Deduplicate policies prior to generating ACL on request (#17914)

* Deduplicate policies prior to generating ACL on request * add changelog * edit changelog entry
2022-11-16 17:43:46 -05:00 · 2022-11-16 17:43:46 -05:00 · 3394c28ce1
parent adc8f9a20e
commit 3394c28ce1
2 changed files with 5 additions and 2 deletions
--- a/changelog/17914.txt
+++ b/changelog/17914.txt
@ -0,0 +1,3 @@
+```release-note:bug
+auth: Deduplicate policies prior to ACL generation
+```
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -204,7 +204,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		return nil, nil, nil, nil, ErrInternalError
 	}
 	for nsID, nsPolicies := range identityPolicies {
-		policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
+		policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
 	}

 	// Attach token's namespace information to the context. Wrapping tokens by
@ -361,7 +361,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 	if te != nil {
 		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
 		auth.TokenPolicies = te.Policies
-		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
+		auth.Policies = policyutil.SanitizePolicies(append(te.Policies, identityPolicies[te.NamespaceID]...), false)
 		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID