got: %#v expect: %#v", resp.Data, exp) } diff --git a/vendor/github.com/hashicorp/vault/sdk/framework/field_data.go b/vendor/github.com/hashicorp/vault/sdk/framework/field_data.go index fa73fa04bd27..2b3c22ffd1b8 100644 --- a/vendor/github.com/hashicorp/vault/sdk/framework/field_data.go +++ b/vendor/github.com/hashicorp/vault/sdk/framework/field_data.go @@ -38,7 +38,7 @@ func (d *FieldData) Validate() error { } switch schema.Type { - case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, + case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: _, _, err := d.getPrimitive(field, schema) @@ -131,7 +131,7 @@ func (d *FieldData) GetOkErr(k string) (interface{}, bool, error) { } switch schema.Type { - case TypeBool, TypeInt, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, + case TypeBool, TypeInt, TypeInt64, TypeMap, TypeDurationSecond, TypeSignedDurationSecond, TypeString, TypeLowerCaseString, TypeNameString, TypeSlice, TypeStringSlice, TypeCommaStringSlice, TypeKVPairs, TypeCommaIntSlice, TypeHeader, TypeFloat, TypeTime: return d.getPrimitive(k, schema) 
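Review bot: The updated expectation only pins the over-2^31 `max_operations` case; the other edge case this patch changes — an `interval` of 0 now passing the minimum-interval check in handleKeyRotationConfigUpdate — has no coverage, and neither does rejection of a non-zero interval below the minimum, so a regression in either direction would go unnoticed. A further request in TestSystemBackend_rotateConfig that sets `req.Data["interval"] = "0"` and asserts no error, plus one with a short non-zero interval asserting logical.ErrInvalidRequest, would cover what the title claims to fix. Dropping the 32-bit normalization block is correct now that the schema is TypeInt64 on both architectures, so the int64 literal in exp is the right comparison. The test function continues outside the hunk.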
@@ -162,6 +162,13 @@ func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bo } return result, true, nil + case TypeInt64: + var result int64 + if err := mapstructure.WeakDecode(raw, &result); err != nil { + return nil, false, err + } + return result, true, nil + case TypeFloat: var result float64 if err := mapstructure.WeakDecode(raw, &result); err != nil { diff --git a/vendor/github.com/hashicorp/vault/sdk/framework/field_type.go b/vendor/github.com/hashicorp/vault/sdk/framework/field_type.go index 509eadd3006c..ef7f08191e1a 100644 --- a/vendor/github.com/hashicorp/vault/sdk/framework/field_type.go +++ b/vendor/github.com/hashicorp/vault/sdk/framework/field_type.go @@ -7,6 +7,7 @@ const ( TypeInvalid FieldType = 0 TypeString FieldType = iota TypeInt + TypeInt64 TypeBool TypeMap diff --git a/vendor/modules.txt b/vendor/modules.txt index 9636792469e2..910dd3de4c3f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -709,7 +709,7 @@ github.com/hashicorp/vault-plugin-secrets-terraform # github.com/hashicorp/vault/api v1.0.5-0.20210210214158-405eced08457 => ./api ## explicit github.com/hashicorp/vault/api -# github.com/hashicorp/vault/sdk v0.1.14-0.20210204230556-cf85a862b7c6 => ./sdk +# github.com/hashicorp/vault/sdk v0.1.14-0.20210505171055-299f311fa707 => ./sdk ## explicit github.com/hashicorp/vault/sdk/database/dbplugin github.com/hashicorp/vault/sdk/database/dbplugin/v5