Backport of VAULT-5094: Deal with identity_policies Set to nil in Secret Data Field into release/1.13.x #20682

Merged
4 changes: 2 additions & 2 deletions api/secret.go
Expand Up @@ -147,8 +147,8 @@ TOKEN_DONE:

// Identity policies
{
_, ok := s.Data["identity_policies"]
if !ok {
v, ok := s.Data["identity_policies"]
if !ok || v == nil {
goto DONE
}

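--- /dev/null
+++ b/api/secret_test.go
@@ -0,0 +1,208 @@
+package api
+
+import (
+"testing"
+)
+
+func TestTokenPolicies(t *testing.T) {
+var s *Secret
+
+// Verify some of the short-circuit paths in the function
+if policies, err := s.TokenPolicies(); policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+s = &Secret{}
+
+if policies, err := s.TokenPolicies(); policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+s.Auth = &SecretAuth{}
+
+if policies, err := s.TokenPolicies(); policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+s.Auth.Policies = []string{}
+
+if policies, err := s.TokenPolicies(); policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+s.Auth.Policies = []string{"test"}
+
+if policies, err := s.TokenPolicies(); policies == nil {
+t.Error("policies was nil")
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+s.Auth = nil
+s.Data = make(map[string]interface{})
+
+if policies, err := s.TokenPolicies(); policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+}
+
+// Verify that s.Data["policies"] are properly processed
+{
+policyList := make([]string, 0)
+s.Data["policies"] = policyList
+
+if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+
+policyList = append(policyList, "policy1", "policy2")
+s.Data["policies"] = policyList
+
+if policies, err := s.TokenPolicies(); len(policyList) != 2 {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+}
+
+// Do it again but with an interface{} slice
+{
+s.Auth = nil
+policyList := make([]interface{}, 0)
+s.Data["policies"] = policyList
+
+if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+
+policyItems := make([]interface{}, 2)
+policyItems[0] = "policy1"
+policyItems[1] = "policy2"
+
+policyList = append(policyList, policyItems...)
+s.Data["policies"] = policyList
+
+if policies, err := s.TokenPolicies(); len(policies) != 2 {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+
+s.Auth = nil
+s.Data["policies"] = 7.0
+
+if policies, err := s.TokenPolicies(); err == nil {
+t.Error("err was nil")
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+
+s.Auth = nil
+s.Data["policies"] = []int{2, 3, 5, 8, 13}
+
+if policies, err := s.TokenPolicies(); err == nil {
+t.Error("err was nil")
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+}
+
+s.Auth = nil
+s.Data["policies"] = nil
+
+if policies, err := s.TokenPolicies(); err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+
+// Verify that logic that merges s.Data["policies"] and s.Data["identity_policies"] works
+{
+policyList := []string{"policy1", "policy2", "policy3"}
+s.Data["policies"] = policyList[:1]
+s.Data["identity_policies"] = "not_a_slice"
+s.Auth = nil
+
+if policies, err := s.TokenPolicies(); err == nil {
+t.Error("err was nil")
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+
+s.Data["identity_policies"] = policyList[1:]
+
+if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+}
+
+// Do it again but with an interface{} slice
+{
+policyList := []interface{}{"policy1", "policy2", "policy3"}
+s.Data["policies"] = policyList[:1]
+s.Data["identity_policies"] = "not_a_slice"
+s.Auth = nil
+
+if policies, err := s.TokenPolicies(); err == nil {
+t.Error("err was nil")
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+
+s.Data["identity_policies"] = policyList[1:]
+
+if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
+t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
+} else if err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+
+s.Auth = nil
+s.Data["identity_policies"] = []int{2, 3, 5, 8, 13}
+
+if policies, err := s.TokenPolicies(); err == nil {
+t.Error("err was nil")
+} else if policies != nil {
+t.Errorf("policies was not nil, got %v", policies)
+}
+}
+
+s.Auth = nil
+s.Data["policies"] = []string{"policy1"}
+s.Data["identity_policies"] = nil
+
+if policies, err := s.TokenPolicies(); err != nil {
+t.Errorf("err was not nil, got %v", err)
+} else if len(policies) != 1 {
+t.Errorf("expecting policies length %d, got %d", 1, len(policies))
+} else if s.Auth == nil {
+t.Error("Auth field is still nil")
+}
+}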
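Review bot: The second check in the `[]string` block of the `s.Data["policies"]` section asserts on the input rather than the output: `len(policyList) != 2` tests the slice the test itself just built, so that case can never fail on what `TokenPolicies` returns (the `[]interface{}` block below gets it right with `len(policies) != 2`). Change it to `if policies, err := s.TokenPolicies(); len(policies) != 2 {`. As a matter of style, several chains test the length before `err`, so a returned error surfaces as "expecting policies length 3, got 0" instead of the error text; putting `err != nil` first in each chain gives the real failure message. The nil-`identity_policies` case this backport is for is covered only by the final block, which is the regression test that matters here.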
3 changes: 3 additions & 0 deletions changelog/20636.txt
@@ -0,0 +1,3 @@
```release-note:bug
api: Properly Handle nil identity_policies in Secret Data
```