Fix the issue of returning on the first paramater check. Added tests for this case.
This commit is contained in:
parent
da9e62bc24
commit
24d8710233
24
vault/acl.go
24
vault/acl.go
|
@ -243,7 +243,8 @@ CHECK:
|
|||
case logical.CreateOperation:
|
||||
operationAllowed = capabilities&CreateCapabilityInt > 0
|
||||
|
||||
// These three re-use UpdateCapabilityInt since that's the most appropriate capability/operation mapping
|
||||
// These three re-use UpdateCapabilityInt since that's the most appropriate
|
||||
// capability/operation mapping
|
||||
case logical.RevokeOperation, logical.RenewOperation, logical.RollbackOperation:
|
||||
operationAllowed = capabilities&UpdateCapabilityInt > 0
|
||||
|
||||
|
@ -255,7 +256,8 @@ CHECK:
|
|||
return false, sudo
|
||||
}
|
||||
|
||||
// Only check parameter permissions for operations that can modify parameters.
|
||||
// Only check parameter permissions for operations that can modify
|
||||
// parameters.
|
||||
if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation {
|
||||
// Check if all parameters have been denied
|
||||
if _, ok := permissions.DeniedParameters["*"]; ok {
|
||||
|
@ -271,7 +273,12 @@ CHECK:
|
|||
// Check if parameter has explictly denied
|
||||
if valueSlice, ok := permissions.DeniedParameters[parameter]; ok {
|
||||
// If the value exists in denied values slice, deny
|
||||
return !valueInParameterList(value, valueSlice), sudo
|
||||
if valueInParameterList(value, valueSlice) {
|
||||
return false, sudo
|
||||
}
|
||||
// If the value doesn't exist in the denied values slice,
|
||||
// continue
|
||||
continue
|
||||
}
|
||||
|
||||
// Specfic parameters have been allowed
|
||||
|
@ -280,16 +287,17 @@ CHECK:
|
|||
if valueSlice, ok := permissions.AllowedParameters[parameter]; !ok {
|
||||
return false, sudo
|
||||
} else {
|
||||
// If the value exists in the allowed values slice, allow
|
||||
return valueInParameterList(value, valueSlice), sudo
|
||||
// If the value doesn't exists in the allowed values slice,
|
||||
// deny
|
||||
if !valueInParameterList(value, valueSlice) {
|
||||
return false, sudo
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true, sudo
|
||||
}
|
||||
|
||||
return operationAllowed, sudo
|
||||
return true, sudo
|
||||
}
|
||||
|
||||
func valueInParameterList(v interface{}, list []interface{}) bool {
|
||||
|
|
|
@ -338,6 +338,8 @@ func TestACL_ValuePermissions(t *testing.T) {
|
|||
{"foo/baz", []string{"allow"}, []interface{}{"good"}, true},
|
||||
{"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
|
||||
{"foo/baz", []string{"deny"}, []interface{}{"good"}, true},
|
||||
{"foo/baz", []string{"allow", "deny"}, []interface{}{"good", "bad"}, false},
|
||||
{"foo/baz", []string{"deny", "allow"}, []interface{}{"good", "bad"}, false},
|
||||
{"foo/baz", []string{"allow"}, []interface{}{"bad"}, false},
|
||||
{"foo/baz", []string{"neither"}, []interface{}{"bad"}, false},
|
||||
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
|
||||
|
|
Loading…
Reference in New Issue