From 3394c28ce17db438c96df06f68ee4ec10fe505a4 Mon Sep 17 00:00:00 2001
From: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
Date: Wed, 16 Nov 2022 17:43:46 -0500
Subject: [PATCH] Deduplicate policies prior to generating ACL on request (#17914)
* Deduplicate policies prior to generating ACL on request
* add changelog
* edit changelog entry
---
 changelog/17914.txt | 3 +++
 vault/request_handling.go | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog/17914.txt
diff --git a/changelog/17914.txt b/changelog/17914.txt
new file mode 100644
index 000000000..671e6362b
--- /dev/null
+++ b/changelog/17914.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Deduplicate policies prior to ACL generation
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 2f6b781f9..4a5bb5da4 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -204,7 +204,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		return nil, nil, nil, nil, ErrInternalError
 	}
 	for nsID, nsPolicies := range identityPolicies {
-		policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
+		policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
 	}
 
 	// Attach token's namespace information to the context. Wrapping tokens by
@@ -361,7 +361,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 	if te != nil {
 		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
 		auth.TokenPolicies = te.Policies
-		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
+		auth.Policies = policyutil.SanitizePolicies(append(te.Policies, identityPolicies[te.NamespaceID]...), false)
 		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID
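Review bot: The new `auth.Policies` line in checkToken (second hunk of vault/request_handling.go) still feeds `SanitizePolicies` the result of `append(te.Policies, ...)`, one line after `auth.TokenPolicies = te.Policies`; when `te.Policies` has spare capacity that append writes into the token entry's own backing array, and if `SanitizePolicies` normalises its input elements in place before de-duplicating (as I recall its implementation does), the elements shared with `te.Policies` and `auth.TokenPolicies` get rewritten as a side effect of computing the merged list. Building the merged list in a fresh slice before sanitising keeps the token entry and `TokenPolicies` untouched, which matters because both are later reported back to the caller as the token's own policies. The first hunk has the same `append`-then-sanitise shape on `policyNames[nsID]`; whether that map value aliases anything outside the function is not visible here. It is also worth a line in the description that the sanitised list is, as far as I recall, lower-cased and sorted and collapses to just `root` when `root` is present, so `auth.Policies` no longer preserves insertion order. Both fetchACLTokenEntryAndEntity and checkToken begin and end outside their hunks.
```go
		auth.TokenPolicies = te.Policies
		// Merge into a fresh slice so sanitising cannot write back into te.Policies.
		merged := make([]string, 0, len(te.Policies)+len(identityPolicies[te.NamespaceID]))
		merged = append(merged, te.Policies...)
		merged = append(merged, identityPolicies[te.NamespaceID]...)
		auth.Policies = policyutil.SanitizePolicies(merged, false)
		// … unchanged: auth.Metadata, auth.DisplayName, auth.EntityID …
```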