From 2a1775f45f63ae485043375f71dc4d705ad256b5 Mon Sep 17 00:00:00 2001
From: Tianhao Guo
Date: Wed, 29 May 2024 03:34:59 +0800
Subject: [PATCH] fix an edge case bug that "identity_policies" is nil (#17007)

* check if "identity_policies" is nil to fix cli vault login error

* add changelog

* skip add identity_policies to resp when there's no identity_policies associated in token's namespace

This is an edge case, when an entity has identity_policies associated in other namespaces but no identity_policies in this token's namespace, `identityPolicies[out.NamespaceID]` is nil, client side doesn't handle nil which raises error.

* update changelog

---------

Co-authored-by: Violet Hynes
---
 api/secret.go        | 4 ++++
 changelog/17007.txt  | 3 +++
 vault/token_store.go | 6 ++++--
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 changelog/17007.txt

diff --git a/api/secret.go b/api/secret.go
index d37bf3cf06..7df9f66a4d 100644
--- a/api/secret.go
+++ b/api/secret.go
@@ -159,6 +159,10 @@ TOKEN_DONE:
 		goto DONE
 	}
 
+	if s.Data["identity_policies"] == nil {
+		goto DONE
+	}
+
 	sList, ok := s.Data["identity_policies"].([]string)
 	if ok {
 		identityPolicies = sList
diff --git a/changelog/17007.txt b/changelog/17007.txt
new file mode 100644
index 0000000000..6c2a2801b2
--- /dev/null
+++ b/changelog/17007.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: fixes an edge case bug that "identity_policies" is nil and causes cli vault login error
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index 7e4d5951bc..30d9170e20 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
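Review bot: The added nil guard in api/secret.go carries no comment explaining why a missing `identity_policies` key is now a legitimate outcome, and the `goto DONE` silently skips the identity-policy merge, so a reader of this function later will not know whether the skip is intentional; a one-line comment such as `// identity_policies is omitted when the token's namespace has none; treat it as no identity policies.` above the new `if` would record that. The `[]string` assertion on the next line already tolerates a nil value via `ok`, so the guard presumably matters because of the non-`ok` path that follows the hunk (the enclosing function continues outside it) — worth confirming that path is the one that produced the CLI error. Both an absent key and an explicit JSON null read back as nil from `s.Data`, so the guard covers the server-side omission in vault/token_store.go as well as any older server that still emits null.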
@@ -3435,8 +3435,10 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
 			return nil, err
 		}
 		if len(identityPolicies) != 0 {
-			resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
-			delete(identityPolicies, out.NamespaceID)
+			if _, ok := identityPolicies[out.NamespaceID]; ok {
+				resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
+				delete(identityPolicies, out.NamespaceID)
+			}
 			resp.Data["external_namespace_policies"] = identityPolicies
 		}
 	}
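Review bot: The new branch looks `identityPolicies[out.NamespaceID]` up twice, once in the `ok` test and again when assigning into `resp.Data`; binding the value in the `if` initializer reads more directly: `if pols, ok := identityPolicies[out.NamespaceID]; ok {` / `resp.Data["identity_policies"] = pols` / `delete(identityPolicies, out.NamespaceID)`. Omitting the key instead of emitting a null changes the lookup response shape, but a Go client reading `s.Data["identity_policies"]` sees nil in both the absent and JSON-null cases, so clients without the api/secret.go change should be no worse off than before. The remaining namespaces are still returned under `external_namespace_policies` exactly as before, so the effective-policy information is not lost, only relocated. handleLookup begins outside this hunk.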