diff --git a/command/agent/cache/cache_test.go b/command/agent/cache/cache_test.go
index 6f1e7eff89..66586ad427 100644
--- a/command/agent/cache/cache_test.go
+++ b/command/agent/cache/cache_test.go
@@ -1194,3 +1194,107 @@ func testCachingCacheClearCommon(t *testing.T, clearType string) {
 t.Fatalf("expected entry to be nil, got: %v", idx)
 }
 }
+
+func TestCache_AuthTokenCreateOrphan(t *testing.T) {
+ t.Run("create", func(t *testing.T) {
+ t.Run("managed", func(t *testing.T) {
+ cleanup, _, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+ defer cleanup()
+
+ reqOpts := &api.TokenCreateRequest{
+ Policies: []string{"default"},
+ NoParent: true,
+ }
+ resp, err := testClient.Auth().Token().Create(reqOpts)
+ if err != nil {
+ t.Fatal(err)
+ }
+ token := resp.Auth.ClientToken
+
+ idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if idx == nil {
+ t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+ }
+ })
+
+ t.Run("non-managed", func(t *testing.T) {
+ cleanup, clusterClient, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+ defer cleanup()
+
+ reqOpts := &api.TokenCreateRequest{
+ Policies: []string{"default"},
+ NoParent: true,
+ }
+
+ // Use the test client but set the token to one that's not managed by agent
+ testClient.SetToken(clusterClient.Token())
+
+ resp, err := testClient.Auth().Token().Create(reqOpts)
+ if err != nil {
+ t.Fatal(err)
+ }
+ token := resp.Auth.ClientToken
+
+ idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if idx == nil {
+ t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+ }
+ })
+ })
+
+ t.Run("create-orphan", func(t *testing.T) {
+ t.Run("managed", func(t *testing.T) {
+ cleanup, _, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+ defer cleanup()
+
+ reqOpts := &api.TokenCreateRequest{
+ Policies: []string{"default"},
+ }
+ resp, err := testClient.Auth().Token().CreateOrphan(reqOpts)
+ if err != nil {
+ t.Fatal(err)
+ }
+ token := resp.Auth.ClientToken
+
+ idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if idx == nil {
+ t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+ }
+ })
+
+ t.Run("non-managed", func(t *testing.T) {
+ cleanup, clusterClient, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
+ defer cleanup()
+
+ reqOpts := &api.TokenCreateRequest{
+ Policies: []string{"default"},
+ }
+
+ // Use the test client but set the token to one that's not managed by agent
+ testClient.SetToken(clusterClient.Token())
+
+ resp, err := testClient.Auth().Token().CreateOrphan(reqOpts)
+ if err != nil {
+ t.Fatal(err)
+ }
+ token := resp.Auth.ClientToken
+
+ idx, err := leaseCache.db.Get(cachememdb.IndexNameToken, token)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if idx == nil {
+ t.Fatalf("expected entry to be non-nil, got: %#v", idx)
+ }
+ })
+ })
+}
diff --git a/command/agent/cache/lease_cache.go b/command/agent/cache/lease_cache.go
index 4f1310d65a..4aa34d1eb0 100644
--- a/command/agent/cache/lease_cache.go
+++ b/command/agent/cache/lease_cache.go
@@ -230,13 +230,11 @@ func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse,
 case secret.Auth != nil:
 c.logger.Debug("processing auth response", "path", req.Request.URL.Path, "method", req.Request.Method)
- isNonOrphanNewToken := strings.HasPrefix(req.Request.URL.Path, vaultPathTokenCreate) && resp.Response.StatusCode == http.StatusOK && !secret.Auth.Orphan
- // If the new token is a result of token creation endpoints (not from
- // login endpoints), and if its a non-orphan, then the new token's
- // context should be derived from the context of the parent token.
+ // Check if this token creation request resulted in a non-orphan token, and if so
+ // correctly set the parentCtx to the request's token context.
 var parentCtx context.Context
- if isNonOrphanNewToken {
+ if !secret.Auth.Orphan {
 entry, err := c.db.Get(cachememdb.IndexNameToken, req.Token)
 if err != nil {
 return nil, err
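Review bot: All four subtests of TestCache_AuthTokenCreateOrphan end with the same `if idx == nil` check, so they only prove that the new token was indexed; none asserts the property the test is named for, that an orphan token's cached entry is not tied to a parent, and the "create" subtests pass `NoParent: true`, which should also yield an orphan, so the `!secret.Auth.Orphan` branch the lease cache now takes (second hunk) is never exercised here. If the cachememdb index records the parent token (a field along the lines of `TokenParent`, to be confirmed against cachememdb), assert it is empty in these four cases and add a managed `Create` without `NoParent` that asserts it is populated, so a regression that derives an orphan's context from the caller's token would be caught. The four bodies are otherwise identical apart from the endpoint and the client token, so a table-driven loop would keep the setup and assertions in one place; the rewrite below leaves the error check, index lookup and nil check unchanged.
```go
func TestCache_AuthTokenCreateOrphan(t *testing.T) {
	cases := []struct {
		name    string
		orphan  bool // use the create-orphan endpoint instead of create with NoParent
		managed bool // send the request with the agent-managed token
	}{
		{"create-managed", false, true},
		{"create-non-managed", false, false},
		{"create-orphan-managed", true, true},
		{"create-orphan-non-managed", true, false},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			cleanup, clusterClient, testClient, leaseCache := setupClusterAndAgent(namespace.RootContext(nil), t, nil)
			defer cleanup()

			reqOpts := &api.TokenCreateRequest{
				Policies: []string{"default"},
				NoParent: !tc.orphan,
			}
			if !tc.managed {
				// Use the test client but set the token to one that's not managed by agent
				testClient.SetToken(clusterClient.Token())
			}
			create := testClient.Auth().Token().Create
			if tc.orphan {
				create = testClient.Auth().Token().CreateOrphan
			}
			resp, err := create(reqOpts)
			// … unchanged: error check, token extraction, index lookup and nil check …
		})
	}
}
```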