Only use entropy augmentation for root token creation [VAULT-670] (#10487)

* Only use entropy augmentation for root token creation * changelog * change wording of changelog entry
2020-12-04 09:44:04 -08:00 · 2020-12-04 09:44:04 -08:00 · 0ada870a52
parent 081db3a240
commit 0ada870a52
3 changed files with 11 additions and 2 deletions
--- a/changelog/10487.txt
+++ b/changelog/10487.txt
@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Limit entropy augmentation during token generation to root tokens.
+```
--- a/go.mod
+++ b/go.mod
@ -149,7 +149,7 @@ require (
 	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
 	golang.org/x/net v0.0.0-20200625001655-4c5254603344
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20200828194041-157a740278f4
+	golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a
 	golang.org/x/tools v0.0.0-20200521155704-91d71f6c2f04
 	google.golang.org/api v0.29.0
 	google.golang.org/grpc v1.29.1
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -806,7 +806,9 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 	}

 	entry.Policies = policyutil.SanitizePolicies(entry.Policies, policyutil.DoNotAddDefaultPolicy)
+	var createRootTokenFlag bool
 	if len(entry.Policies) == 1 && entry.Policies[0] == "root" {
+		createRootTokenFlag = true
 		metrics.IncrCounter([]string{"token", "create_root"}, 1)
 	}

@ -820,7 +822,11 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 		if entry.ID == "" {
 			userSelectedID = false
 			var err error
-			entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+			if createRootTokenFlag {
+				entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+			} else {
+				entry.ID, err = base62.Random(TokenLength)
+			}
 			if err != nil {
 				return err
 			}