Copy fix(transit): prevent panic on restore with missing policy into main (#12206) (#12305)

* Copy https://github.com/hashicorp/vault/pull/31733 into main




* fix(transit): prevent panic on restore with missing policy

* test: add unit test for RestorePolicy nil policy validation

* changelog: add entry for transit restore panic fix

* Update changelog/31733.txt



---------

Co-authored-by: Abhishek Dadwal <dadwalabhishek10@gmail.com>
Co-authored-by: Abhishek Dadwal <73817744+Abhishek00810@users.noreply.github.com>
Co-authored-by: Steven Clark <steven@sclark.me>
Vault Automation 2026-02-11 15:58:00 -05:00 committed by GitHub
parent 5d265dd284
commit 15fca8246d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 24 additions and 0 deletions

changelog/31733.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Fix nil pointer panic when restoring malformed backup data.
```


@ -162,6 +162,11 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
return err
}
// Validate that the policy exists in the backup data
if keyData.Policy == nil {
return errors.New("backup data does not contain a valid policy")
}
// Set a different name if desired
if name != "" {
keyData.Policy.Name = name
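Review bot: The new `if keyData.Policy == nil` check guards only the top-level pointer of caller-supplied backup data; a blob that does carry a `policy` object but with its own required sub-fields absent would pass this check, and whether later code in RestorePolicy dereferences those safely cannot be seen from this hunk, since the function starts and ends outside it — worth confirming against the rest of the body. Because the restore input is untrusted, the comment on the check should say how far the validation goes, e.g. `// Minimal structural check on the decoded backup: only the presence of the policy is verified here.` The added line uses `errors.New`, so the file's import block must already bring in `errors`; that is not visible in this hunk.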


@ -6,6 +6,7 @@ package keysutil
import (
"context"
"crypto/rand"
"encoding/base64"
"testing"
"github.com/hashicorp/vault/sdk/logical"
@ -98,3 +99,18 @@ func TestImportPolicy(t *testing.T) {
})
}
}
func TestRestorePolicy_NilPolicy(t *testing.T) {
lm, err := NewLockManager(false, 0)
require.NoError(t, err)
ctx := context.Background()
storage := &logical.InmemStorage{}
// Create backup data without "policy" field (causes nil Policy)
invalidBackup := base64.StdEncoding.EncodeToString([]byte(`{"archived_keys": null}`))
err = lm.RestorePolicy(ctx, storage, "test-key", invalidBackup, false)
require.Error(t, err)
require.Contains(t, err.Error(), "backup data does not contain a valid policy")
}
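Review bot: TestRestorePolicy_NilPolicy covers only the case where the `policy` key is absent from the JSON; an explicit `{"policy": null, "archived_keys": null}` also decodes to a nil Policy and is the other malformed shape the fix must reject, so a second input in the same test would pin both. The assertion on `err.Error()` containing the message string is brittle; if the fix exported a sentinel such as `var ErrBackupMissingPolicy = errors.New("backup data does not contain a valid policy")`, the test could use `require.ErrorIs(t, err, ErrBackupMissingPolicy)` instead. The `require` package used here is not added by the import hunk above, so it is presumably already imported elsewhere in the file.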