Copy fix(transit): prevent panic on restore with missing policy into main (#12206) (#12305)

* Copy https://github.com/hashicorp/vault/pull/31733 into main * fix(transit): prevent panic on restore with missing policy * test: add unit test for RestorePolicy nil policy validation * changelog: add entry for transit restore panic fix * Update changelog/31733.txt --------- Co-authored-by: Abhishek Dadwal <dadwalabhishek10@gmail.com> Co-authored-by: Abhishek Dadwal <73817744+Abhishek00810@users.noreply.github.com> Co-authored-by: Steven Clark <steven@sclark.me>
2026-02-18 18:38:08 -05:00 · 2026-02-11 15:58:00 -05:00 · 2026-02-11 15:58:00 -05:00 · 15fca8246d
commit 15fca8246d
parent 5d265dd284
3 changed files with 24 additions and 0 deletions
--- a/changelog/31733.txt
+++ b/changelog/31733.txt
@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix nil pointer panic when restoring malformed backup data.
+```
--- a/sdk/helper/keysutil/lock_manager.go
+++ b/sdk/helper/keysutil/lock_manager.go
@ -162,6 +162,11 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
 		return err
 	}

+	// Validate that the policy exists in the backup data
+	if keyData.Policy == nil {
+		return errors.New("backup data does not contain a valid policy")
+	}
+
 	// Set a different name if desired
 	if name != "" {
 		keyData.Policy.Name = name
--- a/sdk/helper/keysutil/lock_manager_test.go
+++ b/sdk/helper/keysutil/lock_manager_test.go
@ -6,6 +6,7 @@ package keysutil
 import (
 	"context"
 	"crypto/rand"
+	"encoding/base64"
 	"testing"

 	"github.com/hashicorp/vault/sdk/logical"
@ -98,3 +99,18 @@ func TestImportPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestRestorePolicy_NilPolicy(t *testing.T) {
+	lm, err := NewLockManager(false, 0)
+	require.NoError(t, err)
+
+	ctx := context.Background()
+	storage := &logical.InmemStorage{}
+
+	// Create backup data without "policy" field (causes nil Policy)
+	invalidBackup := base64.StdEncoding.EncodeToString([]byte(`{"archived_keys": null}`))
+
+	err = lm.RestorePolicy(ctx, storage, "test-key", invalidBackup, false)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "backup data does not contain a valid policy")
+}