backport of commit fb97a459ec (#23875)

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2023-10-27 10:19:07 -04:00
parent 8a5e6fcc4e
commit fa2be335d4
2 changed files with 13 additions and 0 deletions
--- a/changelog/23874.txt
+++ b/changelog/23874.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash 
+```
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -388,6 +388,16 @@ func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheck
 		}
 	}

+	// List operations need to check without the trailing slash first, because
+	// there could be other rules with trailing wildcards that will match the
+	// path
+	if op == logical.ListOperation && strings.HasSuffix(path, "/") {
+		permissions = a.CheckAllowedFromNonExactPaths(strings.TrimSuffix(path, "/"), false)
+		if permissions != nil {
+			capabilities = permissions.CapabilitiesBitmap
+			goto CHECK
+		}
+	}
 	permissions = a.CheckAllowedFromNonExactPaths(path, false)
 	if permissions != nil {
 		capabilities = permissions.CapabilitiesBitmap