From 74ddf430efa99413f9f6dda3576d3370855f455d Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Mon, 13 Feb 2017 10:51:29 -0800
Subject: [PATCH] Disallow root policy from being specified
This PR disallows the specification of a root policy by a Nomad task.
---
 nomad/structs/structs.go | 15 +++++++++++----
 nomad/structs/structs_test.go | 12 ++++++++++--
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index 3fe27853e2da..fd5f793cbd86 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -3238,21 +3238,28 @@ func (v *Vault) Validate() error {
 return nil
 }
+ var mErr multierror.Error
 if len(v.Policies) == 0 {
- return fmt.Errorf("Policy list cannot be empty")
+ multierror.Append(&mErr, fmt.Errorf("Policy list cannot be empty"))
+ }
+
+ for _, p := range v.Policies {
+ if p == "root" {
+ multierror.Append(&mErr, fmt.Errorf("Can not specifiy \"root\" policy"))
+ }
 }
 switch v.ChangeMode {
 case VaultChangeModeSignal:
 if v.ChangeSignal == "" {
- return fmt.Errorf("Signal must be specified when using change mode %q", VaultChangeModeSignal)
+ multierror.Append(&mErr, fmt.Errorf("Signal must be specified when using change mode %q", VaultChangeModeSignal))
 }
 case VaultChangeModeNoop, VaultChangeModeRestart:
 default:
- return fmt.Errorf("Unknown change mode %q", v.ChangeMode)
+ multierror.Append(&mErr, fmt.Errorf("Unknown change mode %q", v.ChangeMode))
 }
- return nil
+ return mErr.ErrorOrNil()
 }
 const (
diff --git a/nomad/structs/structs_test.go b/nomad/structs/structs_test.go
index 610a00044d59..a3e50e5f8371 100644
--- a/nomad/structs/structs_test.go
+++ b/nomad/structs/structs_test.go
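Review bot: The new check `if p == "root" {` in the policy loop is an exact, case-sensitive comparison, so a policy written as `Root` or padded with whitespace passes validation. If Vault normalizes policy names before attaching them to a token (it is understood to lower-case and trim them, but nothing in this hunk shows that), such a value would still resolve to the root policy. Consider `if strings.EqualFold(strings.TrimSpace(p), "root") {`, and fix the `specifiy` typo in the error message while there. Validate's opening lines sit above the hunk, and whether `strings` is already imported in structs.go cannot be seen from here.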
@@ -1493,12 +1493,20 @@ func TestVault_Validate(t *testing.T) {
 t.Fatalf("Expected policy list empty error")
 }
- v.Policies = []string{"foo"}
+ v.Policies = []string{"foo", "root"}
 v.ChangeMode = VaultChangeModeSignal
- if err := v.Validate(); err == nil || !strings.Contains(err.Error(), "Signal must") {
+ err := v.Validate()
+ if err == nil {
+ t.Fatalf("Expected validation errors")
+ }
+
+ if !strings.Contains(err.Error(), "Signal must") {
 t.Fatalf("Expected signal empty error")
 }
+ if !strings.Contains(err.Error(), "root") {
+ t.Fatalf("Expected root error")
+ }
 }
 func TestParameterizedJobConfig_Validate(t *testing.T) {
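Review bot: The updated TestVault_Validate only exercises failing inputs, so nothing after the last added `if` confirms that a policy list without `root` still validates now that Validate returns `mErr.ErrorOrNil()`. A closing positive case would pin that: set `v.Policies = []string{"foo"}` and `v.ChangeSignal = "SIGHUP"`, then `if err := v.Validate(); err != nil { t.Fatalf("unexpected error: %v", err) }`. The rejection is also asserted only for the literal `root`, so variant spellings of the policy name are not covered. The test's setup begins above the hunk.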