From cfd522e0f0b02c269bdec2918210122822abdaa8 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 4 Apr 2017 08:54:18 -0700
Subject: [PATCH] Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
---
 builtin/credential/ldap/backend.go | 4 ++--
 builtin/logical/pki/cert_util.go | 4 ++--
 helper/policyutil/policyutil.go | 2 +-
 helper/strutil/strutil.go | 16 +++++++++-------
 vault/token_store.go | 4 ++--
 5 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
index 85ea2d88b12b..c0741e5878d1 100644
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -165,11 +165,11 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 policies = append(policies, group.Policies...)
 }
 }
- if user !=nil && user.Policies != nil {
+ if user != nil && user.Policies != nil {
 policies = append(policies, user.Policies...)
 }
 // Policies from each group may overlap
- policies = strutil.RemoveDuplicates(policies)
+ policies = strutil.RemoveDuplicates(policies, true)
 if len(policies) == 0 {
 errStr := "user is not a member of any authorized group"
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 36d284c48ccc..f8e9f8279576 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -665,7 +665,7 @@ func generateCreationBundle(b *backend,
 ou := []string{}
 {
 if role.OU != "" {
- ou = strutil.ParseDedupAndSortStrings(role.OU, ",")
+ ou = strutil.RemoveDuplicates(strutil.ParseStringSlice(role.OU, ","), false)
 }
 }
@@ -673,7 +673,7 @@ func generateCreationBundle(b *backend,
 organization := []string{}
 {
 if role.Organization != "" {
- organization = strutil.ParseDedupAndSortStrings(role.Organization, ",")
+ organization = strutil.RemoveDuplicates(strutil.ParseStringSlice(role.Organization, ","), false)
 }
 }
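Review bot: The new `ou` assignment in generateCreationBundle still routes the values through `RemoveDuplicates`, whose doc comment in helper/strutil/strutil.go says it returns a sorted slice, so the OU entries placed in the certificate subject come out in sorted order rather than the order configured on the role; the Organization hunk below has the same shape. With `lowercase` set to `false`, entries that differ only in case are now kept as separate values, which looks intended but is worth stating for anyone who matches on the subject DN. I would add `// RemoveDuplicates trims, drops empties and sorts; case is preserved, so "Eng" and "eng" are distinct OUs.` above the call. The diffstat lists no test file, so a regression test asserting that a mixed-case OU and Organization survive issuance unchanged would pin the fix for #2555. The function body starts and ends outside both hunks, and `ParseStringSlice` is not shown in this patch.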
diff --git a/helper/policyutil/policyutil.go b/helper/policyutil/policyutil.go
index 7734d18f95ce..9ac9b9379cae 100644
--- a/helper/policyutil/policyutil.go
+++ b/helper/policyutil/policyutil.go
@@ -61,7 +61,7 @@ func SanitizePolicies(policies []string, addDefault bool) []string {
 policies = append(policies, "default")
 }
- return strutil.RemoveDuplicates(policies)
+ return strutil.RemoveDuplicates(policies, true)
 }
 // EquivalentPolicies checks whether the given policy sets are equivalent, as in,
diff --git a/helper/strutil/strutil.go b/helper/strutil/strutil.go
index 0d418016a1d4..df65db0c1765 100644
--- a/helper/strutil/strutil.go
+++ b/helper/strutil/strutil.go
@@ -39,7 +39,7 @@ func ParseDedupAndSortStrings(input string, sep string) []string {
 // Don't return nil
 return parsed
 }
- return RemoveDuplicates(strings.Split(input, sep))
+ return RemoveDuplicates(strings.Split(input, sep), true)
 }
 // Parses a comma separated list of `=` tuples into a
@@ -174,19 +174,21 @@ func ParseArbitraryStringSlice(input string, sep string) []string {
 return ret
 }
-// Removes duplicate and empty elements from a slice of strings.
-// This also converts the items in the slice to lower case and
-// returns a sorted slice.
-func RemoveDuplicates(items []string) []string {
+// Removes duplicate and empty elements from a slice of strings. This also may
+// convert the items in the slice to lower case and returns a sorted slice.
+func RemoveDuplicates(items []string, lowercase bool) []string {
 itemsMap := map[string]bool{}
 for _, item := range items {
- item = strings.ToLower(strings.TrimSpace(item))
+ item = strings.TrimSpace(item)
+ if lowercase {
+ item = strings.ToLower(item)
+ }
 if item == "" {
 continue
 }
 itemsMap[item] = true
 }
- items = []string{}
+ items = make([]string, 0, len(itemsMap))
 for item, _ := range itemsMap {
 items = append(items, item)
 }
diff --git a/vault/token_store.go b/vault/token_store.go
index 1cd611ca0a29..32e1c20c0a67 100644
--- a/vault/token_store.go
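Review bot: The bare `true`/`false` second argument to the exported `RemoveDuplicates` is easy to get wrong at call sites, and for policy lists it is security-relevant: the policy callers in this patch (ldap Login, SanitizePolicies, handleCreateCommon) all pass `true`, and a later caller passing `false` would make policy de-duplication case-sensitive. The doc comment should start with the function name and state the contract, e.g. `// RemoveDuplicates trims each item, drops empty and duplicate entries, lowercases them only when lowercase is true, and returns a sorted slice.` Changing the exported signature also breaks any caller outside this repository; keeping the one-argument form and adding a separately named case-preserving variant would avoid that. As a style point, `for item, _ := range itemsMap` can be written `for item := range itemsMap`. The end of the function is outside the hunk.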
+++ b/vault/token_store.go
@@ -10,9 +10,9 @@ import (
 "github.com/armon/go-metrics"
 "github.com/hashicorp/go-multierror"
 "github.com/hashicorp/go-uuid"
- "github.com/hashicorp/vault/helper/parseutil"
 "github.com/hashicorp/vault/helper/jsonutil"
 "github.com/hashicorp/vault/helper/locksutil"
+ "github.com/hashicorp/vault/helper/parseutil"
 "github.com/hashicorp/vault/helper/policyutil"
 "github.com/hashicorp/vault/helper/salt"
 "github.com/hashicorp/vault/helper/strutil"
@@ -1468,7 +1468,7 @@ func (ts *TokenStore) handleCreateCommon(
 if len(role.DisallowedPolicies) > 0 {
 // We don't add the default here because we only want to disallow it if it's explicitly set
- sanitizedRolePolicies = strutil.RemoveDuplicates(role.DisallowedPolicies)
+ sanitizedRolePolicies = strutil.RemoveDuplicates(role.DisallowedPolicies, true)
 for _, finalPolicy := range finalPolicies {
 if strutil.StrListContains(sanitizedRolePolicies, finalPolicy) {
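Review bot: The disallowed-policy check in the handleCreateCommon hunk normalises only one side: `sanitizedRolePolicies` is lowercased by `RemoveDuplicates(..., true)`, while `finalPolicies` is built outside this hunk and is compared with `StrListContains`, which by its name looks like an exact string match. If `finalPolicies` has not been through the same lowercasing, a disallowed policy name could fail to match purely on case, so the invariant should be written down where it is relied on. I would add `// finalPolicies must already be lowercased (see policyutil.SanitizePolicies) or this disallowed-policy match can miss.` above the loop and confirm it against the code that builds `finalPolicies`. handleCreateCommon starts before and continues after the hunk.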