Allow fallback to non /-suffixed path for list acling (#5197)

This works around a very, very common error where people write policies
to affect listing but forget the slash at the end. If there is no exact
rule with a slash at the end when doing a list, we look to see if there
is a rule without it, and if so, use those capabilities.

Fixes #mass-user-confusion
Jeff Mitchell 2018-08-27 16:44:07 -07:00 committed by GitHub
parent 191fec2be1
commit b44b25d816
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions


@ -218,6 +218,14 @@ func (a *ACL) Capabilities(path string) (pathCapabilities []string) {
capabilities = perm.CapabilitiesBitmap
goto CHECK
}
if op == logical.ListOperation {
raw, ok = a.exactRules.Get(strings.TrimSuffix(path, "/"))
if ok {
permissions = raw.(*ACLPermissions)
capabilities = permissions.CapabilitiesBitmap
goto CHECK
}
}
// Find a glob rule, default deny if no match
_, raw, ok = a.globRules.LongestPrefix(path)
@ -286,6 +294,14 @@ func (a *ACL) AllowOperation(req *logical.Request) (ret *ACLResults) {
capabilities = permissions.CapabilitiesBitmap
goto CHECK
}
if op == logical.ListOperation {
raw, ok = a.exactRules.Get(strings.TrimSuffix(path, "/"))
if ok {
permissions = raw.(*ACLPermissions)
capabilities = permissions.CapabilitiesBitmap
goto CHECK
}
}
// Find a glob rule, default deny if no match
_, raw, ok = a.globRules.LongestPrefix(path)
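Review bot: The trailing-slash fallback in both hunks is consulted before the glob lookup, so on a list of `foo/` an exact rule written for `foo` now takes precedence over whatever glob rule `a.globRules.LongestPrefix(path)` would have returned, possibly a more restrictive one. If that ordering is intended, say so above the block, e.g. `// List only: retry the exact lookup without the trailing slash; deliberately checked before glob rules`, and add a test where the exact rule and a glob rule disagree, since the page shows only this one file changed. In the Capabilities hunk the added lines test `op` and assign `permissions`, but the visible signature takes only `path` and the context line above reads `perm.CapabilitiesBitmap`; neither name is declared in the lines shown, so confirm both exist in that function. Both function bodies begin and end outside the hunks.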