Fix the bug where the policy name is empty during the ACL check in th…

…e policy module.
Tongsuo-Project · Jan 11, 2025 · 78406f9 · 78406f9
1 parent 73e2b06
commit 78406f9
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 8 deletions.
diff --git a/src/logical/auth.rs b/src/logical/auth.rs
@@ -27,6 +27,9 @@ pub struct Auth {
     // Policies is the list of policies that the authenticated user is associated with.
     pub policies: Vec<String>,
 
+    // token_policies break down the list in policies to help determine where a policy was sourced
+    pub token_policies: Vec<String>,
+
     // Indicates that the default policy should not be added by core when creating a token.
     // The default policy will still be added if it's explicitly defined.
     pub no_default_policy: bool,

diff --git a/src/modules/auth/token_store.rs b/src/modules/auth/token_store.rs
@@ -311,14 +311,17 @@ impl TokenStoreInner {
 
         self.use_token(&mut entry)?;
 
-        let auth = Auth {
+        let mut auth = Auth {
             client_token: token.to_string(),
             display_name: entry.display_name,
+            token_policies: entry.policies.clone(),
             policies: entry.policies.clone(),
             metadata: entry.meta,
             ..Auth::default()
         };
 
+        sanitize_policies(&mut auth.policies, false);
+
         Ok(Some(auth))
     }
 
@@ -704,9 +707,11 @@ impl Handler for TokenStore {
                 auth.ttl = MAX_LEASE_DURATION_SECS;
             }
 
-            sanitize_policies(&mut auth.policies, !auth.no_default_policy);
 
-            if auth.policies.contains(&"root".to_string()) {
+            auth.token_policies = auth.policies.clone();
+            sanitize_policies(&mut auth.token_policies, !auth.no_default_policy);
+
+            if auth.token_policies.contains(&"root".to_string()) {
                 return Err(rv_error_response!("auth methods cannot create root tokens"));
             }
 
@@ -715,6 +720,7 @@ impl Handler for TokenStore {
                 meta: auth.metadata.clone(),
                 display_name: auth.display_name.clone(),
                 ttl: auth.ttl.as_secs(),
+                policies: auth.token_policies.clone(),
                 ..Default::default()
             };
 

diff --git a/src/modules/policy/policy_store.rs b/src/modules/policy/policy_store.rs
@@ -145,11 +145,6 @@ path "sys/tools/hash/*" {
 path "sys/control-group/request" {
     capabilities = ["update"]
 }
-
-# Allow a token to make requests to the Authorization Endpoint for OIDC providers.
-path "identity/oidc/provider/+/authorize" {
-    capabilities = ["read", "update"]
-}
 "#;
 
 static RESPONSE_WRAPPING_POLICY_NAME: &str = "response-wrapping";

diff --git a/src/utils/token_util.rs b/src/utils/token_util.rs
@@ -194,6 +194,7 @@ impl TokenParams {
         auth.ttl = self.token_ttl;
         auth.max_ttl = self.token_max_ttl;
         auth.policies = self.token_policies.clone();
+        auth.no_default_policy = self.token_no_default_policy;
         auth.renewable = true;
     }
 }