mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-24 08:01:07 +02:00
b7dff9777d
* wip * Work on the tuneable allowance and some bugs * Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response * Get rid of no longer needed operation * Phew, this wasn't necessary * Add auth error handling by the backend, and fix a bug with handleInvalidCredentials * Cleanup req/resp naming * Use the new form, and data * Discovered that tokens werent really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldnt * Add a few more checks in the delegated request handler for bad inputs - Protect the delegated handler from bad inputs from the backend such as an empty accessor, a path that isn't registered as a login request - Add similar protections for bad auth results as we do in the normal login request paths. Technically not 100% needed but if somehow the handleCancelableRequest doesn't use the handleLoginRequest code path we could get into trouble in the future - Add delegated-auth-accessors flag to the secrets tune command and api-docs * Unit tests and some small fixes * Remove transit preauth test, rely on unit tests * Cleanup and add a little more commentary in tests * Fix typos, add another failure use-case which we reference a disabled auth mount * PR Feedback - Use router to lookup mount instead of defining a new lookup method - Enforce auth table types and namespace when mount is found - Define a type alias for the handleInvalidCreds - Fix typos/grammar - Clean up globals in test * Additional PR feedback - Add test for delegated auth handler - Force batch token usage - Add a test to validate failures if a non-batch token is used - Check for Data member being nil in test cases * Update failure error message around requiring batch tokens * Trap MFA requests * Reword some error messages * Add test and fixes for delegated response wrapping * Move MFA test to dedicated mount - If the delegated auth tests were running in parallel, the MFA test case might influence the other tests, so move the MFA to a dedicated mount * PR feedback: use textproto.CanonicalMIMEHeaderKey - Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL and use textproto.CanonicalMIMEHeaderKey to format it within the delete call. - This protects the code around changes of the constant typing * PR feedback - Append Error to RequestDelegatedAuth - Force error interface impl through explicit nil var assignment on RequestDelegatedAuthError - Clean up test factory and leverage NewTestSoloCluster - Leverage newer maps.Clone as this is 1.16 only --------- Co-authored-by: Scott G. Miller <smiller@hashicorp.com>