From 8a5fc6b01793489166b540e46090e1473380780f Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 15 Mar 2016 14:05:25 -0400
Subject: [PATCH] Sort and filter policies going into the create token entry, then use that as the definitive source for the response Auth object.

---
 vault/core.go | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/vault/core.go b/vault/core.go
index aeca810f0..baae57828 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -672,14 +672,29 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 			TTL: auth.TTL,
 		}
 
-		if !strListSubset(te.Policies, []string{"root"}) {
-			// Append 'default' policy to the token being created
-			te.Policies = append(te.Policies, "default")
-			sort.Strings(te.Policies)
+		if strListSubset(te.Policies, []string{"root"}) {
+			te.Policies = []string{"root"}
+		} else {
+			// Use a map to filter out/prevent duplicates
+			policyMap := map[string]bool{}
+			for _, policy := range te.Policies {
+				if policy == "" {
+					// Don't allow a policy with no name, even though it is a valid
+					// slice member
+					continue
+				}
+				policyMap[policy] = true
+			}
 
-			// Update the response with the policies associated with token
-			auth.Policies = append(auth.Policies, "default")
-			sort.Strings(auth.Policies)
+			// Add the default policy
+			policyMap["default"] = true
+
+			te.Policies = []string{}
+			for k, _ := range policyMap {
+				te.Policies = append(te.Policies, k)
+			}
+
+			sort.Strings(te.Policies)
 		}
 
 		if err := c.tokenStore.create(&te); err != nil {
@@ -690,6 +705,7 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 		// Populate the client token and accessor
 		auth.ClientToken = te.ID
 		auth.Accessor = te.Accessor
+		auth.Policies = te.Policies
 
 		// Register with the expiration manager
 		if err := c.expiration.RegisterAuth(req.Path, auth); err != nil {
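Review bot: `for k, _ := range policyMap` in the rebuild loop carries a redundant blank identifier; `go vet`/`gofmt -s` prefer `for k := range policyMap`, and the preceding `te.Policies = []string{}` can be `te.Policies = make([]string, 0, len(policyMap))` so the slice is sized once. The root branch silently replaces whatever policies the auth backend returned with `[]string{"root"}`, which is a security-relevant decision with no comment; the intent is presumably that root subsumes everything, so a line such as `// A root token carries only the root policy; any other policies returned by the backend are discarded` would make that explicit (the exact condition depends on strListSubset's argument order, which is not visible here). In the second hunk `auth.Policies = te.Policies` aliases the same backing slice rather than copying it, which is fine only as long as nothing after tokenStore.create mutates either side — worth a short comment, or a copy if that is not guaranteed. handleLoginRequest's body starts and ends outside both hunks.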