mirror of
https://github.com/hashicorp/vault.git
synced 2026-03-23 10:56:09 -04:00
2ef4c50221
* Add audit log entries for enterprise JWT token fields * Reduce enterprise token field comment detail - simplify enterprise token comments in sdk/logical/request.go - remove verbose wording about issuer/audience/authorization semantics * Fix TestAudit_JWT_DelegationToken permission denied error The test was failing with 'permission denied' when using a delegation token (JWT with act claim) to access cubbyhole. The root causes were: 1. RAR (Rich Authorization Request) check: The JWT contained 'authorization_details' constraints that only allowed access to 'secret/data/users/alice' and 'secret/data/config/general', but the test was attempting to access 'cubbyhole/test'. The RAR check in PerformRARCheck() was correctly denying this mismatch. 2. Missing entity policies for actor ACL: For delegation tokens, the actor's ACL is built solely from entity identity policies (not token policies like 'default'). Without explicit policies on the actor entity, the delegation ACL intersection check would fail. Fixes: - Removed 'authorization_details' from the test JWT since the test is about verifying audit log entries for delegation tokens, not RAR constraints - Added 'default' policy to both subject and actor entities to ensure both ACLs allow cubbyhole access for the delegation token intersection - Updated test assertions to match the simplified JWT (removed authorization_details verification) * Use require.NoError instead of t.Fatalf for error check * Add explicit checks for auth field presence before type assertion Adds separate checks to verify the 'auth' and 'metadata' fields exist in the map before attempting type assertion, preventing potential panics and improving test clarity. * test: tighten request metadata merge assertions * test: simplify enterprise metadata assertions * test: split enterprise metadata merge coverage * style: apply gofumpt to entry formatter tests * test: add godoc for enterprise token metadata test --------- Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| backend.go | ||
| backend_ce.go | ||
| backend_ce_test.go | ||
| backend_config.go | ||
| backend_config_ce.go | ||
| backend_file.go | ||
| backend_file_ce_test.go | ||
| backend_file_test.go | ||
| backend_noop.go | ||
| backend_socket.go | ||
| backend_socket_test.go | ||
| backend_syslog.go | ||
| backend_syslog_test.go | ||
| backend_test.go | ||
| broker.go | ||
| broker_ce.go | ||
| broker_test.go | ||
| entry_filter.go | ||
| entry_filter_test.go | ||
| entry_formatter.go | ||
| entry_formatter_ce.go | ||
| entry_formatter_ce_test.go | ||
| entry_formatter_config.go | ||
| entry_formatter_config_ce.go | ||
| entry_formatter_test.go | ||
| errors.go | ||
| errors_test.go | ||
| event.go | ||
| event_test.go | ||
| hashstructure.go | ||
| hashstructure_test.go | ||
| headers.go | ||
| headers_test.go | ||
| nodes.go | ||
| nodes_test.go | ||
| options.go | ||
| options_test.go | ||
| sink_metric_labeler.go | ||
| sink_metric_labeler_test.go | ||
| sink_metric_timer.go | ||
| sink_metric_timer_test.go | ||
| types.go | ||