vault: fix panic by checking for nil secret
Vault's RenewSelf(...) API may return (nil, nil). We failed to check if
secret was nil before attempting to use it.

RenewSelf:
https://github.com/hashicorp/vault/blob/e3eee5b4fb386418d10b6a248252ec6e2e05d980/api/auth_token.go#L138-L155

Calls ParseSecret:
https://github.com/hashicorp/vault/blob/e3eee5b4fb386418d10b6a248252ec6e2e05d980/api/secret.go#L309-L311

If anyone has an idea on how to test this I didn't see any options. We
use a real Vault service, so there's no opportunity to mock the
response.
schmichael committed Nov 20, 2018
1 parent a1d5f12 commit f5f5948
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions nomad/vault.go
Expand Up @@ -547,6 +547,11 @@ func (v *vaultClient) renew() error {
if err != nil {
return err
}
if secret == nil {
// It's possible for RenewSelf to return (nil, nil) if the
// response body from Vault is empty.
return fmt.Errorf("renewal failed: empty response from vault")
}

auth := secret.Auth
if auth == nil {
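Review bot: The new `secret == nil` branch in renew() lands without a test, and the commit message says the real Vault service used by the tests cannot be made to return an empty body. One way to cover it is to move the response checks (this `secret == nil` check and the `auth == nil` check that follows it) into a small helper that takes the *api.Secret and returns an error, so a unit test can pass nil directly without a Vault server. Separately, the comment gives an empty response body as the cause, but the error string says only "empty response from vault"; including that this came from the token self-renewal call would make the log line easier to act on.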