From b1dfed04c71927ae7ab78c53adfaff8794fa148d Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Wed, 2 Jun 2021 12:43:21 -0500
Subject: [PATCH] Backport transit batch key_version fix to 1.7.x (#11718)
* Fix: Transit encrypt batch does not honor key_version (#11628)
* fix(secret/transit): #10232 Transit encrypt batch does not honor key_version
* add changelog for 11628
* Try a 5s request timeout
* Pin aerospike container image to a known working tag. (#11677)
Co-authored-by: rerorero
Co-authored-by: Nick Cabatoff
---
 builtin/logical/transit/path_encrypt.go | 9 +++++++++
 builtin/logical/transit/path_encrypt_test.go | 6 ++++++
 changelog/11628.txt | 3 +++
 physical/aerospike/aerospike_test.go | 2 +-
 sdk/database/dbplugin/v5/testing/test_helpers.go | 2 +-
 .../sdk/database/dbplugin/v5/testing/test_helpers.go | 2 +-
 6 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 changelog/11628.txt

diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
index 7bd23b5b463d..d59269ecdf28 100644
--- a/builtin/logical/transit/path_encrypt.go
+++ b/builtin/logical/transit/path_encrypt.go
@@ -3,6 +3,7 @@ package transit
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"reflect"
 
@@ -194,6 +195,14 @@ func decodeBatchRequestItems(src interface{}, dst *[]BatchRequestItem) error {
 			if !reflect.ValueOf(v).IsValid() {
 			} else if casted, ok := v.(int); ok {
 				(*dst)[i].KeyVersion = casted
+			} else if js, ok := v.(json.Number); ok {
+				// https://github.com/hashicorp/vault/issues/10232
+				// Because API server parses json request with UseNumber=true, logical.Request.Data can include json.Number for a number field.
+				if casted, err := js.Int64(); err == nil {
+					(*dst)[i].KeyVersion = int(casted)
+				} else {
+					errs.Errors = append(errs.Errors, fmt.Sprintf(`error decoding %T into [%d].key_version: strconv.ParseInt: parsing "%s": invalid syntax`, v, i, v))
+				}
 			} else {
 				errs.Errors = append(errs.Errors, fmt.Sprintf("'[%d].key_version' expected type 'int', got unconvertible type '%T'", i, item["key_version"]))
 			}
diff --git a/builtin/logical/transit/path_encrypt_test.go b/builtin/logical/transit/path_encrypt_test.go
index b81112f0e5d4..b6a772a0a6d9 100644
--- a/builtin/logical/transit/path_encrypt_test.go
+++ b/builtin/logical/transit/path_encrypt_test.go
@@ -2,6 +2,7 @@ package transit
 
 import (
 	"context"
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -634,6 +635,11 @@ func TestTransit_decodeBatchRequestItems(t *testing.T) {
 			src:  []interface{}{map[string]interface{}{"key_version": "666"}},
 			dest: []BatchRequestItem{},
 		},
+		{
+			name: "src_key_version_invalid-number-dest",
+			src:  []interface{}{map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA==", "key_version": json.Number("1.1")}},
+			dest: []BatchRequestItem{},
+		},
 		{
 			name: "src_nonce-dest",
 			src:  []interface{}{map[string]interface{}{"nonce": "dGVzdGNvbnRleHQ="}},
diff --git a/changelog/11628.txt b/changelog/11628.txt
new file mode 100644
index 000000000000..335777e12cde
--- /dev/null
+++ b/changelog/11628.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secret: fix the bug where transit encrypt batch doesn't work with key_version
+```
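Review bot: The error appended in the new inner `else` branch hard-codes a strconv-style message ending in `invalid syntax` while discarding the `err` actually returned by `js.Int64()`, so an integer json.Number that overflows int64 would be reported as a syntax error rather than the `value out of range` that strconv returns. Formatting the real error keeps the message accurate for every failure mode and is shorter: `errs.Errors = append(errs.Errors, fmt.Sprintf("error decoding %T into [%d].key_version: %v", v, i, err))`. Note also that `int(casted)` narrows int64 to int without a bounds check, which on a 32-bit build would silently wrap a large caller-supplied key_version instead of rejecting it; a range check before the conversion (or decoding with `strconv.ParseInt(string(js), 10, 0)` so the platform int width is enforced) would close that gap. The body of decodeBatchRequestItems continues outside this hunk, so whether `errs` is returned as a single error is not visible here.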
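Review bot: The added table entry in TestTransit_decodeBatchRequestItems only exercises the failure path (`json.Number("1.1")`), whereas the bug being fixed (#10232) is the success path in which a json.Number must populate KeyVersion; unless such a case already exists elsewhere in the table outside this hunk, the fix itself remains untested. A companion entry such as `{name: "src_key_version-number-dest", src: []interface{}{map[string]interface{}{"key_version": json.Number("1")}}, dest: []BatchRequestItem{}}` would pin it, and an out-of-range value like `json.Number("99999999999999999999")` would cover the other error branch. The table and its assertion logic extend beyond the hunk, so how expected errors are checked is not visible here.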
diff --git a/physical/aerospike/aerospike_test.go b/physical/aerospike/aerospike_test.go
index 1f5989ac49bc..802921b33e5d 100644
--- a/physical/aerospike/aerospike_test.go
+++ b/physical/aerospike/aerospike_test.go
@@ -44,7 +44,7 @@ func prepareAerospikeContainer(t *testing.T) (func(), *aerospikeConfig) {
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ImageRepo:     "aerospike/aerospike-server",
 		ContainerName: "aerospikedb",
-		ImageTag:      "latest",
+		ImageTag:      "5.5.0.10",
 		Ports:         []string{"3000/tcp", "3001/tcp", "3002/tcp", "3003/tcp"},
 	})
 	if err != nil {
diff --git a/sdk/database/dbplugin/v5/testing/test_helpers.go b/sdk/database/dbplugin/v5/testing/test_helpers.go
index 200a603649a3..a5b4b337e5f3 100644
--- a/sdk/database/dbplugin/v5/testing/test_helpers.go
+++ b/sdk/database/dbplugin/v5/testing/test_helpers.go
@@ -12,7 +12,7 @@ import (
 func getRequestTimeout(t *testing.T) time.Duration {
 	rawDur := os.Getenv("VAULT_TEST_DATABASE_REQUEST_TIMEOUT")
 	if rawDur == "" {
-		return 2 * time.Second
+		return 5 * time.Second
 	}
 
 	dur, err := time.ParseDuration(rawDur)
diff --git a/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go b/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go
index 200a603649a3..a5b4b337e5f3 100644
--- a/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go
+++ b/vendor/github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing/test_helpers.go
@@ -12,7 +12,7 @@ import (
 func getRequestTimeout(t *testing.T) time.Duration {
 	rawDur := os.Getenv("VAULT_TEST_DATABASE_REQUEST_TIMEOUT")
 	if rawDur == "" {
-		return 2 * time.Second
+		return 5 * time.Second
 	}
 
 	dur, err := time.ParseDuration(rawDur)
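Review bot: The new 5s default in getRequestTimeout (sdk/database/dbplugin/v5/testing/test_helpers.go) carries no explanation, and the commit message only says "Try a 5s request timeout", so the next person to see a flaky test will not know whether the number is principled or a guess. A one-line comment on the return would preserve that context, e.g. `// Default when VAULT_TEST_DATABASE_REQUEST_TIMEOUT is unset; raised from 2s because the shorter value was presumably too tight in CI.` The vendored copy in the last file section is a byte-for-byte mirror of this change and needs no separate review.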