From 642b4f18173d8c5d759ab840c7a2f010b262f7ae Mon Sep 17 00:00:00 2001
From: Bianca <48203644+biazmoreira@users.noreply.github.com>
Date: Fri, 20 Jun 2025 11:54:48 +0200
Subject: [PATCH] Replace string contains to be case insensitive (#31045)
---
 changelog/31045.txt | 3 +++
 vault/identity_store_entities.go | 2 +-
 vault/identity_store_groups.go | 2 +-
 vault/token_store.go | 6 +++---
 4 files changed, 8 insertions(+), 5 deletions(-)
 create mode 100644 changelog/31045.txt
diff --git a/changelog/31045.txt b/changelog/31045.txt
new file mode 100644
index 0000000000..e0e70a49bf
--- /dev/null
+++ b/changelog/31045.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix string contains check in Identity APIs to be case-insensitive.
+```
\ No newline at end of file
diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
index 001888d55b..4cb7170371 100644
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@@ -349,7 +349,7 @@ func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc {
 entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), false)
 }
- if strutil.StrListContains(entity.Policies, "root") {
+ if strutil.StrListContainsCaseInsensitive(entity.Policies, "root") {
 return logical.ErrorResponse("policies cannot contain root"), nil
 }
diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
index d1385d50e1..bcd5636d6a 100644
--- a/vault/identity_store_groups.go
+++ b/vault/identity_store_groups.go
@@ -265,7 +265,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
 }
- if strutil.StrListContains(group.Policies, "root") {
+ if strutil.StrListContainsCaseInsensitive(group.Policies, "root") {
 return logical.ErrorResponse("policies cannot contain root"), nil
 }
diff --git a/vault/token_store.go b/vault/token_store.go
index 778511f662..0568b6752d 100644
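Review bot: The new case-insensitive root check on the `+` line leaves the policy list itself un-normalized: the context line just above stores `entity.Policies` via `strutil.RemoveDuplicates(..., false)`, so mixed-case names such as `Foo` and `foo` survive as two distinct entries written through exactly as typed, whereas the group handler in this same patch dedupes case-insensitively. If policy names really are resolved without regard to case downstream (the premise that makes `Root` a bypass at all), canonicalizing once at the boundary — `entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), true)`, assuming the second argument is the lowercase flag as in go-secure-stdlib's strutil — would make the stored form and every later comparison agree instead of special-casing the `root` lookup alone; it does change what the read API echoes back, so confirm that is acceptable first. Whichever way it goes, a short why-comment above the check would help the next reader, e.g. `// Case-insensitive on purpose: policy names are presumably resolved without regard to case, so "Root" would grant root.` handleEntityUpdateCommon starts before this hunk and continues past it.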
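Review bot: This check, like the entity one, only runs on the write path of handleGroupUpdateCommon, so a group persisted before this patch with a policy spelled `Root` keeps it and nothing in this diff revalidates it. If policies are resolved case-insensitively (the premise of the fix), the durable closure is to enforce the same rule where policies are consumed, or to audit existing groups and entities once after deploy, rather than relying on input validation alone. The `RemoveDuplicatesStable(..., true)` on the preceding context line already dedupes case-insensitively, so the new check is at least consistent with how this handler treats the list. handleGroupUpdateCommon starts before this hunk and continues past it.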
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -2993,10 +2993,10 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 }
 }
- if strutil.StrListContains(te.Policies, "root") {
+ if strutil.StrListContainsCaseInsensitive(te.Policies, "root") {
 // Prevent attempts to create a root token without an actual root token as parent.
 // This is to thwart privilege escalation by tokens having 'sudo' privileges.
- if !strutil.StrListContains(parent.Policies, "root") {
+ if !strutil.StrListContainsCaseInsensitive(parent.Policies, "root") {
 return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
 }
@@ -3151,7 +3151,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 }
 // Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
- if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
+ if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContainsCaseInsensitive(te.Policies, "root")) {
 ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
 if err != nil {
 return nil, err
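Review bot: The converted check on the first `+` line still leaves `te.Policies` holding whatever spelling the caller submitted — nothing in this hunk lowercases it — so a root parent can mint a token whose stored policy list literally reads `Root`, and any comparison against the literal `"root"` elsewhere in the token path that this patch did not convert (if there is one) will disagree with this check. Canonicalizing once before the check, e.g. `for i, p := range te.Policies { te.Policies[i] = strings.ToLower(p) }` (assuming `strings` is already imported in token_store.go and that lowercasing is indeed how policies are resolved), would make the stored form and every later comparison agree without patching call sites one by one. The two comment lines inside the branch should also record why the match is case-insensitive, e.g. `// Match "root" case-insensitively: policy names are presumably resolved without regard to case, so "Root" would confer the same privileges.` Note this only affects newly created tokens; tokens already issued with a mixed-case root policy are not revoked by this change and would have to be found and revoked separately. handleCreateCommon starts before this hunk and continues past it.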