Merge remote-tracking branch 'remotes/from/ce/main'

2026-05-12 08:06:59 +02:00 · 2026-05-11 18:33:07 +00:00 · 2026-05-11 18:33:07 +00:00 · 3bbbe5bf23
commit 3bbbe5bf23
parent bf388881c0 bd8da3ad0f
3 changed files with 40 additions and 1 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@ -50,6 +50,7 @@ import (
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
 	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
 	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
@ -8324,3 +8325,22 @@ func TestBackend_IDNWithWildcards_AltNames(t *testing.T) {
 func stringSliceContainsAny(sl []string, substr string) bool {
 	return slices.ContainsFunc(sl, func(s string) bool { return strings.Contains(s, substr) })
 }
+
+func nilFunction(ctx context.Context, req *logical.Request, data *framework.FieldData, role *issuing.RoleEntry) (*logical.Response, error) {
+	return nil, nil
+}
+
+// TestBackend_MetricsWrapManagesNilResp validates that when wrapping a function that returns nil, nil (no error, no
+// response), we pass on the lack of error and lack of response (and don't panic).
+func TestBackend_MetricsWrapManagesNilResp(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	req := &logical.Request{Storage: s}
+	fieldData := &framework.FieldData{Schema: map[string]*framework.FieldSchema{}, Raw: map[string]interface{}{}}
+
+	wrappedFunc := b.metricsWrap("huh", roleOptional, nilFunction)
+	resp, err := wrappedFunc(context.Background(), req, fieldData)
+	require.NoError(t, err)
+	require.Nil(t, resp)
+}
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -922,7 +922,10 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 			}
 			// We don't care if the token is a server side consistent token or not. Either way, we're going
 			// to be returning it for these paths instead of the short token stored in vault.
-			requestBodyToken = token.(string)
+			requestBodyToken, ok = token.(string)
+			if !ok {
+				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
+			}
 			if IsSSCToken(token.(string)) && !IsEnterpriseToken(token.(string)) {
 				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
 				// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
--- a/vault/request_handling_test.go
+++ b/vault/request_handling_test.go
@ -1024,3 +1024,19 @@ func TestRequestHandling_fetchACLTokenEntryAndEntity_NonExpiring_RootIgnoresCIDR
 	require.NotNil(t, te)
 	require.Equal(t, time.Duration(0), te.TTL)
 }
+
+// TestRequestHandling_handleCancelableTestNumericToken tests that if a token
+// that is passed in, is somehow a number rather than a string (not currently
+// possible), then the handling will error, not panic.
+func TestRequestHandling_handleCancelableTestNumericToken(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	data := map[string]interface{}{"token": 5}
+	req := &logical.Request{Data: data, Path: "auth/token/lookup"}
+
+	resp, err := core.handleCancelableRequest(ctx, req)
+	require.True(t, resp != nil && err != nil)
+	require.ErrorContains(t, err, logical.ErrPermissionDenied.Error())
+	require.ErrorContains(t, resp.Error(), "invalid token")
+}