Properly check for policy equivalency during renewal.

This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
This commit is contained in:
Jeff Mitchell
2016-03-24 09:41:51 -04:00
parent a1b59bac56
commit 7ce9701800
9 changed files with 104 additions and 24 deletions

@@ -3,10 +3,9 @@ package github
import (
"fmt"
"net/url"
"reflect"
"sort"
"github.com/google/go-github/github"
"github.com/hashicorp/vault/helper/policies"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@@ -83,8 +82,7 @@ func (b *backend) pathLoginRenew(
} else {
verifyResp = verifyResponse
}
sort.Strings(req.Auth.Policies)
if !reflect.DeepEqual(verifyResp.Policies, req.Auth.Policies) {
if !policies.EquivalentPolicies(verifyResp.Policies, req.Auth.Policies) {
return logical.ErrorResponse("policies do not match"), nil
}
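Review bot: The new comparison on the `if !policies.EquivalentPolicies(...)` line carries no hint of why the previous `sort.Strings` + `reflect.DeepEqual` check was dropped, so a later maintainer could reintroduce an order- or duplicate-sensitive comparison and break renewal again; the rationale only lives in the commit message. A one-line comment above the call would pin it: `// Compare as sets: core appends "default" to the token's policies, and ordering/duplicates are not meaningful here.` The helper itself is not in this file section, so it is worth confirming how it behaves when one side is nil or empty (e.g. a team mapping that now yields no policies against a token holding only "default"), since that edge decides whether such a renewal is rejected or allowed. pathLoginRenew starts before this hunk and its body continues after it.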