From 3b927d41f3c5ac4c42d7a4323d60a7ddc56bde65 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Sat, 2 Dec 2017 14:10:23 -0500
Subject: [PATCH] allowed/disallowed_policies as TypeCommaStringSlice

Our docs apparently claim that this is a list, but the code is string-only. This fixes that discrepancy.
---
 CHANGELOG.md | 10 ++++++++++
 vault/token_store.go | 18 ++++++++----------
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a4cd4217758..7b572a3310e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,17 @@
 ## 0.9.1 (Unreleased)
 
+DEPRECATIONS/CHANGES:
+
+ * Token Auth Backend Roles parameter types: For `allowed_policies` and
+ `disallowed_policies` in role definitions in the token auth backend, input
+ can now be a comma-separated string or an array of strings. Reading a role
+ will now return arrays for these parameters.
+
 IMPROVEMENTS:
 
+ * auth/token: `allowed_policies` and `disallowed_policies` can now be
+ specified as a comma-separated string or an array of strings
+
 BUG FIXES:
 
 * database/mysql: Allow the creation statement to use commands that are not
diff --git a/vault/token_store.go b/vault/token_store.go
index b72fba6fad4c..d989393711c8 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -178,14 +178,12 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 },
 
 "allowed_policies": &framework.FieldSchema{
- Type: framework.TypeString,
- Default: "",
+ Type: framework.TypeCommaStringSlice,
 Description: tokenAllowedPoliciesHelp,
 },
 
 "disallowed_policies": &framework.FieldSchema{
- Type: framework.TypeString,
- Default: "",
+ Type: framework.TypeCommaStringSlice,
 Description: tokenDisallowedPoliciesHelp,
 },
 
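Review bot: The help constants `tokenAllowedPoliciesHelp` and `tokenDisallowedPoliciesHelp` referenced on the Description lines are defined outside this hunk and are not touched by the commit; if they still describe the parameter as a comma-separated string, they should now say that either a comma-separated string or a list of strings is accepted, so the API help agrees with the new framework.TypeCommaStringSlice type and with the CHANGELOG entry. A one-line comment above each schema entry, such as `// Accepts a comma-separated string or a list of strings; sanitized in tokenStoreRoleCreateUpdate.`, would also tell the next reader why the explicit Default was dropped. NewTokenStore continues on both sides of the hunk.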
@@ -2465,18 +2463,18 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(
 return logical.ErrorResponse(fmt.Sprintf("error registering path suffix: %s", consts.ErrPathContainsParentReferences)), nil
 }
 
- allowedPoliciesStr, ok := data.GetOk("allowed_policies")
+ allowedPoliciesRaw, ok := data.GetOk("allowed_policies")
 if ok {
- entry.AllowedPolicies = policyutil.SanitizePolicies(strings.Split(allowedPoliciesStr.(string), ","), policyutil.DoNotAddDefaultPolicy)
+ entry.AllowedPolicies = policyutil.SanitizePolicies(allowedPoliciesRaw.([]string), policyutil.DoNotAddDefaultPolicy)
 } else if req.Operation == logical.CreateOperation {
- entry.AllowedPolicies = policyutil.SanitizePolicies(strings.Split(data.Get("allowed_policies").(string), ","), policyutil.DoNotAddDefaultPolicy)
+ entry.AllowedPolicies = policyutil.SanitizePolicies(data.Get("allowed_policies").([]string), policyutil.DoNotAddDefaultPolicy)
 }
 
- disallowedPoliciesStr, ok := data.GetOk("disallowed_policies")
+ disallowedPoliciesRaw, ok := data.GetOk("disallowed_policies")
 if ok {
- entry.DisallowedPolicies = strutil.ParseDedupLowercaseAndSortStrings(disallowedPoliciesStr.(string), ",")
+ entry.DisallowedPolicies = strutil.RemoveDuplicates(disallowedPoliciesRaw.([]string), true)
 } else if req.Operation == logical.CreateOperation {
- entry.DisallowedPolicies = strutil.ParseDedupLowercaseAndSortStrings(data.Get("disallowed_policies").(string), ",")
+ entry.DisallowedPolicies = strutil.RemoveDuplicates(data.Get("disallowed_policies").([]string), true)
 }
 
 // Store it
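Review bot: Each of the four rewritten assignments uses a single-value type assertion (`allowedPoliciesRaw.([]string)`, `data.Get("allowed_policies").([]string)` and the two disallowed_policies counterparts), so anything other than a []string coming back from the field layer would panic inside the role write handler instead of producing an error response. The framework presumably always yields a []string for a framework.TypeCommaStringSlice field, including an empty slice rather than nil when the parameter is absent on create now that the schema hunk no longer carries an explicit Default, but that is worth confirming against the field code rather than relying on it silently. A two-value form such as `allowedPolicies, ok := allowedPoliciesRaw.([]string)` followed by `return logical.ErrorResponse("allowed_policies must be a list of strings"), nil` on !ok costs two lines per site and keeps a malformed request from taking the handler down. Because allowed_policies and disallowed_policies bound which policies a role may issue, a test exercising both the comma-separated string and the array form of each field would pin the new parsing, including the lowercasing and de-duplication that strutil.RemoveDuplicates and policyutil.SanitizePolicies are now expected to provide. tokenStoreRoleCreateUpdate begins and ends outside the hunk.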