From 23ecf797e732a772435cb2d298339dee9f624de4 Mon Sep 17 00:00:00 2001
From: Russell Jones
Date: Wed, 11 Oct 2017 19:09:06 +0000
Subject: [PATCH] Corrected static token handling.
---
 lib/auth/auth.go | 6 ++++--
 lib/auth/auth_test.go | 5 +++++
 lib/config/configuration.go | 8 +++++---
 lib/config/fileconf.go | 2 +-
 lib/service/cfg.go | 1 +
 lib/services/local/configuration.go | 2 +-
 lib/services/statictokens.go | 16 ++++++++++++++++
 7 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 031ff8ac77096..53a86a9b39679 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -621,10 +621,12 @@ func (s *AuthServer) GetTokens() (tokens []services.ProvisionToken, err error) {
 }
 // get static tokens:
 tkns, err := s.GetStaticTokens()
- if err != nil {
+ if err != nil && !trace.IsNotFound(err) {
 return nil, trace.Wrap(err)
 }
- tokens = append(tokens, tkns.GetStaticTokens()...)
+ if err == nil {
+ tokens = append(tokens, tkns.GetStaticTokens()...)
+ }
 // get user tokens:
 userTokens, err := s.Identity.GetSignupTokens()
 if err != nil {
diff --git a/lib/auth/auth_test.go b/lib/auth/auth_test.go
index ed83e1911e837..56905ffd7fd7e 100644
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@@ -154,6 +154,11 @@ func (s *AuthSuite) TestTokensCRUD(c *C) {
 c.Assert(s.a.UpsertCertAuthority(
 suite.NewTestCA(services.HostCA, "me.localhost")), IsNil)
+ // before we do anything, we should have 0 tokens
+ btokens, err := s.a.GetTokens()
+ c.Assert(err, IsNil)
+ c.Assert(len(btokens), Equals, 0)
+ // generate single-use token (TTL is 0)
 tok, err := s.a.GenerateToken(teleport.Roles{teleport.RoleNode}, 0)
 c.Assert(err, IsNil)
diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index e250c41484e89..b6f40b9b0f393 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
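Review bot: In `GetTokens` (lib/auth/auth.go), the new `!trace.IsNotFound(err)` condition drops the not-found error without a comment, and the separate `if err == nil` guard that follows leaves the reader to reconstruct why. These are static provisioning tokens returned in the same slice as the dynamic ones, so the tolerated case should be explicit; I would add `// no static tokens stored yet: NotFound means an empty list, not a failure` above the check. Every other backend error still fails the call, which keeps a read failure from being mistaken for "no tokens". The function body starts and continues outside the hunk.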
@@ -359,9 +359,11 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 return trace.Wrap(err)
 }
 // read in static tokens from file configuration and create services.StaticTokens
- cfg.Auth.StaticTokens, err = fc.Auth.StaticTokens.Parse()
- if err != nil {
- return trace.Wrap(err)
+ if fc.Auth.StaticTokens != nil {
+ cfg.Auth.StaticTokens, err = fc.Auth.StaticTokens.Parse()
+ if err != nil {
+ return trace.Wrap(err)
+ }
 }
 // read in and set authentication preferences
 if fc.Auth.Authentication != nil {
diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
index fa2d029895c13..2a2a2f361e3ae 100644
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@@ -518,7 +518,7 @@ func (c ClusterName) Parse() (services.ClusterName, error) {
 type StaticTokens []StaticToken
 func (t StaticTokens) Parse() (services.StaticTokens, error) {
- var staticTokens []services.ProvisionToken
+ staticTokens := []services.ProvisionToken{}
 for _, token := range t {
 st, err := token.Parse()
diff --git a/lib/service/cfg.go b/lib/service/cfg.go
index bb9fbfc0eb9af..b7b5d47728d34 100644
--- a/lib/service/cfg.go
+++ b/lib/service/cfg.go
@@ -307,6 +307,7 @@ func ApplyDefaults(cfg *Config) {
 cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
 cfg.Auth.StorageConfig.Type = boltbk.GetName()
 cfg.Auth.StorageConfig.Params = backend.Params{"path": cfg.DataDir}
+ cfg.Auth.StaticTokens = services.DefaultStaticTokens()
 defaults.ConfigureLimiter(&cfg.Auth.Limiter)
 // set new style default auth preferences
 ap := &services.AuthPreferenceV2{}
diff --git a/lib/services/local/configuration.go b/lib/services/local/configuration.go
index 6143b8ca81f77..4f98185c41e3b 100644
--- a/lib/services/local/configuration.go
+++ b/lib/services/local/configuration.go
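Review bot: In `ApplyFileConfig`, the new `fc.Auth.StaticTokens != nil` guard changes what an absent tokens section means, yet the comment above it still only says the tokens are read from the file. Assuming `ApplyDefaults` has already run on `cfg`, skipping the parse keeps the empty list this commit sets there; I would state that, e.g. `// tokens section absent: keep the empty default set by service.ApplyDefaults`. It is also worth confirming, outside this hunk, that the empty default is written to the backend at startup, because otherwise tokens removed from the file would presumably remain valid in storage. The function body extends beyond the hunk on both sides.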
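Review bot: `staticTokens := []services.ProvisionToken{}` in `StaticTokens.Parse` replaces the idiomatic nil-slice declaration without a comment, so a later cleanup or linter hint is likely to turn it back into `var staticTokens []services.ProvisionToken`. If the intent is that an empty token list must stay non-nil for its consumers (an inference, since no consumer is visible in this hunk), say so on the line: `// non-nil on purpose: an empty token list must not become a nil slice`. Because the final length is known, `staticTokens := make([]services.ProvisionToken, 0, len(t))` keeps the slice non-nil and avoids regrowth in the loop. The rest of `Parse` lies outside the hunk.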
@@ -68,7 +68,7 @@ func (s *ClusterConfigurationService) GetStaticTokens() (services.StaticTokens,
 data, err := s.GetVal([]string{"cluster_configuration"}, "static_tokens")
 if err != nil {
 if trace.IsNotFound(err) {
- return nil, trace.NotFound("cluster name not found")
+ return nil, trace.NotFound("static tokens not found")
 }
 return nil, trace.Wrap(err)
 }
diff --git a/lib/services/statictokens.go b/lib/services/statictokens.go
index 9ab6b28a4cde6..4a46578c03964 100644
--- a/lib/services/statictokens.go
+++ b/lib/services/statictokens.go
@@ -62,6 +62,22 @@ func NewStaticTokens(spec StaticTokensSpecV2) (StaticTokens, error) {
 return &st, nil
 }
+// DefaultStaticTokens is used to get the default static tokens (empty list)
+// when nothing is specified in file configuration.
+func DefaultStaticTokens() StaticTokens {
+ return &StaticTokensV2{
+ Kind: KindStaticTokens,
+ Version: V2,
+ Metadata: Metadata{
+ Name: MetaNameStaticTokens,
+ Namespace: defaults.Namespace,
+ },
+ Spec: StaticTokensSpecV2{
+ StaticTokens: []ProvisionToken{},
+ },
+ }
+}
+
 // StaticTokensV2 implements the StaticTokens interface.
 type StaticTokensV2 struct {
 // Kind is a resource kind - always resource.