roles: Allow member_of_groups to be empty

jsok · jsok · commit 47775e0b18ed · 2019-06-10T10:01:37.000+10:00
Under the proviso that the username is set.
Subsequently set the token to be user-scoped.
diff --git a/path_roles.go b/path_roles.go
@@ -140,7 +140,12 @@ func (b *backend) pathRolesCreateUpdate(ctx context.Context, req *logical.Reques
 		role.MemberOfGroups = memberOfGroups.([]string)
 	}
 	if len(role.MemberOfGroups) == 0 {
-		return logical.ErrorResponse("member_of_groups cannot be empty"), nil
+		if role.Username == "" {
+			return logical.ErrorResponse("member_of_groups cannot be empty if no username supplied"), nil
+		}
+		// Assume user-scoped-token
+		// This will fail when creating tokens if the username is transient
+		role.MemberOfGroups = []string{"*"}
 	}
 
 	if tokenTTLRaw, ok := d.GetOk("ttl"); ok {
diff --git a/path_roles_test.go b/path_roles_test.go
@@ -30,6 +30,14 @@ func TestRole_Create(t *testing.T) {
 				"member_of_groups": "role1-group",
 			},
 		},
+		{
+			ExpectedToSucceed,
+			"role-without-groups",
+			map[string]interface{}{
+				"username":         "user",
+				"member_of_groups": "",
+			},
+		},
 		{
 			FailWithLogicalError,
 			"role-with-invalid-ttl",
@@ -41,10 +49,7 @@ func TestRole_Create(t *testing.T) {
 		{
 			FailWithLogicalError,
 			"role-without-groups",
-			map[string]interface{}{
-				"username":         "user",
-				"member_of_groups": "",
-			},
+			map[string]interface{}{},
 		},
 	}
 
@@ -63,6 +68,37 @@ func TestRole_Create(t *testing.T) {
 	}
 }
 
+func TestRole_Create_UserScoped(t *testing.T) {
+	b, storage := newBackend(t)
+
+	roleData := map[string]interface{}{"username": "user"}
+
+	req := &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "roles/test",
+		Storage:   storage,
+		Data:      roleData,
+	}
+	resp, err := b.HandleRequest(context.Background(), req)
+	assertLogicalResponse(t, ExpectedToSucceed, err, resp)
+
+	req = &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "roles/test",
+		Storage:   storage,
+	}
+	resp, err = b.HandleRequest(context.Background(), req)
+	assertLogicalResponse(t, ExpectedToSucceed, err, resp)
+
+	groups := resp.Data["member_of_groups"].([]string)
+	if len(groups) != 1 {
+		t.Fatalf("Expected exactly 1 group set on role, got: %v\n", groups)
+	}
+	if groups[0] != "*" {
+		t.Fatalf("Expected group '*', got: %v\n", groups)
+	}
+}
+
 func TestRole_Update(t *testing.T) {
 	b, storage := newBackend(t)
 

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,12 @@ func (b backend) pathRolesCreateUpdate(ctx context.Context, req logical.Reques`
`140`	`140`	`role.MemberOfGroups = memberOfGroups.([]string)`
`141`	`141`	`}`
`142`	`142`	`if len(role.MemberOfGroups) == 0 {`
`143`		`- return logical.ErrorResponse("member_of_groups cannot be empty"), nil`
	`143`	`+ if role.Username == "" {`
	`144`	`+ return logical.ErrorResponse("member_of_groups cannot be empty if no username supplied"), nil`
	`145`	`+ }`
	`146`	`+ // Assume user-scoped-token`
	`147`	`+ // This will fail when creating tokens if the username is transient`
	`148`	`+ role.MemberOfGroups = []string{"*"}`
`144`	`149`	`}`
`145`	`150`
`146`	`151`	`if tokenTTLRaw, ok := d.GetOk("ttl"); ok {`