Merge pull request #1214 from hashicorp/resp-use-te-policies

Sort and filter policies going into the create token entry, then use
2016-03-15 14:07:29 -04:00 · 2016-03-15 14:07:29 -04:00 · 74ff117d03
parent 8fdbe2b40d 8a5fc6b017
commit 74ff117d03
1 changed files with 23 additions and 7 deletions
--- a/vault/core.go
+++ b/vault/core.go
@ -672,14 +672,29 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 			TTL:          auth.TTL,
 		}

-		if !strListSubset(te.Policies, []string{"root"}) {
-			// Append 'default' policy to the token being created
-			te.Policies = append(te.Policies, "default")
-			sort.Strings(te.Policies)
+		if strListSubset(te.Policies, []string{"root"}) {
+			te.Policies = []string{"root"}
+		} else {
+			// Use a map to filter out/prevent duplicates
+			policyMap := map[string]bool{}
+			for _, policy := range te.Policies {
+				if policy == "" {
+					// Don't allow a policy with no name, even though it is a valid
+					// slice member
+					continue
+				}
+				policyMap[policy] = true
+			}

-			// Update the response with the policies associated with token
-			auth.Policies = append(auth.Policies, "default")
-			sort.Strings(auth.Policies)
+			// Add the default policy
+			policyMap["default"] = true
+
+			te.Policies = []string{}
+			for k, _ := range policyMap {
+				te.Policies = append(te.Policies, k)
+			}
+
+			sort.Strings(te.Policies)
 		}

 		if err := c.tokenStore.create(&te); err != nil {
@ -690,6 +705,7 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 		// Populate the client token and accessor
 		auth.ClientToken = te.ID
 		auth.Accessor = te.Accessor
+		auth.Policies = te.Policies

 		// Register with the expiration manager
 		if err := c.expiration.RegisterAuth(req.Path, auth); err != nil {