diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4928c47675..feb7532160 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,9 +12,6 @@ CHANGES:
 Vault's core; however, this can now be explicitly disabled with the new
 `token_no_default_policy` field.
 * auth/approle: `bound_cidr_list` is no longer returned when reading a role
- * auth/approle: `token_type` no longer allows `default-service` or
- `default-batch` to be set; they didn't really make sense anyways as that's
- only meant when mount-tuning to indicate what to do if `default` is chosen.
 
 FEATURES:
 
diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 14d42ed74b..e53a0fe8cc 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -886,6 +886,20 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 return logical.ErrorResponse(fmt.Sprintf("role name %q doesn't exist", roleName)), logical.ErrUnsupportedPath
 }
 
+ var resp *logical.Response
+
+ // Handle a backwards compat case
+ if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
+ switch tokenTypeRaw.(string) {
+ case "default-service":
+ data.Raw["token_type"] = "service"
+ resp.AddWarning("default-service has no useful meaning; adjusting to service")
+ case "default-batch":
+ data.Raw["token_type"] = "batch"
+ resp.AddWarning("default-batch has no useful meaning; adjusting to batch")
+ }
+ }
+
 if err := role.ParseTokenFields(req, data); err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
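Review bot: `resp` is declared as a nil `*logical.Response` and both `case` arms then call `resp.AddWarning(...)` on it, which dereferences nil and panics on any role write that carries a compat `token_type` value; the -967 hunk in the same function shows the established pattern, `resp = &logical.Response{}` before `AddWarning`, and that is what each arm needs here. The `tokenTypeRaw.(string)` assertion is also unchecked on request-supplied `data.Raw`, so a non-string value panics instead of reaching the normal field validation in `ParseTokenFields`; the comma-ok form lets such a value fall through to the existing error path. Both fixes are in the rewritten block below; `pathRoleCreateUpdate` starts and ends outside this hunk.
```go
	var resp *logical.Response

	// Handle a backwards compat case
	if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
		// data.Raw is request-supplied; a non-string value must not panic here,
		// it is left for ParseTokenFields to reject
		if tokenTypeStr, isStr := tokenTypeRaw.(string); isStr {
			switch tokenTypeStr {
			case "default-service":
				data.Raw["token_type"] = "service"
				resp = &logical.Response{}
				resp.AddWarning("default-service has no useful meaning; adjusting to service")
			case "default-batch":
				data.Raw["token_type"] = "batch"
				resp = &logical.Response{}
				resp.AddWarning("default-batch has no useful meaning; adjusting to batch")
			}
		}
	}
	// … unchanged: ParseTokenFields call …
```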
@@ -967,7 +981,6 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 return logical.ErrorResponse(fmt.Sprintf("period of %q is greater than the backend's maximum lease TTL of %q", role.Period.String(), b.System().MaxLeaseTTL().String())), nil
 }
 
- var resp *logical.Response
 if role.TokenMaxTTL > b.System().MaxLeaseTTL() {
 resp = &logical.Response{}
 resp.AddWarning("token_max_ttl is greater than the backend mount's maximum TTL value; issued tokens' max TTL value will be truncated")
diff --git a/vault/token_store.go b/vault/token_store.go
index 0cd0500018..8b3cc171bc 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1825,11 +1825,11 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 }
 
 var countAccessorList,
- countCubbyholeKeys,
- deletedCountAccessorEmptyToken,
- deletedCountAccessorInvalidToken,
- deletedCountInvalidTokenInAccessor,
- deletedCountInvalidCubbyholeKey int64
+ countCubbyholeKeys,
+ deletedCountAccessorEmptyToken,
+ deletedCountAccessorInvalidToken,
+ deletedCountInvalidTokenInAccessor,
+ deletedCountInvalidCubbyholeKey int64
 
 validCubbyholeKeys := make(map[string]bool)
 
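Review bot: With `var resp` moved up to the -886 block of the same function, the unconditional `resp = &logical.Response{}` kept here overwrites any response the token_type compat block already built, so its warning is silently dropped whenever `token_max_ttl` also exceeds the mount maximum. Guard the allocation instead: `if resp == nil { resp = &logical.Response{} }`. The same guard is needed at any later `resp = &logical.Response{}` in `pathRoleCreateUpdate`, which continues outside this hunk.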
@@ -3135,11 +3135,39 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(ctx context.Context, req *logic
 }
 }
 
+ // We handle token type a bit differently than tokenutil does so we need to
+ // cache and handle it after
+ var tokenTypeStr *string
+ if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
+ tokenTypeStr = new(string)
+ *tokenTypeStr = tokenTypeRaw.(string)
+ delete(data.Raw, "token_type")
+ }
+
 // Next parse token fields from the helper
 if err := entry.ParseTokenFields(req, data); err != nil {
 return logical.ErrorResponse(errwrap.Wrapf("error parsing role fields: {{err}}", err).Error()), nil
 }
 
+ tokenType := entry.TokenType
+ if tokenType == logical.TokenTypeDefault {
+ tokenType = logical.TokenTypeDefaultService
+ }
+ if tokenTypeStr != nil {
+ switch *tokenTypeStr {
+ case "service":
+ entry.TokenType = logical.TokenTypeService
+ case "batch":
+ entry.TokenType = logical.TokenTypeBatch
+ case "default-service":
+ entry.TokenType = logical.TokenTypeDefaultService
+ case "default-batch":
+ entry.TokenType = logical.TokenTypeDefaultBatch
+ default:
+ return logical.ErrorResponse(fmt.Sprintf("invalid 'token_type' value %q", *tokenTypeStr)), nil
+ }
+ }
+
 var resp *logical.Response
 
 // Now handle backwards compat. Prefer token_ fields over others if both
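Review bot: `*tokenTypeStr = tokenTypeRaw.(string)` is an unchecked assertion on request-supplied `data.Raw`, so a non-string `token_type` panics in the handler rather than producing the `invalid 'token_type' value` error that the switch's `default` arm returns for a bad string; use the comma-ok form and return that same error response when it fails. Separately, the `tokenType` local (with `TokenTypeDefault` mapped to `TokenTypeDefaultService`) is snapshotted before the switch writes `entry.TokenType`, so any later read of `tokenType` in this function — which continues outside the hunk and presumably exists, since an unused local would not compile — sees the pre-override value; assigning `tokenType` in each case and then `entry.TokenType = tokenType` keeps the two in step without changing the stored value when no override was given. Rewritten lines below.
```go
	var tokenTypeStr *string
	if tokenTypeRaw, ok := data.Raw["token_type"]; ok {
		// data.Raw is request-supplied; a non-string value is an input error, not a panic
		s, isStr := tokenTypeRaw.(string)
		if !isStr {
			return logical.ErrorResponse(fmt.Sprintf("invalid 'token_type' value %v", tokenTypeRaw)), nil
		}
		tokenTypeStr = &s
		delete(data.Raw, "token_type")
	}
	// … unchanged: ParseTokenFields call …
	tokenType := entry.TokenType
	if tokenType == logical.TokenTypeDefault {
		tokenType = logical.TokenTypeDefaultService
	}
	if tokenTypeStr != nil {
		switch *tokenTypeStr {
		case "service":
			tokenType = logical.TokenTypeService
		case "batch":
			tokenType = logical.TokenTypeBatch
		case "default-service":
			tokenType = logical.TokenTypeDefaultService
		case "default-batch":
			tokenType = logical.TokenTypeDefaultBatch
		default:
			return logical.ErrorResponse(fmt.Sprintf("invalid 'token_type' value %q", *tokenTypeStr)), nil
		}
		// an explicit override is the effective type; keep the stored entry and the local view identical
		entry.TokenType = tokenType
	}
```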