Backport transit batch key_version fix to 1.7.x (#11718)

* Fix: Transit encrypt batch does not honor key_version (#11628) * fix(secret/transit): #10232 Transit encrypt batch does not honor key_version * add changelog for 11628 * Try a 5s request timeout * Pin aerospike container image to a known working tag. (#11677) Co-authored-by: rerorero <nato9598@hotmail.co.jp> Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
hashicorp · Jun 2, 2021 · b1dfed0 · b1dfed0
1 parent f51c97e
commit b1dfed0
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 3 deletions.
diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
@@ -3,6 +3,7 @@ package transit
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"reflect"
 
@@ -194,6 +195,14 @@ func decodeBatchRequestItems(src interface{}, dst *[]BatchRequestItem) error {
 			if !reflect.ValueOf(v).IsValid() {
 			} else if casted, ok := v.(int); ok {
 				(*dst)[i].KeyVersion = casted
+			} else if js, ok := v.(json.Number); ok {
+				// https://github.com/hashicorp/vault/issues/10232
+				// Because API server parses json request with UseNumber=true, logical.Request.Data can include json.Number for a number field.
+				if casted, err := js.Int64(); err == nil {
+					(*dst)[i].KeyVersion = int(casted)
+				} else {
+					errs.Errors = append(errs.Errors, fmt.Sprintf(`error decoding %T into [%d].key_version: strconv.ParseInt: parsing "%s": invalid syntax`, v, i, v))
+				}
 			} else {
 				errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].key_version' expected type 'int', got unconvertible type '%T'", i, item["key_version"]))
 			}

diff --git a/builtin/logical/transit/path_encrypt_test.go b/builtin/logical/transit/path_encrypt_test.go
@@ -2,6 +2,7 @@ package transit
 
 import (
 	"context"
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -634,6 +635,11 @@ func TestTransit_decodeBatchRequestItems(t *testing.T) {
 			src:  []interface{}{map[string]interface{}{"key_version": "666"}},
 			dest: []BatchRequestItem{},
 		},
+		{
+			name: "src_key_version_invalid-number-dest",
+			src:  []interface{}{map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "key_version": json.Number("1.1")}},
+			dest: []BatchRequestItem{},
+		},
 		{
 			name: "src_nonce-dest",
 			src:  []interface{}{map[string]interface{}{"nonce": "dGVzdGNvbnRleHQ="}},

diff --git a/changelog/11628.txt b/changelog/11628.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secret: fix the bug where transit encrypt batch doesn't work with key_version
+```
diff --git a/physical/aerospike/aerospike_test.go b/physical/aerospike/aerospike_test.go
@@ -44,7 +44,7 @@ func prepareAerospikeContainer(t *testing.T) (func(), *aerospikeConfig) {
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ImageRepo:     "aerospike/aerospike-server",
 		ContainerName: "aerospikedb",
-		ImageTag:      "latest",
+		ImageTag:      "5.5.0.10",
 		Ports:         []string{"3000/tcp", "3001/tcp", "3002/tcp", "3003/tcp"},
 	})
 	if err != nil {

diff --git a/sdk/database/dbplugin/v5/testing/test_helpers.go b/sdk/database/dbplugin/v5/testing/test_helpers.go
@@ -12,7 +12,7 @@ import (
 func getRequestTimeout(t *testing.T) time.Duration {
 	rawDur := os.Getenv("VAULT_TEST_DATABASE_REQUEST_TIMEOUT")
 	if rawDur == "" {
-		return 2 * time.Second
+		return 5 * time.Second
 	}
 
 	dur, err := time.ParseDuration(rawDur)

diff --git a/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go b/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go