Fix regression in 0.6.4 where token store roles could not properly wo… (#2286)

vault/token_store.go

@@ -1468,18 +1468,10 @@ func (ts *TokenStore) handleCreateCommon(
 				}
 			}
 		} else {
-			// Check against parent policies, or assign parent policies. As
-			// this is a role, add default unless explicitly disabled.
+			// Assign parent policies if none have been requested. As this is a
+			// role, add default unless explicitly disabled.
 			if len(finalPolicies) == 0 {
 				finalPolicies = policyutil.SanitizePolicies(parent.Policies, localAddDefault)
-			} else {
-				// If we added default based on the fact that this is using a
-				// role, we need to add it here too to ensure that the subset
-				// matching works.
-				sanitizedParentPolicies := policyutil.SanitizePolicies(parent.Policies, localAddDefault)
-				if !strutil.StrListSubset(sanitizedParentPolicies, finalPolicies) {
-					return logical.ErrorResponse("child policies must be subset of parent when role contains no allowed_policies"), logical.ErrInvalidRequest
-				}
 			}
 		}
 

vault/token_store_test.go

@@ -1919,6 +1919,16 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) {
 		t.Fatal("expected an error response")
 	}
 
+	// Disallowed should act as a blacklist so make sure we can still make
+	// something with other policies in the request
+	req = logical.TestRequest(t, logical.UpdateOperation, "create/test123")
+	req.Data["policies"] = []string{"foo", "bar"}
+	req.ClientToken = parentToken
+	resp, err = ts.HandleRequest(req)
+	if err != nil || resp == nil || resp.IsError() {
+		t.Fatalf("err:%v resp:%v", err, resp)
+	}
+
 	// Create a role to have 'default' policy disallowed
 	req = logical.TestRequest(t, logical.UpdateOperation, "roles/default")
 	req.ClientToken = root