Fix the issue of returning on the first paramater check. Added tests for this case.

2017-02-15 22:13:18 -08:00 · 2017-02-15 22:13:18 -08:00 · 24d8710233
parent da9e62bc24
commit 24d8710233
2 changed files with 18 additions and 8 deletions
--- a/vault/acl.go
+++ b/vault/acl.go
@ -243,7 +243,8 @@ CHECK:
 	case logical.CreateOperation:
 		operationAllowed = capabilities&CreateCapabilityInt > 0

-	// These three re-use UpdateCapabilityInt since that's the most appropriate capability/operation mapping
+	// These three re-use UpdateCapabilityInt since that's the most appropriate
+	// capability/operation mapping
 	case logical.RevokeOperation, logical.RenewOperation, logical.RollbackOperation:
 		operationAllowed = capabilities&UpdateCapabilityInt > 0

@ -255,7 +256,8 @@ CHECK:
 		return false, sudo
 	}

-	// Only check parameter permissions for operations that can modify parameters.
+	// Only check parameter permissions for operations that can modify
+	// parameters.
 	if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation {
 		// Check if all parameters have been denied
 		if _, ok := permissions.DeniedParameters["*"]; ok {
@ -271,7 +273,12 @@ CHECK:
 			// Check if parameter has explictly denied
 			if valueSlice, ok := permissions.DeniedParameters[parameter]; ok {
 				// If the value exists in denied values slice, deny
-				return !valueInParameterList(value, valueSlice), sudo
+				if valueInParameterList(value, valueSlice) {
+					return false, sudo
+				}
+				// If the value doesn't exist in the denied values slice,
+				// continue
+				continue
 			}

 			// Specfic parameters have been allowed
@ -280,16 +287,17 @@ CHECK:
 				if valueSlice, ok := permissions.AllowedParameters[parameter]; !ok {
 					return false, sudo
 				} else {
-					// If the value exists in the allowed values slice, allow
-					return valueInParameterList(value, valueSlice), sudo
+					// If the value doesn't exists in the allowed values slice,
+					// deny
+					if !valueInParameterList(value, valueSlice) {
+						return false, sudo
+					}
 				}
 			}
 		}
-
-		return true, sudo
 	}

-	return operationAllowed, sudo
+	return true, sudo
 }

 func valueInParameterList(v interface{}, list []interface{}) bool {
--- a/vault/acl_test.go
+++ b/vault/acl_test.go
@ -338,6 +338,8 @@ func TestACL_ValuePermissions(t *testing.T) {
 		{"foo/baz", []string{"allow"}, []interface{}{"good"}, true},
 		{"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
 		{"foo/baz", []string{"deny"}, []interface{}{"good"}, true},
+		{"foo/baz", []string{"allow", "deny"}, []interface{}{"good", "bad"}, false},
+		{"foo/baz", []string{"deny", "allow"}, []interface{}{"good", "bad"}, false},
 		{"foo/baz", []string{"allow"}, []interface{}{"bad"}, false},
 		{"foo/baz", []string{"neither"}, []interface{}{"bad"}, false},
 		{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},