Sort policies before returning/storing, like we do in handleCreateCommon

hashicorp · Mar 11, 2016 · 4bfc02b · 4bfc02b
1 parent 0b2477d
commit 4bfc02b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/vault/core.go b/vault/core.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net/url"
 	"os"
+	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -674,8 +675,11 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 		if !strListSubset(te.Policies, []string{"root"}) {
 			// Append 'default' policy to the token being created
 			te.Policies = append(te.Policies, "default")
+			sort.Strings(te.Policies)
+
 			// Update the response with the policies associated with token
 			auth.Policies = append(auth.Policies, "default")
+			sort.Strings(auth.Policies)
 		}
 
 		if err := c.tokenStore.create(&te); err != nil {

diff --git a/vault/core_test.go b/vault/core_test.go
@@ -789,7 +789,7 @@ func TestCore_HandleLogin_Token(t *testing.T) {
 		ID:       clientToken,
 		Accessor: te.Accessor,
 		Parent:   "",
-		Policies: []string{"foo", "bar", "default"},
+		Policies: []string{"bar", "default", "foo"},
 		Path:     "auth/foo/login",
 		Meta: map[string]string{
 			"user": "armon",
@@ -950,7 +950,7 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) {
 	if auth.ClientToken != clientToken {
 		t.Fatalf("bad client token: %#v", auth)
 	}
-	if len(auth.Policies) != 3 || auth.Policies[0] != "foo" || auth.Policies[1] != "bar" || auth.Policies[2] != "default" {
+	if len(auth.Policies) != 3 || auth.Policies[0] != "bar" || auth.Policies[1] != "default" || auth.Policies[2] != "foo" {
 		t.Fatalf("bad: %#v", auth)
 	}
 	if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], lreq) {