backport of commit 642b4f1 (#31046)

hc-github-team-secure-vault-core · biazmoreira · web-flow · commit 472170102746 · 2025-06-20T10:21:01.000Z
Co-authored-by: Bianca &lt;48203644+biazmoreira@users.noreply.github.com&gt;
diff --git a/changelog/31045.txt b/changelog/31045.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix string contains check in Identity APIs to be case-insensitive.
+```
diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
@@ -349,7 +349,7 @@ func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc {
 			entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), false)
 		}
 
-		if strutil.StrListContains(entity.Policies, "root") {
+		if strutil.StrListContainsCaseInsensitive(entity.Policies, "root") {
 			return logical.ErrorResponse("policies cannot contain root"), nil
 		}
 
diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
@@ -265,7 +265,7 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 		group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
 	}
 
-	if strutil.StrListContains(group.Policies, "root") {
+	if strutil.StrListContainsCaseInsensitive(group.Policies, "root") {
 		return logical.ErrorResponse("policies cannot contain root"), nil
 	}
 
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -2993,10 +2993,10 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 		}
 	}
 
-	if strutil.StrListContains(te.Policies, "root") {
+	if strutil.StrListContainsCaseInsensitive(te.Policies, "root") {
 		// Prevent attempts to create a root token without an actual root token as parent.
 		// This is to thwart privilege escalation by tokens having 'sudo' privileges.
-		if !strutil.StrListContains(parent.Policies, "root") {
+		if !strutil.StrListContainsCaseInsensitive(parent.Policies, "root") {
 			return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest
 		}
 
@@ -3151,7 +3151,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 	}
 
 	// Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
-	if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
+	if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContainsCaseInsensitive(te.Policies, "root")) {
 		ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
 		if err != nil {
 			return nil, err

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+core: Fix string contains check in Identity APIs to be case-insensitive.`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -349,7 +349,7 @@ func (i *IdentityStore) handleEntityUpdateCommon() framework.OperationFunc {`
`349`	`349`	`entity.Policies = strutil.RemoveDuplicates(entityPoliciesRaw.([]string), false)`
`350`	`350`	`}`
`351`	`351`
`352`		`- if strutil.StrListContains(entity.Policies, "root") {`
	`352`	`+ if strutil.StrListContainsCaseInsensitive(entity.Policies, "root") {`
`353`	`353`	`return logical.ErrorResponse("policies cannot contain root"), nil`
`354`	`354`	`}`
`355`	`355`
Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ func (i IdentityStore) handleGroupUpdateCommon(ctx context.Context, req logica`
`265`	`265`	`group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)`
`266`	`266`	`}`
`267`	`267`
`268`		`- if strutil.StrListContains(group.Policies, "root") {`
	`268`	`+ if strutil.StrListContainsCaseInsensitive(group.Policies, "root") {`
`269`	`269`	`return logical.ErrorResponse("policies cannot contain root"), nil`
`270`	`270`	`}`
`271`	`271`
Original file line number	Diff line number	Diff line change
`@@ -2993,10 +2993,10 @@ func (ts TokenStore) handleCreateCommon(ctx context.Context, req logical.Reque`
`2993`	`2993`	`}`
`2994`	`2994`	`}`
`2995`	`2995`
`2996`		`- if strutil.StrListContains(te.Policies, "root") {`
	`2996`	`+ if strutil.StrListContainsCaseInsensitive(te.Policies, "root") {`
`2997`	`2997`	`// Prevent attempts to create a root token without an actual root token as parent.`
`2998`	`2998`	`// This is to thwart privilege escalation by tokens having 'sudo' privileges.`
`2999`		`- if !strutil.StrListContains(parent.Policies, "root") {`
	`2999`	`+ if !strutil.StrListContainsCaseInsensitive(parent.Policies, "root") {`
`3000`	`3000`	`return logical.ErrorResponse("root tokens may not be created without parent token being root"), logical.ErrInvalidRequest`
`3001`	`3001`	`}`
`3002`	`3002`
`@@ -3151,7 +3151,7 @@ func (ts TokenStore) handleCreateCommon(ctx context.Context, req logical.Reque`
`3151`	`3151`	`}`
`3152`	`3152`
`3153`	`3153`	`// Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token`
`3154`		`- if periodToUse > 0 \|\| te.TTL > 0 \|\| (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {`
	`3154`	`+ if periodToUse > 0 \|\| te.TTL > 0 \|\| (te.TTL == 0 && !strutil.StrListContainsCaseInsensitive(te.Policies, "root")) {`
`3155`	`3155`	`ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))`
`3156`	`3156`	`if err != nil {`
`3157`	`3157`	`return nil, err`