From 0cb1995bd55b49445d53cee2d248857e022e7faa Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay
Date: Wed, 15 Sep 2021 15:18:22 -0700
Subject: [PATCH 1/5] [VAULT-3519] Return no_default_policy on token role read if set
---
 vault/token_store.go | 4 ++++
 vault/token_store_test.go | 27 +++++++++++++++++++--------
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index 3f2435f061a5d..ae7fa49d1db43 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -3208,6 +3208,10 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 resp.Data["token_num_uses"] = role.TokenNumUses
 }
+ if role.TokenNoDefaultPolicy {
+ resp.Data["token_no_default_policy"] = true
+ }
+
 return resp, nil
 }
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 6a5504e165bfc..efdaf9d633497 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -3211,12 +3211,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 // automatically due to the existence check
 req.Operation = logical.CreateOperation
 req.Data = map[string]interface{}{
- "period": "79h",
- "allowed_policies": "test3",
- "path_suffix": "happenin",
- "renewable": false,
- "explicit_max_ttl": "80h",
- "token_num_uses": 0,
+ "period": "79h",
+ "allowed_policies": "test3",
+ "path_suffix": "happenin",
+ "renewable": false,
+ "explicit_max_ttl": "80h",
+ "token_num_uses": 0,
+ "token_no_default_policy": true,
 }
 resp, err = core.HandleRequest(namespace.RootContext(nil), req)
@@ -3263,6 +3264,10 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 delete(resp.Data, "token_bound_cidrs")
+ if resp.Data["token_no_default_policy"].(bool) != true {
+ t.Fatal("unexpected no_default_policy config")
+ }
+ delete(resp.Data, "token_no_default_policy")
 if diff := deep.Equal(expected, resp.Data); diff != nil {
 t.Fatal(diff)
 }
@@ -3313,6 +3318,11 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 delete(resp.Data, "token_bound_cidrs")
+ if resp.Data["token_no_default_policy"].(bool) != true {
+ t.Fatal("unexpected no_default_policy config")
+ }
+ delete(resp.Data, "token_no_default_policy")
+
 if diff := deep.Equal(expected, resp.Data); diff != nil {
 t.Fatal(diff)
 }
@@ -3320,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 // Update path_suffix and bound_cidrs with empty values
 req.Operation = logical.CreateOperation
 req.Data = map[string]interface{}{
- "path_suffix": "",
- "bound_cidrs": []string{},
+ "path_suffix": "",
+ "bound_cidrs": []string{},
+ "token_no_default_policy": false,
 }
 resp, err = core.HandleRequest(namespace.RootContext(nil), req)
 if err != nil || (resp != nil && resp.IsError()) {
From 3b785d07179186096466131ffff42137ca7467c0 Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay
Date: Wed, 15 Sep 2021 15:21:58 -0700
Subject: [PATCH 2/5] [VAULT-3519] Add changelog
---
 changelog/12565.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/12565.txt
diff --git a/changelog/12565.txt b/changelog/12565.txt
new file mode 100644
index 0000000000000..a125950e38b94
--- /dev/null
+++ b/changelog/12565.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/token: Return the token_no_default_policy config on token role read if set
+```
\ No newline at end of file
From 6e1ba2803f49ec35c9d199dced3dda2497c51ec7 Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay
Date: Mon, 20 Sep 2021 14:09:31 -0700
Subject: [PATCH 3/5] [VAULT-3519] Always return token_no_default_policy on role read
---
 vault/token_store.go | 29 +++++-----
 vault/token_store_test.go | 111 ++++++++++++++++++--------------------
 2 files changed, 66 insertions(+), 74 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index ae7fa49d1db43..33c75c2576861 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
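Review bot: The request literal in the -3320 hunk now also clears `token_no_default_policy`, but the comment above it still reads `// Update path_suffix and bound_cidrs with empty values`, so the later expectation of `"token_no_default_policy": false` is not explained by the test itself. Change it to `// Update path_suffix and bound_cidrs with empty values and reset token_no_default_policy`. That update is the only place the series verifies that an explicit `false` overrides a previously stored `true`, which is worth calling out since a role that silently kept dropping the `default` policy would be a least-privilege regression. TestTokenStore_RoleCRUD continues outside the hunk.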
@@ -3183,18 +3183,19 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 // TODO (1.4): Remove "period" and "explicit_max_ttl" if they're zero
 resp := &logical.Response{
 Data: map[string]interface{}{
- "period": int64(role.Period.Seconds()),
- "token_period": int64(role.TokenPeriod.Seconds()),
- "explicit_max_ttl": int64(role.ExplicitMaxTTL.Seconds()),
- "token_explicit_max_ttl": int64(role.TokenExplicitMaxTTL.Seconds()),
- "disallowed_policies": role.DisallowedPolicies,
- "allowed_policies": role.AllowedPolicies,
- "name": role.Name,
- "orphan": role.Orphan,
- "path_suffix": role.PathSuffix,
- "renewable": role.Renewable,
- "token_type": role.TokenType.String(),
- "allowed_entity_aliases": role.AllowedEntityAliases,
+ "period": int64(role.Period.Seconds()),
+ "token_period": int64(role.TokenPeriod.Seconds()),
+ "explicit_max_ttl": int64(role.ExplicitMaxTTL.Seconds()),
+ "token_explicit_max_ttl": int64(role.TokenExplicitMaxTTL.Seconds()),
+ "disallowed_policies": role.DisallowedPolicies,
+ "allowed_policies": role.AllowedPolicies,
+ "name": role.Name,
+ "orphan": role.Orphan,
+ "path_suffix": role.PathSuffix,
+ "renewable": role.Renewable,
+ "token_type": role.TokenType.String(),
+ "allowed_entity_aliases": role.AllowedEntityAliases,
+ "token_no_default_policy": role.TokenNoDefaultPolicy,
 },
 }
@@ -3208,10 +3209,6 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 resp.Data["token_num_uses"] = role.TokenNumUses
 }
- if role.TokenNoDefaultPolicy {
- resp.Data["token_no_default_policy"] = true
- }
-
 return resp, nil
 }
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index efdaf9d633497..34c7c569d84cc 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
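Review bot: The new `"token_no_default_policy": role.TokenNoDefaultPolicy` entry in the `resp.Data` literal is reported unconditionally, whereas `token_num_uses` in the -3208 hunk is still assigned only under a condition whose `if` sits above that hunk; nothing in the code says why the two differ, so add a comment on the literal such as `// token_no_default_policy is always reported (false when unset) so a read reflects the effective policy behaviour of tokens minted from this role`. Always emitting the key is the right choice for auditing: an operator enumerating roles that issue tokens without the `default` policy can rely on the key being present instead of inferring `false` from its absence, and API clients that diff role state get a stable schema. The `// TODO (1.4): Remove "period" and "explicit_max_ttl" if they're zero` context line appears to refer to a release that is already past; either act on it or reword it so it does not read as pending. tokenStoreRoleRead starts before this hunk and returns in the next one.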
@@ -3179,19 +3179,20 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 expected := map[string]interface{}{
- "name": "test",
- "orphan": true,
- "token_period": int64(259200),
- "period": int64(259200),
- "allowed_policies": []string{"test1", "test2"},
- "disallowed_policies": []string{},
- "path_suffix": "happenin",
- "explicit_max_ttl": int64(7200),
- "token_explicit_max_ttl": int64(7200),
- "renewable": true,
- "token_type": "default-service",
- "token_num_uses": 123,
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": true,
+ "token_period": int64(259200),
+ "period": int64(259200),
+ "allowed_policies": []string{"test1", "test2"},
+ "disallowed_policies": []string{},
+ "path_suffix": "happenin",
+ "explicit_max_ttl": int64(7200),
+ "token_explicit_max_ttl": int64(7200),
+ "renewable": true,
+ "token_type": "default-service",
+ "token_num_uses": 123,
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3241,18 +3242,19 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 expected = map[string]interface{}{
- "name": "test",
- "orphan": true,
- "period": int64(284400),
- "token_period": int64(284400),
- "allowed_policies": []string{"test3"},
- "disallowed_policies": []string{},
- "path_suffix": "happenin",
- "token_explicit_max_ttl": int64(288000),
- "explicit_max_ttl": int64(288000),
- "renewable": false,
- "token_type": "default-service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": true,
+ "period": int64(284400),
+ "token_period": int64(284400),
+ "allowed_policies": []string{"test3"},
+ "disallowed_policies": []string{},
+ "path_suffix": "happenin",
+ "token_explicit_max_ttl": int64(288000),
+ "explicit_max_ttl": int64(288000),
+ "renewable": false,
+ "token_type": "default-service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": true,
 }
 if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3264,10 +3266,6 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 delete(resp.Data, "token_bound_cidrs")
- if resp.Data["token_no_default_policy"].(bool) != true {
- t.Fatal("unexpected no_default_policy config")
- }
- delete(resp.Data, "token_no_default_policy")
 if diff := deep.Equal(expected, resp.Data); diff != nil {
 t.Fatal(diff)
 }
@@ -3295,18 +3293,19 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 expected = map[string]interface{}{
- "name": "test",
- "orphan": true,
- "explicit_max_ttl": int64(5),
- "token_explicit_max_ttl": int64(5),
- "allowed_policies": []string{"test3"},
- "disallowed_policies": []string{},
- "path_suffix": "happenin",
- "period": int64(0),
- "token_period": int64(0),
- "renewable": false,
- "token_type": "default-service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": true,
+ "explicit_max_ttl": int64(5),
+ "token_explicit_max_ttl": int64(5),
+ "allowed_policies": []string{"test3"},
+ "disallowed_policies": []string{},
+ "path_suffix": "happenin",
+ "period": int64(0),
+ "token_period": int64(0),
+ "renewable": false,
+ "token_type": "default-service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": true,
 }
 if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
@@ -3318,11 +3317,6 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 delete(resp.Data, "token_bound_cidrs")
- if resp.Data["token_no_default_policy"].(bool) != true {
- t.Fatal("unexpected no_default_policy config")
- }
- delete(resp.Data, "token_no_default_policy")
-
 if diff := deep.Equal(expected, resp.Data); diff != nil {
 t.Fatal(diff)
 }
@@ -3351,18 +3345,19 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 }
 expected = map[string]interface{}{
- "name": "test",
- "orphan": true,
- "token_explicit_max_ttl": int64(5),
- "explicit_max_ttl": int64(5),
- "allowed_policies": []string{"test3"},
- "disallowed_policies": []string{},
- "path_suffix": "",
- "period": int64(0),
- "token_period": int64(0),
- "renewable": false,
- "token_type": "default-service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": true,
+ "token_explicit_max_ttl": int64(5),
+ "explicit_max_ttl": int64(5),
+ "allowed_policies": []string{"test3"},
+ "disallowed_policies": []string{},
+ "path_suffix": "",
+ "period": int64(0),
+ "token_period": int64(0),
+ "renewable": false,
+ "token_type": "default-service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if diff := deep.Equal(expected, resp.Data); diff != nil {
From a7f1d4cf5fad5c31073f0b3cf1b56e037c80bcb1 Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay
Date: Mon, 20 Sep 2021 14:55:11 -0700
Subject: [PATCH 4/5] Fix broken test
---
 vault/token_store_test.go | 100 ++++++++++++++++++++------------------
 1 file changed, 52 insertions(+), 48 deletions(-)
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 34c7c569d84cc..51b9aa8485022 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -4156,18 +4156,19 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 }
 expected := map[string]interface{}{
- "name": "test",
- "orphan": false,
- "period": int64(1),
- "token_period": int64(1),
- "allowed_policies": []string(nil),
- "disallowed_policies": []string(nil),
- "path_suffix": "",
- "token_explicit_max_ttl": int64(3600),
- "explicit_max_ttl": int64(3600),
- "renewable": false,
- "token_type": "batch",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": false,
+ "period": int64(1),
+ "token_period": int64(1),
+ "allowed_policies": []string(nil),
+ "disallowed_policies": []string(nil),
+ "path_suffix": "",
+ "token_explicit_max_ttl": int64(3600),
+ "explicit_max_ttl": int64(3600),
+ "renewable": false,
+ "token_type": "batch",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@@ -4209,18 +4210,19 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 }
 expected := map[string]interface{}{
- "name": "test",
- "orphan": false,
- "period": int64(5),
- "token_period": int64(5),
- "allowed_policies": []string(nil),
- "disallowed_policies": []string(nil),
- "path_suffix": "",
- "token_explicit_max_ttl": int64(7200),
- "explicit_max_ttl": int64(7200),
- "renewable": false,
- "token_type": "default-service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": false,
+ "period": int64(5),
+ "token_period": int64(5),
+ "allowed_policies": []string(nil),
+ "disallowed_policies": []string(nil),
+ "path_suffix": "",
+ "token_explicit_max_ttl": int64(7200),
+ "explicit_max_ttl": int64(7200),
+ "renewable": false,
+ "token_type": "default-service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
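Review bot: All four `expected` maps in TestTokenStore_RoleTokenFields (this hunk, the -4209 hunk on the same line, and the -4261 and -4315 hunks on the next patch line) pin only `"token_no_default_policy": false`, the zero value, so a regression in which the read handler reported a constant `false` regardless of the stored role would still pass here; the `true` path is exercised only once, in TestTokenStore_RoleCRUD from patch 3. Consider setting `"token_no_default_policy": true` on one of these roles (the `batch` token_type case in this hunk would be a natural pick) and expecting `true`, so the read is verified for a non-default token type too. Each enclosing subtest begins before its hunk, so the request literal to change is outside the visible lines.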
@@ -4261,18 +4263,19 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 }
 expected := map[string]interface{}{
- "name": "test",
- "orphan": false,
- "period": int64(0),
- "token_period": int64(7),
- "allowed_policies": []string(nil),
- "disallowed_policies": []string(nil),
- "path_suffix": "",
- "token_explicit_max_ttl": int64(5200),
- "explicit_max_ttl": int64(0),
- "renewable": false,
- "token_type": "default-service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": false,
+ "period": int64(0),
+ "token_period": int64(7),
+ "allowed_policies": []string(nil),
+ "disallowed_policies": []string(nil),
+ "path_suffix": "",
+ "token_explicit_max_ttl": int64(5200),
+ "explicit_max_ttl": int64(0),
+ "renewable": false,
+ "token_type": "default-service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
@@ -4315,18 +4318,19 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
 }
 expected := map[string]interface{}{
- "name": "test",
- "orphan": false,
- "period": int64(0),
- "token_period": int64(5),
- "allowed_policies": []string(nil),
- "disallowed_policies": []string(nil),
- "path_suffix": "",
- "token_explicit_max_ttl": int64(7200),
- "explicit_max_ttl": int64(0),
- "renewable": false,
- "token_type": "service",
- "allowed_entity_aliases": []string(nil),
+ "name": "test",
+ "orphan": false,
+ "period": int64(0),
+ "token_period": int64(5),
+ "allowed_policies": []string(nil),
+ "disallowed_policies": []string(nil),
+ "path_suffix": "",
+ "token_explicit_max_ttl": int64(7200),
+ "explicit_max_ttl": int64(0),
+ "renewable": false,
+ "token_type": "service",
+ "allowed_entity_aliases": []string(nil),
+ "token_no_default_policy": false,
 }
 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
From 7746d07263dd2354ce93e10bfc89f3071cec394a Mon Sep 17 00:00:00 2001
From: Pratyoy Mukhopadhyay
Date: Tue, 21 Sep 2021 09:16:49 -0700
Subject: [PATCH 5/5] Update role read response in docs
---
 website/content/api-docs/auth/token.mdx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/website/content/api-docs/auth/token.mdx b/website/content/api-docs/auth/token.mdx
index 8bee69c6be3cc..ae3f5201c02ef 100644
--- a/website/content/api-docs/auth/token.mdx
+++ b/website/content/api-docs/auth/token.mdx
@@ -636,6 +636,7 @@ $ curl \
 "period": 0,
 "renewable": true,
 "token_explicit_max_ttl": 0,
+ "token_no_default_policy": false,
 "token_period": 0,
 "token_type": "default-service"
 },