Description
Describe the bug
Making a POST at `/auth/token/roles/{role_name}` with `token_type = null` results in no HTTP response and the following stacktrace:
```
2021-11-20T22:41:52.487+0200 [INFO] http: panic serving 127.0.0.1:51337: interface conversion: interface {} is nil, not string
goroutine 58 [running]:
net/http.(*conn).serve.func1()
	/Users/runner/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:1801 +0xb9
panic({0x50a5d80, 0xc0016008d0})
	/Users/runner/hostedtoolcache/go/1.17.2/x64/src/runtime/panic.go:1047 +0x266
github.com/hashicorp/vault/vault.(*TokenStore).tokenStoreRoleCreateUpdate(0xc000ad8c40, {0x6a43270, 0xc0015f1c20}, 0xc00104cd80, 0xc0015fa700)
	/Users/runner/work/vault/vault/vault/token_store.go:3351 +0x1fa5
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc000596d00, {0x6a43270, 0xc0015f1c20}, 0xc00104cd80)
	/Users/runner/work/vault/vault/sdk/framework/backend.go:278 +0x7ed
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc00098c2d0, {0x6a43270, 0xc0015f1c20}, 0xc00104cd80, 0x0)
	/Users/runner/work/vault/vault/vault/router.go:708 +0x15ec
github.com/hashicorp/vault/vault.(*Router).Route(...)
	/Users/runner/work/vault/vault/vault/router.go:505
github.com/hashicorp/vault/vault.(*Core).doRouting(0xc00081db00, {0x6a43270, 0xc0015f1c20}, 0xc000497570)
	/Users/runner/work/vault/vault/vault/request_handling.go:741 +0x2c
github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc000ade600, {0x6a43270, 0xc0015f1c20}, 0xc00104cd80)
	/Users/runner/work/vault/vault/vault/request_handling.go:917 +0x1192
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc000ade600, {0x6a43270, 0xc0015f1860}, 0xc00104cd80)
	/Users/runner/work/vault/vault/vault/request_handling.go:609 +0x1073
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc000ade600, {0x6a43270, 0xc0015f1680}, 0xc00104cd80, 0x0)
	/Users/runner/work/vault/vault/vault/request_handling.go:442 +0x4a5
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
```
To Reproduce
Steps to reproduce the behavior:
- Run a `curl` with the JSON below:
```json
{
  "bound_cidrs": [
    "999999999999",
    "999999999999"
  ],
  "period": 7,
  "token_num_uses": 3,
  "allowed_entity_aliases": [
    "AAAAAAAAAAAAAAAAAAAAAAAAA",
    "AAAAAAAAAAAAAAAAAAAAAAAAA"
  ],
  "token_explicit_max_ttl": 6,
  "path_suffix": "jjjjjjjjjjjjj",
  "token_period": 9,
  "orphan": true,
  "token_type": null,
  "explicit_max_ttl": 2,
  "token_no_default_policy": true,
  "disallowed_policies": [
    "rrrrrrrrrrrrrrrrrrrrr",
    "rrrrrrrrrrrrrrrrrrrrr"
  ],
  "allowed_policies": [
    "AAAAAAAAAAAAAAAA",
    "AAAAAAAAAAAAAAAA"
  ],
  "renewable": true,
  "token_bound_cidrs": [
    "444444444444444444",
    "444444444444444444"
  ]
}
```
Expected behavior
A proper HTTP response: 400 with some error details.
Environment:
- Vault Server Version (retrieve with `vault status`): 1.9.0
- Vault CLI Version (retrieve with `vault version`): Vault v1.9.0
- Server Operating System/Architecture: macOS Monterey 12.0.1
This was discovered while running a fuzzing tool I wrote for OpenAPI specs: https://github.com/Endava/cats. You can replay the test using:
Test6459.json.zip
```shell
./cats.jar replay --tests="Test6459.json"
```
This might have the same root cause as: #13225
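The panic message above ("interface {} is nil, not string") is what a single-value Go type assertion produces when a JSON `null` is decoded into a generic map and then asserted to `string`. The following is an added, stand-alone illustration, not Vault's code or the reporter's: it reproduces that pattern on a constructed request body and shows the two-value assertion that turns the same input into an error a handler can report as 400.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// unsafeTokenType mirrors the failing pattern: a single-value type assertion
// on an interface{} that is nil because the client sent JSON null. It panics
// with "interface conversion: interface {} is nil, not string".
func unsafeTokenType(body map[string]interface{}) string {
	return body["token_type"].(string)
}

// safeTokenType uses the two-value assertion so null or a non-string value
// becomes an error a handler can return as 400 instead of crashing.
func safeTokenType(body map[string]interface{}) (string, error) {
	raw, present := body["token_type"]
	if !present {
		return "", nil // absent field: caller applies its default
	}
	s, ok := raw.(string)
	if !ok {
		return "", fmt.Errorf("token_type must be a string, got %T", raw)
	}
	return s, nil
}

// panics reports whether unsafeTokenType crashes on body.
func panics(body map[string]interface{}) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	_ = unsafeTokenType(body)
	return false
}

// parseBody decodes a constructed request body into a generic map; JSON
// null is stored as a nil interface{} under a key that is still present.
func parseBody(s string) map[string]interface{} {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		panic(err) // constructed inputs are valid JSON
	}
	return m
}

func main() {
	body := parseBody(`{"orphan": true, "token_type": null}`) // constructed
	_, err := safeTokenType(body)
	fmt.Println("unsafe panics:", panics(body), "| safe error:", err)
}
```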