fix an edge case bug that "identity_policies" is nil (#17007)

* check if "identity_policies" is nil to fix cli vault login error * add changelog * skip add identity_policies to resp when there's no identity_policies associated in token's namespace This is an edge case, when an entity has identity_policies associated in other namespaces but no identity_policies in this token's namespace, `identityPolicies[out.NamespaceID]` is nil, client side doesn't handle nil which raises error. * update changelog --------- Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2024-05-29 03:34:59 +08:00
parent 476b0d57c9
commit 2a1775f45f
3 changed files with 11 additions and 2 deletions
--- a/api/secret.go
+++ b/api/secret.go
@@ -159,6 +159,10 @@ TOKEN_DONE:
 			goto DONE
 		}

+		if s.Data["identity_policies"] == nil {
+			goto DONE
+		}
+
 		sList, ok := s.Data["identity_policies"].([]string)
 		if ok {
 			identityPolicies = sList
--- a/changelog/17007.txt
+++ b/changelog/17007.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: fixes an edge case bug that "identity_policies" is nil and causes cli vault login error
+```
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -3435,8 +3435,10 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
 			return nil, err
 		}
 		if len(identityPolicies) != 0 {
-			resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
-			delete(identityPolicies, out.NamespaceID)
+			if _, ok := identityPolicies[out.NamespaceID]; ok {
+				resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
+				delete(identityPolicies, out.NamespaceID)
+			}
 			resp.Data["external_namespace_policies"] = identityPolicies
 		}
 	}