Skip to content

Commit

Permalink
Fix panic due to metadata being nil (#4719)
Browse files Browse the repository at this point in the history
* Fix panic due to metadata being nil

* added a nil check

* Added a test

* ensure metadata is never nil

* Remove unnecessary allocation

* revert back to early initialization
  • Loading branch information
vishalnayak authored Jun 11, 2018
1 parent 4a5b9c6 commit 0c83eae
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 1 deletion.
8 changes: 7 additions & 1 deletion builtin/credential/approle/path_login.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
return logical.ErrorResponse("invalid role ID"), nil
}

var metadata map[string]string
metadata := make(map[string]string)
if role.BindSecretID {
secretID := strings.TrimSpace(data.Get("secret_id").(string))
if secretID == "" {
Expand Down Expand Up @@ -261,6 +261,12 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
}
}

// For some reason, if metadata was set to nil while processing secret ID
// binding, ensure that it is initialized again to avoid a panic.
if metadata == nil {
metadata = make(map[string]string)
}

// Always include the role name, for later filtering
metadata["role_name"] = role.name

Expand Down
52 changes: 52 additions & 0 deletions builtin/credential/approle/path_login_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,58 @@ import (
"github.com/hashicorp/vault/logical"
)

func TestAppRole_BoundCIDRLogin(t *testing.T) {
var resp *logical.Response
var err error
b, s := createBackendWithStorage(t)

// Create a role with secret ID binding disabled and only bound cidr list
// enabled
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "role/testrole",
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"bind_secret_id": false,
"bound_cidr_list": []string{"127.0.0.1/8"},
},
Storage: s,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

// Read the role ID
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "role/testrole/role-id",
Operation: logical.ReadOperation,
Storage: s,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

roleID := resp.Data["role_id"]

// Fill in the connection information and login with just the role ID
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "login",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"role_id": roleID,
},
Storage: s,
Connection: &logical.Connection{RemoteAddr: "127.0.0.1"},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

// Login should pass
if resp.Auth == nil {
t.Fatalf("expected login to succeed")
}
}

func TestAppRole_RoleLogin(t *testing.T) {
var resp *logical.Response
var err error
Expand Down

0 comments on commit 0c83eae

Please sign in to comment.