From 5d8e55d902ae23715cef94cf84d9c6c84648d483 Mon Sep 17 00:00:00 2001
From: rerorero
Date: Fri, 28 May 2021 04:05:20 +0900
Subject: [PATCH] Fix: Transit encrypt batch does not honor key_version (#11628)

* fix(secret/transit): #10232 Transit encrypt batch does not honor key_version

* add changelog for 11628
---
 builtin/logical/transit/path_encrypt.go      | 9 +++++++++
 builtin/logical/transit/path_encrypt_test.go | 6 ++++++
 changelog/11628.txt                          | 3 +++
 3 files changed, 18 insertions(+)
 create mode 100644 changelog/11628.txt

diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
index 7bd23b5b463d..d59269ecdf28 100644
--- a/builtin/logical/transit/path_encrypt.go
+++ b/builtin/logical/transit/path_encrypt.go
@@ -3,6 +3,7 @@ package transit
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"reflect"
 
@@ -194,6 +195,14 @@ func decodeBatchRequestItems(src interface{}, dst *[]BatchRequestItem) error {
 			if !reflect.ValueOf(v).IsValid() {
 			} else if casted, ok := v.(int); ok {
 				(*dst)[i].KeyVersion = casted
+			} else if js, ok := v.(json.Number); ok {
+				// https://github.com/hashicorp/vault/issues/10232
+				// Because API server parses json request with UseNumber=true, logical.Request.Data can include json.Number for a number field.
+				if casted, err := js.Int64(); err == nil {
+					(*dst)[i].KeyVersion = int(casted)
+				} else {
+					errs.Errors = append(errs.Errors, fmt.Sprintf(`error decoding %T into [%d].key_version: strconv.ParseInt: parsing "%s": invalid syntax`, v, i, v))
+				}
 			} else {
 				errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].key_version' expected type 'int', got unconvertible type '%T'", i, item["key_version"]))
 			}
diff --git a/builtin/logical/transit/path_encrypt_test.go b/builtin/logical/transit/path_encrypt_test.go
index b81112f0e5d4..b6a772a0a6d9 100644
--- a/builtin/logical/transit/path_encrypt_test.go
+++ b/builtin/logical/transit/path_encrypt_test.go
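Review bot: The error branch added for `json.Number` discards the real `err` from `js.Int64()` and hard-codes `strconv.ParseInt: parsing "%s": invalid syntax`, so a key_version that is numerically valid but out of int64 range (which `ParseInt` reports as a range error) is misreported to the caller as a syntax error. Prefer `errs.Errors = append(errs.Errors, fmt.Sprintf("error decoding %T into [%d].key_version: %v", v, i, err))`, which stays accurate without mirroring strconv's wording by hand. Separately, `int(casted)` narrows the int64 silently; if 32-bit builds are supported, a large key_version would wrap rather than be rejected, so either bound-check `casted` before the conversion or parse with `strconv.Atoi(js.String())` to get the platform's native range error (that would need `strconv` in the import block, which this hunk does not show). The enclosing `decodeBatchRequestItems` starts before this hunk and continues after it, so I have not verified whether KeyVersion is range-validated downstream.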
@@ -2,6 +2,7 @@ package transit
 import (
 	"context"
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -634,6 +635,11 @@ func TestTransit_decodeBatchRequestItems(t *testing.T) {
 			src:  []interface{}{map[string]interface{}{"key_version": "666"}},
 			dest: []BatchRequestItem{},
 		},
+		{
+			name: "src_key_version_invalid-number-dest",
+			src:  []interface{}{map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "key_version": json.Number("1.1")}},
+			dest: []BatchRequestItem{},
+		},
 		{
 			name: "src_nonce-dest",
 			src:  []interface{}{map[string]interface{}{"nonce": "dGVzdGNvbnRleHQ="}},
diff --git a/changelog/11628.txt b/changelog/11628.txt
new file mode 100644
index 000000000000..335777e12cde
--- /dev/null
+++ b/changelog/11628.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secret: fix the bug where transit encrypt batch doesn't work with key_version
+```
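Review bot: The new table entry pins only the rejection path (`json.Number("1.1")` decodes to nothing), while the bug this commit fixes — a `json.Number` key_version not being honored — gets no positive case in this hunk, so removing the new branch again would still leave this test green unless such a case exists elsewhere in the table. Assuming `dest` is compared against the decoded items as for the neighbouring entries, add one like `{name: "src_key_version_json-number-dest", src: []interface{}{map[string]interface{}{"key_version": json.Number("2")}}, dest: []BatchRequestItem{{KeyVersion: 2}}},`. The table and the surrounding `TestTransit_decodeBatchRequestItems` extend outside the hunk, so I cannot see how the invalid entries assert their error; if the struct has an error-expectation field, the new entry should set it rather than rely on an empty `dest` alone.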