From 28ffbf9d0cb68dd44c590b27ecfd7a2f5321e4d2 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto
Date: Tue, 7 Apr 2015 14:19:52 -0700
Subject: [PATCH] vault: token store inehrits policies by default
---
 vault/token_store.go | 18 +++++++-----------
 vault/token_store_test.go | 17 ++++++++++++++---
 2 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index c265e1abad..326b58dcd8 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -453,8 +453,8 @@ func (ts *TokenStore) handleCreate(
 var data struct {
 ID string
 Policies []string
- Metadata map[string]string `mapstructure:"meta"`
- NoParent bool `mapstructure:"no_parent"`
+ Metadata map[string]string
+ NoParent bool `mapstructure:"no_parent"`
 Lease string
 }
 if err := mapstructure.WeakDecode(req.Data, &data); err != nil {
@@ -479,17 +479,13 @@ func (ts *TokenStore) handleCreate(
 }
 
 // Only permit policies to be a subset unless the client is root
- if len(data.Policies) > 0 {
- if !isRoot && !strListSubset(parent.Policies, data.Policies) {
- return logical.ErrorResponse("child policies must be subset of parent"), logical.ErrInvalidRequest
- }
- te.Policies = data.Policies
+ if len(data.Policies) == 0 {
+ data.Policies = parent.Policies
 }
-
- // Ensure is some associated policy
- if len(te.Policies) == 0 {
- return logical.ErrorResponse("token must have at least one policy"), logical.ErrInvalidRequest
+ if !isRoot && !strListSubset(parent.Policies, data.Policies) {
+ return logical.ErrorResponse("child policies must be subset of parent"), logical.ErrInvalidRequest
 }
+ te.Policies = data.Policies
 
 // Only allow an orphan token if the client is root
 if data.NoParent {
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 5aaf8d01e8..11ed2abbf0 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
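Review bot: Removing the `mapstructure:"meta"` tag from Metadata in the first hunk changes the request key the decoder looks for, so a client that still sends `meta` will have its metadata silently dropped rather than rejected; that is a wire-format change the commit message (policy inheritance) does not mention. If the key is meant to stay `meta`, keep the tag as `Metadata map[string]string `mapstructure:"meta"``; if the rename to `metadata` is intended, pin it explicitly with `Metadata map[string]string `mapstructure:"metadata"`` rather than relying on the decoder's field-name matching, and note the rename in the commit message. The enclosing handleCreate starts before and ends after this hunk.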
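Review bot: In the second hunk, `data.Policies = parent.Policies` followed by `te.Policies = data.Policies` stores the parent's slice header in the child entry, so both entries share one backing array and any later in-place edit to either policy list is visible through the other; copy it with `te.Policies = append([]string(nil), data.Policies...)`. The removed `len(te.Policies) == 0` guard also means that a parent entry with an empty Policies list (if one can reach this path) now yields a child with no policies where the old code returned an error, so re-adding `if len(te.Policies) == 0 { return logical.ErrorResponse("token must have at least one policy"), logical.ErrInvalidRequest }` after the assignment is a cheap invariant to keep. The comment above the block should also state the new default, e.g. `// An omitted policy list inherits the parent's full policy set; otherwise it must be a subset unless the client is root`, since inheriting the full set is now the privilege grant a caller gets by saying nothing. handleCreate begins and ends outside the hunk.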
@@ -255,11 +255,22 @@ func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
 req.ClientToken = root
 resp, err := ts.HandleRequest(req)
- if err != logical.ErrInvalidRequest {
+ if err != nil {
 t.Fatalf("err: %v %v", err, resp)
 }
- if resp.Data["error"] != "token must have at least one policy" {
- t.Fatalf("bad: %#v", resp)
+
+ expected := &TokenEntry{
+ ID: resp.Auth.ClientToken,
+ Parent: root,
+ Policies: []string{"root"},
+ Path: "auth/token/create",
+ }
+ out, err := ts.Lookup(resp.Auth.ClientToken)
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if !reflect.DeepEqual(out, expected) {
+ t.Fatalf("bad: %#v", out)
 }
 }
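Review bot: The rewritten test only creates the child from the root token, for which `isRoot` bypasses the subset check, so the new inherit-then-verify path for a non-root parent is not exercised by anything in this commit; a second case that creates a child from a token with a restricted policy set and asserts `out.Policies` equals the parent's list would pin the behaviour the commit is introducing. The name `CreateToken_NoPolicy` now describes a success case rather than the rejection it used to test, so a rename along the lines of `..._CreateToken_NoPolicy_InheritsParent` would keep the intent readable. `reflect.DeepEqual` needs the `reflect` import, which is outside the hunk — confirm it is already present in the test file. The enclosing test function starts before the hunk.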