diff --git a/command/login_test.go b/command/login_test.go index fc3e18dbf7ad4..aefdd25851902 100644 --- a/command/login_test.go +++ b/command/login_test.go @@ -87,7 +87,7 @@ func TestLoginCommand_Run(t *testing.T) { t.Fatal(err) } - if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l != exp { + if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp { t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken) } }) diff --git a/helper/namespace/namespace.go b/helper/namespace/namespace.go index 6cdaed71ce0a7..045d2abe454d5 100644 --- a/helper/namespace/namespace.go +++ b/helper/namespace/namespace.go @@ -100,12 +100,12 @@ func SplitIDFromString(input string) (string, string) { slashIdx := strings.LastIndex(input, "/") switch { - case strings.HasPrefix(input, "b."): - prefix = "b." + case strings.HasPrefix(input, consts.LegacyBatchTokenPrefix): + prefix = consts.LegacyBatchTokenPrefix input = input[2:] - case strings.HasPrefix(input, "s."): - prefix = "s." + case strings.HasPrefix(input, consts.LegacyServiceTokenPrefix): + prefix = consts.LegacyServiceTokenPrefix input = input[2:] case strings.HasPrefix(input, consts.BatchTokenPrefix): prefix = consts.BatchTokenPrefix diff --git a/vault/core_test.go b/vault/core_test.go index fb0733946df13..b970b4c67fbbd 100644 --- a/vault/core_test.go +++ b/vault/core_test.go @@ -175,7 +175,10 @@ func TestCore_UseSSCTokenToggleOn(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(ctx, req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(ctx, req) if err != nil { t.Fatalf("err: %v", err) @@ -202,7 +205,7 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) { DisableSSCTokens: true, } c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) - if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, "s.") { + if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) { t.Fatalf("token is not an old token type: %s, %d", root, len(root)) } c.disableSSCTokens = false @@ -227,7 +230,10 @@ func TestCore_UseNonSSCTokenToggleOff(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(ctx, req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(ctx, req) if err != nil { t.Fatalf("err: %v", err) @@ -457,7 +463,10 @@ func TestCore_HandleRequest_Lease(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(ctx, req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(ctx, req) if err != nil { t.Fatalf("err: %v", err) @@ -500,7 +509,10 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(ctx, req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(ctx, req) if err != nil { t.Fatalf("err: %v", err) @@ -543,7 +555,10 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(ctx, req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(ctx, req) if err != nil { t.Fatalf("err: %v", err) @@ -1034,7 +1049,10 @@ func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) { ClientToken: root, } req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { t.Fatalf("err: %v", err) } @@ -2087,7 +2105,10 @@ func TestCore_RenewSameLease(t *testing.T) { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -2259,7 +2280,10 @@ path "secret/*" { // Read the key req.Operation = logical.ReadOperation req.Data = nil - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = c.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = c.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) diff --git a/vault/expiration_test.go b/vault/expiration_test.go index bfd3a4d034555..af82a34cf4233 100644 --- a/vault/expiration_test.go +++ b/vault/expiration_test.go @@ -2476,8 +2476,10 @@ func TestExpiration_RevokeForce(t *testing.T) { Path: "badrenew/creds", ClientToken: root, } - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) - + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err := core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatal(err) @@ -2525,8 +2527,10 @@ func TestExpiration_RevokeForceSingle(t *testing.T) { Path: "badrenew/creds", ClientToken: root, } - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) - + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err := core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatal(err) diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 0128399ff4879..4d8fa62ec374f 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -1013,7 +1013,10 @@ func TestSystemBackend_leases(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1060,7 +1063,10 @@ func TestSystemBackend_leases_list(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1109,7 +1115,10 @@ func TestSystemBackend_leases_list(t *testing.T) { // Generate multiple leases req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1120,7 +1129,10 @@ func TestSystemBackend_leases_list(t *testing.T) { req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1160,7 +1172,10 @@ func TestSystemBackend_leases_list(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/bar") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1208,7 +1223,10 @@ func TestSystemBackend_renew(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1245,7 +1263,10 @@ func TestSystemBackend_renew(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1374,7 +1395,10 @@ func TestSystemBackend_revoke(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1406,7 +1430,10 @@ func TestSystemBackend_revoke(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1429,7 +1456,10 @@ func TestSystemBackend_revoke(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1519,7 +1549,10 @@ func TestSystemBackend_revokePrefix(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) @@ -1568,7 +1601,10 @@ func TestSystemBackend_revokePrefix_origUrl(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index c4e22a565d557..cfdea525f7320 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -448,7 +448,10 @@ func TestRequestHandling_SecretLeaseMetric(t *testing.T) { // Read a key with a LeaseID req = logical.TestRequest(t, logical.ReadOperation, "secret/foo") req.ClientToken = root - req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) + err = core.PopulateTokenEntry(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %s", err) + } resp, err = core.HandleRequest(namespace.RootContext(nil), req) if err != nil { t.Fatalf("err: %v", err) diff --git a/vault/router.go b/vault/router.go index 98c805d680e74..a75167059bf60 100644 --- a/vault/router.go +++ b/vault/router.go @@ -603,7 +603,7 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc } switch { - case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, "s.") && + case te.NamespaceID == namespace.RootNamespaceID && !strings.HasPrefix(req.ClientToken, consts.LegacyServiceTokenPrefix) && !strings.HasPrefix(req.ClientToken, consts.ServiceTokenPrefix): // In order for the token store to revoke later, we need to have the same // salted ID, so we double-salt what's going to the cubbyhole backend diff --git a/vault/token_store.go b/vault/token_store.go index d3924afe38a69..b3308d73161c9 100644 --- a/vault/token_store.go +++ b/vault/token_store.go @@ -898,7 +898,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err switch { case strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix): return fmt.Errorf("custom token ID cannot have the 'hvs.' prefix") - case strings.HasPrefix(entry.ID, "s."): + case strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix): return fmt.Errorf("custom token ID cannot have the 's.' prefix") case strings.Contains(entry.ID, "."): return fmt.Errorf("custom token ID cannot have a '.' in the value") @@ -1260,7 +1260,7 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr } func (ts *TokenStore) stripBatchPrefix(id string) string { - if strings.HasPrefix(id, "b.") { + if strings.HasPrefix(id, consts.LegacyBatchTokenPrefix) { return id[2:] } if strings.HasPrefix(id, consts.BatchTokenPrefix) {