From ceeebcb5b7ea34955fd77d2a36fc14f54efae748 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Wed, 1 Apr 2015 14:03:17 -0700
Subject: [PATCH] vault: Simpify token checking logic
---
 vault/core.go | 13 ++++---------
 vault/logical_system.go | 1 +
 vault/logical_system_test.go | 1 +
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/vault/core.go b/vault/core.go
index bdc9a05034..642d40d370 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -230,8 +230,7 @@ func (c *Core) HandleRequest(req *logical.Request) (*logical.Response, error) {
 func (c *Core) handleRequest(req *logical.Request) (*logical.Response, error) {
 // Validate the token
- err := c.checkToken(
- req.Operation, req.Path, req.ClientToken, c.router.RootPath(req.Path))
+ err := c.checkToken(req.Operation, req.Path, req.ClientToken)
 if err != nil {
 // If it is an internal error we return that, otherwise we
 // return invalid request so that the status codes can be correct
@@ -306,7 +305,7 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, erro
 }
 func (c *Core) checkToken(
- op logical.Operation, path string, token string, root bool) error {
+ op logical.Operation, path string, token string) error {
 // Ensure there is a client token
 if token == "" {
 return fmt.Errorf("missing client token")
@@ -332,7 +331,7 @@ func (c *Core) checkToken(
 }
 // Check if this is a root protected path
- if root && !acl.RootPrivilege(path) {
+ if c.router.RootPath(path) && !acl.RootPrivilege(path) {
 return logical.ErrPermissionDenied
 }
@@ -617,11 +616,7 @@ func (c *Core) Seal(token string) error {
 }
 // Validate the token is a root token
- err := c.checkToken(
- logical.WriteOperation,
- "sys/seal",
- token,
- true)
+ err := c.checkToken(logical.WriteOperation, "sys/seal", token)
 if err != nil {
 return err
 }
diff --git a/vault/logical_system.go b/vault/logical_system.go
index f5ea073c9f..43af47423d 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
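Review bot: In checkToken the root requirement now comes only from `c.router.RootPath(path)`, so the Seal call in the last core.go hunk no longer forces it: the old call passed `true`, while the new one is root-protected only as long as "sys/seal" resolves to a registered root path. If that lookup ever returns false (the entry is dropped, or presumably the path is not routed), the `if` is skipped and the decision falls to whatever ACL check precedes it outside this hunk, which is a fail-open direction for an operation that seals the vault. I would record the dependency on the function with a comment such as `// checkToken takes root protection from c.router.RootPath(path); callers that pass a literal path (Core.Seal) rely on that path being registered as a root path.` checkToken's body starts and ends outside the hunk, so the earlier checks are not visible here.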
@@ -22,6 +22,7 @@ func NewSystemBackend(core *Core) logical.Backend {
 "policy/*",
 "audit",
 "audit/*",
+ "seal", // Must be set for Core.Seal() logic
 },
 },
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index f376fb05a9..c0de5b1673 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -18,6 +18,7 @@ func TestSystemBackend_RootPaths(t *testing.T) {
 "policy/*",
 "audit",
 "audit/*",
+ "seal",
 }
 b := testSystemBackend(t)
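Review bot: The expected list in TestSystemBackend_RootPaths mirrors the backend's own literal, so adding `"seal"` here shows that the entry exists but not that it is enforced. Since the same commit makes Core.Seal depend on this entry for its root check, a behavioural test belongs alongside it: call `Seal` with a valid non-root token and assert that it returns an error and the core stays unsealed, then with a root token assert that it succeeds. Without that, removing the entry from both lists together would still pass the suite while weakening Seal. The test function's body continues outside the hunk.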