Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix panic due to metadata being nil #4719

Merged
merged 10 commits into from
Jun 11, 2018
8 changes: 7 additions & 1 deletion builtin/credential/approle/path_login.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
return logical.ErrorResponse("invalid role ID"), nil
}

var metadata map[string]string
metadata := make(map[string]string)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the secret id case, we unilaterally assign to metadata, which means we should still add a nil map check before writing in the role name in case that ever is (or might become with future revisions) nil.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret IDs constructor is initializing the map. So, it is unlikely that metadata is nil. But still, I've added a nil check before assigning the role_name.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we have the nil check below, allocating the map isn't strictly necessary but I'm good either way :)

if role.BindSecretID {
secretID := strings.TrimSpace(data.Get("secret_id").(string))
if secretID == "" {
Expand Down Expand Up @@ -261,6 +261,12 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
}
}

// For some reason, if metadata was set to nil while processing secret ID
// binding, ensure that it is initialized again to avoid a panic.
if metadata == nil {
metadata = make(map[string]string)
}

// Always include the role name, for later filtering
metadata["role_name"] = role.name

Expand Down
52 changes: 52 additions & 0 deletions builtin/credential/approle/path_login_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,58 @@ import (
"github.com/hashicorp/vault/logical"
)

func TestAppRole_BoundCIDRLogin(t *testing.T) {
var resp *logical.Response
var err error
b, s := createBackendWithStorage(t)

// Create a role with secret ID binding disabled and only bound cidr list
// enabled
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "role/testrole",
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"bind_secret_id": false,
"bound_cidr_list": []string{"127.0.0.1/8"},
},
Storage: s,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

// Read the role ID
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "role/testrole/role-id",
Operation: logical.ReadOperation,
Storage: s,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

roleID := resp.Data["role_id"]

// Fill in the connection information and login with just the role ID
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Path: "login",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"role_id": roleID,
},
Storage: s,
Connection: &logical.Connection{RemoteAddr: "127.0.0.1"},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}

// Login should pass
if resp.Auth == nil {
t.Fatalf("expected login to succeed")
}
}

func TestAppRole_RoleLogin(t *testing.T) {
var resp *logical.Response
var err error
Expand Down