Seal wrap all root tokens and their leases (#3540)

Jeff Mitchell 2017-11-06 13:10:36 -05:00 committed by GitHub
parent 2af5b9274f
commit 119607dcb7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions


@ -1104,6 +1104,9 @@ func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
Key: le.LeaseID,
Value: buf,
}
if le.Auth != nil && len(le.Auth.Policies) == 1 && le.Auth.Policies[0] == "root" {
ent.SealWrap = true
}
if err := m.idView.Put(&ent); err != nil {
return fmt.Errorf("failed to persist lease entry: %v", err)
}
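Review bot: The root test `len(le.Auth.Policies) == 1 && le.Auth.Policies[0] == "root"` is an exact single-element match, so a lease whose Auth lists `root` together with any other policy is persisted without `SealWrap`; the same inline test is repeated in the `storeCommon` hunk. Whether policy lists are always normalised to exactly `["root"]` before reaching these writes is not visible here, and if they are not, a root-capable token would silently miss the extra protection. Consider moving the test into one shared helper used by both call sites (for example a new `isRootPolicySet(policies []string) bool`, name is only a suggestion) with a comment stating the normalisation it relies on. persistEntry starts and ends outside this hunk.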


@ -838,6 +838,9 @@ func (ts *TokenStore) storeCommon(entry *TokenEntry, writeSecondary bool) error
// Write the primary ID
path := lookupPrefix + saltedId
le := &logical.StorageEntry{Key: path, Value: enc}
if len(entry.Policies) == 1 && entry.Policies[0] == "root" {
le.SealWrap = true
}
if err := ts.view.Put(le); err != nil {
return fmt.Errorf("failed to persist entry: %v", err)
}
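Review bot: `le.SealWrap = true` is applied only to the primary `lookupPrefix + saltedId` entry and only when the entry is written. Root token entries persisted before this change would presumably stay unwrapped until they are stored again, and anything else storeCommon writes when `writeSecondary` is true lies outside this hunk and is not touched by the added lines; it is worth confirming both are intended and noting the upgrade behaviour. A short comment above the `if`, such as `// Root tokens are the most sensitive entries in this view, so request seal wrapping for them.`, would record why only root is singled out. storeCommon's body continues outside the hunk.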