Restrict orphan revocation to root tokens

2015-09-16 09:22:15 -04:00 · 2015-09-16 09:22:15 -04:00 · 047ba90a44
parent 5c363a1bd3
commit 047ba90a44
2 changed files with 47 additions and 0 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -76,6 +76,7 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 		PathsSpecial: &logical.Paths{
 			Root: []string{
 				"revoke-prefix/*",
+				"revoke-orphan/*",
 			},
 		},

@ -606,6 +607,22 @@ func (ts *TokenStore) handleRevokeOrphan(
 		return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 	}

+	parent, err := ts.Lookup(req.ClientToken)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("parent token lookup failed: %s", err.Error())), logical.ErrInvalidRequest
+	}
+	if parent == nil {
+		return logical.ErrorResponse("parent token lookup failed"), logical.ErrInvalidRequest
+	}
+
+	// Check if the parent policy is root
+	isRoot := strListContains(parent.Policies, "root")
+
+	if !isRoot {
+		return logical.ErrorResponse("root required to revoke and orphan"),
+			logical.ErrInvalidRequest
+	}
+
 	// Revoke and orphan
 	if err := ts.Revoke(id); err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -690,6 +690,7 @@ func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
 	testMakeToken(t, ts, "child", "sub-child", []string{"foo"})

 	req := logical.TestRequest(t, logical.WriteOperation, "revoke-orphan/child")
+	req.ClientToken = root
 	resp, err := ts.HandleRequest(req)
 	if err != nil {
 		t.Fatalf("err: %v %v", err, resp)
@ -716,6 +717,35 @@ func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
 	}
 }

+func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) {
+	_, ts, root := mockTokenStore(t)
+	testMakeToken(t, ts, root, "child", []string{"foo"})
+
+	out, err := ts.Lookup("child")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out == nil {
+		t.Fatalf("bad: %v", out)
+	}
+
+	req := logical.TestRequest(t, logical.WriteOperation, "revoke-orphan/child")
+	req.ClientToken = "child"
+	resp, err := ts.HandleRequest(req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("did not get error when non-root revoking itself with orphan flag; resp is %#v", resp)
+	}
+
+	// Should still exist
+	out, err = ts.Lookup("child")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out == nil {
+		t.Fatalf("bad: %v", out)
+	}
+}
+
 func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 	_, ts, root := mockTokenStore(t)
 	req := logical.TestRequest(t, logical.ReadOperation, "lookup/"+root)