mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-28 14:11:10 +01:00
Code Issues Projects Releases Wiki Activity

Ensure at least one constraint on the role

Browse Source
This commit is contained in:
vishalnayak 2016-09-13 16:03:15 -04:00
parent 5ea177e468
commit 166d67c0a8
3 changed files with 65 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
builtin/credential/approle/path_role.go
View File

@ -524,6 +524,22 @@ func (b *backend) pathRoleSecretIDList(req *logical.Request, data *framework.Fie
// setRoleEntry grabs a write lock and stores the options on an role into the storage. // setRoleEntry grabs a write lock and stores the options on an role into the storage.
// Also creates a reverse index from the role's RoleID to the role itself. // Also creates a reverse index from the role's RoleID to the role itself.
func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleStorageEntry, previousRoleID string) error { func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleStorageEntry, previousRoleID string) error {
if roleName == "" {
return fmt.Errorf("missing role name")
}
if role == nil {
return fmt.Errorf("nil role")
}
// At least one constraint should be enabled on the role
switch {
case role.BindSecretID:
case role.BoundCIDRList != "":
default:
return fmt.Errorf("at least one constraint should be enabled on the role")
}
// Create a storage entry for the role // Create a storage entry for the role
entry, err := logical.StorageEntryJSON("role/"+strings.ToLower(roleName), role) entry, err := logical.StorageEntryJSON("role/"+strings.ToLower(roleName), role)
if err != nil { if err != nil {

45
builtin/credential/approle/path_role_test.go
View File

@ -10,6 +10,51 @@ import (
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
) )
func TestAppRole_RoleConstraints(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
roleData := map[string]interface{}{
"role_id": "role-id-123",
"policies": "a,b",
}
roleReq := &logical.Request{
Operation: logical.CreateOperation,
Path: "role/testrole1",
Storage: storage,
Data: roleData,
}
// Set bind_secret_id, which is enabled by default
resp, err = b.HandleRequest(roleReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
// Set bound_cidr_list alone by explicitly disabling bind_secret_id
roleReq.Operation = logical.UpdateOperation
roleData["bind_secret_id"] = false
roleData["bound_cidr_list"] = "0.0.0.0/0"
resp, err = b.HandleRequest(roleReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
// Remove both constraints
roleReq.Operation = logical.UpdateOperation
roleData["bound_cidr_list"] = ""
roleData["bind_secret_id"] = false
resp, err = b.HandleRequest(roleReq)
if resp != nil && resp.IsError() {
t.Fatalf("resp:%#v", err, resp)
}
if err == nil {
t.Fatalf("expected an error")
}
}
func TestAppRole_RoleIDUniqueness(t *testing.T) { func TestAppRole_RoleIDUniqueness(t *testing.T) {
var resp *logical.Response var resp *logical.Response
var err error var err error

6
website/source/docs/auth/approle.html.md
View File

@ -211,8 +211,10 @@ $ curl -XPOST "http://127.0.0.1:8200/v1/auth/approle/login" -d '{"role_id":"50be
<dl class="api"> <dl class="api">
<dt>Description</dt> <dt>Description</dt>
<dd> <dd>
Create a new AppRole or update an existing AppRole. This endpoint Creates a new AppRole or updates an existing AppRole. This endpoint
supports both `create` and `update` capabilities. supports both `create` and `update` capabilities. There can be one or more
constraints enabled on the role. It is required to have at least one of them
enabled while creating or updating a role.
</dd> </dd>
<dt>Method</dt> <dt>Method</dt>