backport of commit b19562d (#24025)

hc-github-team-secure-vault-core · kubawi · web-flow · commit 891eb6fd7cbb · 2023-11-06T13:51:52.000Z
Co-authored-by: Kuba Wieczorek &lt;kuba.wieczorek@hashicorp.com&gt;
diff --git a/vault/policy_store.go b/vault/policy_store.go
@@ -467,7 +467,7 @@ func (ps *PolicyStore) GetNonEGPPolicyType(nsID string, name string) (*PolicyTyp
 	pt, ok := ps.policyTypeMap.Load(index)
 	if !ok {
 		// Doesn't exist
-		return nil, fmt.Errorf("policy does not exist in type map: %v", index)
+		return nil, ErrPolicyNotExistInTypeMap
 	}
 
 	policyType, ok := pt.(PolicyType)
diff --git a/vault/policy_store_test.go b/vault/policy_store_test.go
@@ -360,15 +360,15 @@ func TestPolicyStore_GetNonEGPPolicyType(t *testing.T) {
 			paramNamespace:       "1AbcD",
 			paramPolicyName:      "policy1",
 			isErrorExpected:      true,
-			expectedErrorMessage: "policy does not exist in type map: 1AbcD/policy1",
+			expectedErrorMessage: "policy does not exist in type map",
 		},
 		"not-in-map-rgp": {
 			policyStoreKey:       "2WxyZ/policy2",
 			policyStoreValue:     PolicyTypeRGP,
 			paramNamespace:       "1AbcD",
 			paramPolicyName:      "policy1",
 			isErrorExpected:      true,
-			expectedErrorMessage: "policy does not exist in type map: 1AbcD/policy1",
+			expectedErrorMessage: "policy does not exist in type map",
 		},
 		"unknown-policy-type": {
 			policyStoreKey:       "1AbcD/policy1",
diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -52,7 +52,8 @@ var (
 	// to complete, unless overridden on a per-handler basis
 	DefaultMaxRequestDuration = 90 * time.Second
 
-	ErrNoApplicablePolicies = errors.New("no applicable policies")
+	ErrNoApplicablePolicies    = errors.New("no applicable policies")
+	ErrPolicyNotExistInTypeMap = errors.New("policy does not exist in type map")
 
 	egpDebugLogging bool
 
@@ -180,6 +181,13 @@ func (c *Core) getApplicableGroupPolicies(ctx context.Context, tokenNS *namespac
 
 	for _, policyName := range nsPolicies {
 		t, err := c.policyStore.GetNonEGPPolicyType(policyNS.ID, policyName)
+		if err != nil && errors.Is(err, ErrPolicyNotExistInTypeMap) {
+			// When we attempt to get a non-EGP policy type, and receive an
+			// explicit error that it doesn't exist (in the type map) we log the
+			// ns/policy and continue without error.
+			c.Logger().Debug(fmt.Errorf("%w: %v/%v", err, policyNS.ID, policyName).Error())
+			continue
+		}
 		if err != nil || t == nil {
 			return nil, fmt.Errorf("failed to look up type of policy: %w", err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -467,7 +467,7 @@ func (ps PolicyStore) GetNonEGPPolicyType(nsID string, name string) (PolicyTyp`
`467`	`467`	`pt, ok := ps.policyTypeMap.Load(index)`
`468`	`468`	`if !ok {`
`469`	`469`	`// Doesn't exist`
`470`		`- return nil, fmt.Errorf("policy does not exist in type map: %v", index)`
	`470`	`+ return nil, ErrPolicyNotExistInTypeMap`
`471`	`471`	`}`
`472`	`472`
`473`	`473`	`policyType, ok := pt.(PolicyType)`