backport of commit 2f677665b3 (#21527)

Co-authored-by: Max Bowsher <maxbowsher@gmail.com>

api/plugin_helpers_test.go

@@ -12,10 +12,12 @@ func TestIsSudoPath(t *testing.T) {
 		path     string
 		expected bool
 	}{
+		// Testing: Not a real endpoint
 		{
 			"/not/in/sudo/paths/list",
 			false,
 		},
+		// Testing: sys/raw/{path}
 		{
 			"/sys/raw/single-node-path",
 			true,
@@ -28,26 +30,43 @@ func TestIsSudoPath(t *testing.T) {
 			"/sys/raw/WEIRD(but_still_valid!)p4Th?🗿笑",
 			true,
 		},
+		// Testing: sys/auth/{path}/tune
 		{
 			"/sys/auth/path/in/middle/tune",
 			true,
 		},
+		// Testing: sys/plugins/catalog/{type} and sys/plugins/catalog/{name} (regexes overlap)
 		{
 			"/sys/plugins/catalog/some-type",
 			true,
 		},
+		// Testing: Not a real endpoint
 		{
 			"/sys/plugins/catalog/some/type/or/name/with/slashes",
 			false,
 		},
+		// Testing: sys/plugins/catalog/{type}/{name}
 		{
 			"/sys/plugins/catalog/some-type/some-name",
 			true,
 		},
+		// Testing: Not a real endpoint
 		{
 			"/sys/plugins/catalog/some-type/some/name/with/slashes",
 			false,
 		},
+		// Testing: auth/token/accessors (an example of a sudo path that only accepts list operations)
+		// It is matched as sudo without the trailing slash...
+		{
+			"/auth/token/accessors",
+			true,
+		},
+		// ...and also with it.
+		// (Although at the time of writing, the only caller of IsSudoPath always removes trailing slashes.)
+		{
+			"/auth/token/accessors/",
+			true,
+		},
 	}
 
 	for _, tc := range testCases {