Ensure we won't nil pointer if policies is somehow empty

vault/core.go

@@ -1014,11 +1014,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken:      req.ClientToken,
-		Policies:         append(te.Policies, identityPolicies...),
-		TokenPolicies:    te.Policies,
+		Policies:         identityPolicies,
 		IdentityPolicies: identityPolicies,
 	}
 	if te != nil {
+		auth.TokenPolicies = te.Policies
+		auth.Policies = append(te.Policies, identityPolicies...)
 		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID

vault/ha.go

@@ -163,11 +163,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken:      req.ClientToken,
-		Policies:         append(te.Policies, identityPolicies...),
-		TokenPolicies:    te.Policies,
+		Policies:         identityPolicies,
 		IdentityPolicies: identityPolicies,
 	}
 	if te != nil {
+		auth.TokenPolicies = te.Policies
+		auth.Policies = append(te.Policies, identityPolicies...)
 		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID

vault/request_handling.go

@@ -220,12 +220,13 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 	auth := &logical.Auth{
 		ClientToken:      req.ClientToken,
 		Accessor:         req.ClientTokenAccessor,
-		Policies:         append(te.Policies, identityPolicies...),
-		TokenPolicies:    te.Policies,
+		Policies:         identityPolicies,
 		IdentityPolicies: identityPolicies,
 	}
 
 	if te != nil {
+		auth.TokenPolicies = te.Policies
+		auth.Policies = append(te.Policies, identityPolicies...)
 		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID