vault: ensure token renew does not double register

2026-05-05 12:26:34 +02:00 · 2015-06-17 15:22:50 -07:00 · 2015-06-17 15:22:50 -07:00 · 0bd806a586
commit 0bd806a586
parent d8f5235764
2 changed files with 52 additions and 2 deletions
--- a/vault/core.go
+++ b/vault/core.go
@ -413,8 +413,9 @@ func (c *Core) handleRequest(req *logical.Request) (*logical.Response, error) {
 	}

 	// Only the token store is allowed to return an auth block, for any
-	// other request this is an internal error
-	if resp != nil && resp.Auth != nil {
+	// other request this is an internal error. We exclude renewal of a token,
+	// since it does not need to be re-registered
+	if resp != nil && resp.Auth != nil && !strings.HasPrefix(req.Path, "auth/token/renew/") {
 		if !strings.HasPrefix(req.Path, "auth/token/") {
 			c.logger.Printf(
 				"[ERR] core: unexpected Auth response for non-token backend "+
--- a/vault/core_test.go
+++ b/vault/core_test.go
@ -1368,6 +1368,55 @@ func TestCore_RenewSameLease(t *testing.T) {
 	}
 }

+// Renew of a token should not create a new lease
+func TestCore_RenewToken_SingleRegister(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new token
+	req := &logical.Request{
+		Operation: logical.WriteOperation,
+		Path:      "auth/token/create",
+		Data: map[string]interface{}{
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	newClient := resp.Auth.ClientToken
+
+	// Renew the token
+	req = logical.TestRequest(t, logical.WriteOperation, "auth/token/renew/"+newClient)
+	req.ClientToken = newClient
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Revoke using the renew prefix
+	req = logical.TestRequest(t, logical.WriteOperation, "sys/revoke-prefix/auth/token/renew/")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify our token is still valid (e.g. we did not get invalided by the revoke)
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token/lookup/"+newClient)
+	req.ClientToken = newClient
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the token exists
+	if resp.Data["id"] != newClient {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
 // Based on bug GH-203, attempt to disable a credential backend with leased secrets
 func TestCore_EnableDisableCred_WithLease(t *testing.T) {
 	// Create a badass credential backend that always logs in as armon