mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-30 19:11:09 +02:00
Code Issues Projects Releases Wiki Activity

addresses feedback, but tests broken

Browse Source
This commit is contained in:
Laura Bennett 2016-08-05 10:04:02 -04:00
parent d29e3d79d2
commit 0a5f9959d6
2 changed files with 39 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
vault/token_store.go
View File

@ -1076,11 +1076,6 @@ func (ts *TokenStore) handleCreateCommon(
logical.ErrInvalidRequest logical.ErrInvalidRequest
} }
// Prevent attempts to create a root token without an actual root token as parent
if strutil.StrListContains(data.Policies, "root") && !strutil.StrListContains(parent.Policies, "root") {
return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
}
// Setup the token entry // Setup the token entry
te := TokenEntry{ te := TokenEntry{
Parent: req.ClientToken, Parent: req.ClientToken,
@ -1246,6 +1241,11 @@ func (ts *TokenStore) handleCreateCommon(
te.TTL = dur te.TTL = dur
} }
// Prevent attempts to creat a root token without an actual root token as parent
if strutil.StrListContains(data.Policies, "root") && strutil.StrListContains(parent.Policies, "root") {
return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
}
// Set the lesser explicit max TTL if defined // Set the lesser explicit max TTL if defined
if role != nil && role.ExplicitMaxTTL != 0 { if role != nil && role.ExplicitMaxTTL != 0 {
switch { switch {

39
vault/token_store_test.go
View File

@ -833,14 +833,31 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T
} }
func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) { func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t) core, ts, _, root := TestCoreWithTokenStore(t)
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"}) ps := core.policyStore
// Create sudo policy
policy, _ := Parse(tokenCreationPolicy)
policy.Name = "NonRootSudoTest"
if err := ps.SetPolicy(policy); err != nil {
t.Fatal(err)
}
// Create a token to use as parent
req := logical.TestRequest(t, logical.UpdateOperation, "create") req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = "client" req.ClientToken = root
req.Data["policies"] = []string{"root", "foo", "bar"} req.Data["policies"] = []string{"NonRootSudoTest"}
resp, err := ts.HandleRequest(req) resp, err := ts.HandleRequest(req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
parentToken := resp.Auth.ClientToken
req = logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = parentToken
req.Data["policies"] = []string{"root", "create"}
resp, err = ts.HandleRequest(req)
if err != logical.ErrInvalidRequest { if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp) t.Fatalf("err: %v %v", err, resp)
} }
@ -849,6 +866,18 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
} }
} }
func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) { func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t) _, ts, _, root := TestCoreWithTokenStore(t)
testMakeToken(t, ts, root, "client", "", []string{"foo"}) testMakeToken(t, ts, root, "client", "", []string{"foo"})