From cbed6372685661364c211397d31aff247e2577ab Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Wed, 31 Jan 2018 12:48:26 -0500
Subject: [PATCH 1/2] Handle period's zero value on handleCreateCommon
---
 vault/token_store.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index 8a49123d05f2..b53a27a62f2e 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1837,19 +1837,23 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 var periodToUse time.Duration
 if data.Period != "" {
- if !isSudo {
- return logical.ErrorResponse("root or sudo privileges required to create periodic token"), logical.ErrInvalidRequest
- }
 dur, err := parseutil.ParseDurationSecond(data.Period)
 if err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
- if dur < 0 {
+
+ switch {
+ case dur < 0:
 return logical.ErrorResponse("period must be positive"), logical.ErrInvalidRequest
+ case dur == 0:
+ default:
+ if !isSudo {
+ return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
+ logical.ErrInvalidRequest
+ }
+ te.Period = dur
+ periodToUse = dur
 }
- te.Period = dur
- periodToUse = dur
 }
 // Parse the TTL/lease if any
From fee50ad63b8b4843a2407d954a4e40038f634bf7 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Wed, 31 Jan 2018 13:04:05 -0500
Subject: [PATCH 2/2] Add test for period zero value
---
 vault/token_store_test.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 639e4d950b57..c7a8448d3e62 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
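Review bot: The empty `case dur == 0:` arm of the new switch has no comment, so a reader cannot tell whether silently accepting a zero period (no `te.Period`, no sudo check) is intentional or a forgotten `fallthrough`; add `// A period of 0 means "not periodic": leave te.Period unset and do not require sudo.` above it. Since zero is now accepted, the message on the `dur < 0` arm, `"period must be positive"`, no longer matches the check; `"period must not be negative"` does. Moving the sudo check after parsing also means a non-sudo caller sending a malformed period now gets the parse error rather than the privilege error, which is harmless but is a visible behaviour change worth a line in the commit message. handleCreateCommon starts and ends outside the hunk.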
@@ -2998,6 +2998,21 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) {
 t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
 }
+ // A non-root token which has 'default' policy attached and period explicitly
+ // set to its zero value requests for a child token. Child token should be
+ // successfully created and have 'default' policy attached.
+ tokenReq.Data = map[string]interface{}{
+ "period": "0s",
+ }
+ resp, err = ts.HandleRequest(context.Background(), tokenReq)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err: %v, resp: %v", err, resp)
+ }
+
+ if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
+ t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
+ }
+
 // A non-root token which has 'default' policy attached, request for a
 // child token to not have 'default' policy while not sending a list
 tokenReq.Data = map[string]interface{}{
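Review bot: The new assertions only check that the child token is created and keeps `[default policy1]`; they never verify the property the first patch introduced, namely that `"period": "0s"` from a non-sudo caller yields a non-periodic token rather than being rejected or stored as a period. Adding a check on the returned period, e.g. `if resp.Auth.Period != 0 { t.Fatalf("expected non-periodic token, got period %v", resp.Auth.Period) }` (assuming `logical.Auth` exposes the period next to the `Policies` the test already reads), would pin that behaviour and catch a regression that turned the empty `case dur == 0:` arm back into the sudo-gated path. The nil guard covers `resp` but not `resp.Auth`, so a response without auth data would panic instead of failing cleanly; this matches the existing block above, so it is a pre-existing pattern rather than a new defect. TestTokenStore_NoDefaultPolicy starts and ends outside the hunk.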