From cb54688f59a9d3ed4bb6dd511f66639419c7ce64 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeff@hashicorp.com>
Date: Fri, 11 May 2018 11:58:12 -0400
Subject: [PATCH] Fix panic when running capabilities CLI command with multiple
 paths (#4553)

* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
---
 api/sys_capabilities.go            |  8 +++++++-
 command/token_capabilities.go      |  4 ++++
 command/token_capabilities_test.go | 17 +++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/api/sys_capabilities.go b/api/sys_capabilities.go
index 80f6218849..cbb3a72d7e 100644
--- a/api/sys_capabilities.go
+++ b/api/sys_capabilities.go
@@ -34,8 +34,14 @@ func (c *Sys) Capabilities(token, path string) ([]string, error) {
 		return nil, err
 	}
 
+	if result["capabilities"] == nil {
+		return nil, nil
+	}
 	var capabilities []string
-	capabilitiesRaw := result["capabilities"].([]interface{})
+	capabilitiesRaw, ok := result["capabilities"].([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("error interpreting returned capabilities")
+	}
 	for _, capability := range capabilitiesRaw {
 		capabilities = append(capabilities, capability.(string))
 	}
diff --git a/command/token_capabilities.go b/command/token_capabilities.go
index 68ec32af18..2c877a7133 100644
--- a/command/token_capabilities.go
+++ b/command/token_capabilities.go
@@ -93,6 +93,10 @@ func (c *TokenCapabilitiesCommand) Run(args []string) int {
 		c.UI.Error(fmt.Sprintf("Error listing capabilities: %s", err))
 		return 2
 	}
+	if capabilities == nil {
+		c.UI.Error(fmt.Sprintf("No capabilities found"))
+		return 1
+	}
 
 	switch Format(c.UI) {
 	case "table":
diff --git a/command/token_capabilities_test.go b/command/token_capabilities_test.go
index d529d33eec..874db49129 100644
--- a/command/token_capabilities_test.go
+++ b/command/token_capabilities_test.go
@@ -165,6 +165,23 @@ func TestTokenCapabilitiesCommand_Run(t *testing.T) {
 		}
 	})
 
+	t.Run("multiple_paths", func(t *testing.T) {
+		t.Parallel()
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		_, cmd := testTokenCapabilitiesCommand(t)
+		cmd.client = client
+
+		code := cmd.Run([]string{
+			"secret/foo,secret/bar",
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+	})
+
 	t.Run("no_tabs", func(t *testing.T) {
 		t.Parallel()