Only use entropy augmentation for root token creation [VAULT-670] (#1…

…0487) * Only use entropy augmentation for root token creation * changelog * change wording of changelog entry
hashicorp · Dec 4, 2020 · bbe77aa · bbe77aa
1 parent 403b94e
commit bbe77aa
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/changelog/10487.txt b/changelog/10487.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Limit entropy augmentation during token generation to root tokens.
+```
diff --git a/go.mod b/go.mod
@@ -149,7 +149,7 @@ require (
 	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
 	golang.org/x/net v0.0.0-20200625001655-4c5254603344
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20200828194041-157a740278f4
+	golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a
 	golang.org/x/tools v0.0.0-20200521155704-91d71f6c2f04
 	google.golang.org/api v0.29.0
 	google.golang.org/grpc v1.29.1

diff --git a/vault/token_store.go b/vault/token_store.go
@@ -806,7 +806,9 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 	}
 
 	entry.Policies = policyutil.SanitizePolicies(entry.Policies, policyutil.DoNotAddDefaultPolicy)
+	var createRootTokenFlag bool
 	if len(entry.Policies) == 1 && entry.Policies[0] == "root" {
+		createRootTokenFlag = true
 		metrics.IncrCounter([]string{"token", "create_root"}, 1)
 	}
 
@@ -820,7 +822,11 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 		if entry.ID == "" {
 			userSelectedID = false
 			var err error
-			entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+			if createRootTokenFlag {
+				entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+			} else {
+				entry.ID, err = base62.Random(TokenLength)
+			}
 			if err != nil {
 				return err
 			}