Tokenutil: Perform num uses check earlier (#11647) (#11762)

* Perform num uses check earlier

* Add CL

* Ensure that login works

builtin/credential/approle/backend_test.go

@@ -5,10 +5,13 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
+	t.Helper()
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
 
@@ -26,6 +29,72 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) {
 	return b, config.StorageView
 }
 
+func TestAppRole_RoleServiceToBatchNumUses(t *testing.T) {
+	b, s := createBackendWithStorage(t)
+
+	requestFunc := func(operation logical.Operation, data map[string]interface{}) {
+		resp, err := b.HandleRequest(context.Background(), &logical.Request{
+			Path:      "role/testrole",
+			Operation: operation,
+			Storage:   s,
+			Data:      data,
+		})
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("bad: err: %#v\nresp: %#v", err, resp)
+		}
+	}
+
+	data := map[string]interface{}{
+		"bind_secret_id":     true,
+		"secret_id_num_uses": 0,
+		"secret_id_ttl":      "10m",
+		"token_policies":     "policy",
+		"token_ttl":          "5m",
+		"token_max_ttl":      "10m",
+		"token_num_uses":     2,
+		"token_type":         "default",
+	}
+	requestFunc(logical.CreateOperation, data)
+
+	data["token_num_uses"] = 0
+	data["token_type"] = "batch"
+	requestFunc(logical.UpdateOperation, data)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Path:      "role/testrole/role-id",
+		Operation: logical.ReadOperation,
+		Storage:   s,
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	roleID := resp.Data["role_id"]
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Path:      "role/testrole/secret-id",
+		Operation: logical.UpdateOperation,
+		Storage:   s,
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	secretID := resp.Data["secret_id"]
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Path:      "login",
+		Operation: logical.UpdateOperation,
+		Data: map[string]interface{}{
+			"role_id":   roleID,
+			"secret_id": secretID,
+		},
+		Storage: s,
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
+	}
+	require.NotNil(t, resp.Auth)
+}
+
 func TestAppRole_RoleNameCaseSensitivity(t *testing.T) {
 	testFunc := func(t *testing.T, roleName string) {
 		var resp *logical.Response

changelog/11647.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+tokenutil: Perform the num uses check before token type.
+```

sdk/helper/tokenutil/tokenutil.go

@@ -207,6 +207,13 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 		t.TokenType = tokenType
 	}
 
+	if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
+		t.TokenNumUses = tokenNumUses.(int)
+	}
+	if t.TokenNumUses < 0 {
+		return errors.New("'token_num_uses' cannot be negative")
+	}
+
 	if t.TokenType == logical.TokenTypeBatch || t.TokenType == logical.TokenTypeDefaultBatch {
 		if t.TokenPeriod != 0 {
 			return errors.New("'token_type' cannot be 'batch' or 'default_batch' when set to generate periodic tokens")
@@ -226,13 +233,6 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 		return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
 	}
 
-	if tokenNumUses, ok := d.GetOk("token_num_uses"); ok {
-		t.TokenNumUses = tokenNumUses.(int)
-	}
-	if t.TokenNumUses < 0 {
-		return errors.New("'token_num_uses' cannot be negative")
-	}
-
 	return nil
 }