From a25132cec4dab74fc588fe5edbc5242260ff0f66 Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Tue, 21 Feb 2017 15:53:27 -0800
Subject: [PATCH] On merge favor values that have additive privileges

---
 vault/acl.go | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/vault/acl.go b/vault/acl.go
index 7beff98be..b11e19094 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -80,9 +80,16 @@ func NewACL(policies []*Policy) (*ACL, error) {
 if pc.Permissions.AllowedParameters == nil {
 pc.Permissions.AllowedParameters = existingPerms.AllowedParameters
 } else {
- // Merge the two maps, appending values on key conflict.
 for key, value := range existingPerms.AllowedParameters {
- pc.Permissions.AllowedParameters[key] = append(value, pc.Permissions.AllowedParameters[key]...)
+ pcValue, ok := pc.Permissions.AllowedParameters[key]
+ // If an empty array exist it should overwrite any other
+ // value.
+ if len(value) == 0 || (ok && len(pcValue) == 0) {
+ pc.Permissions.AllowedParameters[key] = []interface{}{}
+ } else {
+ // Merge the two maps, appending values on key conflict.
+ pc.Permissions.AllowedParameters[key] = append(value, pc.Permissions.AllowedParameters[key]...)
+ }
 }
 }
 }
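Review bot: The merge branch still appends into `value`, the slice taken from `existingPerms.AllowedParameters`; when that slice has spare capacity, `append(value, ...)` writes into its backing array, so the merged result can leak into whatever else still references the existing policy's slice (whether anything does is not visible in this hunk, but policy data that survives into the ACL should not be silently aliased). The same branch also re-indexes the map to fetch `pc.Permissions.AllowedParameters[key]` although `pcValue` already holds it. Both points apply identically to the DeniedParameters hunk below, and the two hunks are now nine duplicated lines each, which is worth folding into one helper that copies into a fresh slice; `NewACL` starts and ends outside the hunk. The block below sketches that helper and the call that replaces the loop; the key type `string` is inferred from the map usage and should be checked against the Permissions definition.
```go
// mergeParamValues merges the per-key value lists of src into dst. An empty
// list on either side wins for that key; otherwise the lists are concatenated
// into a fresh slice so that neither input's backing array is modified.
func mergeParamValues(dst, src map[string][]interface{}) {
	for key, srcVals := range src {
		dstVals, ok := dst[key]
		if len(srcVals) == 0 || (ok && len(dstVals) == 0) {
			dst[key] = []interface{}{}
			continue
		}
		merged := make([]interface{}, 0, len(srcVals)+len(dstVals))
		merged = append(merged, srcVals...)
		dst[key] = append(merged, dstVals...)
	}
}

// … unchanged: nil check that adopts existingPerms.AllowedParameters …
} else {
	mergeParamValues(pc.Permissions.AllowedParameters, existingPerms.AllowedParameters)
}
```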
@@ -91,10 +98,16 @@ func NewACL(policies []*Policy) (*ACL, error) {
 if pc.Permissions.DeniedParameters == nil {
 pc.Permissions.DeniedParameters = existingPerms.DeniedParameters
 } else {
-
- // Merge the two maps, appending values on key conflict.
 for key, value := range existingPerms.DeniedParameters {
- pc.Permissions.DeniedParameters[key] = append(value, pc.Permissions.DeniedParameters[key]...)
+ pcValue, ok := pc.Permissions.DeniedParameters[key]
+ // If an empty array exist it should overwrite any other
+ // value.
+ if len(value) == 0 || (ok && len(pcValue) == 0) {
+ pc.Permissions.DeniedParameters[key] = []interface{}{}
+ } else {
+ // Merge the two maps, appending values on key conflict.
+ pc.Permissions.DeniedParameters[key] = append(value, pc.Permissions.DeniedParameters[key]...)
+ }
 }
 }
 }
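Review bot: The comment `// If an empty array exist it should overwrite any other value.` is copied verbatim from the AllowedParameters loop but does not say what an empty list means for a denied parameter, and that is the fact an auditor of the effective policy needs, since this is the line that decides which policy wins on conflict. If an empty denied list means "every value for this key is denied", the rule here makes the merge more restrictive rather than additive, which is the opposite direction from the allowed-parameters case despite the commit title; that reading should be confirmed against the evaluation code and stated in the comment, e.g. `// An empty denied list blocks every value for this key, so it must win over any explicit list from either policy.` Consider also fixing the grammar (`exists`) in both copies. `NewACL` starts and ends outside the hunk.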