From 2de6ca24e30e839ddb9e713f992f48f18fe5e2a9 Mon Sep 17 00:00:00 2001
From: Michael Tibben
Date: Fri, 3 Mar 2023 13:31:24 +1100
Subject: [PATCH] Fix config validation

---
 vault/config.go | 5 ++---
 vault/config_test.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/vault/config.go b/vault/config.go
index 75b27716f..035c6dd50 100644
--- a/vault/config.go
+++ b/vault/config.go
@@ -725,11 +725,10 @@ func (c *Config) Validate() error {
 if c.HasCredentialProcess() {
 n++
 }
- if c.HasRole() {
- n++
- }
 if c.HasSourceProfile() {
 n++
+ } else if c.HasRole() {
+ n++
 }
 
 if n > 1 {
diff --git a/vault/config_test.go b/vault/config_test.go
index 245fbd325..b284f7aa2 100644
--- a/vault/config_test.go
+++ b/vault/config_test.go
@@ -616,3 +616,39 @@ source_profile = interim
 t.Fatalf("Expected transitive_session_tags to be empty, got %+v", baseConfig.TransitiveSessionTags)
 }
 }
+
+func TestValidConfigValidation(t *testing.T) {
+ f := newConfigFile(t, []byte(`
+[profile foo]
+region = eu-west-1
+mfa_serial = arn:aws:iam::9999999999999:mfa/david
+
+[profile foo:staging]
+role_arn = arn:aws:iam::1111111111111:role/admin
+source_profile = foo
+region = eu-west-2
+mfa_serial = arn:aws:iam::9999999999999:mfa/david
+
+[profile foo:production]
+role_arn = arn:aws:iam::1111111111111:role/admin
+source_profile = foo
+region = eu-west-2
+mfa_serial = arn:aws:iam::9999999999999:mfa/david
+credential_process = true
+`))
+ defer os.Remove(f)
+ configFile, _ := vault.LoadConfig(f)
+ configLoader := &vault.ConfigLoader{File: configFile}
+
+ config, _ := configLoader.LoadFromProfile("foo:staging")
+ err = config.Validate()
+ if err != nil {
+ t.Fatalf("Should have validated: %v", err)
+ }
+
+ config, _ = configLoader.LoadFromProfile("foo:production")
+ err = config.Validate()
+ if err == nil {
+ t.Fatalf("Should have failed validation: %v", err)
+ }
+}
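Review bot: The new `else if c.HasRole()` branch in Validate (vault/config.go) encodes a rule that is not written down in the hunk: a role is counted as a credential source only when no source profile is set, which the added test suggests is because role_arn plus source_profile describes one assume-role chain rather than two sources. State that on the branch, e.g. `// role_arn with source_profile is a single source; count the role only when it stands alone`, so a later edit does not separate the two checks again and start rejecting valid profiles. Validate begins and ends outside the hunk, so whether any of the earlier checks needs the same pairing with role_arn cannot be judged from these lines.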
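Review bot: In TestValidConfigValidation (vault/config_test.go), `err` is assigned with `=` at both `err = config.Validate()` calls but is never declared inside the function, whose whole body is in this hunk, so this only compiles if config_test.go has a package-level `err` outside the hunk. The loads also discard their errors (`configFile, _ :=`, `config, _ :=`, `config, _ =`), so a broken fixture or loader failure would likely surface as a nil dereference inside Validate instead of a clear test failure. Declaring and checking the error at the load fixes both, e.g. `config, err := configLoader.LoadFromProfile("foo:staging")` followed by `if err != nil { t.Fatal(err) }`. In the last branch `err` is always nil when `t.Fatalf("Should have failed validation: %v", err)` runs, so the `%v` argument can be dropped. The test covers role_arn with source_profile, alone and combined with credential_process; a case with role_arn and credential_process but no source_profile would also exercise the new `else if` path.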