Merge pull request #1253 from notnoop/b-ignore-vault-read-kv2-err

Read paths unmodified if KVv2 status check fails
hashicorp · Aug 9, 2019 · 1bdf012 · 1bdf012
2 parents 0d999b3 + f5549c6
commit 1bdf012
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 4 deletions.
diff --git a/dependency/vault_read.go b/dependency/vault_read.go
@@ -147,10 +147,10 @@ func (d *VaultReadQuery) readSecret(clients *ClientSet, opts *QueryOptions) (*ap
 	if d.isKVv2 == nil {
 		mountPath, isKVv2, err := isKVv2(vaultClient, d.rawPath)
 		if err != nil {
-			return nil, errors.Wrap(err, d.String())
-		}
-
-		if isKVv2 {
+			log.Printf("[WARN] %s: failed to check if %s is KVv2, assume not: %s", d, d.rawPath, err)
+			isKVv2 = false
+			d.secretPath = d.rawPath
+		} else if isKVv2 {
 			d.secretPath = addPrefixToVKVPath(d.rawPath, mountPath, "data")
 		} else {
 			d.secretPath = d.rawPath

diff --git a/dependency/vault_read_test.go b/dependency/vault_read_test.go
@@ -460,6 +460,68 @@ func TestVaultReadQuery_Fetch_PKI_Anonymous(t *testing.T) {
 	}
 }
 
+// TestVaultReadQuery_Fetch_NonSecrets asserts that vault.read can fetch a
+// non-secret
+func TestVaultReadQuery_Fetch_NonSecrets(t *testing.T) {
+	t.Parallel()
+
+	var err error
+
+	clients := testClients
+
+	vc := clients.Vault()
+
+	err = vc.Sys().EnableAuth("approle", "approle", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = vc.Logical().Write("auth/approle/role/my-approle", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// create restricted token
+	_, err = vc.Logical().Write("sys/policies/acl/operator",
+		map[string]interface{}{
+			"policy": `path "auth/approle/role/my-approle/role-id" { capabilities = ["read"] }`,
+		})
+	secret, err := vc.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"operator"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	anonClient := NewClientSet()
+	anonClient.CreateVaultClient(&CreateVaultClientInput{
+		Address: vaultAddr,
+		Token:   secret.Auth.ClientToken,
+	})
+	_, err = anonClient.vault.client.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	d, err := NewVaultReadQuery("auth/approle/role/my-approle/role-id")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	act, _, err := d.Fetch(anonClient, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sec, ok := act.(*Secret)
+	if !ok {
+		t.Fatalf("expected secret but found %v", reflect.TypeOf(act))
+	}
+	if _, ok := sec.Data["role_id"]; !ok {
+		t.Fatalf("expected to find role_id but found: %v", sec.Data)
+	}
+}
+
 func TestVaultReadQuery_String(t *testing.T) {
 	t.Parallel()