From 0a5f9959d658085dc04047b31a96ce40837f6b04 Mon Sep 17 00:00:00 2001
From: Laura Bennett
Date: Fri, 5 Aug 2016 10:04:02 -0400
Subject: [PATCH] addresses feedback, but tests broken
---
 vault/token_store.go | 10 +++++-----
 vault/token_store_test.go | 39 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index 7622abdf56..122cc4db7b 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1076,11 +1076,6 @@ func (ts *TokenStore) handleCreateCommon(
 logical.ErrInvalidRequest
 }
- // Prevent attempts to create a root token without an actual root token as parent
- if strutil.StrListContains(data.Policies, "root") && !strutil.StrListContains(parent.Policies, "root") {
- return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
- }
-
 // Setup the token entry
 te := TokenEntry{
 Parent: req.ClientToken,
@@ -1246,6 +1241,11 @@ func (ts *TokenStore) handleCreateCommon(
 te.TTL = dur
 }
+ // Prevent attempts to creat a root token without an actual root token as parent
+ if strutil.StrListContains(data.Policies, "root") && strutil.StrListContains(parent.Policies, "root") {
+ return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
+ }
+
 // Set the lesser explicit max TTL if defined
 if role != nil && role.ExplicitMaxTTL != 0 {
 switch {
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 3cb18cc5af..c01f16afcd 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
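Review bot: The guard re-added in the second hunk of vault/token_store.go has lost its negation: `if strutil.StrListContains(data.Policies, "root") && strutil.StrListContains(parent.Policies, "root")` now returns the "root tokens may not be created without parent token being root" error exactly when the parent is root, and no longer rejects the case the message describes, a non-root parent requesting the root policy. The removed line in the first hunk shows the intended form; restore it as `if strutil.StrListContains(data.Policies, "root") && !strutil.StrListContains(parent.Policies, "root") {` and fix the comment typo `creat` to `create`. This inversion is the likely cause of the broken tests mentioned in the subject line. Moving the check below the TTL handling is only safe if nothing between the old and the new position writes persistent state, which the hunk alone does not show, so that is worth confirming. handleCreateCommon begins and ends outside both hunks.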
@@ -833,14 +833,31 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T
 }
 func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
- _, ts, _, root := TestCoreWithTokenStore(t)
- testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
+ core, ts, _, root := TestCoreWithTokenStore(t)
+ ps := core.policyStore
+ // Create sudo policy
+ policy, _ := Parse(tokenCreationPolicy)
+ policy.Name = "NonRootSudoTest"
+ if err := ps.SetPolicy(policy); err != nil {
+ t.Fatal(err)
+ }
+
+ // Create a token to use as parent
 req := logical.TestRequest(t, logical.UpdateOperation, "create")
- req.ClientToken = "client"
- req.Data["policies"] = []string{"root", "foo", "bar"}
-
+ req.ClientToken = root
+ req.Data["policies"] = []string{"NonRootSudoTest"}
 resp, err := ts.HandleRequest(req)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err:%v resp:%v", err, resp)
+ }
+ parentToken := resp.Auth.ClientToken
+
+ req = logical.TestRequest(t, logical.UpdateOperation, "create")
+ req.ClientToken = parentToken
+ req.Data["policies"] = []string{"root", "create"}
+
+ resp, err = ts.HandleRequest(req)
 if err != logical.ErrInvalidRequest {
 t.Fatalf("err: %v %v", err, resp)
 }
@@ -849,6 +866,18 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
 }
 }
+func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) {
+ _, ts, _, root := TestCoreWithTokenStore(t)
+
+ req := logical.TestRequest(t, logical.UpdateOperation, "create")
+ req.ClientToken = root
+
+ resp, err := ts.HandleRequest(req)
+ if err != nil {
+ t.Fatalf("err: %v %v", err, resp)
+ }
+}
+
 func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
 _, ts, _, root := TestCoreWithTokenStore(t)
 testMakeToken(t, ts, root, "client", "", []string{"foo"})
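Review bot: `policy, _ := Parse(tokenCreationPolicy)` in TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild discards the parse error, so a malformed fixture would surface as a nil-pointer panic on the following `policy.Name = ...` rather than as a test failure; change it to `policy, err := Parse(tokenCreationPolicy)` followed by `if err != nil { t.Fatal(err) }`. A few lines down, `parentToken := resp.Auth.ClientToken` dereferences `resp.Auth` without a nil check, while the guard just above it only establishes that resp is non-nil and not an error response; add `if resp.Auth == nil { t.Fatal("expected auth in response") }` before that line. The second request asks for the `"root"` policy from a parent that holds only NonRootSudoTest, which is the non-root-parent case the store guard is meant to reject, so this test is the right place to pin that behaviour once the guard in token_store.go is correct.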
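Review bot: TestTokenStore_HandleRequest_CreateToken_Root_RootChild never sets `req.Data["policies"]`, so the request does not ask for the root policy and the root-parent path of the guard the test is named for is not exercised; add `req.Data["policies"] = []string{"root"}` after `req.ClientToken = root`. It also checks only `err != nil` and not the response, unlike the sibling test above it, so a logical error response would pass silently; use `if err != nil || (resp != nil && resp.IsError()) {` instead. With both changes this test would also catch a guard that wrongly rejects a root parent creating a root child.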