Deduplicate policies prior to generating ACL on request (#17914)

* Deduplicate policies prior to generating ACL on request

* add changelog

* edit changelog entry
davidadeleon 2022-11-16 17:43:46 -05:00 committed by GitHub
parent adc8f9a20e
commit 3394c28ce1
2 changed files with 5 additions and 2 deletions

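--- a/changelog/17914.txt
+++ b/changelog/17914.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Deduplicate policies prior to ACL generation
+```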

@ -204,7 +204,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
return nil, nil, nil, nil, ErrInternalError return nil, nil, nil, nil, ErrInternalError
} }
for nsID, nsPolicies := range identityPolicies { for nsID, nsPolicies := range identityPolicies {
policyNames[nsID] = append(policyNames[nsID], nsPolicies...) policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
} }
// Attach token's namespace information to the context. Wrapping tokens by // Attach token's namespace information to the context. Wrapping tokens by
@ -361,7 +361,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
if te != nil { if te != nil {
auth.IdentityPolicies = identityPolicies[te.NamespaceID] auth.IdentityPolicies = identityPolicies[te.NamespaceID]
auth.TokenPolicies = te.Policies auth.TokenPolicies = te.Policies
auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...) auth.Policies = policyutil.SanitizePolicies(append(te.Policies, identityPolicies[te.NamespaceID]...), false)
auth.Metadata = te.Meta auth.Metadata = te.Meta
auth.DisplayName = te.DisplayName auth.DisplayName = te.DisplayName
auth.EntityID = te.EntityID auth.EntityID = te.EntityID
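Review bot: The new `auth.Policies` line in the second hunk hands `append(te.Policies, ...)` directly to SanitizePolicies, so whenever te.Policies has spare capacity the sanitized slice shares its backing array with the token entry's own policy list; if SanitizePolicies normalizes entries in place (lower-casing or trimming, as its name suggests, worth confirming against policyutil), the token entry and the `auth.TokenPolicies` assigned one line earlier are rewritten as a side effect. Building the combined list in a fresh slice removes the aliasing: `policies := make([]string, 0, len(te.Policies)+len(identityPolicies[te.NamespaceID]))`, `policies = append(append(policies, te.Policies...), identityPolicies[te.NamespaceID]...)`, `auth.Policies = policyutil.SanitizePolicies(policies, false)`. Only `auth.Policies` is deduplicated here while `auth.TokenPolicies` and `auth.IdentityPolicies` keep any duplicates, which deserves a comment such as `// auth.Policies is the deduplicated union used for ACL generation; the per-source lists are kept as-is` so the next reader does not assume all three are sanitized. The first hunk's `policyNames[nsID]` assignment does not have the aliasing problem because the sanitized result is written back to the map. checkToken continues outside the hunk.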