Fix create token sudo non-root namespace check (#7224)
* Fix create token sudo non-root namespace check

* Moved path trimming to SudoPrivilege

* Changed to tokenCtx instead of request ctx

* Use root context for AllowOperation; details in comment
michelvocks authored and jefferai committed Aug 5, 2019
1 parent a32c1dd commit 6e1360b
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions vault/dynamic_system_view.go
Expand Up @@ -110,11 +110,13 @@ func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token

// The operation type isn't important here as this is run from a path the
// user has already been given access to; we only care about whether they
// have sudo
// have sudo. Note that we use root context because the path that comes in
// must be fully-qualified already so we don't want AllowOperation to
// prepend a namespace prefix onto it.
req := new(logical.Request)
req.Operation = logical.ReadOperation
req.Path = path
authResults := acl.AllowOperation(ctx, req, true)
authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
return authResults.RootPrivs
}
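
Review bot: The switch to namespace.RootContext(ctx) in the AllowOperation call makes the sudo decision depend on every caller passing an already fully-qualified path, and that precondition is stated only in the inline comment inside the function body. Suggest moving it into the doc comment of SudoPrivilege so callers see it, because a namespace-relative path passed here would be evaluated as if it were a root-namespace path and could yield the wrong RootPrivs result. The commit changes only vault/dynamic_system_view.go, so no regression test accompanies the fix; a test that exercises token creation from a non-root namespace and asserts the result both with and without sudo on the path would pin the behaviour named in the title.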
