9d906d4632
The List RPC correctly authorized against the prefix argument. But when filtering results underneath the prefix, it only checked authorization for standard ACL tokens and not Workload Identity. This results in WI tokens being able to read List results (metadata only: variable paths and timestamps) for variables under the `nomad/` prefix that belong to other jobs in the same namespace.

Fixes the filtering and splits the `handleMixedAuthEndpoint` function into separate authentication and authorization steps so that we don't need to re-verify the claim token on each filtered object.

Also includes:

* update semgrep rule for mixed auth endpoints
* variables: List returns empty set when all results are filtered
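As an added illustration (not Nomad's code), the shape of the fix the message describes in Go: verify the credential once, then apply a per-object authorization check to every result under the prefix for both ACL tokens and workload identities, and return an empty set rather than an error when everything is filtered. The `Principal` and `Variable` types, the token map and the simplified WI path rule are assumptions made for the example.

```go
package main
import "errors"
import "strings"
// Hypothetical types (not Nomad's own): an ACL token has ACLPaths, a Workload
// Identity claim has JobID. A Variable carries only the metadata List returns.
type Principal struct {
	Namespace string
	ACLPaths  []string // path prefixes an ACL token may read
	JobID     string   // non-empty for a workload identity claim
}
type Variable struct{ Namespace, Path string }

// authenticate verifies the presented secret exactly once per request.
func authenticate(secret string, tokens map[string]Principal) (Principal, error) {
	if p, ok := tokens[secret]; ok {
		return p, nil
	}
	return Principal{}, errors.New("permission denied")
}

// canRead is the per-object authorization step, applied to both credential kinds.
// Assumed WI rule (simplified): only paths under nomad/jobs/<its job id>.
func canRead(p Principal, v Variable) bool {
	allowed := p.ACLPaths
	if p.JobID != "" {
		allowed = []string{"nomad/jobs/" + p.JobID}
	}
	for _, a := range allowed {
		if v.Namespace == p.Namespace && strings.HasPrefix(v.Path, a) {
			return true
		}
	}
	return false
}

// listVariables authenticates once, then filters every result under prefix with
// canRead. It returns an empty, non-nil slice when all results are filtered out.
func listVariables(secret, ns, prefix string, tokens map[string]Principal, store []Variable) ([]Variable, error) {
	p, err := authenticate(secret, tokens)
	if err != nil {
		return nil, err
	}
	out := []Variable{}
	for _, v := range store {
		if v.Namespace == ns && strings.HasPrefix(v.Path, prefix) && canRead(p, v) {
			out = append(out, v)
		}
	}
	return out, nil
}
```

With the per-object check in place, a workload identity for job `web` listing `nomad/` sees only its own variable paths, while a job whose prefix holds nothing it may read gets an empty list and no error.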