From 21ecd7d12ad04a3ec65948335836625a5898b7bb Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Date: Wed, 4 Aug 2021 11:53:40 -0700
Subject: [PATCH] Backport 1.8.1: identity: allow creating a role with a non-existent key (#12251) (#12257)
* identity: allow creating a role with a non-existent key (#12251)
* identity: allow creating a role with a non-existent key
* remove whitespace
* add changelog
* changelog: remove 12251 entry (#12256)
Co-authored-by: John-Michael Faircloth
---
 vault/identity_store_oidc.go | 8 +++----
 vault/identity_store_oidc_test.go | 35 +++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
index 9aa940a669ed9..bc865d15a610b 100644
--- a/vault/identity_store_oidc.go
+++ b/vault/identity_store_oidc.go
@@ -989,7 +989,7 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 role.TokenTTL = time.Duration(d.Get("ttl").(int)) * time.Second
 }
- // get the key referenced by this role
+ // get the key referenced by this role if it exists
 var key namedKey
 entry, err := req.Storage.Get(ctx, namedKeyConfigPath+role.Key)
 if err != nil {
@@ -999,10 +999,10 @@ func (i *IdentityStore) pathOIDCCreateUpdateRole(ctx context.Context, req *logic
 if err := entry.DecodeJSON(&key); err != nil {
 return nil, err
 }
- }
- if role.TokenTTL > key.VerificationTTL {
- return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
+ if role.TokenTTL > key.VerificationTTL {
+ return logical.ErrorResponse("a role's token ttl cannot be longer than the verification_ttl of the key it references"), nil
+ }
 }
 if clientID, ok := d.GetOk("client_id"); ok {
diff --git a/vault/identity_store_oidc_test.go b/vault/identity_store_oidc_test.go
index a334393ca352b..2f039e7ff0a3d 100644
--- a/vault/identity_store_oidc_test.go
+++ b/vault/identity_store_oidc_test.go
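Review bot: Moving the `role.TokenTTL > key.VerificationTTL` check into the branch that (judging by the DecodeJSON call) only runs when the key entry was found means a role whose key does not exist yet is persisted with no TTL validation at all, so the invariant the error message describes now depends on the key create/update path re-checking every role that already references the key; that path is outside this hunk and I can't confirm from the patch that it does. If it does not, a key created afterwards with a verification_ttl shorter than the role's ttl leaves exactly the state this error message exists to prevent. The deferred check deserves a comment where the branch closes, e.g. `// key not stored yet: the ttl/verification_ttl check is re-run when the key is written`, so a later reader does not reinstate the old unconditional check, or silently assume it still happens here. pathOIDCCreateUpdateRole starts and ends outside the hunk; the first hunk only reworded the comment and shares this point.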
@@ -113,6 +113,41 @@ func TestOIDC_Path_OIDCRoleRole(t *testing.T) {
 }
 }
+// TestOIDC_Path_OIDCRole_NoKey tests that a role can be created with a non-existent key
+func TestOIDC_Path_OIDCRole_NoKey(t *testing.T) {
+ c, _, _ := TestCoreUnsealed(t)
+ ctx := namespace.RootContext(nil)
+ storage := &logical.InmemStorage{}
+
+ // Create a test role "test-role1" with a non-existent key -- should succeed
+ resp, err := c.identityStore.HandleRequest(ctx, &logical.Request{
+ Path: "oidc/role/test-role1",
+ Operation: logical.CreateOperation,
+ Data: map[string]interface{}{
+ "key": "test-key",
+ },
+ Storage: storage,
+ })
+ expectSuccess(t, resp, err)
+
+ // Read "test-role1" and validate
+ resp, err = c.identityStore.HandleRequest(ctx, &logical.Request{
+ Path: "oidc/role/test-role1",
+ Operation: logical.ReadOperation,
+ Storage: storage,
+ })
+ expectSuccess(t, resp, err)
+ expected := map[string]interface{}{
+ "key": "test-key",
+ "ttl": int64(86400),
+ "template": "",
+ "client_id": resp.Data["client_id"],
+ }
+ if diff := deep.Equal(expected, resp.Data); diff != nil {
+ t.Fatal(diff)
+ }
+}
+
 // TestOIDC_Path_OIDCRole_InvalidTokenTTL tests the TokenTTL validation
 func TestOIDC_Path_OIDCRole_InvalidTokenTTL(t *testing.T) {
 c, _, _ := TestCoreUnsealed(t)
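Review bot: The `"client_id": resp.Data["client_id"]` entry in `expected` compares the read response against itself, so that field passes even when the role comes back with an empty or missing client_id; an explicit check such as `if id, _ := resp.Data["client_id"].(string); id == "" { t.Fatal("expected a generated client_id") }` before the deep.Equal would pin it. The test also stops at creation: it never writes `test-key` afterwards, so it does not document what happens to a role already holding ttl 86400 once its key arrives with a shorter verification_ttl, which is precisely the state the relaxed check in identity_store_oidc.go now allows to arise. A follow-on step that writes the key through the key endpoint with a small verification_ttl and asserts the intended outcome would cover that; whether the intended outcome is an error or an accepted key I can't tell from this patch, and that choice is worth recording in the test's doc comment.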