fix auth renew panic (hashicorp#18011)

* fix auth renew panic

* CL

* adding a test step to a cert test for pathLoginRenew

builtin/credential/cert/backend_test.go

@@ -456,6 +456,21 @@ func TestBackend_PermittedDNSDomainsIntermediateCA(t *testing.T) {
 	if secret.Auth == nil || secret.Auth.ClientToken == "" {
 		t.Fatalf("expected a successful authentication")
 	}
+
+	// testing pathLoginRenew for cert auth
+	oldAccessor := secret.Auth.Accessor
+	newClient.SetToken(client.Token())
+	secret, err = newClient.Logical().Write("auth/token/renew-accessor", map[string]interface{}{
+		"accessor":  secret.Auth.Accessor,
+		"increment": 3600,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if secret.Auth == nil || secret.Auth.ClientToken != "" || secret.Auth.LeaseDuration != 3600 || secret.Auth.Accessor != oldAccessor {
+		t.Fatalf("unexpected accessor renewal")
+	}
 }
 
 func TestBackend_MetadataBasedACLPolicy(t *testing.T) {

builtin/credential/cert/path_login.go

@@ -236,7 +236,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
 	var certName string
 	if req.Auth != nil { // It's a renewal, use the saved certName
 		certName = req.Auth.Metadata["cert_name"]
-	} else {
+	} else if d != nil { // d is nil if handleAuthRenew call the authRenew
 		certName = d.Get("name").(string)
 	}
 

builtin/credential/okta/path_login.go

@@ -143,7 +143,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	username := req.Auth.Metadata["username"]
 	password := req.Auth.InternalData["password"].(string)
-	nonce := d.Get("nonce").(string)
+
+	var nonce string
+	if d != nil {
+		nonce = d.Get("nonce").(string)
+	}
 
 	cfg, err := b.getConfig(ctx, req)
 	if err != nil {

changelog/18011.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/okta: fix a panic for AuthRenew in Okta
+```