initial commit for minor update to token-store

Laura Bennett 2016-08-03 14:32:17 -04:00
parent 1957de6d12
commit d29e3d79d2
2 changed files with 22 additions and 0 deletions


@ -1076,6 +1076,11 @@ func (ts *TokenStore) handleCreateCommon(
logical.ErrInvalidRequest
}
// Prevent attempts to create a root token without an actual root token as parent
if strutil.StrListContains(data.Policies, "root") && !strutil.StrListContains(parent.Policies, "root") {
return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
}
// Setup the token entry
te := TokenEntry{
Parent: req.ClientToken,
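Review bot: The new guard compares `data.Policies` against the literal `"root"` with an exact, case-sensitive match, and the hunk does not show whether the requested policy names have been normalized before this point. If names are lowercased or trimmed later in handleCreateCommon or at policy lookup (not visible here), a differently cased or padded spelling from a non-root parent would not be caught by this check, so confirm normalization runs first or compare on the normalized form. The comment could also state the invariant being enforced, e.g. `// Invariant: only a token that itself holds the root policy may create a child that holds it.` The function starts and ends outside the hunk.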


@ -832,6 +832,23 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = "client"
req.Data["policies"] = []string{"root", "foo", "bar"}
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Data["error"] != "root tokens may not be created without parent token being root" {
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
testMakeToken(t, ts, root, "client", "", []string{"foo"})
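Review bot: In the new RootChild test, `resp` is dereferenced at `resp.Data["error"]` without a nil check, so a regression that returns `logical.ErrInvalidRequest` with a nil response would panic instead of failing with a readable message; a guard such as `if resp == nil || resp.Data["error"] != "root tokens may not be created without parent token being root" {` avoids that. The test pins only the rejection path with the exact lowercase name; a companion case where the parent does hold `root` and creation succeeds would show that the guard does not over-block. The NoParent test that follows continues outside the hunk.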