[VAULT-3519] Return no_default_policy on token role read (#12565)

* [VAULT-3519] Return no_default_policy on token role read if set * [VAULT-3519] Add changelog * [VAULT-3519] Always return token_no_default_policy on role read * Fix broken test * Update role read response in docs
hashicorp · Sep 21, 2021 · cf45b2b · cf45b2b
1 parent 68065df
commit cf45b2b
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/changelog/12565.txt b/changelog/12565.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/token: Return the token_no_default_policy config on token role read if set
+```
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -3223,6 +3223,7 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 			"renewable":                role.Renewable,
 			"token_type":               role.TokenType.String(),
 			"allowed_entity_aliases":   role.AllowedEntityAliases,
+			"token_no_default_policy":  role.TokenNoDefaultPolicy,
 		},
 	}
 

diff --git a/vault/token_store_test.go b/vault/token_store_test.go
@@ -3194,6 +3194,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"token_type":               "default-service",
 		"token_num_uses":           123,
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  false,
 	}
 
 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3213,12 +3214,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	// automatically due to the existence check
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"period":           "79h",
-		"allowed_policies": "test3",
-		"path_suffix":      "happenin",
-		"renewable":        false,
-		"explicit_max_ttl": "80h",
-		"token_num_uses":   0,
+		"period":                  "79h",
+		"allowed_policies":        "test3",
+		"path_suffix":             "happenin",
+		"renewable":               false,
+		"explicit_max_ttl":        "80h",
+		"token_num_uses":          0,
+		"token_no_default_policy": true,
 	}
 
 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
@@ -3256,6 +3258,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  true,
 	}
 
 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3308,6 +3311,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  true,
 	}
 
 	if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3326,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	// Update path_suffix and bound_cidrs with empty values
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"path_suffix": "",
-		"bound_cidrs": []string{},
+		"path_suffix":             "",
+		"bound_cidrs":             []string{},
+		"token_no_default_policy": false,
 	}
 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
 	if err != nil || (resp != nil && resp.IsError()) {
@@ -3360,6 +3365,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"renewable":                false,
 		"token_type":               "default-service",
 		"allowed_entity_aliases":   []string(nil),
+		"token_no_default_policy":  false,
 	}
 
 	if diff := deep.Equal(expected, resp.Data); diff != nil {
@@ -4428,6 +4434,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "batch",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}
 
 		if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@@ -4483,6 +4490,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "default-service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}
 
 		if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@@ -4537,6 +4545,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "default-service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}
 
 		if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@@ -4593,6 +4602,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 			"renewable":                false,
 			"token_type":               "service",
 			"allowed_entity_aliases":   []string(nil),
+			"token_no_default_policy":  false,
 		}
 
 		if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {

diff --git a/website/content/api-docs/auth/token.mdx b/website/content/api-docs/auth/token.mdx
@@ -636,6 +636,7 @@ $ curl \
     "period": 0,
     "renewable": true,
     "token_explicit_max_ttl": 0,
+    "token_no_default_policy": false,
     "token_period": 0,
     "token_type": "default-service"
   },