Merge pull request #2309 from hashicorp/f-no-root-token

Disallow root policy from being specified

nomad/structs/structs.go

@@ -3260,21 +3260,28 @@ func (v *Vault) Validate() error {
 		return nil
 	}
 
+	var mErr multierror.Error
 	if len(v.Policies) == 0 {
-		return fmt.Errorf("Policy list cannot be empty")
+		multierror.Append(&mErr, fmt.Errorf("Policy list cannot be empty"))
+	}
+
+	for _, p := range v.Policies {
+		if p == "root" {
+			multierror.Append(&mErr, fmt.Errorf("Can not specifiy \"root\" policy"))
+		}
 	}
 
 	switch v.ChangeMode {
 	case VaultChangeModeSignal:
 		if v.ChangeSignal == "" {
-			return fmt.Errorf("Signal must be specified when using change mode %q", VaultChangeModeSignal)
+			multierror.Append(&mErr, fmt.Errorf("Signal must be specified when using change mode %q", VaultChangeModeSignal))
 		}
 	case VaultChangeModeNoop, VaultChangeModeRestart:
 	default:
-		return fmt.Errorf("Unknown change mode %q", v.ChangeMode)
+		multierror.Append(&mErr, fmt.Errorf("Unknown change mode %q", v.ChangeMode))
 	}
 
-	return nil
+	return mErr.ErrorOrNil()
 }
 
 const (

nomad/structs/structs_test.go

@@ -1510,12 +1510,20 @@ func TestVault_Validate(t *testing.T) {
 		t.Fatalf("Expected policy list empty error")
 	}
 
-	v.Policies = []string{"foo"}
+	v.Policies = []string{"foo", "root"}
 	v.ChangeMode = VaultChangeModeSignal
 
-	if err := v.Validate(); err == nil || !strings.Contains(err.Error(), "Signal must") {
+	err := v.Validate()
+	if err == nil {
+		t.Fatalf("Expected validation errors")
+	}
+
+	if !strings.Contains(err.Error(), "Signal must") {
 		t.Fatalf("Expected signal empty error")
 	}
+	if !strings.Contains(err.Error(), "root") {
+		t.Fatalf("Expected root error")
+	}
 }
 
 func TestParameterizedJobConfig_Validate(t *testing.T) {