agent/caching: simplify orphan check; add orphan token creation tests (#6322)

2026-05-05 12:26:34 +02:00 · 2019-03-01 17:57:25 -08:00 · 2019-03-01 17:57:25 -08:00 · 39b8acb915
commit 39b8acb915
parent 12b51ff859
2 changed files with 107 additions and 5 deletions
--- a/command/agent/cache/cache_test.go
+++ b/command/agent/cache/cache_test.go
@ -1194,3 +1194,107 @@ func testCachingCacheClearCommon(t *testing.T, clearType string) {
 		t.Fatalf("expected entry to be nil, got: %v", idx)
 	}
 }
+
+func TestCache_AuthTokenCreateOrphan(t *testing.T) {
+	t.Run("create", func(t *testing.T) {
+		t.Run("managed", func(t *testing.T) {
+			cleanup, _, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+			defer cleanup()
+
+			reqOpts := &api.TokenCreateRequest{
+				Policies: []string{"default"},
+				NoParent: true,
+			}
+			resp, err := testClient.Auth().Token().Create(reqOpts)
+			if err != nil {
+				t.Fatal(err)
+			}
+			token := resp.Auth.ClientToken
+
+			idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if idx == nil {
+				t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+			}
+		})
+
+		t.Run("non-managed", func(t *testing.T) {
+			cleanup, clusterClient, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+			defer cleanup()
+
+			reqOpts := &api.TokenCreateRequest{
+				Policies: []string{"default"},
+				NoParent: true,
+			}
+
+			// Use the test client but set the token to one that's not managed by agent
+			testClient.SetToken(clusterClient.Token())
+
+			resp, err := testClient.Auth().Token().Create(reqOpts)
+			if err != nil {
+				t.Fatal(err)
+			}
+			token := resp.Auth.ClientToken
+
+			idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if idx == nil {
+				t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+			}
+		})
+	})
+
+	t.Run("create-orphan", func(t *testing.T) {
+		t.Run("managed", func(t *testing.T) {
+			cleanup, _, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+			defer cleanup()
+
+			reqOpts := &api.TokenCreateRequest{
+				Policies: []string{"default"},
+			}
+			resp, err := testClient.Auth().Token().CreateOrphan(reqOpts)
+			if err != nil {
+				t.Fatal(err)
+			}
+			token := resp.Auth.ClientToken
+
+			idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if idx == nil {
+				t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+			}
+		})
+
+		t.Run("non-managed", func(t *testing.T) {
+			cleanup, clusterClient, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+			defer cleanup()
+
+			reqOpts := &api.TokenCreateRequest{
+				Policies: []string{"default"},
+			}
+
+			// Use the test client but set the token to one that's not managed by agent
+			testClient.SetToken(clusterClient.Token())
+
+			resp, err := testClient.Auth().Token().CreateOrphan(reqOpts)
+			if err != nil {
+				t.Fatal(err)
+			}
+			token := resp.Auth.ClientToken
+
+			idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if idx == nil {
+				t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+			}
+		})
+	})
+}
--- a/command/agent/cache/lease_cache.go
+++ b/command/agent/cache/lease_cache.go
@ -230,13 +230,11 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,

 	case secret.Auth != nil:
 		c.logger.Debug("processing auth response", "path", req.Request.URL.Path, "method", req.Request.Method)
-		isNonOrphanNewToken := strings.HasPrefix(req.Request.URL.Path, vaultPathTokenCreate) && resp.Response.StatusCode == http.StatusOK && !secret.Auth.Orphan

-		// If the new token is a result of token creation endpoints (not from
-		// login endpoints), and if its a non-orphan, then the new token's
-		// context should be derived from the context of the parent token.
+		// Check if this token creation request resulted in a non-orphan token, and if so
+		// correctly set the parentCtx to the request's token context.
 		var parentCtx context.Context
-		if isNonOrphanNewToken {
+		if !secret.Auth.Orphan {
 			entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
 			if err != nil {
 				return nil, err