From 06edc295d3c0f2e6884a93956d3b0430118de383 Mon Sep 17 00:00:00 2001
From: Howie Ludewig
Date: Fri, 1 Oct 2021 17:08:05 -0500
Subject: [PATCH 1/3] test: add test to verify Vault storage is updated

---
 .../aws/path_config_rotate_root_test.go | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/builtin/credential/aws/path_config_rotate_root_test.go b/builtin/credential/aws/path_config_rotate_root_test.go
index 7f585e47e177d..59361090f266b 100644
--- a/builtin/credential/aws/path_config_rotate_root_test.go
+++ b/builtin/credential/aws/path_config_rotate_root_test.go
@@ -3,13 +3,11 @@ package awsauth
 import (
 	"context"
 	"testing"
-	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	}
 
 	ctx := context.Background()
+	config := logical.TestBackendConfig()
+	logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
-	b, err := Factory(ctx, &logical.BackendConfig{
-		StorageView: storage,
-		Logger:      hclog.Default(),
-		System: &logical.StaticSystemView{
-			DefaultLeaseTTLVal: time.Hour,
-			MaxLeaseTTLVal:     time.Hour,
-		},
-	})
+	config.StorageView = storage
+
+	b, err := Backend(config)
+
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	if resp.Data["access_key"].(string) != "fizz2" {
 		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
 	}
+	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
+	if resp.Data["access_key"].(string) != newClientConf.AccessKey {
+		t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
+	}
 }
From b4fbc84907bed13546135e11d222a208a71ff0bb Mon Sep 17 00:00:00 2001
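Review bot: The bare `logical.TestBackendConfig()` call on the line after `config := logical.TestBackendConfig()` discards its result and does nothing; it looks like a leftover and should be dropped. The setup also switches from `Factory(...)` to `Backend(config)`; if `Backend` does not run the `Setup` step that `Factory` presumably performed (neither is visible here), any initialization the rotate-root handler depends on is skipped in this test, so that is worth confirming. The enclosing TestPathConfigRotateRoot starts before and continues after this hunk.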
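Review bot: The error from `b.nonLockedClientConfigEntry(ctx, req.Storage)` is assigned to `err` but never checked, so a failed storage read would surface as a nil-pointer panic on `newClientConf.AccessKey` instead of a test failure. The failure message on the next line also prints `clientConf.AccessKey` (presumably the config loaded before rotation, outside this hunk) rather than the value actually compared, `newClientConf.AccessKey`, and says "buzz2" while the preceding context line expects "fizz2", which makes a failure misleading. The added lines should check the error, guard against a nil entry, and report the compared values; the enclosing TestPathConfigRotateRoot starts before this hunk.
```go
	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
	if err != nil {
		t.Fatal(err)
	}
	if newClientConf == nil {
		t.Fatal("expected rotated client config to be saved to storage but got nil")
	}
	if got, want := newClientConf.AccessKey, resp.Data["access_key"].(string); got != want {
		t.Fatalf("expected new access key %q to be saved to storage but received %q", want, got)
	}
```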
From: Howie Ludewig
Date: Fri, 1 Oct 2021 17:14:13 -0500
Subject: [PATCH 2/3] bug: fix config/rotate-root to store new key

---
 builtin/credential/aws/path_config_rotate_root.go | 8 ++++----
 changelog/12214.txt | 3 +++
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 changelog/12214.txt

diff --git a/builtin/credential/aws/path_config_rotate_root.go b/builtin/credential/aws/path_config_rotate_root.go
index d5553632dd95e..125056234312b 100644
--- a/builtin/credential/aws/path_config_rotate_root.go
+++ b/builtin/credential/aws/path_config_rotate_root.go
@@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		}
 	}()
 
+	oldAccessKey := clientConf.AccessKey
+	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
+	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
+
 	// Now get ready to update storage, doing everything beforehand so we can minimize how long
 	// we need to hold onto the lock.
 	newEntry, err := b.configClientToEntry(clientConf)
@@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		return nil, errs
 	}
 
-	oldAccessKey := clientConf.AccessKey
-	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
-	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
-
 	// Someday we may want to allow the user to send a number of seconds to wait here
 	// before deleting the previous access key to allow work to complete. That would allow
 	// AWS, which is eventually consistent, to finish populating the new key in all places.
diff --git a/changelog/12214.txt b/changelog/12214.txt
new file mode 100644
index 0000000000000..b4a61a7deb8c8
--- /dev/null
+++ b/changelog/12214.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fix config/rotate-root to store new key
+```
From fcef44c9cb04c6af339612d0506ff62a0ee3f116 Mon Sep 17 00:00:00 2001
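Review bot: The moved assignment block needs a comment saying why it must precede `b.configClientToEntry(clientConf)`, because the ordering is the whole fix and nothing in the code marks it as load-bearing; suggest `// Swap the new credentials into clientConf before building the storage entry so the persisted config carries the rotated key; oldAccessKey is kept for the deletion of the previous key below.` From these lines on, clientConf holds the new secret in memory before the storage write has succeeded, so if that write fails the deferred cleanup (only its closing brace is visible here) presumably revokes the new AWS key; confirm clientConf is a fresh copy rather than a config shared with the running backend, otherwise the live client could be left pointing at a revoked key. `createAccessKeyRes.AccessKey.AccessKeyId` and `SecretAccessKey` are dereferenced without a nil check on these lines; if an earlier check guards them it is outside the hunk. pathConfigRotateRootUpdate starts before and continues after this hunk.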
From: Howie Ludewig
Date: Mon, 4 Oct 2021 10:59:22 -0500
Subject: [PATCH 3/3] choir: fix changelog name to match PR

---
 changelog/{12214.txt => 12715.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename changelog/{12214.txt => 12715.txt} (100%)

diff --git a/changelog/12214.txt b/changelog/12715.txt
similarity index 100%
rename from changelog/12214.txt
rename to changelog/12715.txt