vault: token store inehrits policies by default

2026-05-05 12:26:34 +02:00 · 2015-04-07 14:19:52 -07:00 · 2015-04-07 14:19:52 -07:00 · 28ffbf9d0c
commit 28ffbf9d0c
parent 7d8329f1ff
2 changed files with 21 additions and 14 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -453,8 +453,8 @@ func (ts *TokenStore) handleCreate(
 	var data struct {
 		ID       string
 		Policies []string
-		Metadata map[string]string `mapstructure:"meta"`
-		NoParent bool              `mapstructure:"no_parent"`
+		Metadata map[string]string
+		NoParent bool `mapstructure:"no_parent"`
 		Lease    string
 	}
 	if err := mapstructure.WeakDecode(req.Data, &data); err != nil {
@ -479,17 +479,13 @@ func (ts *TokenStore) handleCreate(
 	}

 	// Only permit policies to be a subset unless the client is root
-	if len(data.Policies) > 0 {
-		if !isRoot && !strListSubset(parent.Policies, data.Policies) {
-			return logical.ErrorResponse("child policies must be subset of parent"), logical.ErrInvalidRequest
-		}
-		te.Policies = data.Policies
+	if len(data.Policies) == 0 {
+		data.Policies = parent.Policies
 	}
-
-	// Ensure is some associated policy
-	if len(te.Policies) == 0 {
-		return logical.ErrorResponse("token must have at least one policy"), logical.ErrInvalidRequest
+	if !isRoot && !strListSubset(parent.Policies, data.Policies) {
+		return logical.ErrorResponse("child policies must be subset of parent"), logical.ErrInvalidRequest
 	}
+	te.Policies = data.Policies

 	// Only allow an orphan token if the client is root
 	if data.NoParent {
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -255,11 +255,22 @@ func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
 	req.ClientToken = root

 	resp, err := ts.HandleRequest(req)
-	if err != logical.ErrInvalidRequest {
+	if err != nil {
 		t.Fatalf("err: %v %v", err, resp)
 	}
-	if resp.Data["error"] != "token must have at least one policy" {
-		t.Fatalf("bad: %#v", resp)
+
+	expected := &TokenEntry{
+		ID:       resp.Auth.ClientToken,
+		Parent:   root,
+		Policies: []string{"root"},
+		Path:     "auth/token/create",
+	}
+	out, err := ts.Lookup(resp.Auth.ClientToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !reflect.DeepEqual(out, expected) {
+		t.Fatalf("bad: %#v", out)
 	}
 }