From 1a51faad62d66f5c852406be170d6746b4ba4bc4 Mon Sep 17 00:00:00 2001 From: David Berichon Date: Mon, 21 Apr 2025 00:31:01 +0000 Subject: [PATCH] fix(auth): prevent panic when 'auth_login.parameters' is set to null This commit resolves an issue where the application could panic if `auth_login.parameters` was explicitly set to `null`. Changes were made to `auth.go` to verify whether a map[string]interface{} instance retrieved via v.(map[string]interface{}) is nil before assigning it to 'params'. If it's found to be null, 'params' will now default to an empty map instead of null. The test file `auth_test.go` has also been updated with a new test case 'TestAuthLogin_Init_nilParameters', in order to validate that this fix works as intended by simulating a situation where 'parameters' is explicitly set to null. These changes should help improve the overall reliability of the application by preventing unexpected crashes due to null 'parameters'. --- CHANGELOG.md | 1 + internal/provider/auth.go | 6 +++++- internal/provider/auth_test.go | 37 ++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6993fd6553..e8db19fd73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ FEATURES: BUGS: +* Fix panic when `auth_login.parameters` is explicitly set to `null` [#XXXX](https://github.com/hashicorp/terraform-provider-vault/pull/XXXX) * Fix credential validation failures in `vault_azure_access_credentials` data source caused by Azure RBAC propagation delays using `azure_groups` [#2437](https://github.com/hashicorp/terraform-provider-vault/pull/2437) ## 4.7.0 (Mar 12, 2025) diff --git a/internal/provider/auth.go b/internal/provider/auth.go index 31e5214ce6..94e2c3cc70 100644 --- a/internal/provider/auth.go +++ b/internal/provider/auth.go 
@@ -249,7 +249,11 @@ func (l *AuthLoginCommon) init(d *schema.ResourceData) (string, map[string]inter var params map[string]interface{} if v, ok := l.getOk(d, consts.FieldParameters); ok { - params = v.(map[string]interface{}) + rawParams := v.(map[string]interface{}) + if rawParams == nil { + rawParams = make(map[string]interface{}) + } + params = rawParams ns, _ := l.getOk(d, consts.FieldNamespace) params[consts.FieldNamespace] = ns diff --git a/internal/provider/auth_test.go b/internal/provider/auth_test.go index fd5315a08d..5ef7e506c4 100644 --- a/internal/provider/auth_test.go +++ b/internal/provider/auth_test.go @@ -316,3 +316,40 @@ func TestAuthLoginCommon_Namespace(t *testing.T) { }) } } + +func TestAuthLogin_Init_nilParameters(t *testing.T) { + s := make(map[string]*schema.Schema) + MustAddAuthLoginSchema(s) + + for field, sch := range s { + if sch.Type != schema.TypeList { + continue + } + + switch field { + case "auth_login_kerberos", "auth_login_userpass", "auth_login_azure", "auth_login_cert", + "auth_login_oci", "auth_login_jwt", "auth_login_radius", "auth_login_token_file": + // Skip entries that require mandatory fields for Init + continue + } + + raw := map[string]interface{}{ + field: []interface{}{ + map[string]interface{}{ + "method": "gcp", + "path": "auth/gcp/login", + "parameters": nil, + "role": "vault-admin", + }, + }, + } + + l, err := GetAuthLogin(schema.TestResourceDataRaw(t, s, raw)) + if err != nil { + t.Errorf("unexpected error for field %s: %v", field, err) + } + if l == nil { + t.Errorf("expected auth login for field %s but got nil", field) + } + } +}
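Review bot: The added line `rawParams := v.(map[string]interface{})` is still a single-value type assertion, so it panics if `v` is a nil interface or any other type; the new nil check only covers a typed nil map. Whether `getOk` can return such a value with `ok == true` is not visible in this hunk, but the provider should not crash on unexpected `auth_login` configuration either way. Using the comma-ok form lets the existing nil check absorb both cases: `rawParams, _ := v.(map[string]interface{})`. A one-line comment above the check, such as `// an explicit null yields a nil map; writing the namespace key below would panic`, would tell the next reader why the allocation is there. The body of `init` continues outside the hunk.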
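Review bot: `TestAuthLogin_Init_nilParameters` only checks that `GetAuthLogin` returns a non-nil value without error, so it never asserts the thing the fix guarantees. It protects against the regression only if `GetAuthLogin` reaches `init` for each remaining field, which is not visible here. It would be stronger to also assert that the returned login's parameters map is non-nil. The string-literal skip list silently narrows coverage, and every iteration uses `"method": "gcp"` whatever the field is. Wrapping the loop body in `t.Run(field, func(t *testing.T) { ... })` would attribute failures to a field, and switching the error check to `t.Fatalf` would stop the redundant `l == nil` report after a failure.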