From bd8da3ad0f98b8baaf00db560a51a3052853f4a8 Mon Sep 17 00:00:00 2001 From: Vault Automation Date: Mon, 11 May 2026 12:04:12 -0600 Subject: [PATCH] Resolve some code-alerts, and add particular tests. (#14689) (#14704) Co-authored-by: Kit Haines --- builtin/logical/pki/backend_test.go | 20 ++++++++++++++++++++ vault/request_handling.go | 5 ++++- vault/request_handling_test.go | 16 ++++++++++++++++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index b9ebe416d3..c881c64712 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -50,6 +50,7 @@ import ( logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" "github.com/hashicorp/vault/helper/testhelpers/teststorage" vaulthttp "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/certutil" "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/testhelpers/schema" @@ -8324,3 +8325,22 @@ func TestBackend_IDNWithWildcards_AltNames(t *testing.T) { func stringSliceContainsAny(sl []string, substr string) bool { return slices.ContainsFunc(sl, func(s string) bool { return strings.Contains(s, substr) }) } + +func nilFunction(ctx context.Context, req *logical.Request, data *framework.FieldData, role *issuing.RoleEntry) (*logical.Response, error) { + return nil, nil +} + +// TestBackend_MetricsWrapManagesNilResp validates that when wrapping a function that returns nil, nil (no error, no +// response), we pass on the lack of error and lack of response (and don't panic). +func TestBackend_MetricsWrapManagesNilResp(t *testing.T) { + t.Parallel() + b, s := CreateBackendWithStorage(t) + + req := &logical.Request{Storage: s} + fieldData := &framework.FieldData{Schema: map[string]*framework.FieldSchema{}, Raw: map[string]interface{}{}} + + wrappedFunc := b.metricsWrap("huh", roleOptional, nilFunction) + resp, err := wrappedFunc(context.Background(), req, fieldData) + require.NoError(t, err) + require.Nil(t, resp) +} diff --git a/vault/request_handling.go b/vault/request_handling.go index a96d5d3d68..e5d27c9f75 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -922,7 +922,10 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request } // We don't care if the token is a server side consistent token or not. Either way, we're going // to be returning it for these paths instead of the short token stored in vault. - requestBodyToken = token.(string) + requestBodyToken, ok = token.(string) + if !ok { + return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied + } if IsSSCToken(token.(string)) && !IsEnterpriseToken(token.(string)) { token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby) // If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index 55362fd69d..fe74be094e 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -1024,3 +1024,19 @@ func TestRequestHandling_fetchACLTokenEntryAndEntity_NonExpiring_RootIgnoresCIDR require.NotNil(t, te) require.Equal(t, time.Duration(0), te.TTL) } + +// TestRequestHandling_handleCancelableTestNumericToken tests that if a token +// that is passed in, is somehow a number rather than a string (not currently +// possible), then the handling will error, not panic. +func TestRequestHandling_handleCancelableTestNumericToken(t *testing.T) { + core, _, _ := TestCoreUnsealed(t) + ctx := namespace.RootContext(context.Background()) + + data := map[string]interface{}{"token": 5} + req := &logical.Request{Data: data, Path: "auth/token/lookup"} + + resp, err := core.handleCancelableRequest(ctx, req) + require.True(t, resp != nil && err != nil) + require.ErrorContains(t, err, logical.ErrPermissionDenied.Error()) + require.ErrorContains(t, resp.Error(), "invalid token") +}