Backport 1.8.1: identity: allow creating a role with a non-existent k…

…ey (#12251) (#12257) * identity: allow creating a role with a non-existent key (#12251) * identity: allow creating a role with a non-existent key * remove whitespace * add changelog * changelog: remove 12251 entry (#12256) Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
hashicorp · Aug 4, 2021 · 21ecd7d · 21ecd7d
1 parent d4269f3
commit 21ecd7d
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -989,7 +989,7 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 		role.TokenTTL = time.Duration(d.Get("ttl").(int)) * time.Second
 	}
 
-	// get the key referenced by this role
+	// get the key referenced by this role if it exists
 	var key namedKey
 	entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
 	if err != nil {
@@ -999,10 +999,10 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 		if err := entry.DecodeJSON(&key); err != nil {
 			return nil, err
 		}
-	}
 
-	if role.TokenTTL > key.VerificationTTL {
-		return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
+		if role.TokenTTL > key.VerificationTTL {
+			return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
+		}
 	}
 
 	if clientID, ok := d.GetOk("client_id"); ok {

diff --git a/vault/identity_store_oidc_test.go b/vault/identity_store_oidc_test.go
@@ -113,6 +113,41 @@ func TestOIDC_Path_OIDCRoleRole(t *testing.T) {
 	}
 }
 
+// TestOIDC_Path_OIDCRole_NoKey tests that a role can be created with a non-existent key
+func TestOIDC_Path_OIDCRole_NoKey(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(nil)
+	storage := &logical.InmemStorage{}
+
+	// Create a test role "test-role1" with a non-existent key -- should succeed
+	resp, err := c.identityStore.HandleRequest(ctx, &logical.Request{
+		Path:      "oidc/role/test-role1",
+		Operation: logical.CreateOperation,
+		Data: map[string]interface{}{
+			"key": "test-key",
+		},
+		Storage: storage,
+	})
+	expectSuccess(t, resp, err)
+
+	// Read "test-role1" and validate
+	resp, err = c.identityStore.HandleRequest(ctx, &logical.Request{
+		Path:      "oidc/role/test-role1",
+		Operation: logical.ReadOperation,
+		Storage:   storage,
+	})
+	expectSuccess(t, resp, err)
+	expected := map[string]interface{}{
+		"key":       "test-key",
+		"ttl":       int64(86400),
+		"template":  "",
+		"client_id": resp.Data["client_id"],
+	}
+	if diff := deep.Equal(expected, resp.Data); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
 // TestOIDC_Path_OIDCRole_InvalidTokenTTL tests the TokenTTL validation
 func TestOIDC_Path_OIDCRole_InvalidTokenTTL(t *testing.T) {
 	c, _, _ := TestCoreUnsealed(t)