Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[VAULT-3519] Return no_default_policy on token role read #12565

Merged
merged 6 commits into from Sep 21, 2021
Merged

[VAULT-3519] Return no_default_policy on token role read #12565

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0cb1995
[VAULT-3519] Return no_default_policy on token role read if set
pmmukh Sep 15, 2021
3b785d0
[VAULT-3519] Add changelog
pmmukh Sep 15, 2021
6e1ba28
[VAULT-3519] Always return token_no_default_policy on role read
pmmukh Sep 20, 2021
a7f1d4c
Fix broken test
pmmukh Sep 20, 2021
8e998bd
Merge branch 'main' into vault-3519-update-token-role-read
pmmukh Sep 21, 2021
7746d07
Update role read response in docs
pmmukh Sep 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/12565.txt
View file
Open in desktop
@@ -0,0 +1,3 @@
```release-note:improvement
core/token: Return the token_no_default_policy config on token role read if set
```
1 change: 1 addition & 0 deletions vault/token_store.go
View file
Open in desktop
Expand Up @@ -3223,6 +3223,7 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
"renewable": role.Renewable,
"token_type": role.TokenType.String(),
"allowed_entity_aliases": role.AllowedEntityAliases,
"token_no_default_policy": role.TokenNoDefaultPolicy,
},
}

Expand Down
26 changes: 18 additions & 8 deletions vault/token_store_test.go
View file
Open in desktop
Expand Up @@ -3194,6 +3194,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"token_type": "default-service",
"token_num_uses": 123,
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
Expand All @@ -3213,12 +3214,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
// automatically due to the existence check
req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{
"period": "79h",
"allowed_policies": "test3",
"path_suffix": "happenin",
"renewable": false,
"explicit_max_ttl": "80h",
"token_num_uses": 0,
"period": "79h",
"allowed_policies": "test3",
"path_suffix": "happenin",
"renewable": false,
"explicit_max_ttl": "80h",
"token_num_uses": 0,
"token_no_default_policy": true,
}

resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Expand Down Expand Up @@ -3256,6 +3258,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false,
"token_type": "default-service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": true,
}

if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
Expand Down Expand Up @@ -3308,6 +3311,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false,
"token_type": "default-service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": true,
}

if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
Expand All @@ -3326,8 +3330,9 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
// Update path_suffix and bound_cidrs with empty values
req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{
"path_suffix": "",
"bound_cidrs": []string{},
"path_suffix": "",
"bound_cidrs": []string{},
"token_no_default_policy": false,
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
Expand Down Expand Up @@ -3360,6 +3365,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
"renewable": false,
"token_type": "default-service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if diff := deep.Equal(expected, resp.Data); diff != nil {
Expand Down Expand Up @@ -4428,6 +4434,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false,
"token_type": "batch",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
Expand Down Expand Up @@ -4483,6 +4490,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false,
"token_type": "default-service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
Expand Down Expand Up @@ -4537,6 +4545,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false,
"token_type": "default-service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
Expand Down Expand Up @@ -4593,6 +4602,7 @@ func TestTokenStore_RoleTokenFields(t *testing.T) {
"renewable": false,
"token_type": "service",
"allowed_entity_aliases": []string(nil),
"token_no_default_policy": false,
}

if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
Expand Down
1 change: 1 addition & 0 deletions website/content/api-docs/auth/token.mdx
View file
Open in desktop
Expand Up @@ -636,6 +636,7 @@ $ curl \
"period": 0,
"renewable": true,
"token_explicit_max_ttl": 0,
"token_no_default_policy": false,
"token_period": 0,
"token_type": "default-service"
},
Expand Down