Fix some compatibility (#7048)

CHANGELOG.md

@@ -12,9 +12,6 @@ CHANGES:
    Vault's core; however, this can now be explicitly disabled with the new
    `token_no_default_policy` field.
  * auth/approle: `bound_cidr_list` is no longer returned when reading a role
- * auth/approle: `token_type` no longer allows `default-service` or
-   `default-batch` to be set; they didn't really make sense anyways as that's
-   only meant when mount-tuning to indicate what to do if `default` is chosen.
  
  FEATURES:
 

builtin/credential/approle/path_role.go

@@ -886,6 +886,20 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 		return logical.ErrorResponse(fmt.Sprintf("role name %q doesn't exist", roleName)), logical.ErrUnsupportedPath
 	}
 
+	var resp *logical.Response
+
+	// Handle a backwards compat case
+	if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
+		switch tokenTypeRaw.(string) {
+		case "default-service":
+			data.Raw["token_type"] = "service"
+			resp.AddWarning("default-service has no useful meaning; adjusting to service")
+		case "default-batch":
+			data.Raw["token_type"] = "batch"
+			resp.AddWarning("default-batch has no useful meaning; adjusting to batch")
+		}
+	}
+
 	if err := role.ParseTokenFields(req, data); err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
@@ -967,7 +981,6 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 		return logical.ErrorResponse(fmt.Sprintf("period of %q is greater than the backend's maximum lease TTL of %q", role.Period.String(), b.System().MaxLeaseTTL().String())), nil
 	}
 
-	var resp *logical.Response
 	if role.TokenMaxTTL > b.System().MaxLeaseTTL() {
 		resp = &logical.Response{}
 		resp.AddWarning("token_max_ttl is greater than the backend mount's maximum TTL value; issued tokens' max TTL value will be truncated")

vault/token_store.go

@@ -1825,11 +1825,11 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 			}
 
 			var countAccessorList,
-			countCubbyholeKeys,
-			deletedCountAccessorEmptyToken,
-			deletedCountAccessorInvalidToken,
-			deletedCountInvalidTokenInAccessor,
-			deletedCountInvalidCubbyholeKey int64
+				countCubbyholeKeys,
+				deletedCountAccessorEmptyToken,
+				deletedCountAccessorInvalidToken,
+				deletedCountInvalidTokenInAccessor,
+				deletedCountInvalidCubbyholeKey int64
 
 			validCubbyholeKeys := make(map[string]bool)
 
@@ -3135,11 +3135,39 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(ctx context.Context, req *logic
 		}
 	}
 
+	// We handle token type a bit differently than tokenutil does so we need to
+	// cache and handle it after
+	var tokenTypeStr *string
+	if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
+		tokenTypeStr = new(string)
+		*tokenTypeStr = tokenTypeRaw.(string)
+		delete(data.Raw, "token_type")
+	}
+
 	// Next parse token fields from the helper
 	if err := entry.ParseTokenFields(req, data); err != nil {
 		return logical.ErrorResponse(errwrap.Wrapf("error parsing role fields: {{err}}", err).Error()), nil
 	}
 
+	tokenType := entry.TokenType
+	if tokenType == logical.TokenTypeDefault {
+		tokenType = logical.TokenTypeDefaultService
+	}
+	if tokenTypeStr != nil {
+		switch *tokenTypeStr {
+		case "service":
+			entry.TokenType = logical.TokenTypeService
+		case "batch":
+			entry.TokenType = logical.TokenTypeBatch
+		case "default-service":
+			entry.TokenType = logical.TokenTypeDefaultService
+		case "default-batch":
+			entry.TokenType = logical.TokenTypeDefaultBatch
+		default:
+			return logical.ErrorResponse(fmt.Sprintf("invalid 'token_type' value %q", *tokenTypeStr)), nil
+		}
+	}
+
 	var resp *logical.Response
 
 	// Now handle backwards compat. Prefer token_ fields over others if both