From e0cbb10a0e778aca8cc6ea9eb0757e9cca1124ee Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Date: Mon, 27 Sep 2021 09:08:07 -0700
Subject: [PATCH] core: set namespace within GeneratePasswordFromPolicy (#12635)

* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
---
 builtin/logical/database/backend_test.go | 2 +-
 builtin/logical/database/dbplugin/plugin_test.go | 2 +-
 builtin/plugin/backend_test.go | 2 +-
 changelog/12635.txt | 3 +++
 vault/dynamic_system_view.go | 2 ++
 vault/dynamic_system_view_test.go | 16 +++++++++-------
 vault/testing.go | 9 ++++++++-
 7 files changed, 25 insertions(+), 11 deletions(-)
 create mode 100644 changelog/12635.txt

diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
index ec843bfdf4898..6d42fcbfd6e35 100644
--- a/builtin/logical/database/backend_test.go
+++ b/builtin/logical/database/backend_test.go
@@ -45,7 +45,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 	os.Setenv(pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)
-	sys := vault.TestDynamicSystemView(cores[0].Core)
+	sys := vault.TestDynamicSystemView(cores[0].Core, nil)
 	vault.TestAddTestPlugin(t, cores[0].Core, "postgresql-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Postgres", []string{}, "")
 	vault.TestAddTestPlugin(t, cores[0].Core, "mongodb-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_Mongo", []string{}, "")
 	vault.TestAddTestPlugin(t, cores[0].Core, "mongodbatlas-database-plugin", consts.PluginTypeDatabase, "TestBackend_PluginMain_MongoAtlas", []string{}, "")
diff --git a/builtin/logical/database/dbplugin/plugin_test.go b/builtin/logical/database/dbplugin/plugin_test.go
index 754f82b40fb79..e96f55deb2748 100644
--- a/builtin/logical/database/dbplugin/plugin_test.go
+++ b/builtin/logical/database/dbplugin/plugin_test.go
@@ -109,7 +109,7 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 	cluster.Start()
 	cores := cluster.Cores
-	sys := vault.TestDynamicSystemView(cores[0].Core)
+	sys := vault.TestDynamicSystemView(cores[0].Core, nil)
 	vault.TestAddTestPlugin(t, cores[0].Core, "test-plugin", consts.PluginTypeDatabase, "TestPlugin_GRPC_Main", []string{}, "")
 	return cluster, sys
diff --git a/builtin/plugin/backend_test.go b/builtin/plugin/backend_test.go
index 600df860472c0..87bbdb2c4c6d4 100644
--- a/builtin/plugin/backend_test.go
+++ b/builtin/plugin/backend_test.go
@@ -80,7 +80,7 @@ func testConfig(t *testing.T) (*logical.BackendConfig, func()) {
 	core := cores[0]
-	sys := vault.TestDynamicSystemView(core.Core)
+	sys := vault.TestDynamicSystemView(core.Core, nil)
 	config := &logical.BackendConfig{
 		Logger: logging.NewVaultLogger(log.Debug),
diff --git a/changelog/12635.txt b/changelog/12635.txt
new file mode 100644
index 0000000000000..9e1a7d7fe15e5
--- /dev/null
+++ b/changelog/12635.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin.
+```
\ No newline at end of file
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 906a7e9465add..64de5c9793ed9 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -340,6 +340,8 @@ func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, polic
 		defer cancel()
 	}
 
+	ctx = namespace.ContextWithNamespace(ctx, d.mountEntry.Namespace())
+
 	policyCfg, err := d.retrievePasswordPolicy(ctx, policyName)
 	if err != nil {
 		return "", fmt.Errorf("failed to retrieve password policy: %w", err)
diff --git a/vault/dynamic_system_view_test.go b/vault/dynamic_system_view_test.go
index b7861428cf91b..1091f33e3149e 100644
--- a/vault/dynamic_system_view_test.go
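Review bot: The added line in vault/dynamic_system_view.go dereferences `d.mountEntry` with no nil check, and the code this commit removes from vault/dynamic_system_view_test.go shows a `dynamicSystemView` built with only `core` set, so a view without a mount entry was a reachable state until now; any remaining caller that constructs the view that way will panic here rather than get an error. A guard before the new line, `if d.mountEntry == nil { return "", fmt.Errorf("system view has no mount entry") }`, keeps the failure on the error path the function already uses. The line also silently replaces whatever namespace the caller's ctx carried, which is the intent but is not obvious to a reader; a comment such as `// Resolve the policy in the mount's own namespace: callers outside a request callback (e.g. external plugins) pass a ctx without one, and the policy must not be looked up in any other namespace.` would record it. GeneratePasswordFromPolicy begins and ends outside the hunk, so whether an earlier check on `d.mountEntry` already exists cannot be confirmed from here.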
+++ b/vault/dynamic_system_view_test.go
@@ -16,8 +16,9 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
-var testPolicyName = "testpolicy"
-var rawTestPasswordPolicy = `
+var (
+	testPolicyName        = "testpolicy"
+	rawTestPasswordPolicy = `
 length = 20
 rule "charset" {
 	charset = "abcdefghijklmnopqrstuvwxyz"
@@ -31,6 +32,7 @@ rule "charset" {
 	charset = "0123456789"
 	min_chars = 1
 }`
+)
 func TestIdentity_BackendTemplating(t *testing.T) {
 	var err error
@@ -205,7 +207,7 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
 	defer cancel()
 	ctx = namespace.RootContext(ctx)
-	dsv := dynamicSystemView{core: cluster.Cores[0].Core}
+	dsv := TestDynamicSystemView(cluster.Cores[0].Core, nil)
 	runeset := map[rune]bool{}
 	runesFound := []rune{}
@@ -272,11 +274,11 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
 				getErr: test.getErr,
 			}
-			dsv := dynamicSystemView{
-				core: &Core{
-					systemBarrierView: NewBarrierView(testStorage, "sys/"),
-				},
+			core := &Core{
+				systemBarrierView: NewBarrierView(testStorage, "sys/"),
 			}
+			dsv := TestDynamicSystemView(core, nil)
+
 			ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
 			defer cancel()
 			actualPassword, err := dsv.GeneratePasswordFromPolicy(ctx, test.policyName)
diff --git a/vault/testing.go b/vault/testing.go
index 51849d6d39a89..dbe921969d493 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -434,12 +434,19 @@ func TestKeyCopy(key []byte) []byte {
 	return result
 }
-func TestDynamicSystemView(c *Core) *dynamicSystemView {
+func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView {
 	me := &MountEntry{
 		Config: MountConfig{
 			DefaultLeaseTTL: 24 * time.Hour,
 			MaxLeaseTTL:     2 * 24 * time.Hour,
 		},
+		NamespaceID: namespace.RootNamespace.ID,
+		namespace:   namespace.RootNamespace,
+	}
+
+	if ns != nil {
+		me.NamespaceID = ns.ID
+		me.namespace = ns
 	}
 	return &dynamicSystemView{c, me}
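Review bot: The `_successful` hunk still calls `namespace.RootContext(ctx)` right before the view is built, so the request context already carries the root namespace and the test would have passed before this commit; it does not show that `GeneratePasswordFromPolicy` now injects the mount's namespace itself. Dropping that `ctx = namespace.RootContext(ctx)` line, so the call runs on a context with no namespace, is what makes this test cover the fix. Both this hunk and the `_failed` hunk pass `nil` to `TestDynamicSystemView`, which the new helper maps to the root namespace, so the non-root case the changelog describes has no coverage here; a second case that passes a non-root `*namespace.Namespace` would close that gap if one can be constructed in this package, which I cannot confirm from the hunk. The bodies of both test functions begin outside the hunk.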
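Review bot: `TestDynamicSystemView` is exported and now has a second parameter with a non-obvious default, but the hunk adds no doc comment; a line such as `// TestDynamicSystemView returns a dynamicSystemView for c whose mount entry lives in ns, or in the root namespace when ns is nil.` above the signature would state the contract. As a point of style, the namespace is assigned twice (root in the literal, then overwritten in the `if`); defaulting first with `if ns == nil { ns = namespace.RootNamespace }` before the literal and then writing `NamespaceID: ns.ID,` and `namespace: ns,` once gives one assignment and removes the trailing `if` block. The function's closing brace is outside the hunk.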