upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-02-03 20:40:45 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Replace string contains to be case insensitive (#31045)

Browse source
This commit is contained in:
Bianca 2025-06-20 11:54:48 +02:00 committed by GitHub
parent c4467ff9e5
commit 642b4f1817
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
changelog/31045.txt Normal file
View file

@ -0,0 +1,3 @@
```release-note:bug
core: Fix string contains check in Identity APIs to be case-insensitive.
```

2
vault/identity_store_entities.go
View file

@ -349,7 +349,7 @@ func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc {
entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), false)
}
if strutil.StrListContains(entity.Policies, "root") {
if strutil.StrListContainsCaseInsensitive(entity.Policies, "root") {
return logical.ErrorResponse("policies cannot contain root"), nil
}

2
vault/identity_store_groups.go
View file

@ -265,7 +265,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
}
if strutil.StrListContains(group.Policies, "root") {
if strutil.StrListContainsCaseInsensitive(group.Policies, "root") {
return logical.ErrorResponse("policies cannot contain root"), nil
}

6
vault/token_store.go
View file

@ -2993,10 +2993,10 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
}
}
if strutil.StrListContains(te.Policies, "root") {
if strutil.StrListContainsCaseInsensitive(te.Policies, "root") {
// Prevent attempts to create a root token without an actual root token as parent.
// This is to thwart privilege escalation by tokens having 'sudo' privileges.
if !strutil.StrListContains(parent.Policies, "root") {
if !strutil.StrListContainsCaseInsensitive(parent.Policies, "root") {
return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
}
@ -3151,7 +3151,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
}
// Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContainsCaseInsensitive(te.Policies, "root")) {
ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
if err != nil {
return nil, err