Fix create token sudo non-root namespace check (#7224)

* Fix create token sudo non-root namespace check

* Moved path trimming to SudoPrivilege

* Changed to tokenCtx instead of request ctx

* Use root context for AllowOperation; details in comment
Michel Vocks 2019-08-05 22:03:47 +02:00 committed by Jeff Mitchell
parent a32c1ddad9
commit 6e1360bc48


@ -110,11 +110,13 @@ func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token
// The operation type isn't important here as this is run from a path the
// user has already been given access to; we only care about whether they
// have sudo
// have sudo. Note that we use root context because the path that comes in
// must be fully-qualified already so we don't want AllowOperation to
// prepend a namespace prefix onto it.
req := new(logical.Request)
req.Operation = logical.ReadOperation
req.Path = path
authResults := acl.AllowOperation(ctx, req, true)
authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
return authResults.RootPrivs
}
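Review bot: The new `acl.AllowOperation(namespace.RootContext(ctx), req, true)` call makes the sudo decision depend on `path` already carrying its namespace prefix, and that precondition is stated only in the inline comment above `req := new(logical.Request)`. Nothing in the visible lines checks it, so a caller that passes a namespace-relative path would presumably have it evaluated as a root-namespace path; whether that fails closed depends on how the token's ACL was built, which is outside this hunk. I would put the contract on the method's doc comment, e.g. `// SudoPrivilege reports whether the token has sudo on path; path must be fully qualified with its namespace prefix because the ACL check runs in the root namespace context.`, and add a regression test that uses a token created in a non-root namespace. The function body starts before the hunk, so the path trimming mentioned in the commit message cannot be reviewed here.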