From d7025e5aea12263132b76ca96c49a3d14d4c3937 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Thu, 21 Jul 2022 15:31:23 -0400
Subject: [PATCH] VAULT-7046 Allow trailing globbing at the end of a path suffix quota (#16386)
* VAULT-7046 OSS changes for trailing glob quotas
* VAULT-7046 allow glob of 'a*' to match 'a'
* VAULT-7046 Add changelog
* VAULT-7046 fix minor typo
---
 changelog/16386.txt | 3 +++
 vault/quotas/quotas.go | 14 ++++++++++++++
 vault/quotas/quotas_test.go | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 changelog/16386.txt
diff --git a/changelog/16386.txt b/changelog/16386.txt
new file mode 100644
index 0000000000..4fa6a6ca66
--- /dev/null
+++ b/changelog/16386.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/quotas: Added globbing functionality on the end of path suffix quota paths
+```
diff --git a/vault/quotas/quotas.go b/vault/quotas/quotas.go
index cac8ba5891..038fe54d64 100644
--- a/vault/quotas/quotas.go
+++ b/vault/quotas/quotas.go
@@ -523,6 +523,20 @@ func (m *Manager) queryQuota(txn *memdb.Txn, req *Request) (Quota, error) {
 return quota, nil
 }
 
+ // Fetch path suffix quotas with globbing
+ // Request paths which match the resulting glob (i.e. share the same prefix prior to the glob) are in scope for the quota
+ for i := 0; i <= len(pathSuffix); i++ {
+ trimmedSuffixWithGlob := pathSuffix[:len(pathSuffix)-i] + "*"
+ // Check to see if a quota exists with this particular pattern
+ quota, err = quotaFetchFunc(indexNamespaceMountPath, req.NamespacePath, req.MountPath, trimmedSuffixWithGlob, false)
+ if err != nil {
+ return nil, err
+ }
+ if quota != nil {
+ return quota, nil
+ }
+ }
+
 // Fetch mount quota
 quota, err = quotaFetchFunc(indexNamespaceMount, req.NamespacePath, req.MountPath, false, false)
 if err != nil {
diff --git a/vault/quotas/quotas_test.go b/vault/quotas/quotas_test.go
index f65f0a9cd7..00299859fc 100644
--- a/vault/quotas/quotas_test.go
+++ b/vault/quotas/quotas_test.go
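Review bot: In the vault/quotas/quotas.go hunk, the new loop in queryQuota makes len(pathSuffix)+1 quotaFetchFunc calls, each with a freshly concatenated string, for every request that reaches it without an earlier match, so the cost of the quota check now grows with the length of a caller-supplied path. Quota evaluation presumably runs ahead of most request handling, so this should be bounded: skip the loop when no glob quota is registered for the mount, or cap how far back the suffix is trimmed. The matching rule also deserves a comment next to the loop, e.g. `// Longest prefix wins; the glob is a plain string prefix and also crosses '/' boundaries (quota "a*" covers "ab/c").` queryQuota starts and ends outside this hunk, so the lookups that precede the loop are not visible here.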
@@ -87,7 +87,19 @@ func TestQuotas_Precedence(t *testing.T) {
 
 // Define a namespace mount specific quota and expect that to be returned.
 rateLimitNSMountQuota := setQuotaFunc(t, "rateLimitNSMountQuota", "testns/", "testmount/", "", "")
- checkQuotaFunc(t, "testns/", "testmount/", "", "", rateLimitNSMountQuota)
+ checkQuotaFunc(t, "testns/", "testmount/", "testpath", "", rateLimitNSMountQuota)
+
+ // Define a namespace mount + glob and expect that to be returned.
+ rateLimitNSMountGlob := setQuotaFunc(t, "rateLimitNSMountGlob", "testns/", "testmount/", "*", "")
+ checkQuotaFunc(t, "testns/", "testmount/", "testpath", "", rateLimitNSMountGlob)
+
+ // Define a namespace mount + path specific quota with a glob and expect that to be returned.
+ rateLimitNSMountPathSuffixGlob := setQuotaFunc(t, "rateLimitNSMountPathSuffixGlob", "testns/", "testmount/", "test*", "")
+ checkQuotaFunc(t, "testns/", "testmount/", "testpath", "", rateLimitNSMountPathSuffixGlob)
+
+ // Define a namespace mount + path specific quota with a glob at the end of the path and expect that to be returned.
+ rateLimitNSMountPathSuffixGlobAfterPath := setQuotaFunc(t, "rateLimitNSMountPathSuffixGlobAfterPath", "testns/", "testmount/", "testpath*", "")
+ checkQuotaFunc(t, "testns/", "testmount/", "testpath", "", rateLimitNSMountPathSuffixGlobAfterPath)
 
 // Define a namespace mount + path specific quota and expect that to be returned.
 rateLimitNSMountPathQuota := setQuotaFunc(t, "rateLimitNSMountPathQuota", "testns/", "testmount/", "testpath", "")
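Review bot: Every assertion added to TestQuotas_Precedence queries the same path, "testpath", so the hunk only shows that a more specific glob overrides a less specific one; nothing checks that a glob quota is not applied to a path outside its prefix. A negative case placed right after the "test*" quota is defined would pin that, e.g. `checkQuotaFunc(t, "testns/", "testmount/", "otherpath", "", rateLimitNSMountGlob)`, which should fall through to the "*" quota. One assertion with a '/' after the glob prefix would also help, since the loop in quotas.go trims the suffix byte by byte rather than by path segment. The test function starts and ends outside this hunk.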