addresses feedback, but tests broken

2025-08-30 11:01:09 +02:00 · 2016-08-05 10:04:02 -04:00 · 2016-08-05 10:04:02 -04:00 · 0a5f9959d6
commit 0a5f9959d6
parent d29e3d79d2
2 changed files with 39 additions and 10 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -1076,11 +1076,6 @@ func (ts *TokenStore) handleCreateCommon(
 			logical.ErrInvalidRequest
 	}

-	// Prevent attempts to create a root token without an actual root token as parent
-	if strutil.StrListContains(data.Policies, "root") && !strutil.StrListContains(parent.Policies, "root") {
-		return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
-	}
-
 	// Setup the token entry
 	te := TokenEntry{
 		Parent: req.ClientToken,
@ -1246,6 +1241,11 @@ func (ts *TokenStore) handleCreateCommon(
 		te.TTL = dur
 	}

+	// Prevent attempts to creat a root token without an actual root token as parent
+	if strutil.StrListContains(data.Policies, "root") && strutil.StrListContains(parent.Policies, "root") {
+		return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
+	}
+
 	// Set the lesser explicit max TTL if defined
 	if role != nil && role.ExplicitMaxTTL != 0 {
 		switch {
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -833,14 +833,31 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T
 }

 func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
-	_, ts, _, root := TestCoreWithTokenStore(t)
-	testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
+	core, ts, _, root := TestCoreWithTokenStore(t)
+	ps := core.policyStore

+	// Create sudo policy
+	policy, _ := Parse(tokenCreationPolicy)
+	policy.Name = "NonRootSudoTest"
+	if err := ps.SetPolicy(policy); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a token to use as parent
 	req := logical.TestRequest(t, logical.UpdateOperation, "create")
-	req.ClientToken = "client"
-	req.Data["policies"] = []string{"root", "foo", "bar"}
-
+	req.ClientToken = root
+	req.Data["policies"] = []string{"NonRootSudoTest"}
 	resp, err := ts.HandleRequest(req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%v", err, resp)
+	}
+	parentToken := resp.Auth.ClientToken
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "create")
+	req.ClientToken = parentToken
+	req.Data["policies"] = []string{"root", "create"}
+
+	resp, err = ts.HandleRequest(req)
 	if err != logical.ErrInvalidRequest {
 		t.Fatalf("err: %v %v", err, resp)
 	}
@ -849,6 +866,18 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
 	}
 }

+func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) {
+	_, ts, _, root := TestCoreWithTokenStore(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "create")
+	req.ClientToken = root
+
+	resp, err := ts.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+}
+
 func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
 	_, ts, _, root := TestCoreWithTokenStore(t)
 	testMakeToken(t, ts, root, "client", "", []string{"foo"})