scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 02:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-3825: Wildcard ACL policies without a trailing slash should match LIST operations (#23874)

Browse Source 
* allow lists to match without trailing slash

* changelog
This commit is contained in:
miagilepner
2023-10-27 15:59:41 +02:00
committed by GitHub
parent 40e9fcde49
commit fb97a459ec
2 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/23874.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash
```

10
vault/acl.go
View File

@@ -409,6 +409,16 @@ func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheck
} }
} }
// List operations need to check without the trailing slash first, because
// there could be other rules with trailing wildcards that will match the
// path
if op == logical.ListOperation && strings.HasSuffix(path, "/") {
permissions = a.CheckAllowedFromNonExactPaths(strings.TrimSuffix(path, "/"), false)
if permissions != nil {
capabilities = permissions.CapabilitiesBitmap
goto CHECK
}
}
permissions = a.CheckAllowedFromNonExactPaths(path, false) permissions = a.CheckAllowedFromNonExactPaths(path, false)
if permissions != nil { if permissions != nil {
capabilities = permissions.CapabilitiesBitmap capabilities = permissions.CapabilitiesBitmap