open-nomad/acl
Tim Gross 50e7e5535b
ACL: disallow missing path in secure variable policy (#14123)
The HCL parser allows for labels that aren't needed, which makes it easy to
accidentally write a `secure_variable` block that has the intended path as the
label for that block instead of the innner `path` block. This can result in
silent failure to lock down variables if an incorrectly specified block was used
to reduce the scope of capabilities (for example, if another correctly-written
rule allows access to `*`).

We can't detect the extraneous label in the HCL API, but we can detect if we're
missing `path` blocks entirely. Use this to block obvious user errors.
2022-08-15 17:06:36 -04:00
..
acl.go search: use secure vars ACL policy for secure vars context (#13788) 2022-07-21 08:39:36 -04:00
acl_test.go secure vars: filter by path in List RPCs (#14036) 2022-08-15 11:38:20 -04:00
policy.go ACL: disallow missing path in secure variable policy (#14123) 2022-08-15 17:06:36 -04:00
policy_test.go ACL: disallow missing path in secure variable policy (#14123) 2022-08-15 17:06:36 -04:00