Skip to content

Commit

Permalink
backport of commit 382d318 (hashicorp#20682)
Browse files Browse the repository at this point in the history
Co-authored-by: Marc Boudreau <marc.boudreau@hashicorp.com>
  • Loading branch information
hc-github-team-secure-vault-core and Marc Boudreau authored May 19, 2023
1 parent 5e0cc29 commit 191712e
Show file tree
Hide file tree
Showing 3 changed files with 213 additions and 2 deletions.
4 changes: 2 additions & 2 deletions api/secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -147,8 +147,8 @@ TOKEN_DONE:

// Identity policies
{
_, ok := s.Data["identity_policies"]
if !ok {
v, ok := s.Data["identity_policies"]
if !ok || v == nil {
goto DONE
}

Expand Down
208 changes: 208 additions & 0 deletions api/secret_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,208 @@
package api

import (
"testing"
)

func TestTokenPolicies(t *testing.T) {
var s *Secret

// Verify some of the short-circuit paths in the function
if policies, err := s.TokenPolicies(); policies != nil {
t.Errorf("policies was not nil, got %v", policies)
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

s = &Secret{}

if policies, err := s.TokenPolicies(); policies != nil {
t.Errorf("policies was not nil, got %v", policies)
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

s.Auth = &SecretAuth{}

if policies, err := s.TokenPolicies(); policies != nil {
t.Errorf("policies was not nil, got %v", policies)
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

s.Auth.Policies = []string{}

if policies, err := s.TokenPolicies(); policies != nil {
t.Errorf("policies was not nil, got %v", policies)
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

s.Auth.Policies = []string{"test"}

if policies, err := s.TokenPolicies(); policies == nil {
t.Error("policies was nil")
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

s.Auth = nil
s.Data = make(map[string]interface{})

if policies, err := s.TokenPolicies(); policies != nil {
t.Errorf("policies was not nil, got %v", policies)
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
}

// Verify that s.Data["policies"] are properly processed
{
policyList := make([]string, 0)
s.Data["policies"] = policyList

if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}

policyList = append(policyList, "policy1", "policy2")
s.Data["policies"] = policyList

if policies, err := s.TokenPolicies(); len(policyList) != 2 {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}
}

// Do it again but with an interface{} slice
{
s.Auth = nil
policyList := make([]interface{}, 0)
s.Data["policies"] = policyList

if policies, err := s.TokenPolicies(); len(policies) != len(policyList) {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}

policyItems := make([]interface{}, 2)
policyItems[0] = "policy1"
policyItems[1] = "policy2"

policyList = append(policyList, policyItems...)
s.Data["policies"] = policyList

if policies, err := s.TokenPolicies(); len(policies) != 2 {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}

s.Auth = nil
s.Data["policies"] = 7.0

if policies, err := s.TokenPolicies(); err == nil {
t.Error("err was nil")
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}

s.Auth = nil
s.Data["policies"] = []int{2, 3, 5, 8, 13}

if policies, err := s.TokenPolicies(); err == nil {
t.Error("err was nil")
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}
}

s.Auth = nil
s.Data["policies"] = nil

if policies, err := s.TokenPolicies(); err != nil {
t.Errorf("err was not nil, got %v", err)
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}

// Verify that logic that merges s.Data["policies"] and s.Data["identity_policies"] works
{
policyList := []string{"policy1", "policy2", "policy3"}
s.Data["policies"] = policyList[:1]
s.Data["identity_policies"] = "not_a_slice"
s.Auth = nil

if policies, err := s.TokenPolicies(); err == nil {
t.Error("err was nil")
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}

s.Data["identity_policies"] = policyList[1:]

if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}
}

// Do it again but with an interface{} slice
{
policyList := []interface{}{"policy1", "policy2", "policy3"}
s.Data["policies"] = policyList[:1]
s.Data["identity_policies"] = "not_a_slice"
s.Auth = nil

if policies, err := s.TokenPolicies(); err == nil {
t.Error("err was nil")
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}

s.Data["identity_policies"] = policyList[1:]

if policies, err := s.TokenPolicies(); len(policyList) != len(policies) {
t.Errorf("expecting policies length %d, got %d", len(policyList), len(policies))
} else if err != nil {
t.Errorf("err was not nil, got %v", err)
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}

s.Auth = nil
s.Data["identity_policies"] = []int{2, 3, 5, 8, 13}

if policies, err := s.TokenPolicies(); err == nil {
t.Error("err was nil")
} else if policies != nil {
t.Errorf("policies was not nil, got %v", policies)
}
}

s.Auth = nil
s.Data["policies"] = []string{"policy1"}
s.Data["identity_policies"] = nil

if policies, err := s.TokenPolicies(); err != nil {
t.Errorf("err was not nil, got %v", err)
} else if len(policies) != 1 {
t.Errorf("expecting policies length %d, got %d", 1, len(policies))
} else if s.Auth == nil {
t.Error("Auth field is still nil")
}
}
3 changes: 3 additions & 0 deletions changelog/20636.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
api: Properly Handle nil identity_policies in Secret Data
```

0 comments on commit 191712e

Please sign in to comment.